Some 1.3.14 Changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@427 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-01-31 21:50:51 +00:00
parent 5aeecee8ab
commit b56fd26640
23 changed files with 11632 additions and 10588 deletions

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -15,13 +15,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and <h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1> Upgrade</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -30,178 +30,192 @@ Upgrade</font></h1>
href="upgrade_issues.htm">Upgrade Issues</a></b></p> href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball</a><br> <a href="#Install_Tarball">Install using tarball<br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br> </a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball</a><br> <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br> <a href="#Upgrade_Tarball">Upgrade using tarball<br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p> </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p> <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a <p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a 1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p> attempting to start Shorewall.</b></p>
<ul> <ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br> <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports <b>Note: </b>Some SuSE users have encountered a problem whereby rpm
a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps installed. If this happens, simply use the --nodeps option to rpm (rpm
&lt;shorewall rpm&gt;).</li> -ivh --nodeps &lt;shorewall rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match <li>Edit the <a href="#Config_Files"> configuration files</a> to match
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
CONNECTIVITY.</b></font></li> RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball <p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p> and install script: </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li> directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type <li>If you are using <a href="http://www.suse.com">SuSe</a> then type
"./install.sh /etc/init.d"</li> "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or <li>If your distribution has directory /etc/rc.d/init.d
/etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script directory&gt;</li> installs init scripts and type "./install.sh &lt;init script
<li>Edit the <a href="#Config_Files"> configuration files</a> to match directory&gt;</li>
your configuration.</li> <li>Edit the <a href="#Config_Files"> configuration files</a> to match
<li>Start the firewall by typing "shorewall start"</li> your configuration.</li>
<li>If the install script was unable to configure Shorewall to be started <li>Start the firewall by typing "shorewall start"</li>
automatically at boot, see <a <li>If the install script was unable to configure Shorewall to be started
automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul> </ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file that
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p> and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and <p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
you have entries in the /etc/shorewall/hosts file then please check your and you have entries in the /etc/shorewall/hosts file then please check
/etc/shorewall/interfaces file to be sure that it contains an entry for your /etc/shorewall/interfaces file to be sure that it contains an entry
each interface mentioned in the hosts file. Also, there are certain 1.2 for each interface mentioned in the hosts file. Also, there are certain
rule forms that are no longer supported under 1.3 (you must use the new 1.2 rule forms that are no longer supported under 1.3 (you must use the
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details. new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
You can check your rules and host file for 1.3 compatibility using the "shorewall details. You can check your rules and host file for 1.3 compatibility using
check" command after installing the latest version of 1.3.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage
shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is
installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file.  Also, there are certain 1.2
rule forms that are no longer supported under 1.3 (you must use the new
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. You can check your rules and host file for 1.3 compatibility using
the "shorewall check" command after installing the latest version of 1.3.</p> the "shorewall check" command after installing the latest version of 1.3.</p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
<li>cd to the shorewall directory (the version is encoded in the you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
directory name as in "shorewall-3.0.1").</li> installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
<li>If you are using <a -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain
1.2 rule forms that are no longer supported under 1.3 (you must use the
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. You can check your rules and host file for 1.3 compatibility
using the "shorewall check" command after installing the latest version
of 1.3.</p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type <li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
"./install.sh /etc/init.d"</li> "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or <li>If your distribution has directory /etc/rc.d/init.d
/etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script directory&gt;</li> installs init scripts and type "./install.sh &lt;init script
<li>See if there are any incompatibilities between your configuration directory&gt;</li>
and the new Shorewall version (type "shorewall check") and correct as necessary.</li> <li>See if there are any incompatibilities between your configuration
<li>Restart the firewall by typing "shorewall restart"</li> and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul> </ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering installation
and wish to upgrade to a later version of Shorewall:<br>
<br>
    <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3> <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match <p>You will need to edit some or all of these configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall your setup. In most cases, the <a
QuickStart Guides</a> contain all of the information you need.</p> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
contain all of the information you need.</p>
<ul> <ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall <li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li> parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that <li>/etc/shorewall/params - use this file to set shell variables that
you will expand in other files.</li> you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world <li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li> into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li> <li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the <li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li> firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual <li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li> hosts and subnetworks.</li>
<li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br> <li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
</li> </li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one <li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li> (dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li> <li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the <li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li> overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li> <li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li> <li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines <li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
hosts accessible when Shorewall is stopped.</li> hosts accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use <li>/etc/shorewall/tcrules - defines marking of packets for later use
by traffic control/shaping.</li> by traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet <li>/etc/shorewall/tos - defines rules for setting the TOS field in
headers.</li> packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on <li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li> the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li> <li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul> </ul>
<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 1/30/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>
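Review bot: the new table-of-contents entry "Upgrade the .lrp" (#LRP_Upgrade) links to a section whose whole body is "UNDER CONSTRUCTION...", so a Bering user who follows it gets no upgrade procedure at all; either give the steps (at minimum the same "shorewall check", then restart, sequence the RPM and tarball upgrade sections already use) or leave the link out until the section is written. Two smaller points in the same hunk: in the TOC the `<br>` for the tarball entries moved inside the anchor (`Install using tarball<br>` followed by `</a><a href="#LRP">`), which makes the line break part of the link text; and the tarball upgrade steps still show `shorewall-3.0.1` as the example directory name in a 1.3.x document, while the install steps a few lines above use `shorewall-1.1.10`.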

File diff suppressed because it is too large


@ -12,124 +12,125 @@
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169"> bgcolor="#400169">
<tbody> <tbody>
<tr> <tr>
<td valign="middle" width="33%" bgcolor="#400169"><a <td valign="middle" width="33%" bgcolor="#400169"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif" href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> alt="" width="88" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
<td valign="middle" height="90" align="center" width="34%"><font <td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br> color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
</td> </td>
<td valign="middle" height="90" width="33%" align="right"><a <td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif" href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> alt="" width="100" height="31" hspace="4">
</a><br> </a><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
This page covers Shorewall configuration to use with <a This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>.&nbsp;<br> Proxy</b></u>.&nbsp;<br>
<a href="#DMZ"></a><br> <a href="#DMZ"></a><br>
<img border="0" src="images/j0213519.gif" width="60" height="60" <img border="0" src="images/j0213519.gif" width="60" height="60"
alt="Caution" align="middle"> alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run &nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured to run
as a transparent proxy as described at <a as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br> href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br> <b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> </b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start &nbsp;&nbsp;&nbsp; </b>The following instructions mention the files /etc/shorewall/start
and /etc/shorewall/init -- if you don't have those files, siimply create and /etc/shorewall/init -- if you don't have those files, siimply create
them.<br> them.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in </b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone or in
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
file entries. That is because the packets being routed to the Squid server file entries. That is because the packets being routed to the Squid server
still have their original destination IP addresses.<br> still have their original destination IP addresses.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed </b>&nbsp;&nbsp;&nbsp; You must have iproute2 (<i>ip </i>utility) installed
on your firewall.<br> on your firewall.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid </b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your Squid
server.<br> server.<br>
<br> <br>
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13"> <b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
</b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your /etc/shorewall/conf </b>&nbsp;&nbsp;&nbsp; You must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br> file<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br> &nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp; NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br> </font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br> <br>
Three different configurations are covered:<br> Three different configurations are covered:<br>
<ol> <ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the <li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
Firewall.</a></li> Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the local <li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
network</a></li> local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li> <li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
</ol> </ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2> <h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT You want to redirect all local www connection requests EXCEPT
those to your own those to your own
http server (206.124.146.177) http server (206.124.146.177)
to a Squid transparent to a Squid transparent
proxy running on the firewall and listening on port 3128. Squid proxy running on the firewall and listening on port 3128. Squid
will of course require access to remote web servers.<br> will of course require access to remote web servers.<br>
<br> <br>
In /etc/shorewall/rules:<br> In /etc/shorewall/rules:<br>
<br> <br>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>REDIRECT</td> <td>REDIRECT</td>
<td>loc</td> <td>loc</td>
<td>3128</td> <td>3128</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> -<br> <td> -<br>
</td> </td>
<td>!206.124.146.177</td> <td>!206.124.146.177</td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>fw</td> <td>fw</td>
<td>net</td> <td>net</td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td> <br> <td> <br>
</td> </td>
</tr> </tr>
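Review bot: the requirement "You must have NAT and MANGLE enabled in your /etc/shorewall/conf file" names a file that does not exist; NAT_ENABLED=Yes and MANGLE_ENABLED=Yes belong in /etc/shorewall/shorewall.conf, the file the install page changed in this same commit lists as holding the firewall parameters, so a reader searching for /etc/shorewall/conf will not find where to set them. Since this region is being rewrapped anyway, also fix "siimply" in the note about creating /etc/shorewall/start and /etc/shorewall/init.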
@ -140,75 +141,75 @@ network</a></li>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h2><a name="Local"></a>Squid Running in the local network</h2> <h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a Squid You want to redirect all local www connection requests to a Squid
transparent proxy transparent proxy
running in your local zone at 192.168.1.3 and listening on port 3128. running in your local zone at 192.168.1.3 and listening on port 3128.
Your local interface is eth1. There may also be a web server running on Your local interface is eth1. There may also be a web server running on 192.168.1.3.
192.168.1.3. It is assumed that web access is already enabled from the local It is assumed that web access is already enabled from the local zone to the
zone to the internet.<br> internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with <p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic shaping other aspects of your gateway including but not limited to traffic shaping
and route redirection. For that reason, I don't recommend it.<br> and route redirection. For that reason, <b>I don't recommend it</b>.<br>
</p> </p>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre> <pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre> <pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules:<br> <li>In /etc/shorewall/rules:<br>
<br> <br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT<br> <td>ACCEPT<br>
</td> </td>
<td>loc</td> <td>loc</td>
<td>loc<br> <td>loc<br>
</td> </td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td><br> <td><br>
</td> </td>
</tr> </tr>
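Review bot: the /etc/shorewall/init snippet turns off `send_redirects` on eth1 (`echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects`) without saying why, and the text around it never mentions ICMP redirects. A reader needs the reason to know whether the line applies to their layout: marked packets arriving on eth1 are routed straight back out eth1 to 192.168.1.3, and with send_redirects left on the firewall would tell each client to contact 192.168.1.3 directly, which the clients would then cache. One sentence to that effect would also make it clear why the DMZ variant further down, where the traffic leaves through a different interface (eth1 in, eth2 out), does not need the line.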
@ -219,190 +220,271 @@ zone to the internet.<br>
</table> </table>
<br> <br>
</li> </li>
<li>Alternativfely, you can have the following policy:<br> <li>Alternativfely, you can have the following policy:<br>
<br> <br>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>POLICY<br> <td valign="top"><b>POLICY<br>
</b></td> </b></td>
<td valign="top"><b>LOG LEVEL<br> <td valign="top"><b>LOG LEVEL<br>
</b></td> </b></td>
<td valign="top"><b>BURST PARAMETERS<br> <td valign="top"><b>BURST PARAMETERS<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/start add:<br> <li>In /etc/shorewall/start add:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre> <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to be executed <li>On 192.168.1.3, arrange for the following command to be executed
after networking has come up<br> after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177. You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ interface You want to run both a web server and Squid on that system. Your DMZ interface
is eth1 and your local interface is eth2.<br> is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre> <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre> <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>&nbsp;In /etc/shorewall/start add:<br> <li>&nbsp;Do<b> one </b>of the following:<br>
</li> <br>
A) In /etc/shorewall/start add<br>
</li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre> <pre><b><font color="#009900"> iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote> </blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
</blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules, you will need:</li> <li>In /etc/shorewall/rules, you will need:</li>
</ul> </ul>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ACTION<br> <td valign="top">ACTION<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
</td> </td>
<td valign="top">PROTO<br> <td valign="top">PROTO<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
PORT(S)<br> PORT(S)<br>
</td> </td>
<td valign="top">CLIENT<br> <td valign="top">CLIENT<br>
PORT(2)<br> PORT(2)<br>
</td> </td>
<td valign="top">ORIGINAL<br> <td valign="top">ORIGINAL<br>
DEST<br> DEST<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following <li>On 192.0.2.177 (your Web/Squid server), arrange for the following
command to be executed after networking has come up<br> command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre> <pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 1/10/2003 - <a <p><font size="-1"> Updated 1/23/2003 - <a
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
</font></p> </font></p>
<a <a
href="copyright.htm"><font size="2">Copyright</font> &copy; <font href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2003 Thomas M. Eastep.</font></a><br> size="2">2003 Thomas M. Eastep.</font></a><br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>
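Review bot: option A under "Squid Running in the DMZ" (the added `iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202` line) puts the MARK target in the nat table, which the iptables/2.4 kernels this page targets reject with "MARK: can only be called from mangle table", and even on a kernel that accepted it the nat PREROUTING chain is consulted only for the first packet of a connection, so later packets would miss the mark and bypass the www.out route; the equivalent line in the local-network example above correctly uses `-t mangle`, and option A should too. Two smaller points in the same hunk: `chkconfig --level 35 iptables start` is not valid chkconfig syntax (the action is `on`), and the rules table header reads "CLIENT PORT(2)" where "PORT(S)" is meant. Finally, the marked packets leave eth2 for eth1 and are therefore filtered as loc to dmz traffic, so it is worth stating that an ACCEPT loc dmz tcp 80 rule is needed alongside the dmz to net one unless the loc to dmz policy already accepts.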

View File

@ -16,7 +16,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
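Review bot: this hunk carries no visible change (both columns read identically on every line), so it is whitespace or line-ending reflow from the editor; mixing such reflow into the same commit as the Squid and errata content changes makes the real edits harder to review, so consider committing editor reflow separately.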
@ -25,77 +25,77 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference <li> <a href="Documentation.htm">Reference
Manual</a></li> Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful <li><a href="useful_links.html">Useful
Links</a><br> Links</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade <li> <a href="upgrade_issues.htm">Upgrade
Issues</a></li> Issues</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing <li> <a
Lists</a></li> href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
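Review bot: the Mailing Lists entry (the `href="http://lists.shorewall.net/mailing_list.htm"` change near the end of the hunk) turns a relative link into an absolute one on a different host while every other entry in this menu stays relative, so the mirror copies listed directly beneath it will now send readers off the mirror and back to lists.shorewall.net; if the page has genuinely moved there, a short note in the commit message would help, otherwise keep the relative link. The same change is made to the second index file below.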
@ -106,21 +106,22 @@ Lists</a></li>
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li> <li> <a href="quotes.htm">Quotes from
<li> <a href="shoreline.htm">About the Users</a></li>
<li> <a href="shoreline.htm">About the
Author</a></li> Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -128,20 +129,20 @@ Author</a></li>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily <b>Note: </b></strong>Search is unavailable Daily
0200-0330 GMT.<br> 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input
name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font> type="hidden" name="exclude"
</form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p> <p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
@ -150,16 +151,17 @@ Author</a></li>
<p><a href="http://www.shorewall.net" target="_top"> <img border="1" <p><a href="http://www.shorewall.net" target="_top"> <img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="0"> src="images/shorewall.jpg" width="119" height="38" hspace="0">
</a><br> </a><br>
<br> <br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br>
<br>
<br> <br>
<br>
<br>
</body> </body>
</html> </html>

View File

@ -16,7 +16,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base target="main"> <base target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
@ -25,77 +26,77 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90"> bgcolor="#4b017c" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td width="100%" bgcolor="#ffffff"> <td width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li> <a
href="shorewall_features.htm">Features</a></li> href="shorewall_features.htm">Features</a></li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br> <li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li> </li>
<li> <b><a <li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
<li> <a href="Documentation.htm">Reference <li> <a href="Documentation.htm">Reference
Manual</a></li> Manual</a></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful <li><a href="useful_links.html">Useful
Links</a><br> Links</a><br>
</li> </li>
<li> <a href="troubleshoot.htm">Troubleshooting</a></li> <li> <a href="troubleshoot.htm">Troubleshooting</a></li>
<li> <a href="errata.htm">Errata</a></li> <li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade <li> <a href="upgrade_issues.htm">Upgrade
Issues</a></li> Issues</a></li>
<li> <a href="support.htm">Support</a></li> <li> <a href="support.htm">Support</a></li>
<li> <a href="mailing_list.htm">Mailing <li> <a
Lists</a></li> href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
<li> <a href="shorewall_mirrors.htm">Mirrors</a> <li> <a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a target="_top" <li><a target="_top"
href="http://slovakia.shorewall.net">Slovak Republic</a></li> href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.infohiiway.com">Texas, USA</a></li> href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" <li><a target="_top"
href="http://germany.shorewall.net">Germany</a></li> href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://shorewall.correofuego.com.ar">Argentina</a></li> href="http://shorewall.correofuego.com.ar">Argentina</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://www.shorewall.net" <li><a href="http://www.shorewall.net"
target="_top">Washington State, USA</a><br> target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
@ -106,22 +107,22 @@
<ul> <ul>
<li> <a href="News.htm">News Archive</a></li> <li> <a href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from <li> <a href="quotes.htm">Quotes from
Users</a></li> Users</a></li>
<li> <a href="shoreline.htm">About the <li> <a href="shoreline.htm">About the
Author</a></li> Author</a></li>
<li> <a <li> <a
href="sourceforge_index.htm#Donations">Donations</a></li> href="sourceforge_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
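Review bot: the Donations link (`href="sourceforge_index.htm#Donations"`) is the only line that differs between this navigation menu and the one in the index file above, yet the whole menu is duplicated and every navigation change in this commit (the Install/QuickStart reordering and the mailing-list URL) had to be applied twice; consider generating the two index files from one source or extracting the menu so the copies cannot drift apart.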
@ -129,18 +130,18 @@ Author</a></li>
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch"> <form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<b>Note: </b></strong>Search is unavailable Daily <b>Note: </b></strong>Search is unavailable Daily
0200-0330 GMT.<br> 0200-0330 GMT.<br>
<strong></strong> <strong></strong>
<p><strong>Quick Search</strong><br> <p><strong>Quick Search</strong><br>
<font face="Arial" size="-1"> <input <font face="Arial" size="-1"> <input
type="text" name="words" size="15"></font><font size="-1"> </font> <font type="text" name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input <font face="Arial"> <input
type="hidden" name="exclude" type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form> value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
@ -150,16 +151,17 @@ Author</a></li>
size="2">2001-2003 Thomas M. Eastep.</font></a></p> size="2">2001-2003 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top"> </a><br> <p><a href="http://www.shorewall.net" target="_top"> </a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
<br> <br>
</body> </body>
</html> </html>

View File

@ -2,6 +2,7 @@
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title> <title>Shorewall 1.3 Errata</title>
@ -9,6 +10,7 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
@ -19,14 +21,14 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -34,65 +36,65 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the <p align="left"> <b>If you are installing Shorewall for the first
first time and plan to use the .tgz and install.sh script, you can time and plan to use the .tgz and install.sh script, you can untar
untar the archive, replace the 'firewall' script in the untarred directory the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are running a Shorewall version earlier <p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected firewall than 1.3.11, when the instructions say to install a corrected firewall
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to the 'shorewall' file used by your system initialization scripts
to start Shorewall during boot. It is that file that must be overwritten to start Shorewall during boot. It is that file that must be
with the corrected script. Beginning with Shorewall 1.3.11, overwritten with the corrected script. Beginning with Shorewall
you may rename the existing file before copying in the new file.</b></p> 1.3.11, you may rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
For example, do NOT install the 1.3.9a firewall script if you are running example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br> 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li> <b><a href="#V1.3">Problems <li> <b><a href="#V1.3">Problems
in Version 1.3</a></b></li> in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a href="#Debug">Problems <li> <b><a href="#Debug">Problems
with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li> with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version <li><b><a href="#Multiport">Problems with iptables version
1.2.7 and MULTIPORT=Yes</a></b></li> 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and
NAT</a></b><br> NAT</a></b><br>
</li> </li>
</ul> </ul>
@ -103,97 +105,105 @@ NAT</a></b><br>
<h3>Version 1.3.13</h3> <h3>Version 1.3.13</h3>
<ul> <ul>
<li>The 'shorewall add' command produces an error message referring to <li>The 'shorewall add' command produces an error message referring to
'find_interfaces_by_maclist'.</li> 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.<br> <li>The 'shorewall delete' command can leave behind undeleted rules.<br>
</li> </li>
</ul> </ul>
Both problems are corrected by <a Both problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.13/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br> above.<br>
<ul>
<li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
are not supported in this version or in 1.3.12. If you need such support,
post on the users list and I can provide you with a patched version.<br>
</li>
</ul>
<h3>Version 1.3.12</h3> <h3>Version 1.3.12</h3>
<ul> <ul>
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is <li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is
the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is
corrected by <a corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
firewall script</a> which may be installed in /usr/lib/shorewall as described firewall script</a> which may be installed in /usr/lib/shorewall as described
above.<br> above.</li>
</li> <li>VLAN interface names of the form "eth<i>n</i>.<i>m</i>" (e.g., eth0.1)
are not supported in this version or in 1.3.13. If you need such support,
post on the users list and I can provide you with a patched version.<br>
</li>
</ul> </ul>
<h3>Version 1.3.12 LRP</h3> <h3>Version 1.3.12 LRP</h3>
<ul> <ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file -- a new <li>The .lrp was missing the /etc/shorewall/routestopped file -- a
lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br> new lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.11a</h3> <h3>Version 1.3.11a</h3>
<ul> <ul>
<li><a <li><a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br> copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.11</h3> <h3>Version 1.3.11</h3>
<ul> <ul>
<li>When installing/upgrading using the .rpm, you may receive the <li>When installing/upgrading using the .rpm, you may receive the
following warnings:<br> following warnings:<br>
<br> <br>
     user teastep does not exist - using root<br>      user teastep does not exist - using root<br>
     group teastep does not exist - using root<br>      group teastep does not exist - using root<br>
<br> <br>
These warnings are harmless and may be ignored. Users downloading These warnings are harmless and may be ignored. Users downloading
the .rpm from shorewall.net or mirrors should no longer see these warnings the .rpm from shorewall.net or mirrors should no longer see these warnings
as the .rpm you will get from there has been corrected.</li> as the .rpm you will get from there has been corrected.</li>
<li>DNAT rules that exclude a source subzone (SOURCE column contains <li>DNAT rules that exclude a source subzone (SOURCE column contains
! followed by a sub-zone list) result in an error message and Shorewall ! followed by a sub-zone list) result in an error message and Shorewall
fails to start.<br> fails to start.<br>
<br> <br>
Install <a Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem. corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br> Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
<br> <br>
This problem is corrected in version 1.3.11a.<br> This problem is corrected in version 1.3.11a.<br>
</li> </li>
</ul> </ul>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
<ul> <ul>
<li>If you experience problems connecting to a PPTP server running <li>If you experience problems connecting to a PPTP server running
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels, on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases version of the firewall script</a> may help. Please report any cases where
where installing this script in /usr/lib/shorewall/firewall solved your installing this script in /usr/lib/shorewall/firewall solved your connection
connection problems. Beginning with version 1.3.10, it is safe to save problems. Beginning with version 1.3.10, it is safe to save the old version
the old version of /usr/lib/shorewall/firewall before copying in the of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
new one since /usr/lib/shorewall/firewall is the real script now and is the real script now and not just a symbolic link to the real script.<br>
not just a symbolic link to the real script.<br> </li>
</li>
</ul> </ul>
<h3>Version 1.3.9a</h3> <h3>Version 1.3.9a</h3>
<ul> <ul>
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No <li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
then the following message appears during "shorewall [re]start":</li> then the following message appears during "shorewall [re]start":</li>
</ul> </ul>
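Review bot: the 1.3.11 and 1.3.10 entries in this hunk tell the reader to fetch a replacement firewall script over plain http (`http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall`) and copy it over /usr/lib/shorewall/firewall with no checksum to compare against, while the 1.3.7a entry lower on the page does publish md5sums for its packages; publish an md5sum for each errata script and put it next to the link. The 1.3.10 remark that it is "safe to save the old version of /usr/lib/shorewall/firewall before copying in the new one" would read better as a direct instruction: copy the current script aside first so there is something to fall back to if the replacement misbehaves.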
@ -202,106 +212,106 @@ not just a symbolic link to the real script.<br>
<blockquote> The updated firewall script at <a <blockquote> The updated firewall script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
corrects this problem.Copy the script to /usr/lib/shorewall/firewall corrects this problem.Copy the script to /usr/lib/shorewall/firewall
as described above.<br> as described above.<br>
</blockquote> </blockquote>
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the <blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
to 'recalculate_interface'. <br> to 'recalculate_interface'. <br>
</blockquote> </blockquote>
<ul> <ul>
<li>The installer (install.sh) issues a misleading message "Common <li>The installer (install.sh) issues a misleading message "Common
functions installed in /var/lib/shorewall/functions" whereas the file functions installed in /var/lib/shorewall/functions" whereas the file
is installed in /usr/lib/shorewall/functions. The installer also performs is installed in /usr/lib/shorewall/functions. The installer also performs
incorrectly when updating old configurations that had the file /etc/shorewall/functions. incorrectly when updating old configurations that had the file /etc/shorewall/functions.
<a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
is an updated version that corrects these problems.<br> is an updated version that corrects these problems.<br>
</a></li> </a></li>
</ul> </ul>
<h3>Version 1.3.9</h3> <h3>Version 1.3.9</h3>
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall <b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall
script at <a script at <a
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall" href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a> target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
-- copy that file to /usr/lib/shorewall/firewall as described above.<br> -- copy that file to /usr/lib/shorewall/firewall as described above.<br>
<br> <br>
Version 1.3.8 Version 1.3.8
<ul> <ul>
<li> Use of shell variables in the LOG LEVEL or SYNPARMS <li> Use of shell variables in the LOG LEVEL or SYNPARMS
columns of the policy file doesn't work.</li> columns of the policy file doesn't work.</li>
<li>A DNAT rule with the same original and new IP addresses <li>A DNAT rule with the same original and new IP addresses
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
tcp 25 - 10.1.1.1")<br> tcp 25 - 10.1.1.1")<br>
</li> </li>
</ul> </ul>
Installing <a Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects these as described above corrects these problems.
problems.
<h3>Version 1.3.7b</h3> <h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW) <p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing result in an error message. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version 1.3.7a</h3> <h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper <p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward "shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing icmp echo-request (ping) packets. Installing
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this problem.</p> as described above corrects this problem.</p>
<h3>Version &lt;= 1.3.7a</h3> <h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as <p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918 options on a given interface then RFC 1918
checking is occurring before DHCP checking. This checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This reject the broadcast (usually logging it). This
has two problems:</p> has two problems:</p>
<ol> <ol>
<li>If the firewall is running <li>If the firewall is
a DHCP server, the client won't be running a DHCP server, the client
able to obtain an IP address lease won't be able to obtain an IP address
from that server.</li> lease from that server.</li>
<li>With this order of checking, <li>With this order of
the "dhcp" option cannot be used as checking, the "dhcp" option cannot
a noise-reduction measure where there be used as a noise-reduction measure
are both dynamic and static clients where there are both dynamic and static
on a LAN segment.</li> clients on a LAN segment.</li>
</ol> </ol>
<p> <a <p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a> This version of the 1.3.7a firewall script </a>
corrects the problem. It must be installed corrects the problem. It must be installed
in /var/lib/shorewall as described in /var/lib/shorewall as described
above.</p> above.</p>
<h3>Version 1.3.7</h3> <h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use <p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against version 1.3.7a and check your version against
these md5sums -- if there's a difference, please these md5sums -- if there's a difference, please
download again.</p> download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre> <pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
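Review bot: the first checksum in the `<pre>` block that closes this hunk, `d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz`, is only 31 hex digits, so it can never match the output of `md5sum shorewall-1.3.7a.tgz`; recheck the published value before telling readers to compare against it. The third entry spells the file `shorwall-1.3.7a.lrp`. Earlier in the hunk the 1.3.9a workaround says `edit /usr/lob/shorewall/firewall` (should be /usr/lib) and `single occurence` (occurrence), and `Version 1.3.8` is left as plain text where every other version on the page is an `<h3>`.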
@ -314,54 +324,55 @@ above.</p>
<h3 align="left">Version 1.3.6</h3> <h3 align="left">Version 1.3.6</h3>
<ul> <ul>
<li> <li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, <p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to add an error occurs when the firewall script attempts to add
an SNAT alias. </p> an SNAT alias. </p>
</li> </li>
<li> <li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options <p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables cause errors during startup when Shorewall is run with iptables
1.2.7. </p> 1.2.7. </p>
</li> </li>
</ul> </ul>
<p align="left">These problems are fixed in <a <p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also /var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p> corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3> <h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="left">A line was inadvertently deleted from the "interfaces <p align="left">A line was inadvertently deleted from the "interfaces
file" -- this line should be added back in if the version that you file" -- this line should be added back in if the version that you
downloaded is missing it:</p> downloaded is missing it:</p>
<p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p> <p align="left">net    eth0    detect    routefilter,dhcp,norfc1918</p>
<p align="left">If you downloaded two-interfaces-a.tgz then the above <p align="left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p> line should already be in the file.</p>
<h3 align="left">Version 1.3.5-1.3.5b</h3> <h3 align="left">Version 1.3.5-1.3.5b</h3>
<p align="left">The new 'proxyarp' interface option doesn't work :-( <p align="left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in <a This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p> /var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3> <h3 align="left">Versions 1.3.4-1.3.5a</h3>
<p align="left">Prior to version 1.3.4, host file entries such as the <p align="left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p> following were allowed:</p>
<div align="left"> <div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre> <pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only <p align="left">That capability was lost in version 1.3.4 so that it is only
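Review bot: the 1.3.6 entry says `this correct firewall script` where the other entries say `corrected`, and tells the reader to install it in `/var/lib/shorewall/` while the MULTIPORT section further down points at the same 1.3.6 errata script with the full path /var/lib/shorewall/firewall; give the full path here too so it is clear the download replaces the script rather than being dropped into the directory under its own name.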
@ -370,118 +381,119 @@ above.</p>
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</p> as instructed above.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</p> <p align="left">This problem is corrected in version 1.3.5b.</p>
</div> </div>
<h3 align="left">Version 1.3.5</h3> <h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install <p align="left">REDIRECT rules are broken in this version. Install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version as instructed above. This problem is corrected in version
1.3.5a.</p> 1.3.5a.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3> <h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands <p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy to not verify that the zones named in the /etc/shorewall/policy file
file have been previously defined in the /etc/shorewall/zones have been previously defined in the /etc/shorewall/zones file.
file. The "shorewall check" command does perform this verification The "shorewall check" command does perform this verification so
so it's a good idea to run that command after you have made configuration it's a good idea to run that command after you have made configuration
changes.</p> changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3> <h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after <p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match "Activating rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include in that specifies an interface that you didn't include in
/etc/shorewall/interfaces. To correct this problem, you /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
later versions produce a clearer error message in this case.</p> later versions produce a clearer error message in this case.</p>
<h3 align="left">Version 1.3.2</h3> <h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the <p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct file can be identified by its size (56284 bytes). The correct version
version has a size of 38126 bytes.</p> has a size of 38126 bytes.</p>
<ul> <ul>
<li>The code to detect a duplicate interface <li>The code to detect a duplicate interface
entry in /etc/shorewall/interfaces contained a typo that prevented entry in /etc/shorewall/interfaces contained a typo that
it from working correctly. </li> prevented it from working correctly. </li>
<li>"NAT_BEFORE_RULES=No" was broken; it behaved <li>"NAT_BEFORE_RULES=No" was broken; it behaved
just like "NAT_BEFORE_RULES=Yes".</li> just like "NAT_BEFORE_RULES=Yes".</li>
</ul> </ul>
<p align="left">Both problems are corrected in <a <p align="left">Both problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
as described above.</p> as described above.</p>
<ul> <ul>
<li> <li>
<p align="left">The IANA have just announced the allocation of subnet <p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a 221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p> updated rfc1918</a> file reflects that allocation.</p>
</li> </li>
</ul> </ul>
<h3 align="left">Version 1.3.1</h3> <h3 align="left">Version 1.3.1</h3>
<ul> <ul>
<li>TCP SYN packets may be double counted when <li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
each packet is sent through the limit chain twice).</li> each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain <li>An unnecessary jump to the policy chain
is sometimes generated for a CONTINUE policy.</li> is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than one <li>When an option is given for more than one
interface in /etc/shorewall/interfaces then depending interface in /etc/shorewall/interfaces then depending
on the option, Shorewall may ignore all but the first on the option, Shorewall may ignore all but the first appearence
appearence of the option. For example:<br> of the option. For example:<br>
<br> <br>
net    eth0    dhcp<br> net    eth0    dhcp<br>
loc    eth1    dhcp<br> loc    eth1    dhcp<br>
<br> <br>
Shorewall will ignore the 'dhcp' on eth1.</li> Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described <li>Update 17 June 2002 - The bug described
in the prior bullet affects the following options: dhcp, in the prior bullet affects the following options: dhcp,
dropunclean, logunclean, norfc1918, routefilter, multi, dropunclean, logunclean, norfc1918, routefilter, multi,
filterping and noping. An additional bug has been found filterping and noping. An additional bug has been found
that affects only the 'routestopped' option.<br> that affects only the 'routestopped' option.<br>
<br> <br>
Users who downloaded the corrected script prior Users who downloaded the corrected script prior
to 1850 GMT today should download and install the corrected to 1850 GMT today should download and install the corrected
script again to ensure that this second problem is corrected.</li> script again to ensure that this second problem is corrected.</li>
</ul> </ul>
<p align="left">These problems are corrected in <a <p align="left">These problems are corrected in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in /etc/shorewall/firewall this firewall script</a> which should be installed in /etc/shorewall/firewall
as described above.</p> as described above.</p>
<h3 align="left">Version 1.3.0</h3> <h3 align="left">Version 1.3.0</h3>
<ul> <ul>
<li>Folks who downloaded 1.3.0 from the links <li>Folks who downloaded 1.3.0 from the links
on the download page before 23:40 GMT, 29 May 2002 may on the download page before 23:40 GMT, 29 May 2002 may
have downloaded 1.2.13 rather than 1.3.0. The "shorewall have downloaded 1.2.13 rather than 1.3.0. The "shorewall
version" command will tell you which version that you version" command will tell you which version that you
have installed.</li> have installed.</li>
<li>The documentation NAT.htm file uses non-existent <li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The <a wallpaper and bullet graphic files. The <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li> corrected version is here</a>.</li>
</ul> </ul>
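Review bot: the install path `/var/lib/pub/shorewall/firewall` given in both the 1.3.4-1.3.5a and the 1.3.5 entries does not match the `/var/lib/shorewall/firewall` used everywhere else on the page and looks like the `pub/shorewall` part of the download URL leaked into it; a reader who follows it literally copies the script somewhere nothing reads. Also `commands to not verify` should be `do not verify`, and the 1.3.1 entry says to install its script in `/etc/shorewall/firewall` while the 1.3.2 entry directly above it says /var/lib/shorewall; confirm which location is right for 1.3.1 and make the two agree if they should.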
@ -498,48 +510,51 @@ have installed.</li>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p> released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also corrected 1.2.3 rpm which you can download here</a>  and I have
built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download has released an iptables-1.2.4 RPM of their own which you can download
from<font color="#ff6633"> <a from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p> </font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level specification
while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 <p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
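Review bot: `Update 11/9/2001` uses a numeric date that reads as either 11 September or 9 November, while the rest of the page writes dates as `17 June 2002`; spell the month out. The two iptables RPMs linked in this hunk are offered over ftp without md5sums, unlike the 1.3.7a packages; publish checksums for them as well so readers can verify what they install.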
@ -548,73 +563,74 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by installing
installing <a <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to of iptables, you will need to specify the --oldpackage option to
rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No in <li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li> /etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall <li>if you are running
1.3.6 you may install Shorewall 1.3.6 you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br> in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support The solution is to put "no" in the LOCAL column. Kernel support
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. for LOCAL=yes has never worked properly and 2.4.18-10 has disabled
The 2.4.19 kernel contains corrected support under a new kernel configuraiton it. The 2.4.19 kernel contains corrected support under a new kernel
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 1/21/2003 - <p><font size="2"> Last updated 1/25/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>
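Review bot: the example in the kernel 2.4.18 section, `rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")`, names the wrong program; the command is `rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm`. The SuSE advice to pass `--nodeps` should say it is meant only for the spurious kernel <= 2.2 conflict, since that flag also skips every other dependency check on the package. Minor: `configuraiton` in the NAT section, and the `Last updated` date bumped to 1/25/2003 is in the same ambiguous numeric format as the 11/9/2001 update above.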

Binary file not shown.

View File

@ -20,43 +20,47 @@
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%" <table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0" style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0"> border="0">
<tbody> <tbody>
<tr> <tr>
<td width="33%" valign="middle"> <td width="33%" valign="middle" align="left">
<h1 align="center"><a <h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78" src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
height="79" align="left"> height="79" align="left">
</a></h1> </a></h1>
<a
<h1 align="center"><a
href="http://www.gnu.org/software/mailman/mailman.html"> <img href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> height="35" alt="">
</a></h1> </a>
<p align="right"><font color="#ffffff"><b>  </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<p align="right"><br>
<font color="#ffffff"><b>   </b></font> </p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
</td> </td>
<td valign="middle" width="33%"> <td valign="middle" width="33%"> <a
<h1 align="center"><a href="http://www.postfix.org/"> <img href="http://www.postfix.org/"> <img
src="images/small-picture.gif" align="right" border="0" width="115" src="images/small-picture.gif" align="right" border="0" width="115"
height="45" alt="(Postfix Logo)"> height="45" alt="(Postfix Logo)">
</a></h1> </a><br>
<br>
<div align="left"><a href="http://www.spamassassin.org"><img
src="file:///J:/Shorewall-docs/images/ninjalogo.png" alt="" width="110"
height="42" align="right" border="0">
</a> </div>
<br>
<div align="right"><br> <div align="right"><br>
<b><font color="#ffffff">Powered by Postfix    </font></b><br> <b><font color="#ffffff"><br>
</div> Powered by Postfix    </font></b><br>
</td> </div>
</tr> </td>
</tr>
</tbody> </tbody>
</table> </table>
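Review bot: the SpamAssassin logo block (`<a href="http://www.spamassassin.org"><img src="file:///J:/Shorewall-docs/images/ninjalogo.png" ...>`) points at a local drive path, which cannot resolve for anyone viewing the published page and exposes the author's working-copy layout; the neighbouring logos use relative paths (`images/Vexira_Antivirus_Logo.gif`, `images/logo-sm.jpg`, `images/small-picture.gif`), so if this block is meant to survive it should use `images/ninjalogo.png` and a real `alt` text, and if it is being dropped its surrounding `<br>` spacers should go with it. The Mailman logo's `alt=""` would also benefit from a description.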
@ -65,7 +69,7 @@
href="mailing_list_problems.htm">Check Here</a></h2> href="mailing_list_problems.htm">Check Here</a></h2>
<p align="left">If you experience problems with any of these lists, please <p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p> let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2> <h2 align="left">Not able to Post Mail to shorewall.net?</h2>
@ -76,46 +80,45 @@
href="http://osirusoft.com/"> </a></h2> href="http://osirusoft.com/"> </a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy <p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server about list traffic that bounces.</a> Also please note that the mail server
at shorewall.net checks incoming mail:<br> at shorewall.net checks incoming mail:<br>
</p> </p>
<ol> <ol>
<li>against <a href="http://spamassassin.org">Spamassassin</a> <li>against <a href="http://spamassassin.org">Spamassassin</a>
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br> (including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
</li> </li>
<li>to ensure that the sender address is fully qualified.</li> <li>to ensure that the sender address is fully qualified.</li>
<li>to verify that the sender's domain has an A or MX record <li>to verify that the sender's domain has an A or MX record
in DNS.</li> in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO command is <li>to ensure that the host name in the HELO/EHLO command
a valid fully-qualified DNS name that resolves.</li> is a valid fully-qualified DNS name that resolves.</li>
</ol> </ol>
<h2>Please post in plain text</h2> <h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are rejecting all A growing number of MTAs serving list subscribers are rejecting all
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
"for continuous abuse" because it has been my policy to allow HTML in list "for continuous abuse" because it has been my policy to allow HTML in list
posts!!<br> posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian way to control spam I think that blocking all HTML is a Draconian way to control spam
and that the ultimate losers here are not the spammers but the list subscribers and that the ultimate losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list subscriber whose MTAs are bouncing all shorewall.net mail. As one list subscriber
wrote to me privately "These e-mail admin's need to get a <i>(explitive wrote to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
deleted)</i> life instead of trying to rid the planet of HTML based e-mail". life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
Nevertheless, to allow subscribers to receive list posts as must as possible, to allow subscribers to receive list posts as must as possible, I have now
I have now configured the list server at shorewall.net to strip all HTML configured the list server at shorewall.net to strip all HTML from outgoing
from outgoing posts. This means that HTML-only posts will be bounced by posts. This means that HTML-only posts will be bounced by the list server.<br>
the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br> <p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p> </p>
<h2>Other Mail Delivery Problems</h2> <h2>Other Mail Delivery Problems</h2>
If you find that you are missing an occasional list post, your e-mail If you find that you are missing an occasional list post, your e-mail
admin may be blocking mail whose <i>Received:</i> headers contain the names admin may be blocking mail whose <i>Received:</i> headers contain the names
of certain ISPs. Again, I believe that such policies hurt more than they help of certain ISPs. Again, I believe that such policies hurt more than they
but I'm not prepared to go so far as to start stripping <i>Received:</i> help but I'm not prepared to go so far as to start stripping <i>Received:</i>
headers to circumvent those policies.<br> headers to circumvent those policies.<br>
<h2 align="left">Mailing Lists Archive Search</h2> <h2 align="left">Mailing Lists Archive Search</h2>
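Review bot: the reflow of the "Please post in plain text" paragraph carries two typos through unchanged: "as must as possible" should be "as much as possible", and "explitive deleted" should be "expletive deleted" (it sits inside a quoted subscriber message, so either correct it silently or mark it "[sic]"); the quoted "e-mail admin's" also has a stray apostrophe. The numbered list above spells the product "Spamassassin" while the usual spelling, and the project's own name, is "SpamAssassin".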
@ -129,12 +132,13 @@ but I'm not prepared to go so far as to start stripping <i>Received:</i>
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -143,22 +147,22 @@ but I'm not prepared to go so far as to start stripping <i>Received:</i>
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font> <input type="hidden" name="config" value="htdig"> </font> <input type="hidden" name="config"
<input type="hidden" name="restrict" value="htdig"> <input type="hidden" name="restrict"
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden" value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
name="exclude" value=""> <br> name="exclude" value=""> <br>
Search: <input type="text" size="30" name="words" Search: <input type="text" size="30" name="words"
value=""> <input type="submit" value="Search"> </p> value=""> <input type="submit" value="Search"> </p>
</form> </form>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire <h2 align="left"><font color="#ff0000">Please do not try to download the
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
stand the traffic. If I catch you, you will be blacklisted.<br> won't stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2> </font></h2>
<h2 align="left">Shorewall CA Certificate</h2> <h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued by Shoreline If you want to trust X.509 certificates issued by Shoreline
Firewall (such as the one used on my web site), you may <a Firewall (such as the one used on my web site), you may <a
href="Shorewall_CA_html.html">download and install my CA certificate</a> href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates then you in your browser. If you don't wish to trust my certificates then you
can either use unencrypted access when subscribing to Shorewall mailing can either use unencrypted access when subscribing to Shorewall mailing
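Review bot: the "Shorewall CA Certificate" paragraph asks readers to import a private CA certificate into their browser but gives them nothing to verify it against; a browser-wide CA import makes that key trusted for every site, not only lists.shorewall.net, so the page should publish the certificate's fingerprint beside the download link and state that the import is only needed for the SSL subscription links, the unencrypted links being usable without it (as the following sentence already says).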
@ -176,13 +180,15 @@ this list.</p>
the <a href="support.htm">problem reporting guidelines</a>.</b></p> the <a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users" href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
</ul> </ul>
<p align="left">To post to the list, post to <a <p align="left">To post to the list, post to <a
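Review bot: the anchor text of the SSL subscription link reads `https//lists.shorewall.net/mailman/listinfo/shorewall-users` (colon missing after `https`) in both the old and new versions while the `href` is correct; the visible text is what readers copy into another client, so it should read `https://...`. The `target="_top"` on only the SSL link is inconsistent with the plain-http link beside it.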
@ -191,26 +197,30 @@ this list.</p>
<p align="left">The list archives are at <a <p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted <p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that <a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
list may be found at <a may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p> href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2> <h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the <p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe:<br> Shorewall community. To subscribe:<br>
</p> </p>
<p align="left"></p> <p align="left"></p>
<ul> <ul>
<li><b>Insecure:</b> <a <li><b>Insecure:</b> <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
<li><b>SSL</b>: <a <li><b>SSL</b>: <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce" href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
</ul> </ul>
<p align="left"><br> <p align="left"><br>
The list archives are at <a The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p> href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left">Shorewall Development Mailing List</h2> <h2 align="left">Shorewall Development Mailing List</h2>
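Review bot: the announce list's SSL link has the same defect as the users list, visible text `https//lists.shorewall.net/mailman/listinfo/shorewall-announce.` without the colon, and it additionally carries the sentence's closing period inside the `<a>`, so the period is rendered as part of the link; move the `.` after `</a>`. The empty `<p align="left"></p>` before the list is leftover spacing and can be deleted.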
@ -220,14 +230,17 @@ list may be found at <a
ongoing Shorewall Development.</p> ongoing Shorewall Development.</p>
<p align="left">To subscribe to the mailing list:<br> <p align="left">To subscribe to the mailing list:<br>
</p> </p>
<ul> <ul>
<li><b>Insecure: </b><a <li><b>Insecure: </b><a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li> href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
<li><b>SSL:</b> <a <li><b>SSL:</b> <a
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel" href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li> target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
</ul> </ul>
<p align="left"> To post to the list, post to <a <p align="left"> To post to the list, post to <a
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p> href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
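Review bot: the devel SSL link repeats both problems (`https//` without the colon in the visible text, and the terminating period inside the anchor); since all three list sections are already being touched for whitespace in this commit, fixing them together would be cheap.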
@ -242,26 +255,26 @@ list may be found at <a
make this less confusing. To unsubscribe:</p> make this less confusing. To unsubscribe:</p>
<ul> <ul>
<li> <li>
<p align="left">Follow the same link above that you used to subscribe <p align="left">Follow the same link above that you used to subscribe
to the list.</p> to the list.</p>
</li> </li>
<li> <li>
<p align="left">Down at the bottom of that page is the following text: <p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password " To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get a password
reminder, or change your subscription options enter your subscription reminder, or change your subscription options enter your subscription
email address:". Enter your email address in the box and click email address:". Enter your email address in the box and click
on the "<b>Unsubscribe</b> or edit options" button.</p> on the "<b>Unsubscribe</b> or edit options" button.</p>
</li> </li>
<li> <li>
<p align="left">There will now be a box where you can enter your password <p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password, and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be emailed there is another button that will cause your password to be emailed
to you.</p> to you.</p>
</li> </li>
</ul> </ul>
@ -273,9 +286,10 @@ to you.</p>
<p align="left"><font size="2">Last updated 1/14/2003 - <a <p align="left"><font size="2">Last updated 1/14/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> © <p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>
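Review bot: the footer still says "Last updated 1/14/2003" although this commit (dated 2003-01-31) edits the page; bump the date when content changes, otherwise readers cannot tell which revision they are looking at. The change also adds another bare `<br>` to the run of trailing line breaks; a single margin style would be cleaner than stacking `<br>` elements.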

View File

@ -17,13 +17,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1> <h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -37,77 +37,78 @@
use a combination of Static NAT and Proxy ARP, neither of which are relevant use a combination of Static NAT and Proxy ARP, neither of which are relevant
to a simple configuration with a single public IP address.</small></b></big><big><b><small> to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here won't If you have just a single public IP address, most of what you see here won't
apply to your setup so beware of copying parts of this configuration and apply to your setup so beware of copying parts of this configuration and expecting
expecting them to work for you. They may or may not work in your setup. </small></b></big><br> them to work for you. What you copy may or may not work in your setup. </small></b></big><br>
</p> </p>
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180). <p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport) My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet is connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p> 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p>
<p> I use:<br> <p> I use:<br>
</p> </p>
<ul> <ul>
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5 <li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
and external address 206.124.146.178.</li> and external address 206.124.146.178.</li>
<li>Proxy ARP for wookie (my Linux System). This system has two <li>Proxy ARP for wookie (my Linux System). This system has two
IP addresses: 192.168.1.3/24 and 206.124.146.179/24.</li> IP addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
<li>SNAT through the primary gateway address (206.124.146.176) <li>SNAT through the primary gateway address (206.124.146.176)
for  my Wife's system (tarry) and the Wireless Access Point (wap)</li> for  my Wife's system (tarry) and the Wireless Access Point (wap)</li>
</ul> </ul>
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p> <p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
<p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its <p> Wookie runs Samba and acts as the a WINS server.  Wookie is in its
own 'whitelist' zone called 'me'.</p> own 'whitelist' zone called 'me'.</p>
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable. <p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall
and is managed by Proxy ARP. It connects to the local network through software and is managed by Proxy ARP. It connects to the local network
the PopTop server running on my firewall. </p> through the PopTop server running on my firewall. </p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix, <p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
(Pure-ftpd). The system also runs fetchmail to fetch our email from server (Pure-ftpd). The system also runs fetchmail to fetch our email
our old and current ISPs. That server is managed through Proxy ARP.</p> from our old and current ISPs. That server is managed through Proxy ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local <p> The firewall system itself runs a DHCP server that serves the local
network.</p> network.</p>
<p> All administration and publishing is done using ssh/scp.</p> <p> All administration and publishing is done using ssh/scp.</p>
<p> I run an SNMP server on my firewall to serve <a <p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
in the DMZ.</p> in the DMZ.</p>
<p align="center"> <img border="0" <p align="center"> <img border="0"
src="images/network.png" width="764" height="846"> src="images/network.png" width="764" height="846">
</p> </p>
<p> </p> <p> </p>
<p>The ethernet interface in the Server is configured <p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask with IP address 206.124.146.177, netmask
255.255.255.0. The server's default gateway is 255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same 206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall, default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because 206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see of the entry in /etc/shorewall/proxyarp (see
below).</p> below).</p>
<p>A similar setup is used on eth3 (192.168.3.1) which <p>A similar setup is used on eth3 (192.168.3.1) which
interfaces to my laptop (206.124.146.180).<br> interfaces to my laptop (206.124.146.180).<br>
</p> </p>
<p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior <p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
access.<br> access.<br>
</p> </p>
<p><font color="#ff0000" size="5"></font></p> <p><font color="#ff0000" size="5"></font></p>
</blockquote> </blockquote>
<h3>Shorewall.conf</h3> <h3>Shorewall.conf</h3>
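Review bot: "Wookie runs Samba and acts as the a WINS server" keeps the doubled article ("the a") through the reflow; fix to "acts as the WINS server". The empty `<p><font color="#ff0000" size="5"></font></p>` just before `</blockquote>` renders nothing and can be removed. The rewording to "What you copy may or may not work in your setup" is an improvement, but the warning would be stronger if it named the site-specific parts explicitly: the static NAT and proxy ARP entries tied to 206.124.146.176-180, which the opening sentence already says are irrelevant to a single-address setup.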
@ -120,9 +121,9 @@ below).</p>
<h3>Interfaces File: </h3> <h3>Interfaces File: </h3>
<blockquote> <blockquote>
<p> This is set up so that I can start the firewall before bringing up my <p> This is set up so that I can start the firewall before bringing up
Ethernet interfaces. </p> my Ethernet interfaces. </p>
</blockquote> </blockquote>
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
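Review bot: the interfaces file lists `filterping` on every interface, yet the ping document changed in this same commit says that from 1.3.14 with `OLD_PING_HANDLING=No` ping is governed by rules and policies; the sample should state which setting this configuration runs under so readers know whether `filterping` still does anything for them. Also, `eth3` is placed in zone `net` with only `filterping,blacklist`, while `eth0`, the other `net` interface, has `routefilter,norfc1918` as well; if the difference is intentional (laptop on a cross-over cable, managed by proxy ARP) a comment in the file would stop people copying the weaker line for a real Internet-facing interface.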
@ -137,6 +138,7 @@ Ethernet interfaces. </p>
<h3>Common File: </h3> <h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre> <pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
<h3>Policy File:</h3> <h3>Policy File:</h3>
<pre><font size="2" face="Courier"> <pre><font size="2" face="Courier">
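Review bot: `run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP` has no comment explaining its purpose; a reader copying it should be told that it drops new UDP flows arriving with source port 53, i.e. traffic dressed up as DNS replies to slip past rules that accept DNS answers. `-m state` is also the documented spacing of the match option, even though iptables tolerates `-mstate`.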
@ -152,9 +154,9 @@ Ethernet interfaces. </p>
<blockquote> <blockquote>
<p> Although most of our internal systems use static NAT, my wife's system <p> Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p> laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
</blockquote> </blockquote>
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre> <pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
@ -173,15 +175,16 @@ Ethernet interfaces. </p>
<pre><small> #TYPE          ZONE    GATEWAY</small><small> <br> gre             net     $TEXAS</small><small><br> #LAST LINE -- DO NOT REMOVE<br></small></pre> <pre><small> #TYPE          ZONE    GATEWAY</small><small> <br> gre             net     $TEXAS</small><small><br> #LAST LINE -- DO NOT REMOVE<br></small></pre>
<h3>Rules File (The shell variables <h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3> are set in /etc/shorewall/params):</h3>
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> ACCEPT net loc:192.168.1.5 tcp 1723<br> ACCEPT net loc:192.168.1.5 gre<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # 
DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre> <pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp 
echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> ACCEPT net loc:192.168.1.5 tcp 1723<br> ACCEPT net loc:192.168.1.5 gre<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2"> Last updated 1/12/2003 - </font><font size="2"> <p><font size="2"> Last updated 1/12/2003 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font> <a href="support.htm">Tom Eastep</a></font>
</p> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <a href="copyright.htm"><font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br> <br>
</body> </body>
</html> </html>
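Review bot: two points in the rules file and one in the footer. The `# Internet to Firewall` section header lacks the leading `#` separator line that every other section has, so the block reads as a continuation of `# DMZ to Local Network`. The workaround `ACCEPT:info dmz net tcp 1024: 20` lets any DMZ host open outbound TCP connections from source port 20 to any unprivileged port on the Internet; only the FTP server (206.124.146.177) needs this for active-mode data connections, so `dmz:206.124.146.177` as the SOURCE would keep the rule from becoming a general egress path for a compromised DMZ host if another machine is ever added there (the `:info` logging already makes its use visible). Finally, "Last updated 1/12/2003" is not bumped although the commit touches the page.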

View File

@ -13,118 +13,128 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1> <h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall 'Ping' management has evolved over time with the latest change Shorewall 'Ping' management has evolved over time with the latest change
coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>) coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>)
was added to /etc/shorewall/shorewall.conf. The value of that option determines was added to /etc/shorewall/shorewall.conf. The value of that option determines
the overall handling of ICMP echo requests (pings).<br> the overall handling of ICMP echo requests (pings).<br>
<h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2> <h2>Shorewall Versions &gt;= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests just like any other connection request. In order to accept ping requests from
from zone z1 to zone z2, you need a rule in /etc/shoreall/rules of the form:<br> zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example: <br> Example: <br>
<br> <br>
To permit ping from the local zone to the firewall:<br> To permit ping from the local zone to the firewall:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
If you would like to accept 'ping' by default, create <b>/etc/shorewall/icmpdef If you would like to accept 'ping' by default even when the relevant
</b>if it doesn't already exist and in that file place the following command:<br> policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
already exist and in that file place the following command:<br>
<blockquote> <blockquote>
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre> <pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
</blockquote> </blockquote>
With that rule in place, if you want to ignore 'ping' from z1 to z2 then With that rule in place, if you want to ignore 'ping' from z1 to z2 then
you need a rule of the form:<br> you need a rule of the form:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br> </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
Example:<br> Example:<br>
<br> <br>
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br> To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
<blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; <blockquote>DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br> <h2>Shorewall Versions &lt; 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
</h2> </h2>
There are several aspects to the old Shorewall Ping management:<br> There are several aspects to the old Shorewall Ping management:<br>
<ol> <ol>
<li>The <b>noping</b> and <b>filterping </b>interface options in <a <li>The <b>noping</b> and <b>filterping </b>interface options in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li> href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
<li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf"> <li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf</a>.</li> /etc/shorewall/shorewall.conf</a>.</li>
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li> <li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ol> </ol>
There are two cases to consider:<br> There are two cases to consider:<br>
<ol> <ol>
<li>Ping requests addressed to the firewall itself; and</li> <li>Ping requests addressed to the firewall itself; and</li>
<li>Ping requests being forwarded to another system. Included here are <li>Ping requests being forwarded to another system. Included here are
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
routing.</li> routing.</li>
</ol> </ol>
These cases will be covered separately.<br> These cases will be covered separately.<br>
<h3>Ping Requests Addressed to the Firewall Itself</h3> <h3>Ping Requests Addressed to the Firewall Itself</h3>
For ping requests addressed to the firewall, the sequence is as follows:<br> For ping requests addressed to the firewall, the sequence is as follows:<br>
<ol> <ol>
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the <li>If neither <b>noping</b> nor <b>filterping </b>are specified for
interface that receives the ping request then the request will be responded the interface that receives the ping request then the request will be responded
to with an ICMP echo-reply.</li> to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives the <li>If <b>noping</b> is specified for the interface that receives the
ping request then the request is ignored.</li> ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the request <li>If <b>filterping </b>is specified for the interface then the request
is passed to the rules/policy evaluation.</li> is passed to the rules/policy evaluation.</li>
</ol> </ol>
<h3>Ping Requests Forwarded by the Firewall</h3> <h3>Ping Requests Forwarded by the Firewall</h3>
These requests are <b>always</b> passed to rules/policy evaluation.<br> These requests are <b>always</b> passed to rules/policy evaluation.<br>
<h3>Rules Evaluation</h3> <h3>Rules Evaluation</h3>
Ping requests are ICMP type 8. So the general rule format is:<br> Ping requests are ICMP type 8. So the general rule format is:<br>
<br> <br>
&nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <i>Target&nbsp;&nbsp;&nbsp; Source&nbsp;&nbsp;&nbsp;
Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br> Destination&nbsp;&nbsp;&nbsp; </i>icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 1. Accept pings from the net to the dmz (pings are responded to Example 1. Accept pings from the net to the dmz (pings are responded to
with an ICMP echo-reply):<br> with an ICMP echo-reply):<br>
<br> <br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<br> <br>
Example 2. Drop pings from the net to the firewall<br> Example 2. Drop pings from the net to the firewall<br>
<br> <br>
&nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; DROP&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br> icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3> <h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to the destination If no applicable rule is found, then the policy for the source to the destination
is applied.<br> is applied.<br>
<ol> <ol>
<li>If the relevant policy is ACCEPT then the request is responded to <li>If the relevant policy is ACCEPT then the request is responded to
with an ICMP echo-reply.</li> with an ICMP echo-reply.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf <li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li> then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the request <li>Otherwise, the relevant REJECT or DROP policy is used and the request
is either rejected or simply ignored.</li> is either rejected or simply ignored.</li>
</ol> </ol>
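Review bot: the new "Shorewall Versions >= 1.3.14 with OLD_PING_HANDLING=No" section is missing the upgrade consequence that the 1.3.14 news entry in this same commit states, namely that FORWARDPING=Yes and the noping/filterping interface options generate an error when OLD_PING_HANDLING=No; that is the first thing an upgrading reader hits, yet this page only mentions those options under the old-handling heading. It should also state the default value of OLD_PING_HANDLING, which neither heading gives. Separately, the path in "a rule in /etc/shoreall/rules" is misspelled on both sides of the hunk and should read /etc/shorewall/rules. Finally, since the icmpdef example accepts echo-request by default regardless of policy, say explicitly that this applies to every zone, including net, so readers know to pair it with the `DROP net fw icmp 8` rule shown below it when that is not what they want.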
@ -133,6 +143,7 @@ is either rejected or simply ignored.</li>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font <p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br>
<br> <br>
<br> <br>
</body> </body>

View File

@ -13,7 +13,8 @@
<base target="_self"> <base
target="_self">
</head> </head>
<body> <body>
@ -23,11 +24,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -41,8 +42,10 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall 1.3 </a></i></font><font color="#ffffff">Shorewall
- <font size="4">"<i>iptables made easy"</i></font></font></h1> 1.3 - <font size="4">"<i>iptables made
easy"</i></font></font></h1>
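Review bot: while this hunk reflows the logo markup, the `alt="Shorwall Logo"` attribute on the image is still misspelled; it should be `alt="Shorewall Logo"`.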
@ -55,13 +58,13 @@
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a><br> color="#ffffff">Shorewall 1.2 Site here</font></a><br>
</div> </div>
<br> <br>
</td> </td>
</tr> </tr>
@ -80,11 +83,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%">
<td width="90%">
@ -104,10 +108,10 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a <p>The Shoreline Firewall, more commonly known as "Shorewall", is
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -119,24 +123,24 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
Public License</a> as published by the Free Software Foundation.<br> General Public License</a> as published by the Free Software Foundation.<br>
<br> <br>
This program is distributed in the hope This program is distributed in the hope
that it will be useful, but WITHOUT ANY WARRANTY; that it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br> GNU General Public License for more details.<br>
<br> <br>
You should have received a copy of the You should have received a copy of the
GNU General Public License along with this GNU General Public License along with this
program; if not, write to the Free Software Foundation, program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -161,24 +165,27 @@ program; if not, write to the Free Software Foundation,
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway on a floppy, CD or have a LEAF (router/firewall/gateway on a floppy, CD
compact flash) distribution called <i>Bering</i> or compact flash) distribution called <i>Bering</i>
that features Shorewall-1.3.10 and Kernel-2.4.18. that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<p><b>Congratulations to Jacques and Eric on the recent release of Bering
1.0 Final!!! </b><br> <p><b>Congratulations to Jacques and Eric on the recent release of
</p> Bering 1.0 Final!!! </b><br>
</p>
<h2>This is a mirror of the main Shorewall web site at SourceForge (<a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> <h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -210,245 +217,348 @@ compact flash) distribution called <i>Bering</i>
<p><b>1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b><img <p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 <p>Includes the Beta 1 content plus restores VLAN device names of the
documenation. the PDF may be downloaded from</p> form $dev.$vid (e.g., eth0.1)</p>
    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
<p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b><img <p> The beta may be downloaded from:<br>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to the generosity of Alex Martin and <a
href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and
ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A
big thanks to Alex for making this happen.<br>
</p> </p>
<p><b>1/13/2003 - Shorewall 1.3.13</b><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
</p> <a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p>Just includes a few things that I had on the burner:<br> <p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
</p> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><br>
</p>
<p>The Beta includes the following changes:<br>
</p>
<ol> <ol>
<li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules <li>An OLD_PING_HANDLING option has been added to shorewall.conf.
file. DNAT- is intended for advanced users who wish to minimize the number When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
of rules that connection requests must traverse.<br> <br>
<br> When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies
A Shorewall DNAT rule actually generates two iptables rules: a header just like any other connection request. The FORWARDPING=Yes option in shorewall.conf
rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. and the 'noping' and 'filterping' options in /etc/shorewall/interfaces will
A DNAT- rule only generates the first of these rules. This is handy when all generate an error.<br>
you have several DNAT rules that would generate the same ACCEPT rule.<br> <br>
<br> </li>
   Here are three rules from my previous rules file:<br> <li>It is now possible to direct Shorewall to create a "label"
<br> such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br> and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br> just the interface name:<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>  <br>
<br>    a) In the INTERFACE column of /etc/shorewall/masq<br>
   These three rules ended up generating _three_ copies of<br>    b) In the INTERFACE column of /etc/shorewall/nat<br>
<br>  </li>
         ACCEPT net  dmz:206.124.146.177 tcp smtp<br> <li>When an interface name is entered in the SUBNET column of the
<br> /etc/shorewall/masq file, Shorewall previously masqueraded traffic from
   By writing the rules this way, I end up with only one copy of the only the first subnet defined on that interface. It did not masquerade traffic
ACCEPT rule.<br> from:<br>
<br>  <br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>    a) The subnets associated with other addresses on the interface.<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>    b) Subnets accessed through local routers.<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>  <br>
<br> Beginning with Shorewall 1.3.14, if you enter an interface name in the
</li> SUBNET column, shorewall will use the firewall's routing table to construct
<li>The 'shorewall check' command now prints out the applicable the masquerading/SNAT rules.<br>
policy between each pair of zones.<br>  <br>
<br> Example 1 -- This is how it works in 1.3.14.<br>
</li>    <br>
<li>A new CLEAR_TC option has been added to shorewall.conf. If
this option is set to 'No' then Shorewall won't clear the current traffic <pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
control rules during [re]start. This setting is intended for use by people
that prefer to configure traffic shaping when the network interfaces come <pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
up rather than when the firewall is started. If that is what you want to
do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart <pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos... <br></pre>
file. That way, your traffic shaping rules can still use the 'fwmark' classifier When upgrading to Shorewall 1.3.14, if you have multiple local subnets
based on packet marking defined in /etc/shorewall/tcrules.<br> connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
<br> entry, your /etc/shorewall/masq file will need changing. In most cases, you
</li> will simply be able to remove redundant entries. In some cases though, you
<li>A new SHARED_DIR variable has been added that allows distribution might want to change from using the interface name to listing specific subnetworks
packagers to easily move the shared directory (default /usr/lib/shorewall). if the change described above will cause masquerading to occur on subnetworks
Users should never have a need to change the value of this shorewall.conf that you don't wish to masquerade.<br>
setting.<br>  <br>
</li> Example 2 -- Suppose that your current config is as follows:<br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#<br></pre>
   In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
 <br>
Example 3 -- What if your current configuration is like this?<br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#<br></pre>
   In this case, you would want to change the entry in  /etc/shorewall/masq
to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
The beta may be downloaded from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
documenation. the PDF may be downloaded from</p>
    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
<p><b>1/17/2003 - shorewall.net has MOVED</b><b></b></p>
<p>Thanks to the generosity of Alex Martin and <a
href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and ftp.shorewall.net
are now hosted on a system in Bellevue, Washington. A big thanks to Alex
for making this happen.<br>
</p>
<p><b>1/13/2003 - Shorewall 1.3.13</b><br>
</p>
<p>Just includes a few things that I had on the burner:<br>
</p>
<ol>
<li>A new 'DNAT-' action has been added for entries in the
/etc/shorewall/rules file. DNAT- is intended for advanced users who wish
to minimize the number of rules that connection requests must traverse.<br>
<br>
A Shorewall DNAT rule actually generates two iptables rules: a header
rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table.
A DNAT- rule only generates the first of these rules. This is handy when
you have several DNAT rules that would generate the same ACCEPT rule.<br>
<br>
   Here are three rules from my previous rules file:<br>
<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
<br>
   These three rules ended up generating _three_ copies of<br>
<br>
         ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
<br>
   By writing the rules this way, I end up with only one copy of the
ACCEPT rule.<br>
<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<br>
</li>
<li>The 'shorewall check' command now prints out the applicable
policy between each pair of zones.<br>
<br>
</li>
<li>A new CLEAR_TC option has been added to shorewall.conf.
If this option is set to 'No' then Shorewall won't clear the current traffic
control rules during [re]start. This setting is intended for use by people
that prefer to configure traffic shaping when the network interfaces come
up rather than when the firewall is started. If that is what you want
to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
file. That way, your traffic shaping rules can still use the 'fwmark'
classifier based on packet marking defined in /etc/shorewall/tcrules.<br>
<br>
</li>
<li>A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf
setting.<br>
</li>
</ol> </ol>
<p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> <p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
</b></p> </b></p>
<p><b>Until further notice, I will not be involved in either Shorewall <p><b>Until further notice, I will not be involved in either Shorewall
Development or Shorewall Support</b></p> Development or Shorewall Support</b></p>
<p><b>-Tom Eastep</b><br> <p><b>-Tom Eastep</b><br>
</p> </p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b> <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p> </p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p> </b></p>
<p> Features include:<br> <p> Features include:<br>
</p> </p>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping <li>"shorewall refresh" now reloads the traffic shaping
rules (tcrules and tcstart).</li> rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging <li>"shorewall debug [re]start" now turns off debugging
after an error occurs. This places the point of the failure near the after an error occurs. This places the point of the failure near the
end of the trace rather than up in the middle of it.</li> end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more <li>"shorewall [re]start" has been speeded up by more
than 40% with my configuration. Your milage may vary.</li> than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added <li>A "shorewall show classifiers" command has been
which shows the current packet classification filters. The output added which shows the current packet classification filters. The output
from this command is also added as a separate page in "shorewall monitor"</li> from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid <li>ULOG (must be all caps) is now accepted as a valid
syslog level and causes the subject packets to be logged using the ULOG syslog level and causes the subject packets to be logged using the
target rather than the LOG target. This allows you to run ulogd (available ULOG target rather than the LOG target. This allows you to run ulogd
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) (available from <a
and log all Shorewall messages <a href="shorewall_logging.html">to href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
a separate log file</a>.</li> and log all Shorewall messages <a href="shorewall_logging.html">to
<li>If you are running a kernel that has a FORWARD chain a separate log file</a>.</li>
in the mangle table ("shorewall show mangle" will show you the chains <li>If you are running a kernel that has a FORWARD
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a chain in the mangle table ("shorewall show mangle" will show you
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
input packets based on their destination even when you are using Masquerading in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for
or SNAT.</li> marking input packets based on their destination even when you are
<li>I have cluttered up the /etc/shorewall directory with using Masquerading or SNAT.</li>
empty 'init', 'start', 'stop' and 'stopped' files. If you already <li>I have cluttered up the /etc/shorewall directory
have a file with one of these names, don't worry -- the upgrade process with empty 'init', 'start', 'stop' and 'stopped' files. If you already
won't overwrite your file.</li> have a file with one of these names, don't worry -- the upgrade process
<li>I have added a new RFC1918_LOG_LEVEL variable to <a won't overwrite your file.</li>
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies <li>I have added a new RFC1918_LOG_LEVEL variable to
the syslog level at which packets are logged as a result of entries in <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable
the /etc/shorewall/rfc1918 file. Previously, these packets were always specifies the syslog level at which packets are logged as a result
logged at the 'info' level.<br> of entries in the /etc/shorewall/rfc1918 file. Previously, these packets
</li> were always logged at the 'info' level.<br>
</li>
</ol> </ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p> </p>
This version corrects a problem with Blacklist logging. In Beta This version corrects a problem with Blacklist logging. In
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall
fail to start and "shorewall refresh" would also fail.<br> would fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br> <p> You may download the Beta from:<br>
</p> </p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p> </b></p>
The first public Beta version of Shorewall 1.3.12 is now The first public Beta version of Shorewall 1.3.12 is now
available (Beta 1 was made available to a limited audience). <br> available (Beta 1 was made available to a limited audience). <br>
<br> <br>
Features include:<br> Features include:<br>
<br> <br>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping <li>"shorewall refresh" now reloads the traffic
rules (tcrules and tcstart).</li> shaping rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging <li>"shorewall debug [re]start" now turns off
after an error occurs. This places the point of the failure near the debugging after an error occurs. This places the point of the failure
end of the trace rather than up in the middle of it.</li> near the end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by <li>"shorewall [re]start" has been speeded up
more than 40% with my configuration. Your milage may vary.</li> by more than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been <li>A "shorewall show classifiers" command has
added which shows the current packet classification filters. The output been added which shows the current packet classification filters.
from this command is also added as a separate page in "shorewall monitor"</li> The output from this command is also added as a separate page in "shorewall
<li>ULOG (must be all caps) is now accepted as a monitor"</li>
valid syslog level and causes the subject packets to be logged using <li>ULOG (must be all caps) is now accepted as
the ULOG target rather than the LOG target. This allows you to run ulogd a valid syslog level and causes the subject packets to be logged using
(available from <a the ULOG target rather than the LOG target. This allows you to run ulogd
(available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to and log all Shorewall messages <a href="shorewall_logging.html">to
a separate log file</a>.</li> a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD <li>If you are running a kernel that has a FORWARD
chain in the mangle table ("shorewall show mangle" will show you the chain in the mangle table ("shorewall show mangle" will show you the
chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
in shorewall.conf. This allows for marking input packets based on in shorewall.conf. This allows for marking input packets based on their
their destination even when you are using Masquerading or SNAT.</li> destination even when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory <li>I have cluttered up the /etc/shorewall directory
with empty 'init', 'start', 'stop' and 'stopped' files. If you already with empty 'init', 'start', 'stop' and 'stopped' files. If you already
have a file with one of these names, don't worry -- the upgrade process have a file with one of these names, don't worry -- the upgrade process
won't overwrite your file.</li> won't overwrite your file.</li>
</ol> </ol>
You may download the Beta from:<br> You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png" href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="21" border="0"> alt="Powered by Mandrake Linux" width="150" height="21" border="0">
</a></b></p> </a></b></p>
Shorewall is at the center of MandrakeSoft's recently-announced Shorewall is at the center of MandrakeSoft's recently-announced
<a <a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br> release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b> <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p> </b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now delivered. I have installed 9.0 on one of my systems and I am
in a position to support Shorewall users who run Mandrake 9.0.</p> now in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br> <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><br>
</p> </p>
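Review bot: the 1.3.12 Beta 2 feature list still reads "Your milage may vary" (should be "mileage") and "has been speeded up" (better "sped up"); since this hunk already reflows those two list items, correct the wording here rather than carrying the typo into the regenerated page.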
@ -458,39 +568,40 @@ their destination even when you are using Masquerading or SNAT.</li>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b> <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p> </b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
users who don't need rules of this type need not upgrade to 1.3.11.</p> users who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p> </p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b> <p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
</b></p> </b></p>
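Review bot: the 1.3.11a entry says "Current 1.3.11 users who don't need rules of this type need not upgrade to 1.3.11", which is circular; the release being announced is 1.3.11a, so the sentence should end "need not upgrade to 1.3.11a". In the PDF entry just below, "documenation. the PDF may be downloaded" needs "documentation. The PDF may be downloaded".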
@ -498,24 +609,28 @@ their destination even when you are using Masquerading or SNAT.</li>
<ul> <ul>
<li>A 'tcpflags' option has been added <li>A 'tcpflags' option has been added
to entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. to entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP This option causes Shorewall to make a set of sanity check on TCP
packet header flags.</li> packet header flags.</li>
<li>It is now allowed to use 'all' in the <li>It is now allowed to use 'all' in
SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>. the SOURCE or DEST column in a <a
When used, 'all' must appear by itself (in may not be qualified) href="Documentation.htm#Rules">rule</a>. When used, 'all' must
and it does not enable intra-zone traffic. For example, the rule appear by itself (in may not be qualified) and it does not enable
<br> intra-zone traffic. For example, the rule <br>
<br> <br>
    ACCEPT loc all tcp 80<br>     ACCEPT loc all tcp 80<br>
<br> <br>
does not enable http traffic from 'loc' to 'loc'.</li> does not enable http traffic from 'loc' to
<li>Shorewall's use of the 'echo' command 'loc'.</li>
is now compatible with bash clones such as ash and dash.</li> <li>Shorewall's use of the 'echo' command
<li>fw-&gt;fw policies now generate a startup is now compatible with bash clones such as ash and dash.</li>
error. fw-&gt;fw rules generate a warning and are ignored</li> <li>fw-&gt;fw policies now generate
a startup error. fw-&gt;fw rules generate a warning and are
ignored</li>
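Review bot: two wording slips survive the reflow of the 1.3.11 feature list: "make a set of sanity check on TCP packet header flags" should read "sanity checks", and "(in may not be qualified)" should read "(it may not be qualified)". The last item also lacks a closing period after "are ignored".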
@ -525,6 +640,7 @@ packet header flags.</li>
<p><b></b><a href="News.htm">More News</a></p> <p><b></b><a href="News.htm">More News</a></p>
@ -538,12 +654,13 @@ packet header flags.</li>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" valign="top" <td width="88" bgcolor="#4b017c"
align="center"> <a href="http://sourceforge.net">M</a></td> valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td>
</tr> </tr>
@ -553,9 +670,9 @@ packet header flags.</li>
</table> </table>
</center> </center>
</div> </div>
@ -563,11 +680,11 @@ packet header flags.</li>
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
@ -579,8 +696,8 @@ packet header flags.</li>
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
   
</a></p> </a></p>
@ -590,15 +707,16 @@ packet header flags.</li>
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></p>
</td> <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p>
</tr> </td>
</tr>
@ -610,7 +728,7 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 1/18/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 1/28/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>

View File

@ -18,43 +18,43 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom on the PCT - 1991" width="316" height="392">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tarry &amp; Tom -- August 2002<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - (now part of the <a href="http://www.hp.com">The New HP</a>) 1980
present</li> - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation <p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p> operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
@ -69,27 +69,27 @@ present</li>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 20GB
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Serves
Serves as a PPTP server for Road Warrior access. Also has <a as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li> href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as a NIC - My personal Linux System which runs Samba configured as a
WINS server. This system also has <a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run href="http://www.vmware.com/">VMware</a> installed and can run both
both <a href="http://www.debian.org">Debian Woody</a> and <a <a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
DNS server (Bind).</li> DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX  <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX 
(Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.12+  and a (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.14  and a DHCP
DHCP server.</li> server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC -
wife's personal system.</li> My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
work system.</li> work system.</li>
</ul> </ul>
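Review bot: the hardware list uses "1.2Gz" and "Celeron 1.4Gz" where "GHz" is meant, and the firewall entry has a doubled unit, "256MB MB RAM"; as this hunk rewrites those items anyway (bumping the firewall to Shorewall 1.3.14), fix the units in the same change.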
@ -102,24 +102,25 @@ work system.</li>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0" </a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31"> src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img </a><font size="4"><a href="http://www.apache.org"><img
border="0" src="images/apache_pb1.gif" hspace="2" width="170" border="0" src="images/apache_pb1.gif" hspace="2" width="170"
height="20"> height="20">
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall" </a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4"> width="125" height="40" hspace="4">
</font></p> </font></p>
<p><font size="2">Last updated 1/7/2003 - </font><font size="2"> <a <p><font size="2">Last updated 1/24/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font><br> M. Eastep.</font></a></font><br>
<br>
</body> </body>
</html> </html>

View File

@ -17,95 +17,98 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<ul> <ul>
<li>Uses Netfilter's connection tracking facilities for stateful packet <li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li> filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>. <li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<ul> <ul>
<li>Completely customizable using configuration files.</li> <li>Completely customizable using configuration files.</li>
<li>No limit on the number of network interfaces.</li> <li>No limit on the number of network interfaces.</li>
<li>Allows you to partitions the network into <i><a <li>Allows you to partitions the network into <i><a
href="Documentation.htm#Zones">zones</a></i> and gives you complete href="Documentation.htm#Zones">zones</a></i> and gives you complete
control over the connections permitted between each pair of zones.</li> control over the connections permitted between each pair of zones.</li>
<li>Multiple interfaces per zone and multiple zones per interface <li>Multiple interfaces per zone and multiple zones per interface
permitted.</li> permitted.</li>
<li>Supports nested and overlapping zones.</li> <li>Supports nested and overlapping zones.</li>
</ul> </ul>
</li> </li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to <li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
help get your first firewall up and running quickly</li> to help get your first firewall up and running quickly</li>
<li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> <li>Extensive <b> <a
</b> included in the .tgz and .rpm downloads.</li> href="shorewall_quickstart_guide.htm#Documentation" target="_top">documentation</a>
<li><b>Flexible address management/routing support</b> (and you can use </b> included in the .tgz and .rpm downloads.</li>
all types in the same firewall): <li><b>Flexible address management/routing support</b> (and you can
use all types in the same firewall):
<ul> <ul>
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li> <li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li> <li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li> <li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li> <li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
<li>Simple host/subnet Routing</li> <li>Simple host/subnet Routing</li>
</ul> </ul>
</li> </li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual <li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.</li> IP addresses and subnetworks is supported.</li>
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>: <li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<ul> <ul>
<li>Commands to start, stop and clear the firewall</li> <li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring with an audible alarm <li>Supports status monitoring with an audible alarm
when an "interesting" packet is detected.</li> when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li> <li>Wide variety of informational commands.</li>
</ul> </ul>
</li> </li>
<li><b>VPN Support</b> <li><b>VPN Support</b>
<ul> <ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP Tunnels</a>.</li> <li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP and
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li> OpenVPN Tunnels</a>.</li>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
</ul> </ul>
</li> </li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a> <li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.</li> integration.</li>
<li>Wide support for different <b>GNU/Linux Distributions</b>. <li>Wide support for different <b>GNU/Linux Distributions</b>.
<ul> <ul>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a <li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a> href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
packages available.</li> packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback <li>Includes <a href="Install.htm"><b>automated install, upgrade,
and uninstall facilities</b></a> for users who can't use or choose fallback and uninstall facilities</b></a> for users who can't use
not to use the RPM or Debian packages.</li> or choose not to use the RPM or Debian packages.</li>
<li>Included as a standard part of<b> <a <li>Included as a standard part of<b> <a
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
on a floppy, CD or compact flash).</li> on a floppy, CD or compact flash).</li>
</ul> </ul>
</li>
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address
<b>Verification</b><br>
</a><br>
</li> </li>
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address
<b>Verification</b><br>
</a><br>
</li>
</ul> </ul>
<p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last updated 1/31/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
</body> </body>
</html> </html>
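Review bot: "Allows you to partitions the network into zones" should read "partition"; it is unchanged in this hunk but sits in the reflowed block. The documentation link now targets shorewall_quickstart_guide.htm#Documentation instead of Documentation_Index.htm; the matching <a name="Documentation"> anchor is added in the QuickStart hunk below, so the new link resolves, but any other page still linking to Documentation_Index.htm needs the same update if that file is being retired. The VPN item now lists "IPSEC, GRE,  IPIP and OpenVPN Tunnels" (double space after "GRE,") while still linking to Documentation.htm#Tunnels; confirm that section actually covers OpenVPN.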

View File

@ -20,116 +20,121 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
Version 3.1</font></h1> Version 3.1</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that we <p align="center">With thanks to Richard who reminded me once again that
must all first walk before we can run.</p> we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>The following guides are for <b>users who have a single public IP address</b>:</p>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li> <li><a href="standalone.htm">Standalone</a> Linux System
<li><a href="two-interface.htm">Two-interface</a> Linux (<a href="standalone_fr.html">Version Française</a>)</li>
System acting as a firewall/router for a small local network</li> <li><a href="two-interface.htm">Two-interface</a> Linux
<li><a href="three-interface.htm">Three-interface</a> Linux System acting as a firewall/router for a small local network (<a
System acting as a firewall/router for a small local network and href="two-interface_fr.html">Version Française</a>)</li>
a DMZ.</li> <li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local network
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p> quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines <p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where <b>there are multiple the steps necessary to set up a firewall where <b>there are multiple
public IP addresses involved or if you want to learn more about Shorewall public IP addresses involved or if you want to learn more about Shorewall
than is explained in the single-address guides above.</b></p> than is explained in the single-address guides above.</b></p>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 <li><a href="shorewall_setup_guide.htm#Introduction">1.0
Introduction</a></li> Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li> Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 <li><a href="shorewall_setup_guide.htm#Interfaces">3.0
Network Interfaces</a></li> Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 <li><a href="shorewall_setup_guide.htm#Addressing">4.0
Addressing, Subnets and Routing</a> Addressing, Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 <li><a href="shorewall_setup_guide.htm#Addresses">4.1
IP Addresses</a></li> IP Addresses</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Routing</a></li>
Resolution Protocol</a></li> <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC <li><a href="shorewall_setup_guide.htm#RFC1918">4.5
1918</a></li> RFC 1918</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting <li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a> up your Network</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li> <li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 <li><a href="shorewall_setup_guide.htm#NonRouted">5.2
Non-routed</a> Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li> SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li> DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 <li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li> Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static <li><a href="shorewall_setup_guide.htm#NAT">5.2.4
NAT</a></li> Static NAT</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 <li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li> Odds and Ends</a></li>
</ul> </ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li> <li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a <li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li> Stopping the Firewall</a></li>
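Review bot: the three new "Version Française" links point at standalone_fr.html, two-interface_fr.html and three-interface_fr.html, but those files are not visible in this diff; confirm they are part of the commit (and that the .html extension matches the files, since the English guides use .htm), otherwise the Guides section ships dead links. Minor style point: the three-interface entry places a period before the parenthetical ("and a DMZ. (Version Française)") while the other two do not.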
@ -138,151 +143,154 @@ DNAT</a></li>
<h2><a name="Documentation"></a>Documentation Index</h2> <h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before trying described above</b>. Please review the appropriate guide before trying
to use this documentation directly.</p> to use this documentation directly.</p>
<ul> <ul>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a href="configuration_file_basics.htm">Common configuration <li><a href="configuration_file_basics.htm">Common configuration
file features</a> file features</a>
<ul> <ul>
<li><a href="configuration_file_basics.htm#Comments">Comments <li><a
in configuration files</a></li> href="configuration_file_basics.htm#Comments">Comments in configuration
<li><a files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li> href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#Ports">Port <li><a href="configuration_file_basics.htm#Ports">Port
Numbers/Service Names</a></li> Numbers/Service Names</a></li>
<li><a href="configuration_file_basics.htm#Ranges">Port <li><a href="configuration_file_basics.htm#Ranges">Port
Ranges</a></li> Ranges</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li> href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a href="configuration_file_basics.htm#dnsnames">Using <li><a
DNS Names</a><br> href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li> </li>
<li><a <li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a href="configuration_file_basics.htm#Configs">Shorewall <li><a href="configuration_file_basics.htm#Configs">Shorewall
Configurations (making a test configuration)</a></li> Configurations (making a test configuration)</a></li>
<li><a href="configuration_file_basics.htm#MAC">Using <li><a href="configuration_file_basics.htm#MAC">Using
MAC Addresses in Shorewall</a></li> MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration File Reference <li><a href="Documentation.htm">Configuration File Reference
Manual</a> Manual</a>
<ul> <ul>
<li> <a href="Documentation.htm#Variables">params</a></li> <li> <a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li> href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li> href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li> href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li> <li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li> href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li> href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li> <li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li> <li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li> <li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li> <li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="dhcp.htm">DHCP</a></li> <li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
(How to extend Shorewall without modifying Shorewall code)</li> to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall <li><a href="shorewall_firewall_structure.htm">Firewall
Structure</a></li> Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li> <li><font color="#000099"><a href="kernel.htm">Kernel
<li><a href="shorewall_logging.html">Logging</a><br> Configuration</a></font></li>
</li> <li><a href="shorewall_logging.html">Logging</a><br>
<li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="MAC_Validation.html">MAC Verification</a><br>
</li>
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
use Shorewall)</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li> </li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li> <li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li> href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration change<br> <li>How to safely test a Shorewall configuration change<br>
</li> </li>
</ul> </ul>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li> <li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy with <li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
Shorewall</a><br> with Shorewall</a><br>
</li> </li>
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li> <li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind <li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
your firewall to a remote network.</li> your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a href="whitelisting_under_shorewall.htm">White List <li><a href="whitelisting_under_shorewall.htm">White List
Creation</a></li> Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 1/9/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 1/28/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br>
<br> <br>
<br> <br>
</body> </body>
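Review bot: in the Documentation Index, the "Starting/stopping the Firewall" entry closes its `</li>` on the line before the nested `<ul>`, so the two sub-bullets ("Description of all /sbin/shorewall commands" and "How to safely test a Shorewall configuration change") end up as a `<ul>` that is a direct child of the outer `<ul>`. That is not valid HTML and differs from the Blacklisting, Port Information and VPN entries, where the nested list sits inside the `<li>`. Since this hunk already reflows that region, move the `</li>` to after the nested `</ul>`. The `#Compliment` anchor on the "Complementing an IP address or Subnet" link is misspelled, but it must stay as it is unless the target in configuration_file_basics.htm is renamed with it.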

View File

@ -15,21 +15,22 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" height="90"> <td width="100%" height="90">
@ -44,8 +45,8 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font color="#ffffff">Shorewall </a></i></font><font color="#ffffff">Shorewall
1.3 - <font size="4">"<i>iptables 1.3 - <font size="4">"<i>iptables
made easy"</i></font></font><a href="http://www.sf.net"> </a></h1> made easy"</i></font></font><a href="http://www.sf.net"> </a></h1>
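Review bot: the logo `<img>` in this hunk still carries alt="Shorwall Logo" on both sides of the change; since the line is being reflowed anyway, correct the alt text to "Shorewall Logo".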
@ -56,10 +57,12 @@
<div align="center"><a href="/1.2/index.html" target="_top"><font <div align="center"><a href="/1.2/index.html" target="_top"><font
color="#ffffff">Shorewall 1.2 Site here</font></a></div> color="#ffffff">Shorewall 1.2 Site here</font></a></div>
</td> </td>
</tr> </tr>
@ -77,11 +80,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -104,9 +107,9 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
firewall that can be used on a dedicated firewall system, a multi-function firewall that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -119,25 +122,27 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General <a href="http://www.gnu.org/licenses/gpl.html">Version 2 of
Public License</a> as published by the Free Software Foundation.<br> the GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br> <br>
This program is distributed in the This program is distributed in
hope that it will be useful, but WITHOUT ANY the hope that it will be useful, but WITHOUT
WARRANTY; without even the implied warranty of MERCHANTABILITY ANY WARRANTY; without even the implied warranty
or FITNESS FOR A PARTICULAR PURPOSE. See of MERCHANTABILITY or FITNESS FOR A PARTICULAR
the GNU General Public License for more details.<br> PURPOSE. See the GNU General Public License for
more details.<br>
<br> <br>
You should have received a copy of You should have received a copy
the GNU General Public License along with of the GNU General Public License along
this program; if not, write to the Free Software with this program; if not, write to the Free Software
Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, Foundation, Inc., 675 Mass Ave, Cambridge, MA
USA</p> 02139, USA</p>
@ -164,15 +169,15 @@ the GNU General Public License for more details.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo and Eric Wolzak </a>Jacques Nilo and Eric
have a LEAF (router/firewall/gateway on a floppy, CD Wolzak have a LEAF (router/firewall/gateway on a floppy,
or compact flash) distribution called <i>Bering</i> CD or compact flash) distribution called <i>Bering</i>
that features Shorewall-1.3.10 and Kernel-2.4.18. that features Shorewall-1.3.10 and Kernel-2.4.18.
You can find their work at: <a You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric <b>Congratulations to Jacques and Eric
on the recent release of Bering 1.0 Final!!! <br> on the recent release of Bering 1.0 Final!!! <br>
</b> </b>
@ -190,245 +195,352 @@ on the recent release of Bering 1.0 Final!!! <br>
<p><b>1/18/2002 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b><img <p><b>1/28/2003 - Shorewall 1.3.14-Beta2 </b><b><img border="0"
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>Includes the Beta 1 content plus restores VLAN device names of the
form $dev.$vid (e.g., eth0.1)</p>
<p> The beta may be downloaded from:<br>
</p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/25/2003 - Shorewall 1.3.14-Beta1</b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><br>
</p>
<p>The Beta includes the following changes:<br>
</p>
<ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and policies
just like any other connection request. The FORWARDPING=Yes option in shorewall.conf
and the 'noping' and 'filterping' options in /etc/shorewall/interfaces will
all generate an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create a "label"
such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of
just the interface name:<br>
 <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>
<li>When an interface name is entered in the SUBNET column of the
/etc/shorewall/masq file, Shorewall previously masqueraded traffic from
only the first subnet defined on that interface. It did not masquerade traffic
from:<br>
 <br>
   a) The subnets associated with other addresses on the interface.<br>
   b) Subnets accessed through local routers.<br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface name in the
SUBNET column, shorewall will use the firewall's routing table to construct
the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>
When upgrading to Shorewall 1.3.14, if you have multiple local subnets
connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
entry, your /etc/shorewall/masq file will need changing. In most cases, you
will simply be able to remove redundant entries. In some cases though, you
might want to change from using the interface name to listing specific subnetworks
if the change described above will cause masquerading to occur on subnetworks
that you don't wish to masquerade.<br>
 <br>
Example 2 -- Suppose that your current config is as follows:<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#<br></pre>
   In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
 <br>
Example 3 -- What if your current configuration is like this?<br>
 <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]# <br></pre>
   In this case, you would want to change the entry in  /etc/shorewall/masq
to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
The beta may be downloaded from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote>
<p><b>1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format</b><b> </b><b>
</b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
    <a     <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a>
<p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b><img <p><b>1/17/2003 - shorewall.net has MOVED</b><b> </b><b>  </b></p>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to the generosity of Alex Martin and <a <p>Thanks to the generosity of Alex Martin and <a
href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and href="http://www.rettc.com">Rett Consulting</a>, www.shorewall.net and ftp.shorewall.net
ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A are now hosted on a system in Bellevue, Washington. A big thanks to Alex
big thanks to Alex for making this happen.<br> for making this happen.<br>
</p> </p>
<p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0" <p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
<p>Just includes a few things that I had on the burner:<br> <p>Just includes a few things that I had on the burner:<br>
</p> </p>
<ol> <ol>
<li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules <li>A new 'DNAT-' action has been added for entries in the
file. DNAT- is intended for advanced users who wish to minimize the number /etc/shorewall/rules file. DNAT- is intended for advanced users who wish
of rules that connection requests must traverse.<br> to minimize the number of rules that connection requests must traverse.<br>
<br> <br>
A Shorewall DNAT rule actually generates two iptables rules: a header A Shorewall DNAT rule actually generates two iptables rules: a header
rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table.
A DNAT- rule only generates the first of these rules. This is handy when A DNAT- rule only generates the first of these rules. This is handy when
you have several DNAT rules that would generate the same ACCEPT rule.<br> you have several DNAT rules that would generate the same ACCEPT rule.<br>
<br> <br>
   Here are three rules from my previous rules file:<br>    Here are three rules from my previous rules file:<br>
<br> <br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
        DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
<br> <br>
   These three rules ended up generating _three_ copies of<br>    These three rules ended up generating _three_ copies of<br>
<br> <br>
         ACCEPT net  dmz:206.124.146.177 tcp smtp<br>          ACCEPT net  dmz:206.124.146.177 tcp smtp<br>
<br> <br>
   By writing the rules this way, I end up with only one copy of the    By writing the rules this way, I end up with only one copy of the
ACCEPT rule.<br> ACCEPT rule.<br>
<br> <br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178<br>
        DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179<br>
        ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
<br> <br>
</li> </li>
<li>The 'shorewall check' command now prints out the applicable <li>The 'shorewall check' command now prints out the applicable
policy between each pair of zones.<br> policy between each pair of zones.<br>
<br> <br>
</li> </li>
<li>A new CLEAR_TC option has been added to shorewall.conf. If <li>A new CLEAR_TC option has been added to shorewall.conf.
this option is set to 'No' then Shorewall won't clear the current traffic If this option is set to 'No' then Shorewall won't clear the current traffic
control rules during [re]start. This setting is intended for use by people control rules during [re]start. This setting is intended for use by people
that prefer to configure traffic shaping when the network interfaces come that prefer to configure traffic shaping when the network interfaces come
up rather than when the firewall is started. If that is what you want to up rather than when the firewall is started. If that is what you want
do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart
file. That way, your traffic shaping rules can still use the 'fwmark' classifier file. That way, your traffic shaping rules can still use the 'fwmark'
based on packet marking defined in /etc/shorewall/tcrules.<br> classifier based on packet marking defined in /etc/shorewall/tcrules.<br>
<br> <br>
</li> </li>
<li>A new SHARED_DIR variable has been added that allows distribution <li>A new SHARED_DIR variable has been added that allows distribution
packagers to easily move the shared directory (default /usr/lib/shorewall). packagers to easily move the shared directory (default /usr/lib/shorewall).
Users should never have a need to change the value of this shorewall.conf Users should never have a need to change the value of this shorewall.conf
setting.</li> setting.</li>
</ol> </ol>
<p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b> <p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
</b></p> </b></p>
<p><b>Until further notice, I will not be involved in either Shorewall <p><b>Until further notice, I will not be involved in either Shorewall
Development or Shorewall Support</b></p> Development or Shorewall Support</b></p>
<p><b>-Tom Eastep</b><br> <p><b>-Tom Eastep</b><br>
</p> </p>
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b> <p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p> </p>
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> <p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
</b></p> </b></p>
<p> Features include:<br> <p> Features include:<br>
</p> </p>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping <li>"shorewall refresh" now reloads the traffic shaping
rules (tcrules and tcstart).</li> rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging <li>"shorewall debug [re]start" now turns off debugging
after an error occurs. This places the point of the failure near the after an error occurs. This places the point of the failure near the
end of the trace rather than up in the middle of it.</li> end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by more <li>"shorewall [re]start" has been speeded up by more
than 40% with my configuration. Your milage may vary.</li> than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been added <li>A "shorewall show classifiers" command has been
which shows the current packet classification filters. The output added which shows the current packet classification filters. The output
from this command is also added as a separate page in "shorewall monitor"</li> from this command is also added as a separate page in "shorewall monitor"</li>
<li>ULOG (must be all caps) is now accepted as a valid <li>ULOG (must be all caps) is now accepted as a valid
syslog level and causes the subject packets to be logged using the ULOG syslog level and causes the subject packets to be logged using the
target rather than the LOG target. This allows you to run ulogd (available ULOG target rather than the LOG target. This allows you to run ulogd
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) (available from <a
and log all Shorewall messages <a href="shorewall_logging.html">to href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
a separate log file</a>.</li> and log all Shorewall messages <a href="shorewall_logging.html">to
<li>If you are running a kernel that has a FORWARD chain a separate log file</a>.</li>
in the mangle table ("shorewall show mangle" will show you the chains <li>If you are running a kernel that has a FORWARD
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a chain in the mangle table ("shorewall show mangle" will show you
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
input packets based on their destination even when you are using Masquerading in <a href="Documentation.htm#Conf">shorewall.conf</a>. This allows for
or SNAT.</li> marking input packets based on their destination even when you are
<li>I have cluttered up the /etc/shorewall directory with using Masquerading or SNAT.</li>
empty 'init', 'start', 'stop' and 'stopped' files. If you already <li>I have cluttered up the /etc/shorewall directory
have a file with one of these names, don't worry -- the upgrade process with empty 'init', 'start', 'stop' and 'stopped' files. If you already
won't overwrite your file.</li> have a file with one of these names, don't worry -- the upgrade process
<li>I have added a new RFC1918_LOG_LEVEL variable to <a won't overwrite your file.</li>
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies <li>I have added a new RFC1918_LOG_LEVEL variable to
the syslog level at which packets are logged as a result of entries in <a href="Documentation.htm#Conf">shorewall.conf</a>. This variable
the /etc/shorewall/rfc1918 file. Previously, these packets were always specifies the syslog level at which packets are logged as a result
logged at the 'info' level.</li> of entries in the /etc/shorewall/rfc1918 file. Previously, these packets
were always logged at the 'info' level.</li>
</ol> </ol>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
</p> </p>
This version corrects a problem with Blacklist logging. In Beta This version corrects a problem with Blacklist logging. In
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall
would fail to start and "shorewall refresh" would also fail.<br> would fail to start and "shorewall refresh" would also fail.<br>
<p> You may download the Beta from:<br> <p> You may download the Beta from:<br>
</p> </p>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> <p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
</b></p> </b></p>
The first public Beta version of Shorewall 1.3.12 is now The first public Beta version of Shorewall 1.3.12 is now
available (Beta 1 was made available only to a limited audience). <br> available (Beta 1 was made available only to a limited audience).
<br> <br>
Features include:<br> <br>
<br> Features include:<br>
<br>
<ol> <ol>
<li>"shorewall refresh" now reloads the traffic shaping <li>"shorewall refresh" now reloads the traffic
rules (tcrules and tcstart).</li> shaping rules (tcrules and tcstart).</li>
<li>"shorewall debug [re]start" now turns off debugging <li>"shorewall debug [re]start" now turns off
after an error occurs. This places the point of the failure near the debugging after an error occurs. This places the point of the failure
end of the trace rather than up in the middle of it.</li> near the end of the trace rather than up in the middle of it.</li>
<li>"shorewall [re]start" has been speeded up by <li>"shorewall [re]start" has been speeded up
more than 40% with my configuration. Your milage may vary.</li> by more than 40% with my configuration. Your milage may vary.</li>
<li>A "shorewall show classifiers" command has been <li>A "shorewall show classifiers" command has
added which shows the current packet classification filters. The output been added which shows the current packet classification filters.
from this command is also added as a separate page in "shorewall monitor"</li> The output from this command is also added as a separate page in "shorewall
<li>ULOG (must be all caps) is now accepted as a monitor"</li>
valid syslog level and causes the subject packets to be logged using <li>ULOG (must be all caps) is now accepted as
the ULOG target rather than the LOG target. This allows you to run ulogd a valid syslog level and causes the subject packets to be logged using
(available from <a the ULOG target rather than the LOG target. This allows you to run ulogd
(available from <a
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>) href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
and log all Shorewall messages <a href="shorewall_logging.html">to and log all Shorewall messages <a href="shorewall_logging.html">to
a separate log file</a>.</li> a separate log file</a>.</li>
<li>If you are running a kernel that has a FORWARD <li>If you are running a kernel that has a FORWARD
chain in the mangle table ("shorewall show mangle" will show you the chain in the mangle table ("shorewall show mangle" will show you the
chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes
in shorewall.conf. This allows for marking input packets based on in shorewall.conf. This allows for marking input packets based on their
their destination even when you are using Masquerading or SNAT.</li> destination even when you are using Masquerading or SNAT.</li>
<li>I have cluttered up the /etc/shorewall directory <li>I have cluttered up the /etc/shorewall directory
with empty 'init', 'start', 'stop' and 'stopped' files. If you already with empty 'init', 'start', 'stop' and 'stopped' files. If you already
have a file with one of these names, don't worry -- the upgrade process have a file with one of these names, don't worry -- the upgrade process
won't overwrite your file.</li> won't overwrite your file.</li>
</ol> </ol>
You may download the Beta from:<br> You may download the Beta from:<br>
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br> <blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" <a
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br> href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
</blockquote> </blockquote>
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a <p><b>12/12/2002 - Mandrake Multi Network Firewall <a
href="http://www.mandrakesoft.com"><img src="images/logo2.png" href="http://www.mandrakesoft.com"><img src="images/logo2.png"
alt="Powered by Mandrake Linux" width="150" height="23" border="0"> alt="Powered by Mandrake Linux" width="150" height="23" border="0">
</a></b></p> </a></b></p>
Shorewall is at the center of MandrakeSofts's recently-announced Shorewall is at the center of MandrakeSofts's recently-announced
<a <a
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&amp;id_art=250&amp;LANG_=en#GOTO_250">Multi
Network Firewall (MNF)</a> product. Here is the <a Network Firewall (MNF)</a> product. Here is the <a
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
release</a>.<br> release</a>.<br>
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b> <p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
</b></p> </b></p>
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally <p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
delivered. I have installed 9.0 on one of my systems and I am now delivered. I have installed 9.0 on one of my systems and I am
in a position to support Shorewall users who run Mandrake 9.0.</p> now in a position to support Shorewall users who run Mandrake 9.0.</p>
<p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br> <p><b>12/6/2002 -  Debian 1.3.11a Packages Available</b><b></b><br>
</p> </p>
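Review bot: the reflowed Beta 2 feature list still carries "Your milage may vary" (item 3) and the Mandrake entry still reads "MandrakeSofts's recently-announced"; since exactly these lines are being rewrapped, correct them here to "mileage" and "MandrakeSoft's" rather than in a follow-up. The empty "<b></b>" pair left after the "Debian 1.3.11a Packages Available" heading can go at the same time.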
@ -438,39 +550,40 @@ their destination even when you are using Masquerading or SNAT.</li>
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b> <p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
</b></p> </b></p>
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT <p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
users who don't need rules of this type need not upgrade to 1.3.11.</p> users who don't need rules of this type need not upgrade to 1.3.11.</p>
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b> <p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p> </p>
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> <p><b>11/24/2002 - Shorewall 1.3.11</b><b>
</b></p> </b></p>
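Review bot: the 1.3.11a entry says "Current 1.3.11 users who don't need rules of this type need not upgrade to 1.3.11", which is circular; it should read "need not upgrade to 1.3.11a". In the same hunk "documenation" is misspelled and "the PDF may be downloaded from" begins a sentence in lower case; both survive the rewrap unchanged on the right-hand side.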
@ -478,24 +591,28 @@ their destination even when you are using Masquerading or SNAT.</li>
<ul> <ul>
<li>A 'tcpflags' option has been added <li>A 'tcpflags' option has been added
to entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. to entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
This option causes Shorewall to make a set of sanity check on TCP packet This option causes Shorewall to make a set of sanity check on TCP
header flags.</li> packet header flags.</li>
<li>It is now allowed to use 'all' in <li>It is now allowed to use 'all'
the SOURCE or DEST column in a <a in the SOURCE or DEST column in a <a
href="Documentation.htm#Rules">rule</a>. When used, 'all' must href="Documentation.htm#Rules">rule</a>. When used, 'all' must appear
appear by itself (in may not be qualified) and it does not enable by itself (in may not be qualified) and it does not enable intra-zone
intra-zone traffic. For example, the rule <br> traffic. For example, the rule <br>
<br> <br>
    ACCEPT loc all tcp 80<br>     ACCEPT loc all tcp 80<br>
<br> <br>
does not enable http traffic from 'loc' to 'loc'.</li> does not enable http traffic from 'loc' to
<li>Shorewall's use of the 'echo' command 'loc'.</li>
is now compatible with bash clones such as ash and dash.</li> <li>Shorewall's use of the 'echo' command
<li>fw-&gt;fw policies now generate a is now compatible with bash clones such as ash and dash.</li>
startup error. fw-&gt;fw rules generate a warning and are ignored</li> <li>fw-&gt;fw policies now generate
a startup error. fw-&gt;fw rules generate a warning and are
ignored</li>
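Review bot: two wording slips are carried over unchanged in the 1.3.11 feature list: "make a set of sanity check on TCP packet header flags" should be "sanity checks", and "(in may not be qualified)" should be "(it may not be qualified)". The hunk already rewraps these exact lines, so fix the wording in the same change.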
@ -503,23 +620,24 @@ startup error. fw-&gt;fw rules generate a warning and are ignored</
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b> <p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
</b></p> </b></p>
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 <p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
documenation. the PDF may be downloaded from</p> documenation. the PDF may be downloaded from</p>
<p>    <a <p>    <a
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br> href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
    <a     <a
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br> href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
</p> </p>
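Review bot: same misspelling as in the 1.3.11 PDF entry above: "documenation. the PDF may be downloaded from" should read "documentation. The PDF may be downloaded from".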
@ -535,6 +653,7 @@ startup error. fw-&gt;fw rules generate a warning and are ignored</
</ul> </ul>
@ -564,7 +683,7 @@ startup error. fw-&gt;fw rules generate a warning and are ignored</
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1> </a></h1>
@ -575,6 +694,7 @@ startup error. fw-&gt;fw rules generate a warning and are ignored</
<h2>This site is hosted by the generous folks at <a <h2>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </h2> href="http://www.sf.net">SourceForge.net</a> </h2>
@ -584,13 +704,14 @@ startup error. fw-&gt;fw rules generate a warning and are ignored</
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" bgcolor="#4b017c" <td width="88" bgcolor="#4b017c"
valign="top" align="center"> <br> valign="top" align="center"> <br>
</td> </td>
</tr>
</tr>
@ -600,9 +721,9 @@ startup error. fw-&gt;fw rules generate a warning and are ignored</
</table> </table>
</center> </center>
</div> </div>
@ -610,11 +731,11 @@ startup error. fw-&gt;fw rules generate a warning and are ignored</
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
@ -628,7 +749,7 @@ startup error. fw-&gt;fw rules generate a warning and are ignored</
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -639,15 +760,15 @@ startup error. fw-&gt;fw rules generate a warning and are ignored</
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -659,7 +780,7 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 1/18/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 1/28/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>

View File

@ -1,44 +1,62 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta http-equiv="Content-Type"
<title>SPAM Filters</title> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>SPAM Filters</title>
</head> </head>
<body>
<body> <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">SPAM Filters</font></h1>
</td>
</tr>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90"> </tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">SPAM Filters</font></h1>
</td>
</tr>
</table> </table>
<h1 align="center"><br> <h1 align="center"><br>
<a href="http://ordb.org"> <a href="http://ordb.org"> <a href="http://www.spamassassin.org"><img
<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a></h1> src="images/ninjalogo.png" alt="(SpamAssassin Logo)" width="100"
height="38">
</a><img border="0" src="images/but3.png" hspace="3" width="88"
height="31">
</a></h1>
<p>Like all of you, I'm concerned about the increasing volume of Unsolicited <p>Like all of you, I'm concerned about the increasing volume of Unsolicited
Commercial Email (UCE or SPAM). I am therefore sympathetic with those of you who Commercial Email (UCE or SPAM). I am therefore sympathetic with those of
are installing SPAM filters on your mail servers. A couple of recent incidents you who are installing SPAM filters on your mail servers. A couple of recent
involving mis-configured filters have prompted me to establish this page to spell incidents involving mis-configured filters have prompted me to establish
out what I will do when these filters bounce list postings.</p> this page to spell out what I will do when these filters bounce list postings.</p>
<p>When your SPAM filter bounces/rejects list mail, I will:</p> <p>When your SPAM filter bounces/rejects list mail, I will:</p>
<ol> <ol>
<li>immediately turn off delivery to you from all Shorewall lists to <li>immediately turn off delivery to you from all Shorewall lists to which
which you subscribe.</li> you subscribe.</li>
<li><u>try</u> to send you an email from a source other than shorewall.net</li> <li><u>try</u> to send you an email from a source other than shorewall.net</li>
</ol> </ol>
<p>When you have corrected the problem, please let me know and I will re-enable <p>When you have corrected the problem, please let me know and I will re-enable
delivery (or you can reenable delivery yourself).</p> delivery (or you can reenable delivery yourself).</p>
<p><font size="2">Last Updated 3/21/2002 - Tom Eastep</font></p>
<p><font size="2">Last Updated 1/29/2003 - Tom Eastep</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
</body> </body>
</html> </html>
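Review bot: the new logo block nests one anchor inside another: "<a href="http://ordb.org"> <a href="http://www.spamassassin.org"><img ...></a><img ... src="images/but3.png"></a>". Anchors may not contain anchors in HTML 4.01 Transitional, which is the DOCTYPE this file now declares, so browsers will implicitly close the ordb.org link when the SpamAssassin link opens and the but3.png button will end up attached to no link or the wrong one. Give each image its own anchor: "<a href="http://www.spamassassin.org"><img src="images/ninjalogo.png" ...></a>" followed by "<a href="http://ordb.org"><img src="images/but3.png" ...></a>".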

View File

@ -17,12 +17,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90"> id="AutoNumber6" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1> <h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -37,9 +37,9 @@
in one of its most common configurations:</p> in one of its most common configurations:</p>
<ul> <ul>
<li>Linux system</li> <li>Linux system</li>
<li>Single external IP address</li> <li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li> <li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul> </ul>
@ -55,19 +55,19 @@ for this program:</p>
with what's involved then go back through it again making your configuration with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are flagged changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13" height="13"> with <img border="0" src="images/BD21298_.gif" width="13" height="13">
.</p> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> <p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows system, you must     If you edit your configuration files on a Windows system, you must
save them as Unix files if your editor supports that option or you must save them as Unix files if your editor supports that option or you must
run them through dos2unix before trying to use them. Similarly, if you copy run them through dos2unix before trying to use them. Similarly, if you
a configuration file from your Windows hard drive to a floppy disk, you must copy a configuration file from your Windows hard drive to a floppy disk,
run dos2unix against the copy before using it with Shorewall.</p> you must run dos2unix against the copy before using it with Shorewall.</p>
<ul> <ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version <li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li> of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux <li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li> Version of dos2unix</a></li>
</ul> </ul>
@ -76,14 +76,14 @@ run dos2unix against the copy before using it with Shorewall.</p>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13" <p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt=""> alt="">
    The configuration files for Shorewall are contained in the directory     The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of /etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a href="Install.htm">installed these as described in this guide. After you have <a
Shorewall</a>, <b>download the <a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>, href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
(they will replace files with the same names that were placed in /etc/shorewall (they will replace files with the same names that were placed in /etc/shorewall
during Shorewall installation)</b>.</p> during Shorewall installation)</b>.</p>
<p>As each file is introduced, I suggest that you look through the actual <p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration instructions file on your system -- each file contains detailed configuration instructions
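Review bot: "un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall" has a doubled "and" on both sides of the diff; drop one while this paragraph is being rewrapped.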
@ -95,15 +95,15 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
<table border="0" style="border-collapse: collapse;" cellpadding="3" <table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2"> cellspacing="0" id="AutoNumber2">
<tbody> <tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr> <tr>
<td><u><b>Name</b></u></td> <td><b>net</b></td>
<td><u><b>Description</b></u></td> <td><b>The Internet</b></td>
</tr> </tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody> </tbody>
</table> </table>
@ -117,10 +117,10 @@ un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewal
in terms of zones.</p> in terms of zones.</p>
<ul> <ul>
<li>You express your default policy for connections from one zone <li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li> </a>file.</li>
<li>You define exceptions to those default policies in the <a <li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li> href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul> </ul>
@ -129,58 +129,57 @@ to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/pol
checked against the /etc/shorewall/rules file. If no rule in that file checked against the /etc/shorewall/rules file. If no rule in that file
matches the connection request then the first policy in /etc/shorewall/policy matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT or DROP  that matches the request is applied. If that policy is REJECT or DROP 
the request is first checked against the rules in /etc/shorewall/common the request is first checked against the rules in /etc/shorewall/common (the
(the samples provide that file for you).</p> samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample <p>The /etc/shorewall/policy file included with the one-interface sample has
has the following policies:</p> the following policies:</p>
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3"> id="AutoNumber3">
<tbody> <tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr> <tr>
<td><u><b>SOURCE ZONE</b></u></td> <td>fw</td>
<td><u><b>DESTINATION ZONE</b></u></td> <td>net</td>
<td><u><b>POLICY</b></u></td> <td>ACCEPT</td>
<td><u><b>LOG LEVEL</b></u></td> <td> </td>
<td><u><b>LIMIT:BURST</b></u></td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>fw</td> <td>net</td>
<td>net</td> <td>all<br>
<td>ACCEPT</td> </td>
<td> </td> <td>DROP</td>
<td> </td> <td>info</td>
</tr> <td> </td>
<tr> </tr>
<td>net</td> <tr>
<td>net</td> <td>all</td>
<td>DROP</td> <td>all</td>
<td>info</td> <td>REJECT</td>
<td> </td> <td>info</td>
</tr> <td> </td>
<tr> </tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre>
<p>The above policy will:</p> <p>The above policy will:</p>
<ol> <ol>
<li>allow all connection requests from the firewall to the internet</li> <li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to your <li>drop (ignore) all connection requests from the internet to your
firewall</li> firewall</li>
<li>reject all other connection requests (Shorewall requires this <li>reject all other connection requests (Shorewall requires this
catchall policy).</li> catchall policy).</li>
</ol> </ol>
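Review bot: the policy table's second row changes from "net net DROP info" to "net all DROP info", which is the right fix: the prose below says this row drops connection requests from the internet to the firewall, and a net-to-net policy would not do that on a one-interface box. The new "<pre>" listing then restates the same three lines as the table; either drop the table or say in the text that the listing is the literal /etc/shorewall/policy content, otherwise the two copies will drift apart on the next edit.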
@ -193,37 +192,37 @@ catchall policy).</li>
<p align="left">The firewall has a single network interface. Where Internet <p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i> connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem"  will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem" 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be <u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
a <b>ppp0</b>. If you connect via a regular modem, your External Interface a <b>ppp0</b>. If you connect via a regular modem, your External Interface
will also be <b>ppp0</b>. If you connect using ISDN, your external interface will also be <b>ppp0</b>. If you connect using ISDN, your external interface
will be<b> ippp0.</b></p> will be<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    The Shorewall one-interface sample configuration assumes that the     The Shorewall one-interface sample configuration assumes that the
external interface is <b>eth0</b>. If your configuration is different, external interface is <b>eth0</b>. If your configuration is different,
you will have to modify the sample /etc/shorewall/interfaces file accordingly. you will have to modify the sample /etc/shorewall/interfaces file accordingly.
While you are there, you may wish to review the list of options that are While you are there, you may wish to review the list of options that are
specified for the interface. Some hints:</p> specified for the interface. Some hints:</p>
<ul> <ul>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
you can replace the "detect" in the second column with "-". </p> you can replace the "detect" in the second column with "-". </p>
</li> </li>
<li> <li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> <p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
or if you have a static IP address, you can remove "dhcp" from the option or if you have a static IP address, you can remove "dhcp" from the option
list. </p> list. </p>
</li> </li>
</ul> </ul>
<div align="left"> <div align="left">
<h2 align="left">IP Addresses</h2> <h2 align="left">IP Addresses</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges <p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
@ -231,7 +230,7 @@ you will have to modify the sample /etc/shorewall/interfaces file accordingly.
<div align="left"> <div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre> <pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div> </div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i> <p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose because the Internet backbone routers will not forward a packet whose
@ -241,161 +240,158 @@ you will have to modify the sample /etc/shorewall/interfaces file accordingly.
<p align="left"><img border="0" src="images/BD21298_.gif" align="left" <p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13"> width="13" height="13">
     Before starting Shorewall, you should look at the IP address      Before starting Shorewall, you should look at the IP address
of your external interface and if it is one of the above ranges, you of your external interface and if it is one of the above ranges, you should
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p> remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Enabling other Connections</h2> <h2 align="left">Enabling other Connections</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you wish to enable connections from the internet to your <p align="left">If you wish to enable connections from the internet to your
firewall, the general format is:</p> firewall, the general format is:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td><i>&lt;protocol&gt;</i></td> <td><u><b>PROTOCOL</b></u></td>
<td><i>&lt;port&gt;</i></td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server <p align="left">Example - You want to run a Web Server and a POP3 Server on
on your firewall system:</p> your firewall system:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5"> id="AutoNumber5">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>80</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT</td> <td>ACCEPT</td>
<td>net</td> <td>net</td>
<td>fw</td> <td>fw</td>
<td>tcp</td> <td>tcp</td>
<td>110</td> <td>80</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left"> <div align="left">
<p align="left">If you don't know what port and protocol a particular <p align="left">If you don't know what port and protocol a particular application
application uses, see <a href="ports.htm">here</a>.</p> uses, see <a href="ports.htm">here</a>.</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from <p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you want the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p> shell access to your firewall from the internet, use SSH:</p>
</div> </div>
<div align="left"> <div align="left">
<blockquote> <blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;" <table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4"> id="AutoNumber4">
<tbody> <tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr> <tr>
<td>ACCEPT</td> <td><u><b>ACTION</b></u></td>
<td>net</td> <td><u><b>SOURCE</b></u></td>
<td>fw</td> <td><u><b>DESTINATION</b></u></td>
<td>tcp</td> <td><u><b>PROTOCOL</b></u></td>
<td>22</td> <td><u><b>PORT</b></u></td>
<td> </td> <td><u><b>SOURCE PORT</b></u></td>
<td> </td> <td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr> </tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</div> </div>
<div align="left">
<pre> ACCEPT net fw tcp 22</pre>
</div>
<div align="left"> <div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" <p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13"> height="13">
    At this point, edit /etc/shorewall/rules to add other connections     At this point, edit /etc/shorewall/rules to add other connections
as desired.</p> as desired.</p>
</div> </div>
<div align="left"> <div align="left">
<h2 align="left">Starting and Stopping Your Firewall</h2> <h2 align="left">Starting and Stopping Your Firewall</h2>
</div> </div>
<div align="left"> <div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" <p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow"> width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a> configures     The <a href="Install.htm">installation procedure </a> configures
your system to start Shorewall at system boot but beginning with Shorewall your system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to start version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br> of your firewall, you can enable Shorewall startup by removing the file
</p> /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb <p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
package must edit /etc/default/shorewall and set 'startup=1'.</font><br> package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
</p> </p>
</div> </div>
<div align="left"> <div align="left">
<p align="left">The firewall is started using the "shorewall start" command <p align="left">The firewall is started using the "shorewall start" command
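Review bot: the one content change in this hunk is the removal of the three old-side-only lines `<div align="left"><pre> ACCEPT net fw tcp 22</pre></div>` that followed the SSH table (AutoNumber4); everything else is whitespace reflow of the AutoNumber5 and AutoNumber4 tables and of the startup_disabled paragraph, which buries that deletion. Dropping the duplicate is reasonable since the table already carries the same rule, but editor reflow belongs in its own commit so edits to the rules examples stay reviewable, and since the `<pre>` form was the only copy-pasteable version of the whitespace-separated rule line (the same form the Bering rules further down still use), consider keeping one such line next to the table.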
@ -405,25 +401,26 @@ of your firewall, you can enable Shorewall startup by removing the file /etc/sho
running firewall may be restarted using the "shorewall restart" command. running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter If you want to totally remove any trace of Shorewall from your Netfilter
configuration, use "shorewall clear".</p> configuration, use "shorewall clear".</p>
</div> </div>
<div align="left"> <div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from <p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to <a added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i> an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
try" command</a>.</p> try" command</a>.</p>
</div> </div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a <p align="left"><font size="2">Last updated 1/26/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas <p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
M. Eastep</font></a></p> Thomas M. Eastep</font></a></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>

View File

@ -20,17 +20,18 @@
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring <h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
the Firewall</font></h1> the Firewall</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -40,9 +41,9 @@
<p> If you have a permanent internet connection such as DSL or Cable, <p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot. Once I recommend that you start the firewall automatically at boot. Once
you have installed "firewall" in your init.d directory, simply type you have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run "chkconfig --add firewall". This will start the firewall in run
levels 2-5 and stop it in run levels 1 and 6. If you want to configure levels 2-5 and stop it in run levels 1 and 6. If you want to configure
your firewall differently from this default, you can use the "--level" your firewall differently from this default, you can use the "--level"
option in chkconfig (see "man chkconfig") or using your favorite option in chkconfig (see "man chkconfig") or using your favorite
@ -54,166 +55,176 @@ graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br> <p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p> </p>
<ol> <ol>
<li>Shorewall startup is disabled by default. Once you have configured <li>Shorewall startup is disabled by default. Once you have configured
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled. your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
Note: Users of the .deb package must edit /etc/default/shorewall and set Note: Users of the .deb package must edit /etc/default/shorewall and set
'startup=1'.<br> 'startup=1'.<br>
</li> </li>
<li>If you use dialup, you may want to start the firewall in your <li>If you use dialup, you may want to start the firewall in
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart" your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
in that script.</li> restart" in that script.</li>
</ol> </ol>
<p> <p>
</p> </p>
<p> You can manually start and stop Shoreline Firewall using the "shorewall" <p> You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p> shell program: </p>
<ul> <ul>
<li>shorewall start - starts the firewall</li> <li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li> <li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running) <li>shorewall restart - stops the firewall (if it's
and then starts it again</li> running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters <li>shorewall reset - reset the packet and byte counters
in the firewall</li> in the firewall</li>
<li>shorewall clear - remove all rules and chains installed <li>shorewall clear - remove all rules and chains
by Shoreline Firewall</li> installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast <li>shorewall refresh - refresh the rules involving the broadcast
addresses of firewall interfaces and the black and white lists.</li> addresses of firewall interfaces and the black and white lists.</li>
</ul> </ul>
If you include the keyword <i>debug</i> as the first argument, then a shell If you include the keyword <i>debug</i> as the first argument, then a
trace of the command is produced as in:<br> shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre> <pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace <p>The above command would trace the 'start' command and place the trace information
information in the file /tmp/trace</p> in the file /tmp/trace<br>
<p> The "shorewall" program may also be used to monitor the firewall.</p> </p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
bottom of this page.<br>
</p>
<p>The "shorewall" program may also be used to monitor the firewall.</p>
<ul> <ul>
<li>shorewall status - produce a verbose report about the firewall <li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li> (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <li>shorewall show <i>chain</i> - produce a verbose report about
<i>chain </i>(iptables -L <i>chain</i> -n -v)</li> <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table <li>shorewall show nat - produce a verbose report about the nat
(iptables -t nat -L -n -v)</li> table (iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle <li>shorewall show tos - produce a verbose report about the mangle
table (iptables -t mangle -L -n -v)</li> table (iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li> <li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently <li>shorewall show connections - displays the IP connections currently
being tracked by the firewall.</li> being tracked by the firewall.</li>
<li>shorewall <li>shorewall
show show
tc - displays information tc - displays information
about the traffic control/shaping configuration.</li> about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall <li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.</li> changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall <li>shorewall hits - Produces several reports about the Shorewall
packet log messages in the current /var/log/messages file.</li> packet log messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed version number.</li> <li>shorewall version - Displays the installed version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of <li>shorewall check - Performs a <u>cursory</u> validation
the zones, interfaces, hosts, rules and policy files. <font of the zones, interfaces, hosts, rules and policy files. <font
size="4" color="#ff6666"><b>The "check" command does not parse and validate size="4" color="#ff6666"><b>The "check" command does not parse and validate
the generated iptables commands so even though the "check" command the generated iptables commands so even though the "check" command
completes successfully, the configuration may fail to start. See the completes successfully, the configuration may fail to start. See the
recommended way to make configuration changes described below. </b></font> recommended way to make configuration changes described below. </b></font>
</li> </li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> <li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if an error ] - Restart shorewall using the specified configuration and if an
occurs or if the<i> timeout </i> option is given and the new configuration error occurs or if the<i> timeout </i> option is given and the new configuration
has been up for that many seconds then shorewall is restarted using has been up for that many seconds then shorewall is restarted using
the standard configuration.</li> the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall <li>shorewall deny, shorewall reject, shorewall accept and shorewall
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li> save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the <li>shorewall logwatch (added in version 1.3.2) - Monitors the
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall <a href="#Conf">LOGFILE </a>and produces an audible alarm when new
messages are logged.</li> Shorewall messages are logged.</li>
</ul> </ul>
Finally, the "shorewall" program may be used to dynamically alter the contents Finally, the "shorewall" program may be used to dynamically alter the
of a zone.<br> contents of a zone.<br>
<ul> <ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the <li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds
specified interface (and host if included) to the specified zone.</li> the specified interface (and host if included) to the specified zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes <li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
the specified interface (and host if included) from the specified zone.</li> Deletes the specified interface (and host if included) from the specified
zone.</li>
</ul> </ul>
<blockquote>Examples:<br> <blockquote>Examples:<br>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font> <blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font> <font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
</blockquote> </blockquote>
</blockquote> </blockquote>
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and <p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
<b>shorewall try </b>commands allow you to specify which <a <b>shorewall try </b>commands allow you to specify which <a
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a> href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
to use:</p> to use:</p>
<blockquote> <blockquote>
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br> <p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p> shorewall try <i>configuration-directory</i></p>
</blockquote> </blockquote>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall <p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i> is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
. If the file is present in the <i>configuration-directory</i>, that file . If the file is present in the <i>configuration-directory</i>, that
will be used; otherwise, the file in /etc/shorewall will be used.</p> file will be used; otherwise, the file in /etc/shorewall will be used.</p>
<p> When changing the configuration of a production firewall, I recommend <p> When changing the configuration of a production firewall, I recommend
the following:</p> the following:</p>
<ul> <ul>
<li><font color="#009900"><b>mkdir /etc/test</b></font></li> <li><font color="#009900"><b>mkdir /etc/test</b></font></li>
<li><font color="#009900"><b>cd /etc/test</b></font></li> <li><font color="#009900"><b>cd /etc/test</b></font></li>
<li>&lt;copy any files that you need to change from /etc/shorewall <li>&lt;copy any files that you need to change from /etc/shorewall
to . and change them here&gt;</li> to . and change them here&gt;</li>
<li><font color="#009900"><b>shorewall -c . check</b></font></li> <li><font color="#009900"><b>shorewall -c . check</b></font></li>
<li>&lt;correct any errors found by check and check again&gt;</li> <li>&lt;correct any errors found by check and check again&gt;</li>
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li> <li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
</ul> </ul>
<p> If the configuration starts but doesn't work, just "shorewall restart" <p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to start, to restore the old configuration. If the new configuration fails to start,
the "try" command will automatically start the old one for you.</p> the "try" command will automatically start the old one for you.</p>
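Review bot: the new paragraph "The Shorewall State Diagram is shown at the bottom of this page" is inserted between the `shorewall debug start 2> /tmp/trace` explanation and the "may also be used to monitor the firewall" list, where it interrupts the command reference; move it into the "Important Notes" list at the top or directly before the `<a name="StateDiagram">` anchor. Two smaller points in the same hunk: the `shorewall logwatch` entry links to `#Conf`, which reads like a Documentation.htm anchor rather than one defined on this page, so verify the target or link to the configuration page explicitly; and the `shorewall show tc` entry is split one word per source line, which should be rejoined to match the other list items.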
@ -225,27 +236,97 @@ the standard configuration.</li>
<ul> <ul>
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li> <li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
<li><font color="#009900"><b>cd</b></font></li> <li><font color="#009900"><b>cd</b></font></li>
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li> <li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
</ul> </ul>
<p><font size="2"> Updated 1/9/2003 - <a href="support.htm">Tom Eastep</a> <p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
</font></p> </p>
<div align="center"><img
src="file:///J:/Shorewall-docs/images/State_Diagram.png"
alt="(State Diagram)" width="747" height="714" align="middle">
<br>
</div>
<p>  <br>
</p>
You will note that the commands that result in state transitions use
the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
<br>
<table cellpadding="2" cellspacing="2" border="1">
<tbody>
<tr>
<td valign="top">shorewall start<br>
</td>
<td valign="top">firewall start<br>
</td>
</tr>
<tr>
<td valign="top">shorewall stop<br>
</td>
<td valign="top">firewall stop<br>
</td>
</tr>
<tr>
<td valign="top">shorewall restart<br>
</td>
<td valign="top">firewall restart<br>
</td>
</tr>
<tr>
<td valign="top">shorewall add<br>
</td>
<td valign="top">firewall add<br>
</td>
</tr>
<tr>
<td valign="top">shorewall delete<br>
</td>
<td valign="top">firewall delete<br>
</td>
</tr>
<tr>
<td valign="top">shorewall refresh<br>
</td>
<td valign="top">firewall refresh<br>
</td>
</tr>
<tr>
<td valign="top">shorewall try<br>
</td>
<td valign="top">firewall -c &lt;new configuration&gt; restart<br>
If unsuccessful then firewall start (standard configuration)<br>
If timeout then firewall restart (standard configuration)<br>
</td>
</tr>
</tbody>
</table>
<br>
<p><font size="2"> Updated 1/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>
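Review bot: the state diagram is referenced as `src="file:///J:/Shorewall-docs/images/State_Diagram.png"`, a path on the author's local drive, so the image will not render for anyone reading the published page; use the relative form the other images in this commit use (`images/State_Diagram.png`, as with `images/BD21298_3.gif`). In the same region, "State Diargram" should be "State Diagram", and the quoting in `/sbin/shorewall runs 'firewall" according to the following table` is mismatched. The new command-mapping table also lacks a header row naming its two columns (shorewall command / firewall invocation), and the `shorewall try` row should stay worded consistently with the `shorewall try` bullet above it, which describes the same fallback to the standard configuration on error or timeout.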

File diff suppressed because it is too large Load Diff

File diff suppressed because it is too large Load Diff

View File

@ -17,12 +17,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -30,38 +31,92 @@
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.</p> href="Install.htm">Install/Upgrade page</a>.</p>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the interface
(as shown by "ip addr show <i>interface</i>") and would masquerade traffic
from that subnet. Any other subnets that routed through eth1 needed their
own entry in /etc/shorewall/masq to be masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's routing
table to determine ALL subnets routed through the named interface. Traffic
originating in ANY of those subnets is masqueraded or has SNAT applied.</li>
</ul>
You will need to make a change to your configuration if:<br>
<ol>
<li>You have one or more entries in /etc/shorewall/masq with an interface
name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request (ping) handling.
The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf is used
to specify that the old (pre-1.3.14) ping handling is to be used (If the
option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
is assumed). I don't plan on supporting the old handling indefinitely so
I urge current users to migrate to using the new handling as soon as possible.
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
1.3.10, you will need to use the '--force' option:<br> 1.3.10, you will need to use the '--force' option:<br>
<br> <br>
<blockquote> <blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.9</h3> <h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. If you The 'functions' file has moved to /usr/lib/shorewall/functions. If you
have an application that uses functions from that file, your application have an application that uses functions from that file, your application
will need to be changed to reflect this change of location.<br> will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3> <h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8, versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p> /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules will need to include the following rules
in their /etc/shorewall/icmpdef file (creating in their /etc/shorewall/icmpdef file (creating
this file if necessary):</p> this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to <h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3> Shorewall &gt;= 1.3.3</b></h3>
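Review bot: in the first bullet of the new "Version >= 1.3.14" section, "Any other subnets that routed through eth1" names a specific interface while the bullet describes the general behaviour and both examples use eth2; say "through that interface" instead. The section also never states the consequence of the change plainly: after the upgrade, an interface name in the SUBNET column masquerades or SNATs every subnet the routing table lists for that interface rather than the first one only, so in Example 2 the unchanged `eth0 eth2 206.124.146.176` entry would cover 192.168.10.0/24 as well as 192.168.1.0/24. The advice should tell users to run `ip route show dev <interface>` (as the examples do) and compare the result with what they intend to NAT before upgrading, and Example 2 should say that the rewritten entry is there to limit NAT to 192.168.1.0/24. Finally, the ping paragraph links to `ping.html` while the other page links in this tree use `.htm` (`Install.htm`, `Documentation.htm`); check the file name.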
@ -70,59 +125,60 @@ in their /etc/shorewall/icmpdef file (creating
1.3.3 and later:</p> 1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a backup -- you <li>Be sure you have a backup -- you
will need to transcribe any Shorewall configuration will need to transcribe any Shorewall configuration
changes that you have made to the new changes that you have made to the new
configuration.</li> configuration.</li>
<li>Replace the shorwall.lrp package <li>Replace the shorwall.lrp package
provided on the Bering floppy with the later provided on the Bering floppy with the
one. If you did not obtain the later version later one. If you did not obtain the later
from Jacques's site, see additional instructions version from Jacques's site, see additional
below.</li> instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not forget to entry if present. Then do not forget to
backup root.lrp !</li> backup root.lrp !</li>
</ol> </ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p> the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre> <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote> </blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3> <h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p> and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # <font face="Courier">run_iptables -A newnotsyn -j RETURN
So that the connection tracking table can be rebuilt<br> # So that the connection tracking table can be rebuilt<br>
                                    # from non-SYN packets                                     # from non-SYN packets
after takeover.<br> after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags <font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br> ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
</li> </li>
</ol> </ol>
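Review bot: every changed line in this hunk is a whitespace-only re-wrap of unchanged HTML (the prose at the top, the `<li>`/`<ol>`/`<p>` indentation, and the source line break inserted after `run_iptables -A newnotsyn -j RETURN`), so there is no rendered change here and the noise makes real edits elsewhere in the file hard to find; suggest keeping editor re-indentation in a separate commit. Since the newnotsyn and common snippets live in `<font face="Courier">` rather than `<pre>`, the new line break collapses in the browser and the alignment of `# from non-SYN packets after takeover.` still depends on the long `&nbsp;` run on the next line; moving both snippets into `<pre>` blocks, as the Bering rules above already do (`<pre># Bering specific rules:`), would make that layout explicit and survive future reflows. It would also help to state beside `run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT` that this accepts bare ACK segments to every zone ahead of the default policy, so that readers apply it only on the failover or asymmetric-routing setups this section names.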
@ -135,42 +191,44 @@ So that the connection tracking table can be rebuilt<br>
<div align="left"> <div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre> <pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div> </div>
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
<div align="left"> <div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre> <pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example 2:</p> <p align="left">Example 2:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre> <pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre> <pre> REDIRECT loc 3128 tcp 80</pre>
</div> </div>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the <p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications If you have applications that access these files, those applications
should be modified accordingly.</p> should be modified accordingly.</p>
<p><font size="2"> Last updated 11/09/2002 - <p><font size="2"> Last updated 1/25/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>
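Review bot: the only content changes in this hunk are the footer date (`Last updated 1/25/2003`), the copyright years (`2001, 2002, 2003`) and the removal of the two stray `<br>` lines before `</body>`; the date is written in month/day order, which is ambiguous for non-US readers of an upgrade-issues page, so consider an unambiguous form such as `2003-01-25` (the same applies to the old `11/09/2002` value it replaces). The `<br>` cleanup is fine as is.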