extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-08 16:54:10 +01:00
Code Issues Packages Projects Releases Wiki Activity

Initial revision

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@192 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2002-08-13 20:45:21 +00:00
parent 8a8692cf9a
commit b7b4f6d2e8
131 changed files with 15592 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2703
Shorewall-docs/Documentation.htm Normal file
View File

File diff suppressed because it is too large Load Diff

29
Shorewall-docs/Documentation_Index.htm Normal file
View File

@ -0,0 +1,29 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>The Documentation Index</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">The Shorewall Documentation Index</h1>
<h1 align="center">has Moved
<a href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
<p><font size="2">
Last updated 8/9/2002
-
<a href="support.htm">Tom Eastep</a></font>
</p>
<p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

571
Shorewall-docs/FAQ.htm Normal file
View File

@ -0,0 +1,571 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall FAQ</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall FAQs</h1>
<h2 align="left">About Shorewall</h2>
<blockquote>
<p align="left"><a href="#faq13">Why do you call it &quot;Shorewall&quot;?</a></p>
<p align="left"><a href="#faq10">What distributions does it work with?</a></p>
<p align="left"><a href="shorewall_features.htm">What features does it support?</a></p>
<p align="left"><a href="#faq12">Why isn't there a GUI?</a></p>
</blockquote>
<h2 align="left">Filtering</h2>
<blockquote>
<p align="left"><a href="#faq14">I'm connected via a cable modem and it has an
internel web server that allows me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface, it also blocks the cable modems
web server</a>.</p>
<p align="left"><a href="#faq14a">Even though it assigns public IP addresses, my
ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my
external interface, my DHCP client cannot renew its lease.</a></p>
<p align="left"><a href="#faq4">I just used an online port scanner to check my
firewall and it shows some ports as 'closed' rather than 'blocked'. Why?</a></p>
<p align="left"><a href="#faq4a">I just ran an nmap UDP scan of my firewall and
it showed 100s of ports as open!!!!</a></p>
</blockquote>
<h2 align="left">Port Forwarding</h2>
<blockquote>
<p align="left"><a href="#faq1">I want to forward UDP port 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and can't find how to do it.</a></p>
<p align="left"><a href="#faq1a">Ok -- I followed those instructions but it
doesn't work.</a></p>
<p align="left"><a href="#faq2">I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
http://www.mydomain.com but internal clients can't.</a></p>
<p align="left"><a href="#faq3">I have a zone &quot;Z&quot; with an RFC1918 subnet and I
use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918 addresses) so they
can't access each other using their DNS names.</a></p>
</blockquote>
<h2 align="left">Applications</h2>
<blockquote>
<p align="left"><a href="#faq3">I want to use Netmeeting with Shorewall. What do I do?</a></p>
</blockquote>
<h2 align="left">Connection Problems</h2>
<blockquote>
<p align="left"><a href="#faq5">I've installed Shorewall and now I can't ping through the
firewall</a></p>
<p align="left"><a href="#faq15">My local systems can't see out to the net</a></p>
</blockquote>
<h2 align="left">Logging</h2>
<blockquote>
<p align="left"><a href="#faq6">Where are the log messages written and&nbsp;
how do I change the destination?</a></p>
<p align="left"><a href="#faq16">Shorewall is writing log messages all over my
console making it unusable!</a></p>
<p align="left"><a href="#faq6a">Are there any log parsers that work with
Shorewall?</a></p>
</blockquote>
<h2 align="left">Starting and stopping the firewall</h2>
<blockquote>
<p align="left"><a href="#faq7">When I stop Shorewall using 'shorewall stop',
I can't connect to anything. Why doesn't that command work?</a></p>
<p align="left"><a href="#faq8">When I try to start Shorewall on RedHat 7.x, I
get messages about insmod failing -- what's wrong?</a></p>
<p align="left"><a href="#faq17">Why can't Shorewall detect my interfaces
properly?</a></p>
</blockquote>
<h2 align="left">Design</h2>
<blockquote>
<p align="left"><a href="#faq9">Why does Shorewall only accept IP addresses as
opposed to FQDNs?</a></p>
</blockquote>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a href="Documentation.htm#PortForward"> first example</a> in the <a href="Documentation.htm#Rules">rules
file documentation</a> shows how to do port forwarding under Shorewall. Assuming
that you have a dynamic external IP address, the format of a port-forwarding
rule to a local system is as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:192.168.1.5</td>
<td>udp</td>
<td>7777</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<div align="left">
<pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre>
</div>
<p align="left">If you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td>-</td>
<td><i>&lt;external IP&gt;</i></td>
</tr>
</table>
</blockquote>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions but
it doesn't work</h4>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<ul>
<li>You are trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system such as an
incorrect default gateway configured (it should be set to the IP address of your
firewall's internal interface).</li>
</ul>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
http://www.mydomain.com but internal clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<ul>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server is
compromised, there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable, you can put
your server in a DMZ such that it is isolated from your local systems -
assuming that the Server can be located near the Firewall, of course :-)</li>
<li>The accessibility problem is best solved using
<a href="shorewall_setup_guide.htm#DNS">Bind Version
9 &quot;views&quot;</a> (or using a separate DNS server for local clients) such that www.mydomain.com resolves to 130.141.100.69
externally and 192.168.1.5 internally. That's what I do here at
shorewall.net for my local systems that use static NAT.</li>
</ul>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface is eth0
and your internal interface is eth1
and that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do the following:</p>
<p align="left">a) In /etc/shorewall/interfaces, specify &quot;multi&quot; as an option
for eth1.</p>
<div align="left">
<p align="left">b) In /etc/shorewall/rules, add:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>loc:192.168.1.0/24</td>
<td>loc:192.168.1.5</td>
<td>tcp</td>
<td>www</td>
<td>-</td>
<td>130.151.100.69:192.168.1.254</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<pre align="left"> <font face="Courier">DNAT&nbsp;&nbsp;&nbsp; loc:192.168.1.0/24&nbsp;&nbsp;&nbsp; loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; www&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; 130.151.100.69:192.168.1.254</font></pre>
</div>
<div align="left">
<p align="left">That rule only works of course if you have a static external IP
address. If you
have a dynamic IP address and are running Shorewall 1.3.4 or later then include this in
/etc/shorewall/params:</div>
<div align="left">
<pre> ETH0_IP=`find_interface_address eth0`</pre>
</div>
<div align="left">
<p align="left">and make your DNAT rule:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td>DNAT</td>
<td>loc:192.168.1.0/24</td>
<td>loc:192.168.1.5</td>
<td>tcp</td>
<td>www</td>
<td>-</td>
<td>$ETH0_IP:192.168.1.254</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you get a new IP
address.</div>
<h4 align="left"><a name="faq2a"></a>2a. I have a zone &quot;Z&quot; with an RFC1918 subnet and I
use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918 addresses) so they
can't access each other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved using Bind Version 9
&quot;views&quot;. It allows both external and internal clients to access a
NATed host using the host's DNS name.</p>
<p align="left">Another good way to approach this problem is to switch from
static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and
can be accessed externally and internally using the same address.&nbsp;</p>
<p align="left">If you don't like those solutions and prefer routing all Z-&gt;Z
traffic through your firewall then:</p>
<p align="left">a) Specify &quot;multi&quot; on the entry for Z's interface in
/etc/shorewall/interfaces.<br>
b) Set the Z-&gt;Z policy to ACCEPT.<br>
c) Masquerade Z to itself.<br>
<br>
Example:</p>
<p align="left">Zone: dmz<br>
Interface: eth2<br>
Subnet: 192.168.2.0/24</p>
<p align="left">In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber2">
<tr>
<td><u><b>ZONE</b></u></td>
<td><u><b>INTERFACE</b></u></td>
<td><u><b>BROADCAST</b></u></td>
<td><u><b>OPTIONS</b></u></td>
</tr>
<tr>
<td>dmz</td>
<td>eth2</td>
<td>192.168.2.255</td>
<td>multi</td>
</tr>
</table>
</blockquote>
<p align="left">In /etc/shorewall/policy:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><u><b>SOURCE </b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td>dmz</td>
<td>dmz</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<div align="left">
<pre align="left"> dmz&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; ACCEPT</pre>
</div>
<p align="left">In /etc/shorewall/masq:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3" width="369">
<tr>
<td width="93"><u><b>INTERFACE </b></u></td>
<td width="31"><u><b>SUBNET</b></u></td>
<td width="120"><u><b>ADDRESS</b></u></td>
</tr>
<tr>
<td width="93">eth2</td>
<td width="31">192.168.2.0/24</td>
<td width="120">&nbsp;</td>
</tr>
</table>
</blockquote>
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting with Shorewall. What do I do?</h4>
<p align="left"><b>Answer: </b>There is an <a href="http://www.kfki.hu/~kadlec/sw/netfilter/newnat-suite/"> H.323 connection tracking/NAT module</a> that may help.
Also check the Netfilter mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. </p>
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner to
check my firewall and it shows some ports as 'closed' rather than 'blocked'.
Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x always
rejects connection requests on TCP port 113 rather than dropping them. This is
necessary to prevent outgoing connection problems to services that use the
'Auth' mechanism for identifying requesting users. Shorewall also rejects TCP
ports 135, 137 and 139 as well as UDP ports 137-139. These are ports that are
used by Windows (Windows <u>can</u> be configured to use the DCE cell locator
on port 135). Rejecting these connection requests rather than dropping them
cuts down slightly on the amount of Windows chatter on LAN segments connected
to the Firewall. </p>
<p align="left">If you are seeing port 80 being 'closed', that's probably your
ISP preventing you from running a web server in violation of your Service
Agreement.</p>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page section about
UDP scans. If nmap gets <b>nothing</b> back from your firewall then it reports
the port as open. If you want to see which UDP ports are really open,
temporarily change your net-&gt;all policy to REJECT, restart Shorewall and do
the nmap UDP scan again.</p>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I can't ping through the
firewall</h4>
<p align="left"><b>Answer: </b>If you want your firewall to be totally open for
&quot;ping&quot;: </p>
<p align="left">a) Do NOT specify 'noping' on any interface in
/etc/shorewall/interfaces.<br>
b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef<br>
c) Add the following to /etc/shorewall/icmpdef: </p>
<blockquote>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j
ACCEPT </p>
</blockquote>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and&nbsp; how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog (see &quot;man
syslog&quot;) to log messages. It always uses the LOG_KERN (kern) facility (see
&quot;man openlog&quot;) and you get to choose the log level (again, see
&quot;man syslog&quot;) in your <a href="Documentation.htm#Policy">policies</a>
and <a href="Documentation.htm#Rules">rules</a>. The destination for messaged
logged by syslog is controlled by /etc/syslog.conf (see &quot;man
syslog.conf&quot;). When you have changed /etc/syslog.conf, be sure to restart
syslogd (on a RedHat system, &quot;service syslog restart&quot;). </p>
<p align="left">By default, older versions of Shorewall ratelimited log messages through
<a href="Documentation.htm#Conf">settings</a>
in /etc/shorewall/shorewall.conf -- If you want to log all messages, set: </p>
<div align="left">
<pre align="left"> LOGLIMIT=&quot;&quot;
LOGBURST=&quot;&quot;</pre>
</div>
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
with Shorewall?</h4>
<p align="left"><b>Answer: </b>Here are several links that may be helpful: </p>
<blockquote>
<p align="left"><a href="http://www.shorewall.net/pub/shorewall/parsefw/">
http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a></p>
</blockquote>
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into a
safe state whereby only those interfaces/hosts having the 'routestopped' option
in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want
to totally open up your firewall, you must use the 'shorewall clear' command. </p>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
7.x, I get messages about insmod failing -- what's wrong?</h4>
<p align="left"><b>Answer: </b>The output you will see looks something like this:</p>
<pre> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.</pre>
<p align="left">This is usually cured by the following sequence of commands: </p>
<div align="left">
<pre align="left"> service ipchains stop
chkconfig --delete ipchains
rmmod ipchains</pre>
</div>
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> for
problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</div>
<h4 align="left"> <a name="faq9"></a>9. Why does Shorewall only accept IP
addresses as opposed to FQDNs?</h4><p align="left"> <b>Answer: </b>FQDNs in iptables rules
aren't nearly as useful as they first appear. When a DNS name appears in a rule,
the iptables utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So change in the DNS-&gt;IP address relationship
that occur after the firewall has started have absolutely no effect on the
firewall's ruleset.</p>
<p align="left"> I'm also trying to protect
people from themselves. If your firewall rules include FQDN's then:</p>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
</ul>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
with?</h4>
<p align="left">Shorewall works with any GNU/Linux distribution that includes
the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.<h4 align="left">11. What Features does it have?</h4>
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall Feature
List</a>.<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find myself doing
other things. I guess I just don't care enough if Shorewall has a GUI to
invest the effort to create one myself. There are several Shorewall GUI
projects underway however and I will publish links to them when the authors
feel that they are ready. <h4 align="left">
<a name="faq13"></a>13. Why do you call it &quot;Shorewall&quot;?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of &quot;<u>Shore</u>line&quot; (<a href="http://www.cityofshoreline.com">the
city where I live</a>) and &quot;Fire<u>wall</u>&quot;.<h4 align="left">
<a name="faq14"></a>14.&nbsp; I'm connected via a cable modem and it has an
internal web server that allows me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface (the internet one), it also blocks
the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the
rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address
of the modem in/out but still block all other rfc1918 addresses.</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier than
1.3.1, create /etc/shorewall/start and in it, place the following:<div align="left">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
</div>
<div align="left">
<p align="left">If you are running version 1.3.1 or later, simply add the
following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><u><b>SUBNET </b></u></td>
<td><u><b>TARGET</b></u></td>
</tr>
<tr>
<td>192.168.100.1</td>
<td>RETURN</td>
</tr>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Be sure that you add the entry ABOVE the entry for
192.168.0.0/16.</div>
<div align="left">
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918
filtering on my external interface, my DHCP client cannot renew its lease.</h4>
</div>
<div align="left">
<p align="left">The solution is the same as FAQ 14 above. Simply substitute
the IP address of your ISPs DHCP server.</div>
<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to the
net</h4>
<p align="left"><b>Answer: </b>Every time I read &quot;systems can't see out to the net&quot;, I wonder
where the poster bought computers with eyes and what those computers will &quot;see&quot;
when things are working properly. That aside, the most common causes of this
problem are:</p>
<ol>
<li><p align="left">The default gateway on each local system isn't set to the
IP address of the local firewall interface.</p>
</li>
<li><p align="left">The entry for the local network in the /etc/shorewall/masq
file is wrong or missing.</p>
</li>
<li><p align="left">The DNS settings on the local systems are wrong or the
user is running a DNS server on the firewall and hasn't enabled UDP and TCP
port 53 from the firewall to the internet.</p>
</li>
</ol>
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages all
over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>&quot;man dmesg&quot; -- add a suitable 'dmesg' command to your startup
scripts or place it in /etc/shorewall/start.</p>
<h4 align="left"><a name="faq17"></a>17. Why can't Shorewall detect my
interfaces properly?</h4>
<p align="left">I just installed Shorewall and when I issue the start command,
I see the following:</p>
<div align="left">
<pre> Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net loc
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
<b> Net Zone: eth0:0.0.0.0/0
Local Zone: eth1:0.0.0.0/0
</b> Deleting user chains...
Creating input Chains...
...</pre>
</div>
<div align="left">
<p align="left">Why can't Shorewall detect my interfaces properly?</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1.
</div>
<p align="left"><font size="2">Last updated
7/31/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

277
Shorewall-docs/GnuCopyright.htm Normal file
View File

@ -0,0 +1,277 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Copyright</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h2><a href="#TOC1" name="SEC1">GNU Free Documentation License</a></h2>
<p>Version 1.1, March 2000 </p>
<pre>Copyright (C) 2000 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
</pre>
<p><strong>0. PREAMBLE</strong> </p>
<p>The purpose of this License is to make a manual, textbook, or other written
document &quot;free&quot; in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for the
author and publisher a way to get credit for their work, while not being
considered responsible for modifications made by others. </p>
<p>This License is a kind of &quot;copyleft&quot;, which means that derivative works of
the document must themselves be free in the same sense. It complements the GNU
General Public License, which is a copyleft license designed for free software.
</p>
<p>We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free program should
come with manuals providing the same freedoms that the software does. But this
License is not limited to software manuals; it can be used for any textual work,
regardless of subject matter or whether it is published as a printed book. We
recommend this License principally for works whose purpose is instruction or
reference. </p>
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
<p>This License applies to any manual or other work that contains a notice
placed by the copyright holder saying it can be distributed under the terms of
this License. The &quot;Document&quot;, below, refers to any such manual or work. Any
member of the public is a licensee, and is addressed as &quot;you&quot;. </p>
<p>A &quot;Modified Version&quot; of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or
translated into another language. </p>
<p>A &quot;Secondary Section&quot; is a named appendix or a front-matter section of the
Document that deals exclusively with the relationship of the publishers or
authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (For example, if the Document is in part a textbook of mathematics, a
Secondary Section may not explain any mathematics.) The relationship could be a
matter of historical connection with the subject or with related matters, or of
legal, commercial, philosophical, ethical or political position regarding them.
</p>
<p>The &quot;Invariant Sections&quot; are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says that
the Document is released under this License. </p>
<p>The &quot;Cover Texts&quot; are certain short passages of text that are listed, as
Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document
is released under this License. </p>
<p>A &quot;Transparent&quot; copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the general public,
whose contents can be viewed and edited directly and straightforwardly with
generic text editors or (for images composed of pixels) generic paint programs
or (for drawings) some widely available drawing editor, and that is suitable for
input to text formatters or for automatic translation to a variety of formats
suitable for input to text formatters. A copy made in an otherwise Transparent
file format whose markup has been designed to thwart or discourage subsequent
modification by readers is not Transparent. A copy that is not &quot;Transparent&quot; is
called &quot;Opaque&quot;. </p>
<p>Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using a
publicly available DTD, and standard-conforming simple HTML designed for human
modification. Opaque formats include PostScript, PDF, proprietary formats that
can be read and edited only by proprietary word processors, SGML or XML for
which the DTD and/or processing tools are not generally available, and the
machine-generated HTML produced by some word processors for output purposes
only. </p>
<p>The &quot;Title Page&quot; means, for a printed book, the title page itself, plus such
following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have any
title page as such, &quot;Title Page&quot; means the text near the most prominent
appearance of the work's title, preceding the beginning of the body of the text.
</p>
<p><strong>2. VERBATIM COPYING</strong> </p>
<p>You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and the
license notice saying this License applies to the Document are reproduced in all
copies, and that you add no other conditions whatsoever to those of this
License. You may not use technical measures to obstruct or control the reading
or further copying of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough number of
copies you must also follow the conditions in section 3. </p>
<p>You may also lend copies, under the same conditions stated above, and you may
publicly display copies. </p>
<p><strong>3. COPYING IN QUANTITY</strong> </p>
<p>If you publish printed copies of the Document numbering more than 100, and
the Document's license notice requires Cover Texts, you must enclose the copies
in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover
Texts on the front cover, and Back-Cover Texts on the back cover. Both covers
must also clearly and legibly identify you as the publisher of these copies. The
front cover must present the full title with all words of the title equally
prominent and visible. You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve the title
of the Document and satisfy these conditions, can be treated as verbatim copying
in other respects. </p>
<p>If the required texts for either cover are too voluminous to fit legibly, you
should put the first ones listed (as many as fit reasonably) on the actual
cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along with
each Opaque copy, or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent copy of the
Document, free of added material, which the general network-using public has
access to download anonymously at no charge using public-standard network
protocols. If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure that this
Transparent copy will remain thus accessible at the stated location until at
least one year after the last time you distribute an Opaque copy (directly or
through your agents or retailers) of that edition to the public. </p>
<p>It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them a
chance to provide you with an updated version of the Document. </p>
<p><strong>4. MODIFICATIONS</strong> </p>
<p>You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the role
of the Document, thus licensing distribution and modification of the Modified
Version to whoever possesses a copy of it. In addition, you must do these things
in the Modified Version: </p>
<p>&nbsp;</p>
<ul>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any) a
title distinct from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section of the
Document). You may use the same title as a previous version if the original
publisher of that version gives permission. </li>
<li><strong>B.</strong> List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in the
Modified Version, together with at least five of the principal authors of the
Document (all of its principal authors, if it has less than five). </li>
<li><strong>C.</strong> State on the Title page the name of the publisher of
the Modified Version, as the publisher. </li>
<li><strong>D.</strong> Preserve all the copyright notices of the Document.
</li>
<li><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright notices, a
license notice giving the public permission to use the Modified Version under
the terms of this License, in the form shown in the Addendum below. </li>
<li><strong>G.</strong> Preserve in that license notice the full lists of
Invariant Sections and required Cover Texts given in the Document's license
notice. </li>
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
<li><strong>I.</strong> Preserve the section entitled &quot;History&quot;, and its
title, and add to it an item stating at least the title, year, new authors,
and publisher of the Modified Version as given on the Title Page. If there is
no section entitled &quot;History&quot; in the Document, create one stating the title,
year, authors, and publisher of the Document as given on its Title Page, then
add an item describing the Modified Version as stated in the previous
sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions it was based
on. These may be placed in the &quot;History&quot; section. You may omit a network
location for a work that was published at least four years before the Document
itself, or if the original publisher of the version it refers to gives
permission. </li>
<li><strong>K.</strong> In any section entitled &quot;Acknowledgements&quot; or
&quot;Dedications&quot;, preserve the section's title, and preserve in the section all
the substance and tone of each of the contributor acknowledgements and/or
dedications given therein. </li>
<li><strong>L.</strong> Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the equivalent
are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled &quot;Endorsements&quot;. Such a
section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as &quot;Endorsements&quot;
or to conflict in title with any Invariant Section. </li>
</ul>
<p>If the Modified Version includes new front-matter sections or appendices that
qualify as Secondary Sections and contain no material copied from the Document,
you may at your option designate some or all of these sections as invariant. To
do this, add their titles to the list of Invariant Sections in the Modified
Version's license notice. These titles must be distinct from any other section
titles. </p>
<p>You may add a section entitled &quot;Endorsements&quot;, provided it contains nothing
but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an organization
as the authoritative definition of a standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover
Texts in the Modified Version. Only one passage of Front-Cover Text and one of
Back-Cover Text may be added by (or through arrangements made by) any one
entity. If the Document already includes a cover text for the same cover,
previously added by you or by arrangement made by the same entity you are acting
on behalf of, you may not add another; but you may replace the old one, on
explicit permission from the previous publisher that added the old one. </p>
<p>The author(s) and publisher(s) of the Document do not by this License give
permission to use their names for publicity for or to assert or imply
endorsement of any Modified Version. </p>
<p><strong>5. COMBINING DOCUMENTS</strong> </p>
<p>You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified versions,
provided that you include in the combination all of the Invariant Sections of
all of the original documents, unmodified, and list them all as Invariant
Sections of your combined work in its license notice. </p>
<p>The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there are
multiple Invariant Sections with the same name but different contents, make the
title of each such section unique by adding at the end of it, in parentheses,
the name of the original author or publisher of that section if known, or else a
unique number. Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work. </p>
<p>In the combination, you must combine any sections entitled &quot;History&quot; in the
various original documents, forming one section entitled &quot;History&quot;; likewise
combine any sections entitled &quot;Acknowledgements&quot;, and any sections entitled
&quot;Dedications&quot;. You must delete all sections entitled &quot;Endorsements.&quot; </p>
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
<p>You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this License
in the various documents with a single copy that is included in the collection,
provided that you follow the rules of this License for verbatim copying of each
of the documents in all other respects. </p>
<p>You may extract a single document from such a collection, and distribute it
individually under this License, provided you insert a copy of this License into
the extracted document, and follow this License in all other respects regarding
verbatim copying of that document. </p>
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
<p>A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or distribution
medium, does not as a whole count as a Modified Version of the Document,
provided no compilation copyright is claimed for the compilation. Such a
compilation is called an &quot;aggregate&quot;, and this License does not apply to the
other self-contained works thus compiled with the Document, on account of their
being thus compiled, if they are not themselves derivative works of the
Document. </p>
<p>If the Cover Text requirement of section 3 is applicable to these copies of
the Document, then if the Document is less than one quarter of the entire
aggregate, the Document's Cover Texts may be placed on covers that surround only
the Document within the aggregate. Otherwise they must appear on covers around
the whole aggregate. </p>
<p><strong>8. TRANSLATION</strong> </p>
<p>Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing Invariant
Sections with translations requires special permission from their copyright
holders, but you may include translations of some or all Invariant Sections in
addition to the original versions of these Invariant Sections. You may include a
translation of this License provided that you also include the original English
version of this License. In case of a disagreement between the translation and
the original English version of this License, the original English version will
prevail. </p>
<p><strong>9. TERMINATION</strong> </p>
<p>You may not copy, modify, sublicense, or distribute the Document except as
expressly provided for under this License. Any other attempt to copy, modify,
sublicense or distribute the Document is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so
long as such parties remain in full compliance. </p>
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
<p>The Free Software Foundation may publish new, revised versions of the GNU
Free Documentation License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version number. If the
Document specifies that a particular numbered version of this License &quot;or any
later version&quot; applies to it, you have the option of following the terms and
conditions either of that specified version or of any later version that has
been published (not as a draft) by the Free Software Foundation. If the Document
does not specify a version number of this License, you may choose any version
ever published (not as a draft) by the Free Software Foundation. </p>
<p align="left">&nbsp;</p>
</body>
</html>

173
Shorewall-docs/IPIP.htm Normal file
View File

@ -0,0 +1,173 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>GRE/IPIP Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">GRE and IPIP Tunnels</h1>
<h3><font color="#FF6633">Warning: </font>GRE and IPIP Tunnels are insecure when used
over the internet; use them at your own risk</h3>
<p>GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks.&nbsp;GRE
tunnels were introduced in shorewall version 1.2.0_Beta2.</p>
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a> work fine with Shorewall. Shorewall also includes a tunnel
script for automating tunnel configuration. If you have installed the RPM, the
tunnel script may be found in the Shorewall documentation directory (usually
/usr/share/doc/shorewall-&lt;version&gt;/).</p>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center">
<img border="0" src="images/TwoNets1.png" width="745" height="427"></p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file
and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
<p align="left">The 'tunnel' script is not installed in /etc/shorewall by
default -- If you install using the tarball, the script is included in the
tarball; if you install using the RPM, the file is in your Shorewall
documentation directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
<p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type'
parameter to the type of tunnel that you want to create.</p>
<p align="left">Example:</p>
<blockquote>
<p align="left">tunnel_type=gre</p>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>gw</b> zone. In
/etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>gw</td>
<td>tosysb</td>
<td>10.255.255.255</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>ipip</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP
encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
<p>In the tunnel script on system A:</p>
<blockquote>
<p>tunnel=tosysb<br>
myrealip=206.161.148.9 (for GRE tunnel only)<br>
myip=192.168.1.1<br>
hisip=10.0.0.1<br>
gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>gw</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>gw</td>
<td>tosysa</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>ipip</td>
<td>net</td>
<td>206.191.148.9</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>And in the tunnel script on system B:</p>
<blockquote>
<p>tunnel=tosysa<br>
myrealip=134.28.54.2 (for GRE tunnel only)<br>
myip=10.0.0.1<br>
hisip=192.168.1.1<br>
gateway=206.191.148.9<br>
subnet=192.168.1.0/24</p>
</blockquote>
<p>You can rename the modified tunnel scripts if you like; be sure that they are
secured so that root can execute them. </p>
<p align="Left"> You will need to allow traffic between the &quot;gw&quot; zone and
the &quot;loc&quot; zone on both systems -- if you simply want to admit all traffic
in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>gw</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>gw</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>On both systems, restart Shorewall and
run the modified tunnel script with the &quot;start&quot; argument on each
system. The systems in the two masqueraded subnetworks can now talk to each
other</p>
<p><font size="2">Updated 5/18/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

240
Shorewall-docs/IPSEC.htm Normal file
View File

@ -0,0 +1,240 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall IPSec Tunneling</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">IPSEC Tunnels</h1>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
http://jixen.tripod.com</a>
. I highly recommend that you consult that site for information about confuring
FreeS/Wan. <p><font color="#FF6633"><b>Warning: </b></font>Do not use Proxy ARP
and FreeS/Wan on the same system unless you are prepared to suffer the
consequences. If you start or restart Shorewall with an IPSEC tunnel active,
the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device
(ipsecX) rather than to the interface that you specify in the INTERFACE column
of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I
can't say if it is a bug in the Kernel or in FreeS/Wan.&nbsp;</p>
<p>You <b>might</b> be able to work around this problem using the following (I
haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
<h2>
<font color="#660066">IPSec Gateway
on the Firewall System
</font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
<p align="Center"><font face="Century Gothic, Arial, Helvetica">
<img src="images/TwoNets1.png" width="745" height="427">
</font></p>
</font>
<p align="Left">We want systems
in the 192.168.1.0/24 sub-network to be able to communicate with systems
in the 10.0.0.0/8 network.</p>
<p align="Left">To make this work, we need to do two things:</p>
<p align="Left">a) Open the firewall so that the IPSEC tunnel can be established
(allow the ESP and AH protocols and UDP Port 500). </p>
<p align="Left">b) Allow traffic through the tunnel.</p>
<p align="Left">Opening the firewall for the IPSEC tunnel is accomplished by
adding an entry to the /etc/shorewall/tunnels file.</p>
<p align="Left">In /etc/shorewall/tunnels
on system A, we need the following </p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table></blockquote>
<p align="Left">In /etc/shorewall/tunnels
on system B, we would have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>206.161.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table></blockquote>
<p align="Left">At both
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "gw"
interface:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><strong>
ZONE</strong></td>
<td><strong>
INTERFACE</strong></td>
<td><strong>
BROADCAST</strong></td>
<td><strong>
OPTIONS</strong></td>
</tr>
<tr>
<td>gw</td>
<td>ipsec0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table></blockquote>
<p align="Left"> You will need to allow traffic between the &quot;gw&quot; zone and
the &quot;loc&quot; zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>gw</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>gw</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p align="Left"> Once
you have these entries in place, restart Shorewall (type shorewall restart);
you are now ready to configure the tunnel in <a href="http://www.xs4all.nl/%7Efreeswan/">
FreeS/WAN</a>
.</p>
<h2><font color="#660066"><a name="RoadWarrior"></a>
Mobile System (Road Warrior)</font></h2>
<p>Suppose that you have
a laptop system (B) that you take with you when you travel and you want to
be able to establish a secure connection back to your local network.</p>
<p align="Center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.png" width="677" height="426">
</font></strong></p>
<p align="Left"> In this
instance, the mobile system (B) has IP address 134.28.54.2 but that cannot
be determined in advance. In the /etc/shorewall/tunnels file on system A,
the following entry should be made:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td>ipsec</td>
<td>net</td>
<td>0.0.0.0/0</td>
<td>gw</td>
</tr>
</tbody>
</table></blockquote>
<p>Note that the GATEWAY
ZONE column contains the name of the zone corresponding to peer subnetworks
(<i>gw</i> in the default /etc/shorewall/zones). This indicates that the
gateway system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</p>
<p>You will need to configure /etc/shorewall/interfaces and establish
your &quot;through the tunnel&quot; policy as shown under the first example above.</p>
<p><font size="2"> Last
updated 5/18/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

165
Shorewall-docs/Install.htm Normal file
View File

@ -0,0 +1,165 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body><h1 align="center">Shorewall Installation</h1>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install
using tarball</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade
using tarball</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell
prompt, type &quot;/sbin/iptables --version&quot;), you must upgrade to version 1.2.4
either from the
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall
rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing &quot;shorewall start&quot;</li>
</ul>
<p><a name="Install_Tarball"></a>To
install Shorewall using the tarball and install
script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-1.1.10&quot;).</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li>
<li>Start the firewall by typing &quot;shorewall
start&quot;</li>
<li>If the install script was unable to configure Shorewall to be started automatically at boot,
see <a href="Documentation.htm#Starting">these
instructions</a>.</li>
</ul>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file. Also, there are certain 1.2 rule forms
that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
<a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and
host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
<p>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall
rpm&gt;).<br>
&nbsp;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule
forms that are no longer supported under 1.3 (you must use the new 1.3 syntax).
See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules
and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-3.0.1&quot;).</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall by typing &quot;shorewall restart&quot;</li>
</ul>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<p><font size="2">Updated 8/7/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body></html>

87
Shorewall-docs/NAT.htm Normal file
View File

@ -0,0 +1,87 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<blockquote>
<h1 align="center">Static NAT</h1>
<p><font color="#FF0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static NAT.
Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>Static NAT is a way to make systems behind a
firewall and configured with private IP addresses (those
reserved for private use in RFC1918) appear to have public IP
addresses.</p>
<p>The following figure represents a static NAT
environment.</p>
<p align="center"><strong>
<img src="images/staticnat.png" width="435" height="397"></strong></p>
<blockquote>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we
assume that the interface to the upper subnet is eth0, then the following
/etc/shorewall/NAT file would make the lower left-hand system appear to have
IP address 130.252.100.18 and the right-hand one to have IP address
130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth0</td>
<td>10.1.1.2</td>
<td>yes</td>
<td>yes</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth0</td>
<td>10.1.1.3</td>
<td>yes</td>
<td>yes</td>
</tr>
</table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The &quot;ALL INTERFACES&quot; column
is used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
column empty, &quot;Yes&quot; is assumed.&nbsp;The ALL INTERFACES column was
added in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>=&quot;no&quot;
(or &quot;No&quot;) in /etc/shorewall/shorewall.conf; If you do not set
ADD_IP_ALIASES or if you set it to &quot;Yes&quot; or &quot;yes&quot; then you must NOT configure your own alias(es).</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the &quot;LOCAL&quot;
column determine whether packets originating on the firewall itself and
destined for the EXTERNAL address are redirected to the internal ADDRESS. If
this column contains &quot;yes&quot; or &quot;Yes&quot; (and the ALL
INTERFACES COLUMN also contains &quot;Yes&quot; or &quot;yes&quot;) then
such packets are redirected; otherwise, such packets are not redirected. The
LOCAL column was added in version 1.1.8.</p>
</blockquote>
<blockquote>
</blockquote>
<p><font size="2">Last updated 3/27/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>

999
Shorewall-docs/News.htm Normal file
View File

@ -0,0 +1,999 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall News</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall News Archive</h1>
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></b></p>
<p>This branch will only be updated after I release a new version of Shorewall
so you can always update from this branch to get the latest stable tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
to the <a href="errata.htm">Errata Page</a></b></p>
<p>Now there is one place to go to look for issues involved with upgrading to
recent versions of Shorewall.</p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p>
<ul>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides </a>
including the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part of or
related to an existing connection and that are not SYN packets. These &quot;New
not SYN&quot; packets may be optionally logged by setting the LOGNEWNOTSYN option
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of &quot;New not SYN&quot; packets may be extended by commands in
the new <a href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.</li>
</ul>
<p><b>7/30/2002 - Shorewall 1.3.5b Released</b></p>
<p>This interim release:</p>
<ul>
<li>Causes the firewall script to remove the lock file if it is killed.</li>
<li>Once again allows lists in the second column of the
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.</li>
<li>Includes the latest <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a>.</li>
</ul>
<p><b>7/29/2002 - New Shorewall Setup Guide Available</b></p>
<p>The first draft of this guide is available at
<a href="http://www.shorewall.net/shorewall_setup_guide.htm">
http://www.shorewall.net/shorewall_setup_guide.htm</a>. The guide is intended
for use by people who are setting up Shorewall to manage multiple public IP
addresses and by people who want to learn more about Shorewall than is
described in the single-address guides. Feedback on the new guide is welcome.</p>
<p><b>7/28/2002 - Shorewall 1.3.5 Debian Package Available</b></p>
<p>Lorenzo Martignoni reports that the packages are version 1.3.5a and are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>7/27/2002 - Shorewall 1.3.5a Released</b></p>
<p>This interim release restores correct handling of REDIRECT rules. </p>
<p><b>7/26/2002 - Shorewall 1.3.5 Released</b></p>
<p>This will be the last Shorewall release for a while. I'm going to be
focusing on rewriting a lot of the documentation.</p>
<p><b>&nbsp;</b>In this version:</p>
<ul>
<li>Empty and invalid source and destination qualifiers are now detected in
the rules file. It is a good idea to use the 'shorewall check' command before
you issue a 'shorewall restart' command be be sure that you don't have any
configuration problems that will prevent a successful restart.</li>
<li>Added <b>MERGE_HOSTS</b> variable in <a href="Documentation.htm#Conf">
shorewall.conf</a> to provide saner behavior of the /etc/shorewall/hosts
file.</li>
<li>The time that the counters were last reset is now displayed in the
heading of the 'status' and 'show' commands.</li>
<li>A <b>proxyarp </b>option has been added for entries in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
option facilitates Proxy ARP sub-netting as described in the Proxy ARP
subnetting mini-HOWTO (<a href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>).
Specifying the proxyarp option for an interface causes Shorewall to set
/proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.</li>
<li>The Samples have been updated to reflect the new capabilities in this
release. </li>
</ul>
<p><b>7/16/2002 - New Mirror in Argentina</b></p>
<p>Thanks to Arturo &quot;Buanzo&quot; Busleiman, there is now a Shorewall mirror in
Argentina. Thanks Buanzo!!!</p>
<p><b>7/16/2002 - Shorewall 1.3.4 Released</b></p>
<p>In this version:</p>
<ul>
<li>A new <a href="Documentation.htm#Routestopped">
/etc/shorewall/routestopped</a> file has been added. This file is intended to
eventually replace the <b>routestopped</b> option in the
/etc/shorewall/interface and /etc/shorewall/hosts files. This new file makes
remote firewall administration easier by allowing any IP or subnet to be
enabled while Shorewall is stopped.</li>
<li>An /etc/shorewall/stopped <a href="Documentation.htm#Scripts">extension
script</a> has been added. This script is invoked after Shorewall has
stopped.</li>
<li>A <b>DETECT_DNAT_ADDRS </b>option has been added to
<a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When this
option is selected, DNAT rules only apply when the destination address is the
external interface's primary IP address.</li>
<li>The <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> has
been broken into three guides and has been almost entirely rewritten.</li>
<li>The Samples have been updated to reflect the new capabilities in this
release. </li>
</ul>
<p><b>7/8/2002 - Shorewall 1.3.3 Debian Package Available</b></p>
<p>Lorenzo Marignoni reports that the packages are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>7/6/2002 - Shorewall 1.3.3 Released</b></p>
<p>In this version:</p>
<ul>
<li>Entries in /etc/shorewall/interface that use the wildcard character (&quot;+&quot;)
now have the &quot;multi&quot; option assumed.</li>
<li>The 'rfc1918' chain in the mangle table has been renamed 'man1918' to
make log messages generated from that chain distinguishable from those
generated by the 'rfc1918' chain in the filter table.</li>
<li>Interface names appearing in the hosts file are now validated against the
interfaces file.</li>
<li>The TARGET column in the rfc1918 file is now checked for correctness.</li>
<li>The chain structure in the nat table has been changed to reduce the
number of rules that a packet must traverse and to correct problems with
NAT_BEFORE_RULES=No</li>
<li>The &quot;hits&quot; command has been enhanced.</li>
</ul>
<p><b>6/25/2002 - Samples Updated for 1.3.2</b></p>
<p>The comments in the sample configuration files have been updated to reflect
new features introduced in Shorewall 1.3.2.</p>
<p><b>6/25/2002 - Shorewall 1.3.1 Debian Package Available</b></p>
<p>Lorenzo Marignoni reports that the package is available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>6/19/2002 - Documentation Available in PDF Format</b></p>
<p>Thanks to Mike Martinez, the Shorewall Documentation is now available for
<a href="download.htm">download</a> in <a href="http://www.adobe.com">Adobe</a>
PDF format.</p>
<p><b>6/16/2002 - Shorewall 1.3.2 Released</b></p>
<p>In this version:</p>
<ul>
<li>A <a href="Documentation.htm#Starting">logwatch command</a> has been
added to /sbin/shorewall.</li>
<li>A <a href="blacklisting_support.htm">dynamic blacklist facility</a> has
been added.</li>
<li>Support for the <a href="Documentation.htm#Conf">Netfilter multiport
match function</a> has been added.</li>
<li>The files <b>firewall, functions </b>and <b>version</b> have been moved
from /etc/shorewall to /var/lib/shorewall.</li>
</ul>
<p><b>6/6/2002 - Why CVS Web access is Password Protected</b></p>
<p>Last weekend, I installed the CVS Web package to provide brower-based access
to the Shorewall CVS repository. Since then, I have had several instances where
my server was almost unusable due to the high load generated by website copying
tools like HTTrack and WebStripper. These mindless tools:</p>
<ul>
<li>Ignore robot.txt files.</li>
<li>Recursively copy everything that they find.</li>
<li>Should be classified as weapons rather than tools.</li>
</ul>
<p>These tools/weapons are particularly damaging when combined with CVS Web
because they doggedly follow every link in the cgi-generated HTML resulting in
1000s of executions of the cvsweb.cgi script. Yesterday, I spend several hours
implementing measures to block these tools but unfortunately, these measures
resulted in my server OOM-ing under even moderate load.</p>
<p>Until I have the time to understand the cause of the OOM (or until I buy
more RAM if that is what is required), CVS Web access will remain Password
Protected. </p>
<p><b>6/5/2002 - Shorewall 1.3.1 Debian Package Available</b></p>
<p>Lorenzo Marignoni reports that the package is available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>6/2/2002 - Samples Corrected</b></p>
<p>The 1.3.0 samples configurations had several serious problems that prevented
DNS and SSH from working properly. These problems have been corrected in the
<a href="/pub/shorewall/samples-1.3.1">1.3.1 samples.</a></p>
<p><b>6/1/2002 - Shorewall 1.3.1 Released</b></p>
<p>Hot on the heels of 1.3.0, this release:</p>
<ul>
<li>Corrects a serious problem with &quot;all <i>&lt;zone&gt;</i> CONTINUE&quot; policies.
This problem is present in all versions of Shorewall that support the
CONTINUE policy. These previous versions optimized away the &quot;all2<i>&lt;zone&gt;</i>&quot;
chain and replaced it with the &quot;all2all&quot; chain with the usual result that a
policy of REJECT was enforced rather than the intended CONTINUE policy.</li>
<li>Adds an <a href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918</a>
file for defining the exact behavior of the<a href="Documentation.htm#Interfaces">
'norfc1918' interface option</a>.</li>
</ul>
<p><b>5/29/2002 - Shorewall 1.3.0 Released</b></p>
<p>In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0
includes:</p>
<ul>
<li>A 'filterping' interface option that allows ICMP echo-request (ping)
requests addressed to the firewall to be handled by entries in
/etc/shorewall/rules and /etc/shorewall/policy.</li>
</ul>
<p><b>5/23/2002 - Shorewall 1.3 RC1 Available</b></p>
<p>In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92)
incorporates the following:</p>
<ul>
<li>Support for the /etc/shorewall/whitelist file has been withdrawn. If you
need whitelisting, see <a href="/1.3/whitelisting_under_shorewall.htm">these
instructions</a>.</li>
</ul>
<p><b>5/19/2002 - Shorewall 1.3 Beta 2 Available</b></p>
<p>In addition to the changes in Beta 1, this release which carries the
designation 1.2.91 adds:</p>
<ul>
<li>The structure of the firewall is changed markedly. There is now an INPUT
and a FORWARD chain for each interface; this reduces the number of rules that
a packet must traverse, especially in complicated setups.</li>
<li><a href="Documentation.htm#Exclude">Sub-zones may now be excluded from
DNAT and REDIRECT rules.</a></li>
<li>The names of the columns in a number of the configuration files have been
changed to be more consistent and self-explanatory and the documentation has
been updated accordingly.</li>
<li>The sample configurations have been updated for 1.3.</li>
</ul>
<p><b>5/17/2002 - Shorewall 1.3 Beta 1 Available</b></p>
<p>Beta 1 carries the version designation 1.2.90 and implements the following
features:</p>
<ul>
<li>Simplified rule syntax which makes the intent of each rule clearer and
hopefully makes Shorewall easier to learn.</li>
<li>Upward compatibility with 1.2 configuration files has been maintained so
that current users can migrate to the new syntax at their convenience.</li>
<li><b><font color="#CC6666">WARNING:&nbsp; Compatibility with the old
parameterized sample configurations has NOT been maintained. Users still
running those configurations should migrate to the new sample configurations
before upgrading to 1.3 Beta 1.</font></b></li>
</ul>
<p><b>5/4/2002 - Shorewall 1.2.13 is Available</b></p>
<p>In this version:</p>
<ul>
<li><a href="Documentation.htm#Whitelist">White-listing</a> is supported.</li>
<li><a href="Documentation.htm#Policy">SYN-flood protection </a>is added.</li>
<li>IP addresses added under <a href="Documentation.htm#Conf">ADD_IP_ALIASES
and ADD_SNAT_ALIASES</a> now inherit the VLSM and Broadcast Address of the
interface's primary IP address.</li>
<li>The order in which port forwarding DNAT and Static DNAT
<a href="Documentation.htm#Conf">can now be reversed</a> so that port
forwarding rules can override the contents of <a href="Documentation.htm#NAT">
/etc/shorewall/nat</a>. </li>
</ul>
<p><b>4/30/2002 - Shorewall Debian News</b></p>
<p>Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</p>
<p><b>4/20/2002 - Shorewall 1.2.12 is Available</b></p>
<ul>
<li>The 'try' command works again</li>
<li>There is now a single RPM that also works with SuSE.</li>
</ul>
<p><b>4/17/2002 - Shorewall Debian News</b></p>
<p>Lorenzo Marignoni reports that:</p>
<ul>
<li>Shorewall 1.2.10 is in the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a></li>
<li>Shorewall 1.2.11 is in the
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a></li>
</ul>
<p>Thanks, Lorenzo!</p>
<p><b>4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE</b></p>
<p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there is
now a Shorewall 1.2.11
<a href="http://www.shorewall.net/pub/shorewall/shorewall-1.2-11.i686.suse73.rpm">
SuSE RPM</a> available. </p>
<p><b>4/13/2002 - Shorewall 1.2.11 Available </b></p>
<p>In this version:</p>
<ul>
<li>The 'try' command now accepts an optional timeout. If the timeout is
given in the command, the standard configuration will automatically be
restarted after the new configuration has been running for that length of
time. This prevents a remote admin from being locked out of the firewall in
the case where the new configuration starts but prevents access.</li>
<li>Kernel route filtering may now be enabled globally using the new
ROUTE_FILTER parameter in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf</a>.</li>
<li>Individual IP source addresses and/or subnets may now be excluded from
masquerading/SNAT.</li>
<li>Simple &quot;Yes/No&quot; and &quot;On/Off&quot; values are now case-insensitive in
/etc/shorewall/shorewall.conf.</li>
</ul>
<p><b>4/13/2002 - Hamburg Mirror now has FTP </b></p>
<p>Stefan now has an FTP mirror at
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">
ftp://germany.shorewall.net/pub/shorewall</a>.&nbsp; Thanks Stefan!</p>
<p><b>4/12/2002 - New Mirror in Hamburg</b></p>
<p>Thanks to <a href="mailto:s.mohr@familie-mohr.com">Stefan Mohr</a>, there is
now a mirror of the Shorewall website at
<a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a>. </p>
<p><b>4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available</b></p>
<p><a href="shorewall_quickstart_guide.htm">Version 1.1 of the QuickStart Guide</a>
is now available. Thanks to those who have read version 1.0 and offered their
suggestions. Corrections have also been made to the sample scripts.</p>
<p><b>4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available</b></p>
<p><a href="shorewall_quickstart_guide.htm">Version 1.0 of the QuickStart Guide</a>
is now available. This Guide and its accompanying sample configurations are
expected to provide a replacement for the recently withdrawn parameterized
samples. </p>
<p><b>4/8/2002 - Parameterized Samples Withdrawn </b></p>
<p>Although the <a href="http://www.shorewall.net/pub/shorewall/samples-1.2.1/">parameterized
samples</a> have allowed people to get a firewall up and running quickly, they
have unfortunately set the wrong level of expectation among those who have used
them. I am therefore withdrawing support for the samples and I am recommending
that they not be used in new Shorewall installations.</p>
<p><b>4/2/2002 - Updated Log Parser</b></p>
<p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided an updated
version of his
<a href="pub/shorewall/parsefw/">CGI-based log parser</a> with corrected date
handling. </p>
<p><b>3/30/2002 - Shorewall Website Search Improvements</b></p>
<p>The quick search on the home page now excludes the mailing list archives.
The <a href="htdig/search.html">Extended Search</a> allows excluding the
archives or restricting the search to just the archives. An archive search form
is also available on the <a href="mailing_list.htm">mailing list information
page</a>.</p>
<p><b>3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)</b></p>
<ul>
<li>The 1.2.10 Debian Package is available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</li>
<li>Shorewall 1.2.9 is now in the
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Distribution</a>.</li>
</ul>
<p><b>3/25/2002 - Log Parser Available</b></p>
<p><a href="mailto:JML@redwoodtech.com">John Lodge</a> has provided a
<a href="pub/shorewall/parsefw/">CGI-based log parser</a> for Shorewall. Thanks
John.</p>
<p><b>3/20/2002 - Shorewall 1.2.10 Released</b></p>
<p>In this version:</p>
<ul>
<li>A &quot;shorewall try&quot; command has been added (syntax: shorewall try <i>
&lt;configuration directory&gt;</i>). This command attempts &quot;shorewall -c <i>
&lt;configuration directory&gt;</i> start&quot; and if that results in the firewall
being stopped due to an error, a &quot;shorewall start&quot; command is executed. The
'try' command allows you to create a new <a href="Documentation.htm#Configs">
configuration</a> and attempt to start it; if there is an error that leaves
your firewall in the stopped state, it will automatically be restarted using
the default configuration (in /etc/shorewall).</li>
<li>A new variable ADD_SNAT_ALIASES has been added to
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>. If this
variable is set to &quot;Yes&quot;, Shorewall will automatically add IP addresses
listed in the third column of the <a href="Documentation.htm#Masq">
/etc/shorewall/masq</a> file.</li>
<li>Copyright notices have been added to the documenation.</li>
</ul>
<p><b>3/11/2002 - Shorewall 1.2.9 Released</b></p>
<p>In this version:</p>
<ul>
<li>Filtering by <a href="Documentation.htm#MAC">MAC address</a> has been added.
MAC addresses may be used as the source address in:<ul>
<li>Filtering rules (<a href="Documentation.htm#Rules">/etc/shorewall/rules</a>)</li>
<li>Traffic Control Classification Rules (<a href="traffic_shaping.htm#tcrules">/etc/shorewall/tcrules</a>)</li>
<li>TOS Rules (<a href="Documentation.htm#TOS">/etc/shorewall/tos</a>)</li>
<li>Blacklist (<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a>)</li>
</ul>
</li>
<li>Several bugs have been fixed</li>
<li>The 1.2.9 Debian Package is also available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</li>
</ul>
<p><b>3/1/2002 - 1.2.8 Debian Package is Available</b></p>
<p>See <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<p><b>2/25/2002 - New Two-interface Sample</b></p>
<p>I've enhanced the two interface sample to allow access from the firewall to
servers in the local zone -
<a href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz">
http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz</a></p>
<p><b>2/23/2002 - Shorewall 1.2.8 Released</b></p>
<p>Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects
problems associated with the lock file used to prevent multiple state-changing
operations from occuring simultaneously. My apologies for any inconvenience my
carelessness may have caused.</p>
<p><b>2/22/2002 - Shorewall 1.2.7 Released</b></p>
<p>In this version:</p>
<ul>
<li>UPnP probes (UDP destination port 1900) are now silently dropped in the
<i>common</i> chain</li>
<li>RFC 1918 checking in the mangle table has been streamlined to no longer
require packet marking. RFC 1918 checking in the filter table has been
changed to require half as many rules as previously.</li>
<li>A 'shorewall check' command has been added that does a cursory validation
of the zones, interfaces, hosts, rules and policy files.</li>
</ul>
<p><b>2/18/2002 - 1.2.6 Debian Package is Available</b></p>
<p>See <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<p><b>2/8/2002 - Shorewall 1.2.6 Released</b></p>
<p>In this version:</p>
<ul>
<li>$-variables may now be used anywhere in the configuration files except
/etc/shorewall/zones.</li>
<li>The interfaces and hosts files now have their contents validated before
any changes are made to the existing Netfilter configuration. The appearance
of a zone name that isn't defined in /etc/shorewall/zones causes &quot;shorewall
start&quot; and &quot;shorewall restart&quot; to abort without changing the Shorewall state.
Unknown options in either file cause a warning to be issued.</li>
<li>A problem occurring when BLACKLIST_LOGLEVEL was not set has been
corrected.</li>
</ul>
<p><b>2/4/2002 - Shorewall 1.2.5 Debian Package Available</b></p>
<p>see <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<p><b>2/1/2002 - Shorewall 1.2.5 Released</b></p>
<p>Due to installation problems with Shorewall 1.2.4, I have released Shorewall
1.2.5. Sorry for the rapid-fire development.</p>
<p>In version 1.2.5:</p>
<ul>
<li>The installation problems have been corrected.</li>
<li><a href="Documentation.htm#Masq">SNAT</a> is now supported.</li>
<li>A &quot;shorewall version&quot; command has been added</li>
<li>The default value of the STATEDIR variable in
/etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall in
order to conform to the GNU/Linux File Hierarchy Standard, Version 2.2.</li>
</ul>
<p><b>1/28/2002 - Shorewall 1.2.4 Released</b></p>
<ul>
<li>The &quot;fw&quot; zone <a href="Documentation.htm#FW">may now be given a
different name</a>.</li>
<li>You may now place end-of-line comments (preceded by '#') in any of the
configuration files</li>
<li>There is now protection against against two state changing operations
occuring concurrently. This is implemented using the 'lockfile' utility if
it is available (lockfile is part of procmail); otherwise, a less robust
technique is used. The lockfile is created in the STATEDIR defined in
/etc/shorewall/shorewall.conf and has the name &quot;lock&quot;.</li>
<li>&quot;shorewall start&quot; no longer fails if &quot;detect&quot; is
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> for an interface with subnet mask 255.255.255.255.</li>
</ul>
<p><b>1/27/2002 - Shorewall 1.2.3 Debian Package Available </b>-- see <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a></p>
<p><b>1/20/2002 - Corrected firewall script available&nbsp;</b></p>
<p>Corrects a problem with BLACKLIST_LOGLEVEL. See <a href="errata.htm">the
errata</a> for details.</p>
<p><b>1/19/2002 - Shorewall 1.2.3 Released</b></p>
<p>This is a minor feature and bugfix release. The single new feature is:</p>
<ul>
<li>Support for TCP MSS Clamp to PMTU -- This support is usually required when
the internet connection is via PPPoE or PPTP and may be enabled using the <a href="Documentation.htm#ClampMSS">CLAMPMSS</a>
option in /etc/shorewall/shorewall.conf.</li>
</ul>
<p>The following problems were corrected:</p>
<ul>
<li>The &quot;shorewall status&quot; command no longer hangs.</li>
<li>The &quot;shorewall monitor&quot; command now displays the icmpdef chain</li>
<li>The CLIENT PORT(S) column in tcrules is no longer ignored</li>
</ul>
<p><b>1/18/2002 - Shorewall 1.2.2 packaged with new </b><a href="http://leaf.sourceforge.net">LEAF</a><b>
release</b></p>
<p>Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution
that includes Shorewall 1.2.2. See <a href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a>
for details.</p>
<p><b>1/11/2002 - Debian Package (.deb) Now Available - </b>Thanks to <a href="mailto:lorenzo.martignoni@milug.org">Lorenzo
Martignoni</a>, a 1.2.2 Shorewall Debian package is now available. There is a
link to Lorenzo's site from the <a href="download.htm">Shorewall download page</a>.</p>
<p><b>1/9/2002 - Updated 1.2.2 /sbin/shorewall available - </b><a href="/pub/shorewall/errata/1.2.2/shorewall">This
corrected version </a>restores the &quot;shorewall status&quot; command to
health.</p>
<p><b>1/8/2002 - Shorewall 1.2.2 Released</b></p>
<p>In version 1.2.2</p>
<ul>
<li>Support for IP blacklisting has been added
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped or
rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION
</a>setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged and
at what syslog level using the <a href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li>
<li>You specify the interfaces you want checked against the blacklist
using the new &quot;<a href="Documentation.htm#BLInterface">blacklist</a>&quot;
option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
&quot;shorewall refresh&quot; command.</li>
</ul>
</li>
<li>Use of TCP RST replies has been expanded&nbsp;
<ul>
<li>TCP connection requests rejected because of a REJECT policy are now
replied with a TCP RST packet.</li>
<li>TCP connection requests rejected because of a protocol=all rule in
/etc/shorewall/rules are now replied with a TCP RST packet.</li>
</ul>
</li>
<li>A <a href="Documentation.htm#Logfile">LOGFILE</a> specification has been
added to /etc/shorewall/shorewall.conf. LOGFILE is used to tell the
/sbin/shorewall program where to look for Shorewall messages.</li>
</ul>
<p><b>1/5/2002 - New Parameterized Samples (<a href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.2.0/" target="_blank">version
1.2.0</a>) released. </b>These are minor updates to the previously-released
samples. There are two new rules added:</p>
<ul>
<li>Unless you have explicitly enabled Auth connections (tcp port 113) to your
firewall, these connections will be REJECTED rather than DROPPED. This
speeds up connection establishment to some servers.</li>
<li>Orphan DNS replies are now silently dropped.</li>
</ul>
<p>See the README file for upgrade instructions.</p>
<p><b>1/1/2002 - <u><font color="#FF6633">Shorewall Mailing List Moving</font></u></b></p>
<p>The Shorewall mailing list hosted at <a href="http://sourceforge.net"> Sourceforge</a> is moving to Shorewall.net.
If you are a current subscriber to the list at Sourceforge, please <a href="shorewall_mailing_list_migration.htm">see
these instructions</a>. If you would like to subscribe to the new list, visit <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
<p><b>12/31/2001 - Shorewall 1.2.1 Released</b></p>
<p>In version 1.2.1:</p>
<ul>
<li><a href="Documentation.htm#LogUncleanOption">Logging of Mangled/Invalid
Packets</a> is added.&nbsp;</li>
<li>The <a href="IPIP.htm">tunnel script</a> has been corrected.</li>
<li>'shorewall show tc' now correctly handles tunnels.</li>
</ul>
<p><b>12/21/2001 - Shorewall 1.2.0 Released!</b> - <b>I couldn't resist
releasing 1.2 on 12/21/2001</b></p>
<p>Version 1.2 contains the following new features:</p>
<ul>
<li>Support for <a href="traffic_shaping.htm">Traffic Control/Shaping</a></li>
<li>Support for <a href="Documentation.htm#Unclean">Filtering of
Mangled/Invalid Packets</a></li>
<li>Support for <a href="IPIP.htm">GRE Tunnels</a></li>
</ul>
<p>For the next month or so, I will continue to provide corrections to version
1.1.18 as necessary so that current version 1.1.x users will not be forced into a
quick upgrade to 1.2.0 just to have access to bug fixes.</p>
<p>For those of you who have installed one of the Beta RPMS, you will need to
use the &quot;--oldpackage&quot; option when upgrading to 1.2.0:</p>
<blockquote>
<p>rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm</p>
</blockquote>
<p><b>12/19/2001 - Thanks to <a href="mailto:scowles@infohiiway.com">Steve
Cowles</a>, there is now a Shorewall mirror in Texas. </b>This web site is
mirrored at <a href="http://www.infohiiway.com/shorewall" target="_top">http://www.infohiiway.com/shorewall</a>
and the ftp site is at <a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall">ftp://ftp.infohiiway.com/pub/mirrors/shorewall</a>.<b>&nbsp;</b></p>
<p><b>11/30/2001 - A new set of the parameterized <a href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample
Configurations</a> has been released</b>. In this version:</p>
<ul>
<li>Ping is now allowed between the zones.</li>
<li>In the three-interface configuration, it is now possible to configure the
internet services that are to be available to servers in the DMZ.&nbsp;</li>
</ul>
<p><b>11/20/2001 - The current version of Shorewall is 1.1.18.&nbsp;</b></p>
<p>In this version:</p>
<ul>
<li>The spelling of ADD_IP_ALIASES has been corrected in the shorewall.conf
file</li>
<li>The logic for deleting user-defined chains has been simplified so that it
avoids a bug in the LRP version of the 'cut' utility.</li>
<li>The /var/lib/lrpkg/shorwall.conf file has been corrected to properly
display the NAT entry in that file.</li>
</ul>
<p><b>11/19/2001 - Thanks to <a href="mailto:shorewall@timelord.sk">Juraj
Ontkanin</a>, there is now a Shorewall mirror in the Slovak Republic</b>. The website is now mirrored at <a href="http://www.nrg.sk/mirror/shorewall" target="_top">http://www.nrg.sk/mirror/shorewall</a>
and the FTP site is mirrored at <a href="ftp://ftp.nrg.sk/mirror/shorewall">ftp://ftp.nrg.sk/mirror/shorewall</a>.</p>
<p><b>11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations.</b>
There are three sample configurations:</p>
<ul>
<li>One Interface -- for a standalone system.</li>
<li>Two Interfaces -- A masquerading firewall.</li>
<li>Three Interfaces -- A masquerading firewall with DMZ.</li>
</ul>
<p>Samples may be downloaded from <a href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17">
ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17</a>
. See the README file for instructions.</p>
<p><b>11/1/2001 - The current version of Shorewall is 1.1.17</b>.&nbsp; I intend
this to be the last of the 1.1 Shorewall releases.</p>
<p> In this version:</p>
<ul>
<li>The handling of <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>
has been corrected. </li>
</ul>
<p><b>10/22/2001 - The current version of Shorewall is 1.1.16</b>. In this
version:</p>
<ul>
<li>A new &quot;shorewall show connections&quot; command has been added.</li>
<li>In the &quot;shorewall monitor&quot; output, the currently tracked
connections are now shown on a separate page.</li>
<li>Prior to this release, Shorewall unconditionally added the external IP
adddress(es) specified in /etc/shorewall/nat. Beginning with version
1.1.16, a new parameter (<a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>)
may be set to &quot;no&quot; (or &quot;No&quot;) to inhibit this behavior.
This allows IP aliases created using your distribution's network
configuration tools to be used in static NAT.&nbsp;</li>
</ul>
<p><b>10/15/2001 - The current version of Shorewall is 1.1.15.</b> In this
version:</p>
<ul>
<li>Support for nested zones has been improved. See <a href="Documentation.htm#Nested">
the documentation</a>
for details</li>
<li>Shorewall now correctly checks the alternate configuration directory for
the 'zones' file.</li>
</ul>
<p><b>10/4/2001 - The current version of Shorewall is 1.1.14.</b> In this version</p>
<ul>
<li>Shorewall now supports alternate configuration directories. When an
alternate directory is specified when starting or restarting Shorewall
(e.g., &quot;shorewall -c /etc/testconf restart&quot;), Shorewall will first
look for configuration files in the alternate directory then in
/etc/shorewall. To create an alternate configuration simply:<br>
1. Create a New Directory<br>
2. Copy to that directory any of your configuration files that you want to
change.<br>
3. Modify the copied files as needed.<br>
4. Restart Shorewall specifying the new directory.</li>
<li>The rules for allowing/disallowing icmp echo-requests (pings) are now
moved after rules created when processing the rules file. This allows you to
add rules that selectively allow/deny ping based on source or destination
address.</li>
<li>Rules that specify multiple client ip addresses or subnets no longer cause
startup failures.</li>
<li>Zone names in the policy file are now validated against the zones file.</li>
<li>If you have <a href="Documentation.htm#MangleEnabled">packet mangling</a>
support enabled, the &quot;<a href="Documentation.htm#Interfaces">norfc1918</a>&quot;
interface option now logs and drops any incoming packets on the interface
that have an RFC 1918 destination address.</li>
</ul>
<p><b>9/12/2001 - The current version of Shorewall is 1.1.13</b>. In this version</p>
<ul>
<li>Shell variables can now be used to parameterize Shorewall rules.</li>
<li>The second column in the hosts file may now contain a comma-separated
list.<br>
<br>
Example:<br>
&nbsp;&nbsp;&nbsp; sea&nbsp;&nbsp;&nbsp;
eth0:130.252.100.0/24,206.191.149.0/24</li>
<li>Handling of multi-zone interfaces has been improved. See the <a href="Documentation.htm#Interfaces">documentation
for the /etc/shorewall/interfaces file</a>.</li>
</ul>
<p><b>8/28/2001 - The current version of Shorewall is 1.1.12</b>. In this version</p>
<ul>
<li>Several columns in the rules file may now contain comma-separated lists.</li>
<li>Shorewall is now more rigorous in parsing the options in
/etc/shorewall/interfaces.</li>
<li>Complementation using &quot;!&quot; is now supported in rules.</li>
</ul>
<p><b>7/28/2001 - The current version of Shorewall is 1.1.11</b>. In this version</p>
<ul>
<li>A &quot;shorewall refresh&quot; command has been added to allow for
refreshing the rules associated with the broadcast address on a dynamic
interface. This command should be used in place of &quot;shorewall
restart&quot; when the internet interface's IP address changes.</li>
<li>The /etc/shorewall/start file (if any) is now processed after all
temporary rules have been deleted. This change prevents the accidental
removal of rules added during the processing of that file.</li>
<li>The &quot;dhcp&quot; interface option is now applicable to firewall
interfaces used by a DHCP server running on the firewall.</li>
<li>The RPM can now be built from the .tgz file using &quot;rpm -tb&quot;&nbsp;</li>
</ul>
<p><b>7/6/2001 - The current version of Shorewall is 1.1.10.</b> In this version</p>
<ul>
<li>Shorewall now enables Ipv4 Packet Forwarding by default. Packet forwarding
may be disabled by specifying IP_FORWARD=Off in
/etc/shorewall/shorewall.conf. If you don't want Shorewall to enable or
disable packet forwarding, add IP_FORWARDING=Keep to your
/etc/shorewall/shorewall.conf file.</li>
<li>The &quot;shorewall hits&quot; command no longer lists extraneous service
names in its last report.</li>
<li>Erroneous instructions in the comments at the head of the firewall script
have been corrected.</li>
</ul>
<p><b>6/23/2001 - The current version of Shorewall is 1.1.9.</b> In this version</p>
<ul>
<li>The &quot;tunnels&quot; file <u>really</u> is in the RPM now.</li>
<li>SNAT can now be applied to port-forwarded connections.</li>
<li>A bug which would cause firewall start failures in some dhcp configurations
has been fixed.</li>
<li>The firewall script now issues a message if you have the name of an
interface in the second column in an entry in /etc/shorewall/masq and that
interface is not up.</li>
<li>You can now configure Shorewall so that it<a href="Documentation.htm#NatEnabled"> doesn't require the NAT and/or
mangle netfilter modules</a>.</li>
<li>Thanks to Alex&nbsp; Polishchuk, the &quot;hits&quot; command
from seawall is now in shorewall.</li>
<li>Support for <a href="IPIP.htm">IPIP tunnels</a> has been added.</li>
</ul>
<p><b>6/18/2001 - The current version of Shorewall is 1.1.8</b>. In this version</p>
<ul>
<li>A typo in the sample rules file has been corrected.</li>
<li>It is now possible to restrict masquerading by<a href="Documentation.htm#Masq">
destination host or subnet.</a></li>
<li>It is now possible to have static <a href="NAT.htm#LocalPackets">NAT rules
applied to packets originating on the firewall itself</a>.</li>
</ul>
<p><b>6/2/2001 - The current version of Shorewall is 1.1.7.</b> In this version</p>
<ul>
<li>The TOS rules are now deleted when the firewall is stopped.</li>
<li>The .rpm will now install regardless of which version of iptables is
installed.</li>
<li>The .rpm will now install without iproute2 being installed.</li>
<li>The documentation has been cleaned up.</li>
<li>The sample configuration files included in Shorewall have been formatted
to 80 columns for ease of editing on a VGA console.</li>
</ul>
<p><b>5/25/2001 - The current version of Shorewall is 1.1.6</b>. In this version</p>
<ul>
<li><a href="Documentation.htm#lograte">You may now rate-limit the packet log.</a></li>
<li><font face="Century Gothic, Arial, Helvetica">&nbsp;Previous versions of
Shorewall have an implementation of Static NAT which violates the principle
of least surprise.&nbsp; NAT only occurs for packets arriving at (DNAT) or
send from (SNAT) the interface named in the INTERFACE column of
/etc/shorewall/nat. Beginning with version 1.1.6, NAT effective regardless
of which interface packets come from or are destined to. To get
compatibility with prior versions, I have added a new &quot;ALL <a href="NAT.htm#AllInterFaces">&quot;ALL
INTERFACES&quot;&nbsp; column to /etc/shorewall/nat</a>. By placing
&quot;no&quot; or &quot;No&quot; in the new column, the NAT behavior of
prior versions may be retained.&nbsp;</font></li>
<li>The treatment of <a href="IPSEC.htm#RoadWarrior">IPSEC Tunnels where the remote
gateway is a standalone system has been improved</a>. Previously, it was
necessary to include an additional rule allowing UDP port 500 traffic to
pass through the tunnel. Shorewall will now create this rule automatically
when you place the name of the remote peer's zone in a new GATEWAY ZONE
column in /etc/shorewall/tunnels.&nbsp;</li>
</ul>
<p><b>5/20/2001 - The current version of Shorewall is 1.1.5.</b> In this version</p>
<ul>
<li><a href="Documentation.htm#modules">You may now pass parameters when loading
netfilter modules and you can specify the modules to load.</a></li>
<li>Compressed modules are now loaded. This requires that you modutils support
loading compressed modules.</li>
<li><a href="Documentation.htm#TOS">You may now set the Type of Service (TOS)
field in packets.</a></li>
<li>Corrected rules generated for port redirection (again).</li>
</ul>
<p><b>5/10/2001 - The current version of Shorewall is 1.1.4.</b> In this version</p>
<ul>
<li> <a href="Documentation.htm#Conf">Accepting RELATED connections is now
optional.</a></li>
<li>Corrected problem where if &quot;shorewall start&quot; aborted early
(due to kernel configuration errors for example), superfluous 'sed' error
messages were reported.</li>
<li>Corrected rules generated for port redirection.</li>
<li>The order in which iptables kernel modules are loaded has been
corrected (Thanks to Mark Pavlidis).&nbsp;</li>
</ul>
<p><b>4/28/2001 - The current version of Shorewall is 1.1.3.</b> In this version</p>
<ul>
<li>Correct message issued when Proxy ARP address added (Thanks to Jason Kirtland).</li>
<li>/tmp/shorewallpolicy-$$ is now removed if there is an error while starting the firewall.</li>
<li>/etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to define the icmpdef and common chains unless overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.</li>
<li>In the .lrp, the file /var/lib/lrpkg/shorwall.conf has been corrected. An extra space after "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules" has been added.</li>
<li>When a sub-shell encounters a fatal error and has stopped the firewall, it now kills the main shell so that the main shell will not continue.</li>
<li>A problem has been corrected where a sub-shell stopped the firewall and main shell continued resulting in a perplexing error message
referring to "common.so" resulted.</li>
<li>Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules resulted in an error message during start. This has been corrected.</li>
<li>The first line of "install.sh" has been corrected -- I had inadvertently deleted the initial "#".</li>
</ul>
<p><b>4/12/2001 - The current version of Shorewall is 1.1.2.</b> In this version</p>
<ul>
<li>Port redirection now works again.</li>
<li>The icmpdef and common chains <a href="Documentation.htm#Icmpdef">may
now be user-defined</a>.</li>
<li>The firewall no longer fails to start if &quot;routefilter&quot; is
specified for an interface that isn't started. A warning message is now
issued in this case.</li>
<li>The LRP Version is renamed &quot;shorwall&quot; for 8,3 MSDOS file
system compatibility.</li>
<li>A couple of LRP-specific problems were corrected.</li>
</ul>
<p><b>4/8/2001 - Shorewall is now affiliated with the <a href="http://leaf.sourceforge.net">Leaf
Project</a> </b> <a href="http://leaf.sourceforge.net">
<img border="0" src="images/leaflogo.gif" width="49" height="36"></a></p>
<p><b>4/5/2001 - The current version of Shorewall is 1.1.1. In this version:</b></p>
<ul>
<li>The common chain is traversed from INPUT, OUTPUT and FORWARD before
logging occurs</li>
<li>The source has been cleaned up dramatically</li>
<li>DHCP DISCOVER packets with RFC1918 source addresses no longer
generate log messages. Linux DHCP clients generate such packets and it's
annoying to see them logged.&nbsp;</li>
</ul>
<p><b>3/25/2001 - The current version of Shorewall is 1.1.0. In this version:</b></p>
<ul>
<li>Log messages now indicate the packet disposition.</li>
<li>Error messages have been improved.</li>
<li>The ability to define zones consisting of an enumerated set of hosts
and/or subnetworks has been added.</li>
<li>The zone-to-zone chain matrix is now sparse so that only those chains
that contain meaningful rules are defined.</li>
<li>240.0.0.0/4 and 169.254.0.0/16 have been added to the source
subnetworks whose packets are dropped under the <i>norfc1918</i> interface
option.</li>
<li>Exits are now provided for executing an user-defined script when a
chain is defined, when the firewall is initialized, when the firewall is
started, when the firewall is stopped and when the firewall is cleared.</li>
<li>The Linux kernel's route filtering facility can now be specified
selectively on network interfaces.</li>
</ul>
<p><b>3/19/2001 - The current version of Shorewall is 1.0.4. This version:</b></p>
<ul>
<li>Allows user-defined zones. Shorewall now has only one pre-defined
zone (fw) with the remaining zones being defined in the new configuration
file /etc/shorewall/zones. The /etc/shorewall/zones file released in this
version provides behavior that is compatible with Shorewall 1.0.3.&nbsp;</li>
<li>Adds the ability to specify logging in entries in the
/etc/shorewall/rules file.</li>
<li>Correct handling of the icmp-def chain so that only ICMP packets are
sent through the chain.</li>
<li>Compresses the output of &quot;shorewall monitor&quot; if awk is
installed. Allows the command to work if awk isn't installed (although
it's not pretty).</li>
</ul>
<p><b>3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix
release with no new features.</b></p>
<ul>
<li>The PATH variable in the firewall script now includes /usr/local/bin
and /usr/local/sbin.</li>
<li>DMZ-related chains are now correctly deleted if the DMZ is deleted.</li>
<li>The interface OPTIONS for &quot;gw&quot; interfaces are no longer
ignored.</li>
</ul>
<p><b>3/8/2001 - The current version of Shorewall is 1.0.2. It supports an
additional &quot;gw&quot; (gateway) zone for tunnels and it supports IPSEC
tunnels with end-points on the firewall. There is also a .lrp available now.</b></p>
<p><font size="2">Updated 7/31/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body></html>

731
Shorewall-docs/PPTP.htm Normal file
View File

@ -0,0 +1,731 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall PPTP</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">PPTP</h1>
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<ul>
<li>
<a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li>
<a href="#ServerBehind">PPTP Server running behind your
Firewall.</a></li>
<li>
<a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a></li>
<li>
<a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
</ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server
on your firewall system. This isn't a detailed HOWTO but rather an example of
how I have set up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p>
<ol>
<li><a href="#PatchPppd">Patching and building pppd</a></li>
<li><a href="#PatchKernel">Patching and building your Kernel</a></li>
<li><a href="#Samba">Configuring Samba</a></li>
<li><a href="#ConfigPppd">Configuring pppd</a></li>
<li><a href="#ConfigPptpd">Configuring pptpd</a></li>
<li><a href="#ConfigFw">Configuring Shorewall</a></li>
</ol>
<h3><a name="PatchPppd"></a>Patching and Building pppd</h3>
<p>To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary
site for releases of pppd is <a href="ftp://ftp.samba.org/pub/ppp">ftp://ftp.samba.org/pub/ppp</a>.</p>
<p>You will need the following patches:</p>
<ul>
<li>
<a href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz</a></li>
<li><a href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz</a></li>
</ul>
<p>You may also want the following patch if you want to require remote hosts to
use encryption:</p>
<ul>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff</a></li>
</ul>
<p>Un-tar the pppd source and uncompress the patches into one directory (the
patches and the ppp-2.4.1 directory are all in a single parent directory):</p>
<ul>
<li>cd ppp-2.4.1</li>
<li>patch -p1 &lt; ../ppp-2.4.0-openssl-0.9.6-mppe.patch</li>
<li>patch -p1 &lt; ../ppp-2.4.1-MSCHAPv2-fix.patch</li>
<li>(Optional) patch -p1 &lt; ../require-mppe.diff</li>
<li>./configure</li>
<li>make</li>
</ul>
<p>You will need to install the resulting binary on your firewall system. To do
that, I NFS mount my source filesystem and use &quot;make install&quot; from the
ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
<p>You will need one of the following patches depending on your kernel version:</p>
<ul>
<li>
<a href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz</a></li>
<li>
<a href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz</a></li>
</ul>
<p>Uncompress the patch into the same directory where your top-level kernel
source is located and:</p>
<ul>
<li>cd &lt;your GNU/Linux source top-level directory&gt;</li>
<li>patch -p1 &lt; ../linux-2.4.16-openssl-0.9.6b-mppe.patch</li>
</ul>
<p>Now configure your kernel. Here is my ppp configuration:</p>
<blockquote>
<p><img border="0" src="images/ppp.jpg" width="592" height="734"></p>
</blockquote>
<h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server is
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:</p>
<blockquote>
<pre>[global]
workgroup = TDM-NSTOP
netbios name = WOOKIE
server string = GNU/Linux Box
encrypt passwords = Yes
log file = /var/log/samba/%m.log
max log size = 0
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
os level = 65
domain master = True
preferred master = True
dns proxy = No
wins support = Yes
printing = lprng
[homes]
comment = Home Directories
valid users = %S
read only = No
create mask = 0664
directory mask = 0775
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes</pre>
</blockquote>
<h3><a name="ConfigPppd"></a>Configuring pppd</h3>
<p>Here is a copy of my /etc/ppp/options.poptop file:</p>
<blockquote>
<p><font face="Courier" size="2">ipparam PoPToP<br>
lock<br>
mtu 1490<br>
mru 1490<br>
ms-wins 192.168.1.3<br>
ms-dns 206.124.146.177<br>
multilink<br>
proxyarp<br>
auth<br>
+chap<br>
+chapms<br>
+chapms-v2<br>
ipcp-accept-local<br>
ipcp-accept-remote<br>
lcp-echo-failure 30<br>
lcp-echo-interval 5<br>
deflate 0<br>
mppe-128<br>
mppe-stateless<br>
require-mppe<br>
require-mppe-stateless</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>Since the firewall itself is acting as a WINS server, I have included the
firewall's internal IP as the 'ms-wins' value.</li>
<li>I have pointed the remote clients at my DNS server -- it has external
address 206.124.146.177.</li>
<li>I am requiring 128-bit stateless compression (my kernel is built with the
'require-mppe.diff' patch mentioned above.</li>
</ul>
<p>Here's my /etc/ppp/chap-secrets:</p>
<blockquote>
<p><font face="Courier" size="2"> Secrets for authentication using CHAP<br>
# client&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; server&nbsp;&nbsp;&nbsp; secret&nbsp;&nbsp;&nbsp;
IP addresses<br>
CPQTDM\\TEastep *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;shhhhhh&gt;
192.168.1.7<br>
TEastep&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; *&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;shhhhhh&gt; 192.168.1.7</font></p>
</blockquote>
<p>I am the only user who connects to the server but I may connect either with
or without a domain being specified. The system I connect from is my laptop so I
give it the same IP address when tunneled in as it has when it is in its docking
station.</p>
<p>You will also want the following in /etc/modules.conf:</p>
<pre> alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate</pre>
<h3><a name="ConfigPptpd"></a>Configuring pptpd</h3>
<p>PoPTop (pptpd) is available from <a href="http://poptop.lineo.com/">http://poptop.lineo.com/</a>.</p>
<p>Here is a copy of my /etc/pptpd.conf file:</p>
<blockquote>
<p><font face="Courier" size="2">option /etc/ppp/options.poptop<br>
speed 115200<br>
localip 192.168.1.254<br>
remoteip 192.168.1.33-38</font></p>
</blockquote>
<p>Notes:</p>
<ul>
<li>I specify the /etc/ppp/options.poptop file as my ppp options file (I have
several).</li>
<li>The local IP is the same as my internal interface's (192.168.1.254).</li>
<li>I have assigned a remote IP range that overlaps my local network. This,
together with 'proxyarp' in my /etc/ppp/options.poptop file make the remote
hosts look like they are part of the local subnetwork.</li>
</ul>
<p>I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:</p>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptpd<br>
#<br>
# chkconfig: 5 12 85<br>
# description: control pptp server<br>
#<br>
<br>
case "$1" in<br>
start)<br>
&nbsp;&nbsp;&nbsp; echo 1 > /proc/sys/net/ipv4/ip_forward<br>
&nbsp;&nbsp;&nbsp; modprobe ppp_async<br>
&nbsp;&nbsp;&nbsp; modprobe ppp_generic<br>
&nbsp;&nbsp;&nbsp; modprobe ppp_mppe<br>
&nbsp;&nbsp;&nbsp; modprobe slhc<br>
&nbsp;&nbsp;&nbsp; if /usr/local/sbin/pptpd; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; touch /var/lock/subsys/pptpd<br>
&nbsp;&nbsp;&nbsp; fi<br>
&nbsp;&nbsp;&nbsp; ;;<br>
stop)<br>
&nbsp;&nbsp;&nbsp; killall pptpd<br>
&nbsp;&nbsp;&nbsp; rm -f /var/lock/subsys/pptpd<br>
&nbsp;&nbsp;&nbsp; ;;<br>
restart)<br>
&nbsp;&nbsp;&nbsp; killall pptpd<br>
&nbsp;&nbsp;&nbsp; if /usr/local/sbin/pptpd; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; touch /var/lock/subsys/pptpd<br>
&nbsp;&nbsp;&nbsp; fi<br>
&nbsp;&nbsp;&nbsp; ;;<br>
status)<br>
&nbsp;&nbsp;&nbsp; ifconfig<br>
&nbsp;&nbsp;&nbsp; ;;<br>
*)<br>
&nbsp;&nbsp;&nbsp; echo "Usage: $0 {start|stop|restart|status}"<br>
&nbsp;&nbsp;&nbsp; ;;<br>
esac</font></p>
</blockquote>
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
<p>I consider hosts connected to my PPTP server to be just like local systems.
My key Shorewall entries are:</p>
<h4>/etc/shorewall/zones:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td>net</td>
<td>Internet</td>
<td>The Internet</td>
</tr>
<tr>
<td>loc</td>
<td>Local</td>
<td>My Local Network including remote PPTP clients</td>
</tr>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>noping,norfc1918</td>
</tr>
<tr>
<td>loc</td>
<td>eth2</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>-</td>
<td>ppp+</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<h4>/etc/shorewall/hosts:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>loc</td>
<td>eth2:192.168.1.0/24</td>
<td>routestopped</td>
</tr>
<tr>
<td>loc</td>
<td>ppp+:192.168.1.0/24</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<h4>/etc/shorewall/policy:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>POLICY</b></td>
<td><b>LOG LEVEL</b></td>
</tr>
<tr>
<td>loc</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<h4>/etc/shorewall/rules:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>1723</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p align="left">Note: I have multiple ppp interfaces on my firewall. If you
have a single ppp interface, you probably want:</p>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>noping,norfc1918</td>
</tr>
<tr>
<td>loc</td>
<td>eth2</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>loc</td>
<td>ppp0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind your Firewall</h2>
<p>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>tcp</td>
<td>1723</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
<p>If you have multiple external IP address and you want to forward a single <i>&lt;external
address&gt;, </i>add the following to your /etc/shorewall/rules file:<p>&nbsp;<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>tcp</td>
<td>1723</td>
<td>-</td>
<td><i>&lt;external address&gt;</i></td>
</tr>
<tr>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>47</td>
<td>-</td>
<td>-</td>
<td><i>&lt;external address&gt;</i></td>
</tr>
</table>
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running Behind your Firewall</h2>
<p>You shouldn't have to take any special action for this case unless you wish
to connect multiple clients to the same external server. In that case, you will
need to follow the instructions at <a href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>.
I recommend that you also add these two lines to your /etc/shorewall/modules
file:
<blockquote>
<p>loadmodule ip_conntrack_pptp<br>
loadmodule ip_nat_pptp
</blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.&nbsp;&nbsp;&nbsp;
Rather than use the configuration script that comes with the client, I built my
own. I also build my own kernel <a href="#PatchKernel">as described above</a>
rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client (see
below).</p>
<p>The key elements of this setup are as follows:
<ol>
<li>Define a zone for the remote network accessed via PPTP.</li>
<li>Associate that zone with a ppp interface.</li>
<li>Define rules for PPTP traffic to/from the firewall.</li>
<li>Define rules for traffic two and from the remote zone.</li>
</ol>
<p>Here are examples from my setup:</p>
<h4>/etc/shorewall/zones</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td>cpq</td>
<td>Compaq</td>
<td>Compaq Intranet</td>
</tr>
</table>
</blockquote>
<h4>/etc/shorewall/interfaces</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>-</td>
<td>ppp+</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<h4>/etc/shorewall/hosts</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>-</td>
<td>ppp+:!192.168.1.0/24</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<h4>/etc/shorewall/rules</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>1723</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq' zone
because I also run a PPTP server on my firewall (see above). Using this
technique allows me to distinguish clients of my own PPTP server from arbitrary
hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and
Compaq doesn't use that RFC1918 Class C subnet.
<p>I use this script in /etc/init.d to control the client. The reason that I
disable ECN when connecting is that the Compaq tunnel servers don't do ECN yet
and reject the initial TCP connection request if I enable ECN :-(
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
#<br>
# /etc/rc.d/init.d/pptp<br>
#<br>
# chkconfig: 5 60 85<br>
# description: PPTP Link Control<br>
#<br>
NAME=&quot;Tandem&quot;<br>
ADDRESS=tunnel-tandem.compaq.com<br>
USER='Tandem\tommy'<br>
ECN=0<br>
DEBUG=<br>
<br>
start_pptp() {<br>
&nbsp;&nbsp;&nbsp; echo $ECN > /proc/sys/net/ipv4/tcp_ecn<br>
&nbsp;&nbsp;&nbsp; if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; touch /var/lock/subsys/pptp<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo "PPTP Connection to $NAME Started"<br>
&nbsp;&nbsp;&nbsp; fi<br>
}<br>
<br>
stop_pptp() {<br>
&nbsp;&nbsp;&nbsp; if killall /usr/sbin/pptp 2> /dev/null; then<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; echo "Stopped pptp"<br>
&nbsp;&nbsp;&nbsp; else<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; rm -f /var/run/pptp/*<br>
&nbsp;&nbsp;&nbsp; fi<br>
<br>
&nbsp;&nbsp;&nbsp; # if killall pppd; then<br>
&nbsp;&nbsp;&nbsp; # echo "Stopped pppd"<br>
&nbsp;&nbsp;&nbsp; # fi<br>
<br>
&nbsp;&nbsp;&nbsp; rm -f /var/lock/subsys/pptp<br>
<br>
&nbsp;&nbsp;&nbsp; echo 1 > /proc/sys/net/ipv4/tcp_ecn<br>
}<br>
<br>
<br>
case "$1" in<br>
start)<br>
&nbsp;&nbsp;&nbsp; echo "Starting PPTP Connection to ${NAME}..."<br>
&nbsp;&nbsp;&nbsp; start_pptp<br>
&nbsp;&nbsp;&nbsp; ;;<br>
stop)<br>
&nbsp;&nbsp;&nbsp; echo "Stopping $NAME PPTP Connection..."<br>
&nbsp;&nbsp;&nbsp; stop_pptp<br>
&nbsp;&nbsp;&nbsp; ;;<br>
restart)<br>
&nbsp;&nbsp;&nbsp; echo "Restarting $NAME PPTP Connection..."<br>
&nbsp;&nbsp;&nbsp; stop_pptp<br>
&nbsp;&nbsp;&nbsp; start_pptp<br>
&nbsp;&nbsp;&nbsp; ;;<br>
status)<br>
&nbsp;&nbsp;&nbsp; ifconfig<br>
&nbsp;&nbsp;&nbsp; ;;<br>
*)<br>
&nbsp;&nbsp;&nbsp; echo "Usage: $0 {start|stop|restart|status}"<br>
&nbsp;&nbsp;&nbsp; ;;<br>
esac<br>
</font>
</blockquote>
<p>Here's my /etc/ppp/options file:
<blockquote>
<p><font face="Courier" size="2">#<br>
# Identify this connection<br>
#<br>
ipparam Compaq<br>
#<br>
# Lock the port<br>
#<br>
lock<br>
#<br>
# We don't need the tunnel server to authenticate itself<br>
#<br>
noauth<br>
<br>
+chap<br>
+chapms<br>
+chapms-v2<br>
<br>
multilink<br>
mrru 1614<br>
#<br>
# Turn off transmission protocols we know won't be used<br>
#<br>
nobsdcomp<br>
nodeflate<br>
<br>
#<br>
# We want MPPE<br>
#<br>
mppe-128<br>
mppe-stateless<br>
<br>
#<br>
# We want a sane mtu/mru<br>
#<br>
mtu 1000<br>
mru 1000<br>
<br>
#<br>
# Time this thing out of it goes poof<br>
#<br>
lcp-echo-failure 10<br>
lcp-echo-interval 10</font>
</blockquote>
<p>My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq
traffic through the PPTP tunnel:
<blockquote>
<p><font face="Courier" size="2">#/bin/sh<br>
<br>
case $6 in<br>
Compaq)<br>
&nbsp;&nbsp;&nbsp; route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1<br>
&nbsp;&nbsp;&nbsp; route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1<br>
&nbsp;&nbsp;&nbsp; route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1<br>
&nbsp;&nbsp;&nbsp; ...<br>
&nbsp;&nbsp;&nbsp; ;;<br>
esac</font></blockquote>
<p>Finally, I run the following script every five minutes under crond to
restart the tunnel if it fails:<pre> #!/bin/sh
restart_pptp() {
/sbin/service pptp stop
sleep 10
if /sbin/service pptp start; then
/usr/bin/logger &quot;PPTP Restarted&quot;
fi
}
if [ -n &quot;`ps ax | grep /usr/sbin/pptp | grep -v grep`&quot; ]; then
exit 0
fi
echo &quot;Attempting to restart PPTP&quot;
restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;
</pre>
<p><a href="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's a script
and corresponding ip-up.local </a>from <a href="mailto:jvonau@home.com">Jerry
Vonau </a>that controls two PPTP connections.</p>
<p><font size="2">Last modified 7/11/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>

95
Shorewall-docs/ProxyARP.htm Normal file
View File

@ -0,0 +1,95 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Proxy ARP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<blockquote>
<h1 align="center">Proxy ARP</h1>
<p>&nbsp;</p>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.</p>
<p>The following figure represents a Proxy ARP
environment.</p>
<p align="center"><strong>
<img src="images/proxyarp.png" width="444" height="397"></strong></p>
<blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.&nbsp; Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries in
/etc/shorewall/proxyarp:</p>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>ADDRESS</b></td>
<td><b>INTERFACE</b></td>
<td><b>EXTERNAL</b></td>
<td><b>HAVEROUTE</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
</table>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19&nbsp;
in the above example) are not included in any specification in
/etc/shorewall/masq or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that the
Firewall system's eth0 is configured.</p>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
there routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet. You
can call your ISP and ask them to purge the stale ARP cache entry but many
either can't or won't purge individual entries. You can determine if your
ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we
suspect that the gateway router has a stale ARP cache entry for 130.252.100.19.
On the firewall, run tcpdump as follows:</div>
<div align="left">
<pre> tcpdump -nei eth0 icmp</pre>
</div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we will
assume is 130.252.100.254):</div>
<div align="left">
<pre> ping 130.252.100.254</pre>
</div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</div>
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this case
0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still
associates 130.252.100.19 with the NIC in that system rather than with the firewall's
eth0.</div>
</blockquote>
<p><font size="2">Last updated 8/11/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>

21
Shorewall-docs/Shorewall_Banner.htm Normal file
View File

@ -0,0 +1,21 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Banner</title>
<base target="contents">
<meta name="Microsoft Theme" content="blueprnt 011">
<meta name="Microsoft Border" content="none, default">
</head>
<body background="_themes/blueprnt/blutextb.gif" bgcolor="#FFFFFF" text="#003399" link="#3366FF" vlink="#9900FF" alink="#000066"><!--mstheme--><font face="Century Gothic, Arial, Helvetica"><p align="right"><b><font size="2"><img border="0" src="images/Shorewall_Banner.gif" align="left" width="600" height="60"></font><font size="4"><strong>
</strong></font><font size="2">The Shorewall Project uses the Services of</font><font size="4">
&nbsp;</font></b><a href="http://sourceforge.net" target="_top"><img src="http://sourceforge.net/sflogo.php?group_id=22587" alt="SourceForge Logo" align="top"></a> </p>
<p align="right">&nbsp; </p>
<!--mstheme--></font></body>
</html>

67
Shorewall-docs/Shorewall_index_frame.htm Normal file
View File

@ -0,0 +1,67 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body><h3 align="center">&nbsp;Shorewall</h3>
<ul>
<li><a href="seattlefirewall_index.htm">Home</a></li>
<li><a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a></li>
<li><a href="shorewall_features.htm">Features</a></li>
<li><a href="shorewall_prerequisites.htm">Requirements</a></li>
<li><a href="download.htm">Download</a></li>
<li><a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li><a href="Install.htm">Installation/Upgrade<br>
/Configuration</a></li>
<li><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li><a href="Documentation.htm">Reference Manual</a></li>
<li><a href="FAQ.htm">FAQs</a></li>
<li><a href="troubleshoot.htm">Troubleshooting</a></li>
<li><a href="errata.htm">Errata</a></li>
<li><a href="support.htm">Support</a></li>
<li><a href="mailing_list.htm">Mailing Lists</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a><ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
</ul>
</li>
<li><a href="News.htm">News Archive</a></li>
<li><a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></li>
<li><a href="quotes.htm">Quotes from Users</a></li>
<li><a href="shoreline.htm">About the Author</a></li>
<li><a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch" >
<p>
<strong>Quick Search</strong><br>
<font size="-1">
<input type=text name=words size=15>
<input type=hidden name=format value=long>
<input type=hidden name=method value=and>
<input type=hidden name=config value=htdig>
<input type="submit" value="Search"></font>
</p>
<input type="hidden" name="exclude" value="[http://www.shorewall.net/pipermail/*]">
</form>
<p><strong><a href="htdig/search.html">Extended Search Forms</a></strong></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<p><a href="http://www.shorewall.net" target="_top">
<img border="1" src="images/shorewall.jpg" width="119" height="38" hspace="0"></a></p>
</body>
</html>

62
Shorewall-docs/blacklisting_support.htm Normal file
View File

@ -0,0 +1,62 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Blacklisting Support</h1>
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
<h2>Static Blacklisting</h2>
<p>Shorewall
static blacklisting support has the following configuration parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped or
rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged and at
what syslog level using the <a href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li>
<li>You specify the interfaces whose incoming packets you want checked against
the blacklist using the &quot;<a href="Documentation.htm#BLInterface">blacklist</a>&quot;
option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the &quot;<a href="Documentation.htm#Starting">shorewall
refresh</a>&quot; command.</li>
</ul>
<h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<ul>
<li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed IP
addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed IP
addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets from hosts
previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
<li>save - save the dynamic blacklisting configuration so that it will be
automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
<p>Example 1:</p>
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre>
<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>Example 2:</p>
<pre> shorewall allow 192.0.2.125</pre>
<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 6/16/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

228
Shorewall-docs/configuration_file_basics.htm Normal file
View File

@ -0,0 +1,228 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Configuration Files</h1>
<p><b><font color="#FF0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a href="http://www.megaloman.com/~hany/software/hd2u/">
dos2unix</a> before you use them with Shorewall.</b></p>
<h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source
Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign (&quot;#&quot;). You may also place comments at the end of any line, again by
delimiting the comment from the rest of the line with a pound sign.</p>
<p>Examples:</p>
<pre># This is a comment</pre><pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash (&quot;\&quot;) followed
immediately by a new line character.</p>
<p>Example:</p>
<pre>ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall</pre>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with &quot;!&quot; to specify the complement of the item. For
example, !192.168.1.4 means &quot;any host but 192.168.1.4&quot;.</p>
<h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,&nbsp;&nbsp;&nbsp;&nbsp; dhcp,&nbsp;&nbsp;&nbsp;&nbsp;
norfc1818</li>
<li>If you use line continuation to break a comma-separated list, the
continuation line(s) must begin in column 1 (or there would be embedded
white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p>
<h2>Using Shell Variables</h2>
<p>You may use the file /etc/shorewall/params
file to set shell variables that you can then use in some of the other
configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font size="1">
</font>to distinguish them from variables used internally within the
Shorewall programs</p>
<p>Example:</p>
<blockquote>
<pre>NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
<p>Variables may be used anywhere in the
other configuration files.</p>
<h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC)
addresses can be used to specify packet source in several of the
configuration files. To use this feature, your kernel must have MAC
Address Match support (CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
unique MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers
separated by colons. Example:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp; [root@gateway root]# ifconfig eth0<br>
&nbsp;&nbsp;&nbsp;&nbsp; eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
&nbsp;&nbsp;&nbsp;&nbsp; inet addr:206.124.146.176 Bcast:206.124.146.255
Mask:255.255.255.0<br>
&nbsp;&nbsp;&nbsp;&nbsp; UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX packets:2398102 errors:0 dropped:0 overruns:0
frame:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; TX packets:3044698 errors:0 dropped:0 overruns:0
carrier:0<br>
&nbsp;&nbsp;&nbsp;&nbsp; collisions:30394 txqueuelen:100<br>
&nbsp;&nbsp;&nbsp;&nbsp; RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
(1582.8 Mb)<br>
&nbsp;&nbsp;&nbsp;&nbsp; Interrupt:11 Base address:0x1800<br>
<br>
Because Shorewall uses colons as a separator for address fields, Shorewall requires
MAC addresses to be written in another way. In Shorewall, MAC addresses
begin with a tilde (&quot;~&quot;) and consist of 6 hex numbers separated by
hyphens. In Shorewall, the MAC address in the example above would be
written &quot;~02-00-08-E3-FA-55&quot;.</p>
<h2>Shorewall Configurations</h2>
<p>
Shorewall allows you to have configuration
directories other than /etc/shorewall. The <a href="#Starting">shorewall start
and restart</a>
commands allow you to specify an alternate configuration directory and
Shorewall will use the files in the alternate directory rather than the corresponding
files in /etc/shorewall. The alternate directory need not contain a complete
configuration; those files not in the alternate directory will be read from
/etc/shorewall.</p>
<p>
This facility permits you to easily create a test or temporary configuration
by:</p>
<ol>
<li>
copying the files that need modification from /etc/shorewall to a separate
directory;</li>
<li>
modify those files in the separate directory; and</li>
<li>
specifying the separate directory in a shorewall start or shorewall
restart command (e.g., <i><b>shorewall -c /etc/testconfig restart</b></i>
).</li>
</ol>
<p><font size="2">
Updated 8/6/2002 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

29
Shorewall-docs/copyright.htm Normal file
View File

@ -0,0 +1,29 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Copyright</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Copyright</h1>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp; 2000, 2001
Thomas M Eastep<br>
&nbsp;</p>
<blockquote>
<p align="left">Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version 1.1 or
any later version published by the Free Software Foundation; with no Invariant
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
license is included in the section entitled &quot;<a href="GnuCopyright.htm">GNU Free Documentation License</a>&quot;.<br>
&nbsp;</p>
</blockquote>
</body>
</html>

55
Shorewall-docs/dhcp.htm Normal file
View File

@ -0,0 +1,55 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">DHCP</h1>
<h2 align="left">DHCP Server on your firewall</h2>
<ul>
<li>
<p align="left">Specify the &quot;dhcp&quot; option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li>
<li>
<p align="left">When starting &quot;dhcpd&quot;, you need to list those
interfaces on the run line. On a RedHat system, this is done by modifying
/etc/sysconfig/dhcpd.</li>
</ul>
<h2 align="left">A Firewall Interface gets its IP Address via DHCP</h2>
<ul>
<li>
<p align="left">Specify the &quot;dhcp&quot; option for this interface in
the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li>
<li>
<p align="left">If you know that the dynamic address is always going to be
in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.</li>
<li>
<p align="left">If you don't know the subnet address in advance, you should
specify &quot;detect&quot; for the interface's subnet address in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file and start Shorewall after the interface has started.</li>
<li>
<p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a &quot;shorewall
refresh&quot; command to be executed when a new dynamic IP address gets
assigned to the interface. Check your DHCP client's documentation.</li>
</ul>
<p align="left"><font size="2">Last updated 1/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

222
Shorewall-docs/download.htm Normal file
View File

@ -0,0 +1,222 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Download</h1>
<p><b>I strongly urge you to read and print a copy of the
<a href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b></p>
<p>Once you've done that, download <u> one</u> of the modules:</p>
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux PPC</b> or
<b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or insserv).
If you find that it works in other cases, let <a href="mailto:teastep@shorewall.net">
me</a>
know so that I can mention them here. See the
<a href="Install.htm">Installation Instructions</a> if you have problems
installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also want to
download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is in both the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files and
there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have
downloaded -- during the release of a new version of Shorewall, the links
below may point to a newer or an older version than is shown below.</p>
<ul>
<li>RPM - &quot;rpm -qip LATEST.rpm&quot;</li>
<li>TARBALL - &quot;tar -ztf LATEST.tgz&quot; (the directory
name will contain the version)</li>
<li>LRP - &quot;mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version&quot; </li>
</ul>
<p><font face="Arial">Once you have verified the
version, check the </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font face="Arial">
to see if there are updates that apply to the version that you have
downloaded.</font></p>
<p><font color="#FF0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></p>
<p>Download Latest Version (<b>1.3.6</b>): <b>Remember that updates to the mirrors
occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<table border="2" cellspacing="3" cellpadding="3" style="border-collapse: collapse">
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a>&nbsp;<br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a>&nbsp;<br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a></td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.rpm</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm">
Download .rpm</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
<td>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm">
Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
<td>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a></td>
</tr>
</table>
</blockquote>
<p>Browse Download Sites:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
<tr>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">
Browse</a></td>
</tr>
<tr>
<td>California, USA (Incomplete)</td>
<td>Sourceforge.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
<td>N/A</td>
</tr>
</table>
</blockquote>
<p align="left">CVS:</p>
<blockquote>
<p align="left">The
<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS
repository at cvs.shorewall.net</a> contains the latest snapshots of the each
Shorewall component. There's no guarantee that what you find there will work at
all.</p>
</blockquote>
<p align="left"><font size="2">Last Updated 8/05/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

366
Shorewall-docs/errata.htm Normal file
View File

@ -0,0 +1,366 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Errata/Upgrade Issues</h1>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<ol>
<li>
<p align="left">
<b><u>I</u>f you use a Windows system to download a corrected script, be sure to
run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" style="text-decoration: none">
dos2unix</a></u>
after you have moved it to your Linux system.</b></p>
</li>
<li>
<p align="left">
<b>If you are installing Shorewall for the first time and plan to use the
.tgz and install.sh script, you can untar the archive, replace the
'firewall' script in the untarred directory with the one you downloaded
below, and then run install.sh.</b></p>
</li>
<li>
<p align="left">
<b>When the instructions say to install a corrected firewall script in
/etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
and /var/lib/shorewall/firewall are symbolic links that point
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot. It is that file that must be overwritten
with the corrected script. </b></p>
</li>
</ol>
<ul>
<li><b><a href="#Upgrade">Upgrade Issues</a></b></li>
<li>
<b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li>
<b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li>
<b><a href="#V1.3">Problems in Version 1.3</a></b></li>
<li>
<b><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li>
<b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
</ul>
<hr>
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
<h3 align="Left">Version &gt;= 1.3.6</h3>
<p align="Left">If you have a pair of firewall systems configured for
failover, you will need to modify your firewall setup slightly under
Shorewall versions &gt;= 1.3.6. </p>
<ol>
<li>
<p align="Left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the
connection tracking table can be rebuilt<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# from non-SYN packets after takeover.<br>
&nbsp;</font></li>
<li>
<p align="Left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
#tracking table. <br>
. /etc/shorewall/common.def</font></li>
</ol>
<h3 align="Left">Versions &gt;= 1.3.5</h3>
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
<p align="Left">Example 1:</p>
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
<p align="Left">Must be replaced with:</p>
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
<p align="left">Example 2:</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
<p align="left">Must be replaced with:</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
<h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3 align="Left">Version 1.3.5-1.3.5b</h3>
<p align="Left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="Left">Versions 1.3.4-1.3.5a</h3>
<p align="Left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
possible to&nbsp; include a single host specification on each line. This
problem is corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
as instructed above.</div>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</div>
<h3 align="Left">Version 1.3.5</h3>
<p align="Left">REDIRECT rules are broken in this version. Install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p>
<h3 align="Left">Version 1.3.n, n &lt; 4</h3>
<p align="Left">The &quot;shorewall start&quot; and &quot;shorewall restart&quot; commands
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file. The
&quot;shorewall check&quot; command does perform this verification so it's a
good idea to run that command after you have made configuration
changes.</p>
<h3 align="Left">Version 1.3.n, n &lt; 3</h3>
<p align="Left">If you have upgraded from Shorewall 1.2 and after
&quot;Activating rules...&quot; you see the message: &quot;iptables: No
chains/target/match by that name&quot; then you probably have an entry in
/etc/shorewall/hosts that specifies an interface that you didn't
include in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
later versions produce a clearer error message in this case.</p>
<h3 align="Left">Version 1.3.2</h3>
<p align="Left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. </li>
<li>&quot;NAT_BEFORE_RULES=No&quot; was broken; it behaved just like &quot;NAT_BEFORE_RULES=Yes&quot;.</li>
</ul>
<p align="Left">Both problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> as described above.</p>
<ul>
<li>
<p align="Left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
</li>
</ul>
<h3 align="Left">Version 1.3.1</h3>
<ul>
<li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For example:<br>
<br>
net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; dhcp<br>
loc&nbsp;&nbsp;&nbsp; eth1&nbsp;&nbsp;&nbsp; dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior bullet
affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT today
should download and install the corrected script again to ensure
that this second problem is corrected.</li>
</ul>
<p align="Left">These problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in
/etc/shorewall/firewall as described above.</p>
<h3 align="Left">Version 1.3.0</h3>
<ul>
<li>Folks who downloaded 1.3.0 from the links on the download page
before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than
1.3.0. The &quot;shorewall version&quot; command will tell you which version
that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.</li>
</ul>
<hr>
<h3 align="Left"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font></h3>
<blockquote>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
<p align="Left">If you
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification while
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may
experience the following:</p>
<blockquote>
<pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter 'mangle' table. You can correct the problem by installing
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
</blockquote>
<h3><a name="SuSE"></a>Problems
installing/upgrading RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the &quot;--nodeps&quot; option to
rpm.</p>
<p>Installing: rpm -ivh <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh <i>&lt;shorewall rpm&gt;</i></p>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2">
Last updated 8/7/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

210
Shorewall-docs/errata_1.htm Normal file
View File

@ -0,0 +1,210 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Errata for Version 1</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall Errata for Version 1.1</h1>
<h3 align="Left"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior
to Sept 20, 2001:</u></font></h3>
<blockquote>
<p align="Left">Prior
to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version
of the firewall script. This has now been corrected. I apologize for any confusion
this may have caused.</p>
</blockquote>
<h3 align="Left">Version 1.1.18</h3>
<blockquote>
<p align="Left">In the original .lrp, /etc/init.d/shorewall was not
secured for execute access. I have replaced the incorrect .lrp
(shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.17</font></h3>
<blockquote>
<p align="Left">In
shorewall.conf, ADD_IP_ALIASES was incorrectly spelled
IP_ADD_ALIASAES. There is a corrected version of the file <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
<p align="Left">This
problem is also corrected in version 1.1.18.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.16</font></h3>
<blockquote>
<p align="Left">
The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES
in the firewall script. To correct this problem, install the <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall">
corrected firewall script</a>
in the location pointed to by the symbolic link /etc/shorewall/firewall.</p>
<p align="Left">
This problem is also corrected in version 1.1.17.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.14-1.1.15</font></h3>
<blockquote>
<p align="Left">
There are no corrections for these versions.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.13</font></h3>
<blockquote>
<p align="Left">
The firewall fails to start if a rule with the following format is given:</p>
<p align="Left">
&lt;disposition&gt;    z1:www.xxx.yyy.zzz    z2    proto    p1,p2,p3</p>
<p align="Left">
To correct this problem, install <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall">
this corrected firewall script</a>
in the location pointed to by the symbolic link /etc/shorewall/firewall. </p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.12</font></h3>
<blockquote>
<p align="Left">
The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions
file. This incorrect file results in many error messages of the form:</p>
<blockquote>
<p align="Left">
separate_list: not found</p>
</blockquote>
<p align="Left"><a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions">
The correct file may be obtained here</a>
. This problem is also corrected in version 1.1.13.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.11</font></h3>
<blockquote>
<p align="Left">
There are no known problems with this version.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.10</font></h3>
<blockquote>
<p align="Left">
If the following conditions were met:<br>
</p>
<ol>
<li>
<p align="Left">
A LAN segment attached to the firewall was served by a DHCP server
running on the firewall.</p>
</li>
<li>
<p align="Left">
There were entries in /etc/shorewall/hosts that referred to the
interface to that LAN segment.</p>
</li>
</ol>
<p align="Left">
then up until now it has been necessary to include entries for 0.0.0.0
and 255.255.255.255 for that interface in /etc/shorewall/hosts. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
This version of the firewall script</a>
makes those additions unnecessary provided that you simply include
"dhcp" in the options for the interface in /etc/shorewall/interfaces.
Install the script into the location pointed to by the symbolic link
/etc/shorewall/firewall.</p>
<p align="Left">
This problem has also been corrected in version 1.1.11.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.9</font></h3>
<ul>
<li>The shorewall "hits" command lists extraneous service names in the final
report. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall">
This version of the shorewall script</a>
corrects this problem.<br>
</li>
</ul>
<h3 align="Left">Version 1.1.8</h3>
<ul>
<li>Under some circumstances, the "dhcp" option on an interface triggers
a bug in the firewall script that results in a "chain already exists"
error. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall">
This version of the firewall script</a>
corrects this problem. Install it into the location pointed to by
the symbolic link /etc/shorewall/firewall.<br>
<br>
This problem is also corrected in version 1.1.9.<br>
</li>
</ul>
<h3 align="Left">Version 1.1.7</h3>
<ul>
<li>If the /etc/shorewall/rules template from version 1.1.7 is used, a warning
message appears during firewall startup:<br>
<br>
    Warning: Invalid Target - rule "@ icmp-unreachable packet."
ignored<br>
<br>
This warning may be eliminated by replacing the "@" in column 1 of
line 17 with "#"</li>
</ul>
<blockquote>
<p align="Left">
This problem is also corrected in version 1.1.8</p>
</blockquote>
<p align="left"><font size="2">
Last updated 12/21/2001 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

434
Shorewall-docs/errata_2.htm Normal file
View File

@ -0,0 +1,434 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall 1.2 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Shorewall 1.2 Errata</h1>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<p align="center">
<b><u>If you use a Windows system to download a corrected script, be sure to
run the script through <a href="http://www.megaloman.com/%7Ehany/software/hd2u/">
dos2unix</a>
after you have moved it to your Linux system.</u></b></p>
<p align="center">
<u><b>When the instructions say to install a corrected firewall script in
/etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
before you do that. /etc/shorewall/firewall is a symbolic link that points
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot and it is that file that must be overwritten
with the corrected script. </b></u></p>
<ul>
<li>
<h3 align="Left"><font color="#660066">
<a href="errata_1.htm">
Problems in Version 1.1</a></font></h3>
</li>
<li>
<h3 align="Left"><a href="#V1.2">Problems in Version 1.2</a></h3>
</li>
<li>
<h3 align="Left"><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3</a></font></h3>
</li>
<li>
<h3 align="Left"><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a></h3>
</li>
</ul>
<hr>
<h3 align="Left"><a name="V1.2"></a>Problems in Version 1.2</h3>
<h3 align="Left">Version 1.2.13</h3>
<ul>
<li>
<p align="Left">Some users have reported problems installing the RPM
on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even
though a 2.4 kernel RPM is installed. To get around this problem, use
the --nodeps option to rpm (e.g., &quot;rpm -ivh --nodeps
shorewall-1.2-13.noarch.rpm&quot;).<br>
<br>
The problem stems from the fact that SuSE does not
include a package named &quot;kernel&quot; but rather has a number of packages
that provide the virtual package &quot;kernel&quot;. Since virtual packages have
no version associated with them, a conflict results. Since the
workaround is simple, I don't intend to change the Shorewall package.</p>
</li>
<li>
<p align="Left">Shorewall accepts invalid rules of the form:<br>
<br>
<font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt; all &lt;port number&gt; -
&lt;original ip address&gt;<br>
<br>
</font>The &lt;port number&gt; is ignored with the result that <u>all</u>
connection requests from the &lt;src&gt; zone whose original destination IP
address matches the last column are forwarded to the &lt;dest&gt; zone, IP
address &lt;ip addr&gt;.&nbsp;
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
This corrected firewall script</a> correctly generates an error when
such a rule is encountered.</p>
</li>
</ul>
<h3 align="Left">Version 1.2.11</h3>
<ul>
<li>
<p align="Left">The 'try' command is broken.</li>
<li>
<p align="Left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command.</li>
</ul>
<p align="Left">Both problems are corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
this new version of /sbin/shorewall</a>.</p>
<h3 align="Left">Sample Configurations:</h3>
<ul>
<li>
<p align="Left">There have been several problems with SSH, DNS and
ping in the two- and three-interface examples. Before reporting
problems with these services, please verify that you have the latest
version of the appropriate sample 'rules' file.</li>
</ul>
<h3 align="Left">All Versions through 1.2.10</h3>
<ul>
<li>
<p align="Left">The <a href="PPTP.htm#ServerFW">documentation for
running PoPToP on the firewall system</a> contained an incorrect entry
in the /etc/shorewall/hosts file. The corrected entry (underlined) is
shown here:</li>
</ul>
<blockquote>
<blockquote>
<table border="2">
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>loc</td>
<td><u>eth2</u>:192.168.1.0/24</td>
<td>routestopped</td>
</tr>
<tr>
<td>loc</td>
<td>ppp+:192.168.1.0/24</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
</blockquote>
<h3 align="Left">All Versions through 1.2.8</h3>
<ul>
<li>
<p align="Left">The shorewall.conf file and the documentation
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a href="Documentation.htm#Conf">see
the corrected online documentation</a>). Users of the rpm should
change the name (and possibly the value) of this parameter so that
Shorewall interacts properly with the SysV init scripts. The
documentation on this web site has been corrected and
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
here's a corrected version of shorewall.conf</a>.</p>
</li>
<li>
<p align="Left">The documentation indicates that a comma-separated
list of IP/subnet addresses may appear in an entry in the hosts file.
This is not the case; if you want to specify multiple addresses for a
zone, you need to have a separate entry for each address.</p>
</li>
</ul>
<h3 align="Left">Version 1.2.7</h3>
<p align="Left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
<p>If you have installed and started version 1.2.7 then before trying
to restart under 1.2.8:</p>
<ol>
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory
named in the STATEDIR variable. If that variable is empty, assume
/var/state/shorewall.</li>
<li>Remove the file 'lock' in the directory determined in step 1.</li>
</ol>
<p>You may now restart using 1.2.8.</p>
<h3 align="Left">Version 1.2.6</h3>
<ul>
<li>
<p align="Left">GRE and IPIP tunnels are broken.</li>
<li>
<p align="Left">The following rule results in a start error:<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
icmp</li>
</ul>
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
corrected firewall script</a> in&nbsp; /etc/shorewall/firewall..<h3 align="Left">Version 1.2.5</h3>
<ul>
<li>
<p align="Left">The new ADDRESS column in /etc/shorewall/masq cannot
contain a $-variable name.</li>
<li>
<p align="Left">Errors result if $FW appears in the
/etc/shorewall/policy file.</li>
<li>
<p align="Left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
results in an error at start time.</li>
</ul>
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.<p align="Left">&nbsp;<ul>
<li>
<p align="Left">The /sbin/shorewall script produces error messages
saying that 'mygrep' cannot be found.
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
Here is the correct version of /sbin/shorewall.</a></li>
</ul>
<h3 align="Left">Version 1.2.4</h3>
<ul>
<li><p align="Left">This version will not install &quot;out of the box&quot; without
modification. Before attempting to start the
firewall, please change the STATEDIR in /etc/shorewall/shorewall.conf to
refer to /var/lib/shorewall. This only applies to fresh installations -- if
you are upgrading from a previous version of Shorewall, version 1.2.4 will
work without modification.</li>
</ul>
<h3 align="Left">Version 1.2.3</h3>
<ul>
<li>
<p align="Left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
hosts aren't logged. Install <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.</li>
</ul>
<blockquote>
<p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
</blockquote>
<pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<blockquote>
<p>to</p>
</blockquote>
<pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<h3 align="Left">Version 1.2.2</h3>
<ul>
<li>The &quot;shorewall status&quot; command hangs after
it displays the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
a corrected /sbin/shorewall.</a> if&nbsp; you want to simply modify your copy of
/sbin/shorewall, then at line 445 change this:</li>
</ul>
<div align="left">
<pre align="Left"> status)
clear</pre>
</div>
<blockquote>
<p align="Left">to this:</p>
</blockquote>
<div align="left">
<pre align="Left"> status)
get_config
clear</pre>
</div>
<ul>
<li>The &quot;shorewall monitor&quot; command
doesn't show the icmpdef chain - <a href="pub/shorewall/errata/1.2.2/shorewall">this
corrected /sbin/shorewall</a> fixes that problem as well as the status
problem described above.</li>
</ul>
<ul>
<li>In all 1.2.x versions, the 'CLIENT PORT(S)'
column in /etc/shorewall/tcrules is ignored. This is corrected in <a href="/pub/shorewall/errata/1.2.2/firewall">this
updated firewall script</a>.&nbsp; Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for
spotting this bug.</li>
</ul>
<h3 align="Left">Version 1.2.1</h3>
<ul>
<li>The new <i>logunclean </i>interface option is not
described in the help text in /etc/shorewall/interfaces. An <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
interfaces file</a> is available.</li>
<li>When REJECT is specified in a TCP rule, Shorewall
correctly replies with a TCP RST packet. Previous versions of the
firewall script are broken in the case of a REJECT policy, however; in
REJECT policy chains, all requests are currently replied to with an
ICMP port-unreachable packet. <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
corrected firewall script</a> replies to TCP requests with TCP RST in
REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
</ul>
<h3 align="Left">Version 1.2.0</h3>
<blockquote>
<p align="Left"><b>Note: </b>If you are upgrading from one of the Beta
RPMs to 1.2.0, you must use the &quot;--oldpackage&quot; option to rpm
(e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
<p align="Left">The tunnel script released in version 1.2.0 contained
errors -- a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
script</a> is available.</p>
</blockquote>
<hr>
<h3 align="Left"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font></h3>
<blockquote>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
<p align="Left">If you
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification while
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may
experience the following:</p>
<blockquote>
<pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter 'mangle' table. You can correct the problem by installing
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
</blockquote>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2">
Last updated 5/24/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

67
Shorewall-docs/fallback.htm Normal file
View File

@ -0,0 +1,67 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">Fallback and Uninstall</h1>
<p><strong>Shorewall includes
a </strong><a href="#fallback"><strong>fallback script</strong></a><strong>
and an </strong><a href="#uninstall"><strong>uninstall script</strong></a><strong>.</strong></p>
<h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall
using the Fallback Script</h2>
<p>If you install Shorewall and discover that
it doesn't work for you, you can fall back to your previously
installed version. To do that:</p>
<ul>
<li>cd to the distribution directory for the version
of Seattle Firewall <u>that you are
currently running </u>(NOT the version
that you want to fall back to).</li>
<li>Type &quot;./fallback.sh&quot;</li>
</ul>
<h3><strong><u>Warning:</u> The fallback script
will replace /etc/shorewall/policy, /etc/shorewall/rules, /etc/shorewall/interfaces,
/etc/shorewall/nat, /etc/shorewall/proxyarp and /etc/shorewall/masq with the version of
these files from before the current version was installed. Any
changes to any of these files will be lost.</strong></h3>
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using
rpm</h2>
<p>If your previous version of Shorewall was
installed using RPM, you may fall back to that version by typing
&quot;rpm -Uvh --force &lt;old rpm&gt;&quot; at a root shell
prompt (Example: &quot;rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm&quot; would fall back to the 3.1-0
version of Shorewall).</p>
<h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
<p>If you no longer wish to use Shorewall, you
may remove it by:</p>
<ul>
<li>cd to the distribution directory for the version
of Shorewall that you have installed.</li>
<li>type &quot;./uninstall.sh&quot;</li>
</ul>
<p>If you installed using an rpm, at a root shell prompt
type &quot;rpm -e shorewall&quot;.</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>

55
Shorewall-docs/gnu_mailman.htm Normal file
View File

@ -0,0 +1,55 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">GNU Mailman/Postfix<br>
the Easy Way</h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in system-wide
aliases file so that rest of mailman's mail handling processes will run with
proper uid/gid. Postfix has an ability to run a command specified in an alias as
owner of that alias, thus mailman's wrapper is not needed here. The best method
to invoke mailman's mail handling via aliases is to use separate alias file
especially for mailman, and made it owned by mailman and group mailman. Like:<br>
<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this may be
done by executing postalias as mailman userid).<br>
<br>
Next, instead of using mailman-suggested aliases entries with wrapper, use the
following:<br>
<br>
instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br>
<br>
use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4>The Shorewall mailing lists are currently running Postfix 1.1.7 together
with the stock RedHat Mailman-2.0.8 RPM configured as shown above.</h4>
<p align="left"><font size="2">Last updated 5/4/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>

21
Shorewall-docs/hosts_file.htm Normal file
View File

@ -0,0 +1,21 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>The Hosts File</title>
<meta name="Microsoft Theme" content="boldstri 011, default">
</head>
<body>
<h1 align="center">The Hosts File</h1>
<p align="left">Since there seems to be a lot of confusion regarding the
/etc/shorewall/hosts file, I have created this page to try to clear the fog.</p>
<p align="left">&nbsp;</p>
</body>
</html>

BIN
Shorewall-docs/images/BD21298_.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 B

BIN
Shorewall-docs/images/BD21298_1.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 B

BIN
Shorewall-docs/images/BD21298_2.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 B

BIN
Shorewall-docs/images/BD21298_3.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 101 B

BIN
Shorewall-docs/images/DMZ.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 44 KiB

BIN
Shorewall-docs/images/DMZ2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
Shorewall-docs/images/DMZ3.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 45 KiB

BIN
Shorewall-docs/images/DMZ4.JPG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 50 KiB

BIN
Shorewall-docs/images/DMZ5.JPG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 49 KiB

BIN
Shorewall-docs/images/DMZ6.JPG Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 52 KiB

BIN
Shorewall-docs/images/Hiking1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 36 KiB

BIN
Shorewall-docs/images/Mobile.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/Mobile.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/ORE.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 35 KiB

BIN
Shorewall-docs/images/SY00079.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
Shorewall-docs/images/Shorewall_Banner.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
Shorewall-docs/images/Thumbs.db Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/TwoNets1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 28 KiB

BIN
Shorewall-docs/images/TwoNets1.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/TwoNets1.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/apache_pb1.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.5 KiB

BIN
Shorewall-docs/images/basics.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 31 KiB

BIN
Shorewall-docs/images/basics.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/basics.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/basics1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 33 KiB

BIN
Shorewall-docs/images/basics1.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/basics1.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/but3.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/compaq.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 932 B

BIN
Shorewall-docs/images/dmz1.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz1.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz2.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz2.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz3.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz3.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz4.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz4.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz5.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz5.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz6.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dmz6.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/dyndns_anim2.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
Shorewall-docs/images/j0213519.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 18 KiB

BIN
Shorewall-docs/images/leaflogo.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.5 KiB

BIN
Shorewall-docs/images/leaflogo.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.5 KiB

BIN
Shorewall-docs/images/linux_powered.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.2 KiB

BIN
Shorewall-docs/images/logo-sm.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 2.0 KiB

BIN
Shorewall-docs/images/menuconfig.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 86 KiB

BIN
Shorewall-docs/images/menuconfig1.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 88 KiB

BIN
Shorewall-docs/images/netopts.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 110 KiB

BIN
Shorewall-docs/images/network.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 72 KiB

BIN
Shorewall-docs/images/network.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/network.vsd Normal file
View File

Binary file not shown.

438
Shorewall-docs/images/network.xpm Normal file
View File

@ -0,0 +1,438 @@
/* XPM */
static char * network_xpm[] = {
"493 432 3 1",
" c None",
". c #FFFFFF",
"+ c #000000",
"...........................................................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+.................+++++.....++++...+..........+.+..+.......+.............+..................+.+................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+.................+....+...+....+..+..........+.+..++.....++.............+..................+.+................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+.................+.....+..+.......+..........+.+..++.....++...+++....++.+...+++...+.+..+...+.+................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+.................+.....+...++.....+...............+.+...+.+..+...+..+..++..+...+..++.++.+.....................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+.................+.....+.....++...+...............+.+...+.+..+...+..+...+..+...+..+..+..+.....................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+.................+.....+.......+..+...............+..+.+..+..+...+..+...+..+++++..+..+..+.....................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+.................+.....+..+....+..+...............+..+.+..+..+...+..+...+..+......+..+..+.....................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+.................+....+...+....+..+...............+...+...+..+...+..+..++..+...+..+..+..+.....................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+.................+++++.....++++...+++++...........+...+...+...+++....++.+...+++...+..+..+.....................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................",
"...........................................................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................",
"............................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+..................+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++...+++.........+....+++++...+++..........+.....+++....+++..........................+.......................................................................................................................",
"............................................................................................................................................................................................+.................+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+..+...+......+++........+..+...+.......+++....+...+..+...+.........................+.......................................................................................................................",
"............................................................................................................................................................................................+.....................+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+...+............+.......+...+...+.........+....+...+..+...+.........................+.......................................................................................................................",
"............................................................................................................................................................................................+....................+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+...+.++.........+.......+....+++..........+.....+++...+...+.........................+.......................................................................................................................",
"............................................................................................................................................................................................+...................+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+....++..+........+......+....+...+.........+....+...+..+...+.........................+.......................................................................................................................",
"............................................................................................................................................................................................+..................+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+....+...+........+......+....+...+.++++....+....+...+..+...+.........................+.......................................................................................................................",
"............................................................................................................................................................................................+.................+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+....+...+........+......+....+...+.........+....+...+..+...+.........................+.......................................................................................................................",
"++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................+.................+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+.....+...+........+.....+.....+...+.........+....+...+..+...+.........................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.................+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+++....+....+.....+......+++..........+.....+++....+++..........................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+...............................................................................................................+........................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+..............................................................................................................+.........................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+..........++++..........................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+.........+....+.........................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+.........+........+++...+.+.+...+...+++...+.+...........................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+..........++.....+...+..++..+...+..+...+..++............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+............++...+...+..+...+...+..+...+..+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+..............+..+++++..+....+.+...+++++..+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+.........+....+..+......+....+.+...+......+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+.........+....+..+...+..+.....+....+...+..+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+..........++++....+++...+.....+.....+++...+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+..........+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++..+++++....................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+.........+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+......+....................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+.............+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+......+.....................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+............+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+......+.....................................+..................................................+.........+.....+++....+++........+.....+++....+++.......+++........+....................++++++..+.............................+..+......................................................+.......................................................................................................................",
"+...........+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+......+......................................+..................................................+.......+++....+...+..+...+.....+++....+...+..+...+.....+...+.....+++....................+.....................................+..+......................................................+.......................................................................................................................",
"+..........+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+......+......................................+..................................................+.........+....+...+......+.......+....+......+...+.........+.......+....................+.......+..+.+..+++..+...+...+..+++...+..+......................................................+.......................................................................................................................",
"+.........+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+......+......................................+..................................................+.........+....+...+.....+........+....+.++....+++.........+........+....................+.......+..++..+...+.+...+...+.+...+..+..+......................................................+.......................................................................................................................",
"+.........+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+......+.......................................+..................................................+.........+.....++++....+.........+....++..+..+...+.......+.........+....................+++++...+..+...+...+..+..+..+......+..+..+......................................................+.......................................................................................................................",
"+.........+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+.......................................+..................................................+.........+........+...+..........+....+...+..+...+......+..........+....................+.......+..+...+++++..+..+..+...++++..+..+......................................................+.......................................................................................................................",
"+........................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++.+.........+........+..+...........+....+...+..+...+.....+...........+....................+.......+..+...+......+.+.+.+..+...+..+..+......................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.........+....+...+..+...........+....+...+..+...+.....+...........+....................+.......+..+...+...+...+...+...+...+..+..+......................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.........+.....+++...+++++..+....+.....+++....+++...+..+++++..+....+....................+.......+..+....+++....+...+....+++.+.+..+......................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.................................................+.....+++....+++........+.....+++....+++........+........+++...+++++.....+.............................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+...............................................+++....+...+..+...+.....+++....+...+..+...+.....+++.......+...+..+........++.............................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.................................................+....+...+......+.......+....+......+...+.......+...........+..+.......+.+.............................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.................................................+....+...+.....+........+....+.++....+++........+..........+...++++....+.+.............................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.................................................+.....++++....+.........+....++..+..+...+.......+.........+........+..+..+.............................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.................................................+........+...+..........+....+...+..+...+.......+........+.........+.+...+.............................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.................................................+........+..+...........+....+...+..+...+.......+.......+......+...+.++++++............................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.................................................+....+...+..+...........+....+...+..+...+.......+.......+......+...+.....+.............................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+.................................................+.....+++...+++++..+....+.....+++....+++...+....+....+..+++++...+++......+.............................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................",
"............................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.......................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"....................................................................................................................................................................................................................................................................................+........................................................................................................................................................................................................................",
"............................................................................................................................................................................................................................................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+..........................++++............+..+.........+.....................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.........................+....+..............+.........+.....................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.........................+......+...+...+.+.+++..+++...+.++..................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+..........................++....+...+...+.+..+..+...+..++..+.................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+............................++...+..+..+..+..+..+......+...+.................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+..............................+..+..+..+..+..+..+......+...+.................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.........................+....+..+.+.+.+..+..+..+......+...+.................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.........................+....+...+...+...+..+..+...+..+...+.................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+..........................++++....+...+...+..++..+++...+...+.................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+..........................................+..................................................+..................................................................................................................................................................",
"............................................................................................................................................................................................................................................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................",
".............................................................................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".............................................................................+.............................................................................................................+...........................................................................................................................+...............................................................................................................................+.....................................................",
".....................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++...........................................................+.........................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++",
".....................+.........................................................................................................+............++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+....+...+..+.+..++....+++................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+....+...+..++..+..+..+...+...............................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+....+...+..+...+.........+...............................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+....+...+..+....++....++++...............................................................................+............+......+...................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+....+...+..+......+..+...+...............................................................................+............+......+...................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+....+..++..+...+..+..+...+...............................................................................+............+.....+++..+++...+.+.+.+.+...+.............................................................................+.............+............................+................+....+.............................................................+.........+...........................................................................................................+",
".....................+.....++.+..+....++....+++.+..............................................................................+............+......+..+...+..++..++..+...+.............................................................................+.............+............................+................+..+++.............................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+......+......+..+...+...+...+.............................................................................+.............+.........+++....+++....++..+++..+++...+.++..+++...+.............................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+......+...++++..+...+...+..+..............................................................................+.............+........+...+..+...+..+..+..+..+...+..++..+..+....+.............................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+......+..+...+..+...+....+.+..............................................................................+.............+........+...+......+..+.....+..+...+..+...+..+....+.............................................................+.........+..............+.............+..............................................................................+",
".....................+.........................................................................................................+............+......+..+...+..+...+....+.+..............................................................................+.............+........+++++...++++...++...+..+++++..+...+..+....+.............................................................+.........+..............+.............+..............................................................................+",
".....................+.........................................................................................................+............+......++..+++.+.+...+.....+...............................................................................+.............+........+......+...+.....+..+..+......+...+..+....+.............................................................+.........+.........++...+.++...+...+..+..+...++....+++...+.++........................................................+",
".....................+.........................................................................................................+............+..........................+...............................................................................+.............+........+...+..+...+..+..+..+..+...+..++..+..+....+.............................................................+.........+........+..+..++..+..+...+..+.+...+..+..+...+..++..+.......................................................+",
".....................+.....+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++...+++.....+.....+............+.........................+................................................................................+.............+.........+++....+++.+..++...++..+++...+.++...++...+.............................................................+.........+........+.....+...+..+...+..++....+.........+..+...+.......................................................+",
".....................+....+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+..+...+....+.....+............+........................+.................................................................................+.............+......................................+.........................................................................+.........+.........++...+...+..+...+..++.....++....++++..+...+.......................................................+",
".....................+........+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+...+...+...+......+............+..........................................................................................................+.............+......................................+.........................................................................+.........+...........+..+...+..+...+..+.+......+..+...+..+...+.......................................................+",
".....................+.......+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+....+++....+......+............+..........................................................................................................+.............+......................................+.........................................................................+.........+........+..+..+...+..+..++..+..+..+..+..+...+..+...+.......................................................+",
".....................+......+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+....+...+..+.......+............+..........................................................................................................+.............+................................................................................................................+.........+.........++...+...+...++.+..+...+..++....+++.+.+...+.......................................................+",
".....................+.....+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+....+...+..+.......+............+.......+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++...+++.....+....+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+....+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+....+...+..+.......+............+......+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+..+...+....+....+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+....+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+.....+...+.+........+............+..........+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+...+...+...+.....+.............+.........+++....+++....+++........+.....+++......+........+.......+....+++........+.....+++....+++.....+........+.........+...........................................................................................................+",
".....................+....+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+++..+........+............+.........+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+...+...+...+.....+.............+........+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++....+...+..+...+....+........+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+........+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+.....++++..+......+.............+............+..+...+..+...........+........+...+.+........+.....+.+...+...........+....+...+..+...+...+.........+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+.......+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+........+..+......+.............+...........+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.....+++...+...+...+.........+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+......+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+........+..+......+.............+..........+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+....+...+..+...+..+..........+.........+..........+.....+++....+++........+.....+++....+++........+........+++.....................................+",
".....................+.........................................................................................................+............+......+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+.....+...+.+.......+.............+.........+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+....+...+..+...+..+..........+.........+........+++....+...+..+...+.....+++....+...+..+...+.....+++.......+...+....................................+",
".....................+.........................................................................................................+............+......+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+++..+.......+.............+........+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+....+...+..+...+..+..........+.........+..........+....+...+......+.......+....+......+...+.......+.......+...+....................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+........+......+...+..+...+.......+....+.........+........+.......+...+...+.......+....+...+..+...+.+...........+.........+..........+....+...+.....+........+....+.++....+++........+........+++.....................................+",
".....................+......+.....+++....+++........+.....+++....+++........+.......+++++......................................+............+..........................................................................................................+.............+........+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+++....+++..+...........+.........+..........+.....++++....+.........+....++..+..+...+.......+.......+...+....................................+",
".....................+....+++....+...+..+...+.....+++....+...+..+...+.....+++.......+..........................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+........+...+..........+....+...+..+...+.......+.......+...+....................................+",
".....................+......+....+...+......+.......+....+......+...+.......+.......+..........................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+........+..+...........+....+...+..+...+.......+.......+...+....................................+",
".....................+......+....+...+.....+........+....+.++....+++........+.......++++.......................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+....+...+..+...........+....+...+..+...+.......+.......+...+....................................+",
".....................+......+.....++++....+.........+....++..+..+...+.......+...........+......................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+.....+++...+++++..+....+.....+++....+++...+....+....+...+++.....................................+",
".....................+......+........+...+..........+....+...+..+...+.......+...........+......................................+............+........+.....+++....+++........+.....+++....+++........+..........+......................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+......+........+..+...........+....+...+..+...+.......+.......+...+......................................+............+......+++....+...+..+...+.....+++....+...+..+...+.....+++.........++......................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+......+....+...+..+...........+....+...+..+...+.......+.......+...+......................................+............+........+....+...+......+.......+....+......+...+.......+........+.+......................................+.............+..........+.....+++....+++........+.....+++....+++........+.......+++++.........................................+.........+...........................................................................................................+",
".....................+......+.....+++...+++++..+....+.....+++....+++...+....+....+...+++.......................................+............+........+....+...+.....+........+....+.++....+++........+........+.+......................................+.............+........+++....+...+..+...+.....+++....+...+..+...+.....+++...........+.........................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+........+.....++++....+.........+....++..+..+...+.......+.......+..+......................................+.............+..........+....+...+......+.......+....+......+...+.......+..........+..........................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+........+........+...+..........+....+...+..+...+.......+......+...+......................................+.............+..........+....+...+.....+........+....+.++....+++........+..........+..........................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+........+........+..+...........+....+...+..+...+.......+......++++++.....................................+.............+..........+.....++++....+.........+....++..+..+...+.......+.........+...........................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+........+....+...+..+...........+....+...+..+...+.......+..........+......................................+.............+..........+........+...+..........+....+...+..+...+.......+.........+...........................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+........+.....+++...+++++..+....+.....+++....+++...+....+....+.....+......................................+.............+..........+........+..+...........+....+...+..+...+.......+.........+...........................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+..........+....+...+..+...........+....+...+..+...+.......+........+............................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+..........+.....+++...+++++..+....+.....+++....+++...+....+....+...+............................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+",
".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++",
".....................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++............+..........................................................................................................+.............+................................................................................................................+......................................................................................................................",
"............................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.............++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++......................................................................................................................"};

BIN
Shorewall-docs/images/new10.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 281 B

BIN
Shorewall-docs/images/newlog.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 3.4 KiB

BIN
Shorewall-docs/images/ol600_01mic.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/penguin_in_red_compaq_racer.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 6.8 KiB

BIN
Shorewall-docs/images/poweredby.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/poweredbycompaqlog0.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 1.0 KiB

BIN
Shorewall-docs/images/ppp.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 79 KiB

BIN
Shorewall-docs/images/proxyarp.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

BIN
Shorewall-docs/images/proxyarp.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/proxyarp.vsd Normal file
View File

Binary file not shown.

6
Shorewall-docs/images/publish Normal file
View File

@ -0,0 +1,6 @@
#!/bin/sh
# scp $@ teastep@shorewall.sourceforge.net:/home/groups/s/sh/shorewall/htdocs
scp $@ root@mail:/var/www/html/images

BIN
Shorewall-docs/images/pure.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
Shorewall-docs/images/pureftp-d.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 15 KiB

BIN
Shorewall-docs/images/sf_logo_metal2.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 5.1 KiB

BIN
Shorewall-docs/images/sflogo.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/shorewall.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 4.2 KiB

BIN
Shorewall-docs/images/small-picture.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 402 B

BIN
Shorewall-docs/images/staticnat.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 14 KiB

BIN
Shorewall-docs/images/staticnat.png Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/staticnat.vsd Normal file
View File

Binary file not shown.

BIN
Shorewall-docs/images/updated.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 168 B

BIN
Shorewall-docs/images/washington.jpg Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 16 KiB

Some files were not shown because too many files have changed in this diff Show More