diff --git a/Shorewall-docs/Documentation.htm b/Shorewall-docs/Documentation.htm new file mode 100644 index 000000000..b928cc7fe --- /dev/null +++ b/Shorewall-docs/Documentation.htm @@ -0,0 +1,2703 @@ + + +
+ + + + +Shorewall consists of the following components:
+ +You may use the file /etc/shorewall/params + file to set shell variables that you can then use in some of the other + configuration files.
+ +It is suggested that variable names begin with an upper case letter + to distinguish them from variables used internally within the +Shorewall programs
+ +Example:
+ +++ +NET_IF=eth0 +NET_BCAST=130.252.100.255 +NET_OPTIONS=noping,norfc1918+
+ Example (/etc/shorewall/interfaces record):
++ +net $NET_IF $NET_BCAST $NET_OPTIONS+
The result will be the same as if the record had been written
+ +++ +net eth0 130.252.100.255 noping,norfc1918+
Variables may be used anywhere in the + other configuration files.
+ +This file is used + to define the network zones. There is one entry in /etc/shorewall/zones + for each zone; Columns in an entry are:
+ +The /etc/shorewall/zones file released with Shorewall + is as follows:
+ ++ ZONE | ++ DISPLAY | ++ COMMENTS | +
net | +Net | +Internet | +
loc | +Local | +Local networks | +
dmz | +DMZ | +Demilitarized zone | +
You may +add, delete and modify entries in the /etc/shorewall/zones file as desired +so long as you have at least one zone defined.
+ ++ Warning 1: If you rename or delete a zone, +you should perform "shorewall stop; shorewall start" to install the change +rather than "shorewall restart".
+ +Warning 2: The + order of entries in the /etc/shorewall/zones file is significant in + some cases.
+ +This file +is used to tell the firewall which of your firewall's network interfaces +are connected to which zone. There will be one entry in /etc/shorewall/interfaces +for each of your interfaces. Columns in an entry are:
+
+ blacklist - This option causes incoming packets on this
+ interface to be checked against the blacklist.
+
+ dhcp - The interface is assigned an IP address via DHCP or is used
+ by a DHCP server running on the firewall. The firewall will be configured
+ to allow DHCP traffic to and from the interface even when the firewall
+ is stopped. You may also wish to use this option if you have a static IP but
+ you are on a LAN segment that has a lot of Laptops that use DHCP and you
+ select the norfc1918 option (see below).
+
+ noping - ICMP echo-request (ping) packets addressed to the firewall will be ignored by this
+ interface.
+
+ filterping - ICMP echo-request (ping) packets addressed to the firewall
+ will be handled according to the /etc/shorewall/rules and
+ /etc/shorewall/policy file. If the applicable policy is DROP or REJECT and you
+ have supplied your own /etc/shorewall/icmpdef file then these 'ping' requests
+ will be passed through the rules in that file before being dropped or
+ rejected. If neither noping nor filterping is specified then the
+ firewall will automatically ACCEPT these 'ping' requests. If both noping
+ and filterping are specified, filterping takes precedence.
+ + routestopped - Beginning with Shorewall 1.3.4, this option is deprecated + in favor of the /etc/shorewall/routestopped file. When the firewall is stopped, traffic to and from +this interface will be accepted and routing will occur between this + interface and other routestopped interfaces.
+ +
+
+ norfc1918 - Packets arriving on this interface and that have a source
+ address that is reserved in RFC 1918 or in other RFCs will be dropped after
+ being optionally logged. If packet mangling is
+ enabled in /etc/shorewall/shorewall.conf
+ , then packets arriving on this interface that have a destination address
+ that is reserved by one of these RFCs will also be logged and dropped.
+
+ Addresses blocked by the standard rfc1918 file
+ include those addresses reserved by RFC1918 plus other ranges reserved by the
+ IANA or by other RFCs.
+ Beware that as IPv4 addresses become in increasingly short supply, ISPs are + beginning to use RFC 1918 addresses within their own infrastructure. Also, + many cable and DSL "modems" have an RFC 1918 address that can be used through + a web browser for management and monitoring functions. If you want to specify + norfc1918 on your external interface but need to allow access to + certain addresses from the above list, see FAQ 14.
+ ++ + routefilter - Invoke the Kernel's route filtering (anti-spoofing) facility on this + interface. The kernel will reject any packets incoming on this interface + that have a source address that would be routed outbound through another + interface on the firewall. Warning: If + you specify this option for an interface then the interface must be + up prior to starting the firewall.
+ ++ + multi - The interface has multiple addresses and you want to be able + to route between them. Example: you have two addresses on your single + local interface eth1, one each in subnets 192.168.1.0/24 and 192.168.2.0/24 + and you want to route between these subnets. Because you only have +one interface in the local zone, Shorewall won't normally create a +rule to forward packets from eth1 to eth1. Adding "multi" to the entry +for eth1 will cause Shorewall to create the loc2loc chain and the +appropriate forwarding rule.
+dropunclean - Packets from this interface that
+ are selected by the 'unclean' match target in iptables will
+ be optionally logged and then dropped. Warning: This feature
+ requires that UNCLEAN match support be configured in your
+ kernel, either in the kernel itself or as a module. UNCLEAN
+ support is broken in some versions of the kernel but appears
+ to work ok in 2.4.17-rc1.
+
+ Update 12/17/2001: The unclean match patch from
+ 2.4.17-rc1 is available
+ for download. I am currently running this patch applied
+ to kernel 2.4.16.
Update + 12/20/2001: I've + seen a number of tcp connection requests with OPT (020405B40000080A...) + being dropped in the badpkt chain. This appears to be + a bug in the remote TCP stack whereby it is 8-byte aligning + a timestamp (TCP option 8) but rather than padding with 0x01 + it is padding with 0x00. It's a tough call whether to deny + people access to your servers because of this rather minor + bug in their networking software. If you wish to disable the + check that causes these connections to be dropped, here's + a kernel patch against 2.4.17-rc2.
+logunclean + - This option works like dropunclean + with the exception that packets selected by the 'unclean' + match target in iptables are logged but not dropped. + The level at which the packets are logged is determined by + the setting of LOGUNCLEAN and if + LOGUNCLEAN has not been set, "info" is assumed.
+proxyarp (Added in version 1.3.5) - This option + causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp + and is used when implementing Proxy ARP Sub-netting as + described at + + http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do + not set this option if you are implementing Proxy ARP + through entries in + /etc/shorewall/proxyarp.
+Example + 1: You have a conventional firewall setup in which eth0 connects to a +Cable or DSL modem and eth1 connects to your local network and eth0 gets + its IP address via DHCP. You want to ignore ping requests from the internet + and you want to check all packets entering from the internet + against the black list. Your /etc/shorewall/interfaces file would be as follows:
+ +++ ++ +
+ ++ ZONE ++ INTERFACE ++ BROADCAST ++ OPTIONS ++ +net +eth0 +detect +dhcp,noping,norfc1918,blacklist ++ + + +loc +eth1 +detect ++
Example + 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + file would be:
+ +++ ++ +
+ ++ ZONE ++ INTERFACE ++ BROADCAST ++ OPTIONS ++ + + + +net +ppp0 + ++ +
Example 3: You have local interface eth1 with two IP + addresses - 192.168.1.1/24 and 192.168.12.1/24
+ +++ ++
++ ++ ZONE ++ INTERFACE ++ BROADCAST ++ OPTIONS ++ + +loc +eth1 + +192.168.1.255,192.168.12.255 ++
For most applications, specifying zones entirely + in terms of network interfaces is sufficient. There may be times though + where you need to define a zone to be a more general collection of hosts. + This is the purpose of the /etc/shorewall/hosts file.
+ + +WARNING: 90% of + Shorewall users don't need to put entries in this file and + 80% of those who try to add such entries do it wrong. + Unless you are ABSOLUTELY SURE that you need entries in + this file, don't touch it.
+ + +Columns in this +file are:
+ + ++ ++ + ++ +
+ +- An IP address (example - eth1:192.168.1.3)
+ +- A subnet in the form <subnet address>/<width> + (example - eth2:192.168.2.0/2)
+ +The interface name much match an entry in + /etc/shorewall/interfaces.
+
+ ++ +routestopped - Beginning with Shorewall + 1.3.4, this option is deprecated in favor of the + /etc/shorewall/routestopped + file. When the firewall is stopped, + traffic to and from this host (these hosts) will be accepted and routing + will occur between this host and other routestopped interfaces + and hosts.
+
If you don't define any hosts for a zone, the + hosts in the zone default to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, + i1, ... are the interfaces to the zone.
+ +Note 1: + You probably DON'T want to specify any hosts for your internet zone +since the hosts that you specify will be the only ones that you will be +able to access without adding additional rules.
+ +Note 2: + + + The setting of the MERGE_HOSTS variable in + /etc/shorewall/shorewall.conf has + an important effect on how the host file is processed. + Please read the description of that variable + carefully.
+ +Example:
+ +Your local interface is eth1 and you have two + groups of local hosts that you want to make into separate zones:
+ + ++ Your /etc/shorewall/interfaces file might look like:
+ +++ ++ +
+ ++ ZONE ++ INTERFACE ++ BROADCAST ++ OPTIONS ++ +net +eth0 +detect +dhcp,noping,norfc1918 ++ + + + +- +eth1 +detect ++
+ The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + to multiple zones.
+ ++ Your /etc/shorewall/hosts file might look like:
+ +++ ++ +
+ ++ ZONE ++ HOST(S) ++ OPTIONS ++ + +loc1 +eth1:192.168.1.0/25 + + + ++ + + + + +loc2 +eth1:192.168.1.128/25 +routestopped +
+ Hosts in 'loc2' can communicate with the firewall while Shorewall is stopped + -- those in 'loc1' cannot.
+ ++ The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow you +to define nested or overlapping zones. Such overlapping/nested zones are + allowed and Shorewall processes zones in the order that they appear in +the /etc/shorewall/zones file. So if you have nested zones, you want the +sub-zone to appear before the super-zone and in the case of overlapping +zones, the rules that will apply to hosts that belong to both zones is determined +by which zone appears first in /etc/shorewall/zones.
+ ++ Hosts that belong to more than +one zone may be managed by the rules of all of those zones. This is done through + use of the special CONTINUE policy + described below.
+ +This file is used to describe the firewall + policy regarding establishment of connections. Connection establishment + is described in terms of clients who initiate connections and + servers who receive those connection requests. Policies defined in + /etc/shorewall/policy describe which zones are allowed to establish connections + with other zones.
+ +Policies established in /etc/shorewall/policy + can be viewed as default policies. If no rule in /etc/shorewall/rules +applies to a particular connection request then the policy from /etc/shorewall/policy + is applied.
+ +Four policies are defined:
+ + ++ For each policy specified in /etc/shorewall/policy, you can indicate +that you want a message sent to your system log each time that the policy +is applied.
+ ++ Entries in /etc/shorewall/policy have four columns as follows:
+ ++ In the SOURCE and DEST columns, you can enter "all" to indicate all +zones.
+ ++ The policy file installed by default is as follows:
+ +++ ++ +
+ +SOURCE +DEST ++ POLICY ++ LOG LEVEL +LIMIT:BURST ++ + +loc +net +ACCEPT + + + ++ + + + + +net +all +DROP +info ++ + + + + + +all +all +REJECT +info ++
+ This table may be interpreted as follows:
+ ++ WARNING:
++ The firewall script processes the /etc/shorewall/policy file +from top to bottom and uses the first applicable policy that it finds. + For example, in the following policy file, the policy for (loc, loc) + connections would be ACCEPT as specified in the first entry even though + the third entry in the file specifies REJECT.
++++ +
+ +SOURCE +DEST +POLICY +LOG LEVEL +LIMIT:BURST ++ + +loc +all +ACCEPT + ++ + + +net +all +DROP +info ++ + + + + + +loc +loc +REJECT +info ++
+ Where zones are nested or overlapping + , the CONTINUE policy allows hosts that are within multiple zones to be +managed under the rules of all of these zones. Let's look at an example:
++ /etc/shorewall/zones:
++++ +
+ ++ ZONE ++ DISPLAY ++ COMMENTS ++ +sam +Sam +Sam's system at home ++ +net +Internet +The Internet ++ + + + + +loc +Loc +Local Network +
+ /etc/shorewall/interfaces:
++++ +
+ ++ ZONE ++ INTERFACE ++ BROADCAST ++ OPTIONS ++ +- +eth0 +detect +dhcp,noping,norfc1918 ++ + + + + +loc +eth1 +detect +routestopped +
+ /etc/shorewall/hosts:
++++ +
+ ++ ZONE ++ HOST(S) ++ OPTIONS ++ + +net +eth0:0.0.0.0/0 + ++ + + + + + +sam +eth0:206.191.149.197 +routestopped +
+ Note that Sam's home system is a member of both the sam zone and +the net zone and + as described above + , that means that sam must be listed before net in /etc/shorewall/zones.
++ /etc/shorewall/policy:
++++ +
+ ++ SOURCE ++ DEST ++ POLICY ++ LOG LEVEL ++ + +loc +net +ACCEPT + ++ + + +sam +all +CONTINUE + ++ + +net +all +DROP +info ++ + + + + +all +all +REJECT +info +
+ The second entry above says that when Sam is the client, connection requests + should first be process under rules where the source zone is sam and +if there is no match then the connection request should be treated under + rules where the source zone is net. It is important that this policy + be listed BEFORE the next policy (net to all).
++ Partial /etc/shorewall/rules:
++++ +
+ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ + +... + ++ + + + + + + +DNAT +sam +loc:192.168.1.3 +tcp +ssh +- ++ + +DNAT +net +loc:192.168.1.5 +tcp +www +- ++ + + + + + +... ++ + + + + +
+ Given these two rules, Sam can connect to the firewall's internet interface + with ssh and the connection request will be forwarded to 192.168.1.3. Like + all hosts in the net zone, Sam can connect to the firewall's internet + interface on TCP port 80 and the connection request will be forwarded to +192.168.1.5. The order of the rules is not significant.
+ ++ Sometimes it is necessary to suppress port forwarding + for a sub-zone. For example, suppose that all hosts can SSH to the firewall + and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the + firewall's external IP, he should be connected to the firewall itself. Because + of the way that Netfilter is constructed, this requires two rules as follows:
+ +++ ++
+ ++
++ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ ++ + + + + + + + +... + ++ + + + + + + + +DNAT +sam +fw +tcp +ssh +- ++ + +DNAT +net!sam +loc:192.168.1.3 +tcp +ssh +- ++ + + + +... ++ + + + + +
The first rule allows Sam SSH + access to the firewall. The second + rule says that any clients from the + net zone with the exception of those + in the 'sam' zone should have their + connection port forwarded to + 192.168.1.3. If you need to exclude + more than one zone in this way, you + can list the zones separated by + commas (e.g., net!sam,joe,fred). + This technique also may be used when + the ACTION is REDIRECT.
+ + +The /etc/shorewall/rules file + defines exceptions to the policies established in the /etc/shorewall/policy + file. There is one entry in /etc/shorewall/rules for each of these rules.
+ + +Entries in the file have the + following columns:
+The ACTION may optionally be followed by
+ ":" and a syslogd log level (example: REJECT:info). This causes the
+ packet to be logged at the specified level prior to being processed according
+ to the specified ACTION.
+
+ The use of DNAT or REDIRECT requires that you have NAT enabled.
+
+ + + Example 1. You wish to forward all ssh connection requests from the + internet to local system 192.168.1.3.
+ +++ ++ +
+ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ + + + + + +DNAT +net +loc:192.168.1.3 +tcp +ssh ++ +
+ Example 2. You want to redirect all local www connection requests EXCEPT + those to your own http server + (206.124.146.177) to a Squid + transparent proxy running on the firewall and listening on port 3128. Squid + will of course require access to remote web servers. This example shows yet + another use for the ORIGINAL + DEST column; here, connection + requests that were NOT + + (notice the "!") originally + destined to 206.124.146.177 are + redirected to local port 3128.
+ +++ ++ +
+ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ +REDIRECT +loc +3128 +tcp +www ++ !206.124.146.177 ++ + + + + + +ACCEPT +fw +net +tcp +www ++ +
+ Example 3. You want to run a web server at 155.186.235.222 in your +DMZ and have it accessible remotely and locally. the DMZ is managed by +Proxy ARP or by classical sub-netting.
+ +++ ++ +
+ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ + +ACCEPT +net +dmz:155.186.235.222 +tcp +www +- + ++ + + + + + + +ACCEPT +loc +dmz:155.186.235.222 +tcp +www ++ +
+ Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded + DMZ. Your internet interface address is 155.186.235.151 and you want the + FTP server to be accessible from the internet in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24 + subnetworks. Note that since the server is in the 192.168.2.0/24 subnetwork, + we can assume that access to the server from that subnet will not involve + the firewall (but see FAQ 2). Note that unless you + have more than one external + IP address, you can leave + the ORIGINAL DEST column + blank in the first rule. You + cannot leave it blank in the + second rule though because + then all ftp connections + originating in the local + subnet 192.168.1.0/24 would + be sent to 192.168.2.2 + regardless of the site that + the user was trying to + connect to. That is + clearly not what you want + .
+ +++ + ++ +
+ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ +DNAT +net +dmz:192.168.2.2 +tcp +ftp ++ + + + + + + + +DNAT +loc:192.168.1.0/24 +dmz:192.168.2.2 +tcp +ftp + +- + +155.186.235.151 +
If you are running + wu-ftpd, you should restrict the range of passive in your /etc/ftpaccess + file. I only need a few simultaneous FTP sessions so I use port range +65500-65535. In /etc/ftpaccess, this entry is appropriate:
+ + ++ + ++ + +passive ports + 0.0.0.0/0 65500 65534
+
If you are running + pure-ftpd, you would include "-p 65500:65534" on the pure-ftpd runline.
+ + +The important +point here is to ensure that the port range used for FTP passive connections +is unique and will not overlap with any usage on the firewall system.
+ + +Example 5. You + wish to allow unlimited + DMZ access to the host + with MAC address + 02:00:08:E3:FA:55.
+ + +++ + ++
++ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ + + +ACCEPT +loc:~02-00-08-E3-FA-55 +dmz +all ++ + +
+ Look here for information on other services. +
+ + +Shorewall allows + definition of rules that + apply between all zones. + By default, these rules + are defined in the file + /etc/shorewall/common.def + but may be modified to + suit individual + requirements. Rather + than modify + /etc/shorewall/common.def, + you should copy that + file to + /etc/shorewall/common + and modify that file.
+ + +The + /etc/shorewall/common + file is expected to + contain iptables + commands; rather than + running iptables + directly, you should run + it indirectly using the + Shorewall function 'run_iptables'. + That way, if iptables + encounters an error, the + firewall will be safely + stopped.
+ + +The /etc/shorewall/masq + file is used to define classical IP Masquerading and Source Network Address Translation (SNAT). There is one entry in + the file for each subnet that you want to masquerade. In order to make +use of this feature, you must have NAT enabled + .
+ + +Columns are:
++ Example 1: You have eth0 connected to a cable modem and eth1 connected + to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq file +would look like:
+ +++ ++ +
+ ++ INTERFACE ++ SUBNET +ADDRESS ++ + + + + + +eth0 +192.168.9.0/24 ++
+ Example 2: You have a number of IPSEC tunnels through ipsec0 and +you want to masquerade traffic from your 192.168.9.0/24 subnet to the +remote subnet 10.1.0.0/16 only.
+ +++ ++ +
+ ++ INTERFACE ++ SUBNET +ADDRESS ++ + + + + + +ipsec0:10.1.0.0/16 +192.168.9.0/24 ++
+ Example 3: You have a DSL line connected on eth0 and a local network + (192.168.10.0/24) + connected to eth1. You + want all local->net + connections to use + source address + 206.124.146.176.
+ +++ ++
++ ++ INTERFACE ++ SUBNET +ADDRESS ++ + + +eth0 +192.168.10.0/24 +206.124.146.176 +
Example 4: + Same as example 3 + except that you wish + to exclude + 192.168.10.44 and + 192.168.10.45 from + the SNAT rule.
+ + +++ ++
++ ++ INTERFACE ++ SUBNET +ADDRESS ++ + + +eth0 +192.168.10.0/24!192.168.10.44,192.168.10.45 +206.124.146.176 +
If you want to + use proxy ARP on an + entire sub-network, + I suggest that you + look at + + http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. + If you decide to use + the technique + described in that + HOWTO, you can set + the proxy_arp flag + for an interface + (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + by including the + proxyarp option + in the interface's + record in + + /etc/shorewall/interfaces. + When using Proxy ARP + sub-netting, you do + NOT include + any entries in + /etc/shorewall/proxyarp.
+ + +The /etc/shorewall/proxyarp + file is used to define Proxy ARP. The file is + typically used for + enabling Proxy ARP + on a small set of + systems since you + need one entry in + this file for each + system using proxy + ARP. Columns are:
+Note: After you have made a change to the + /etc/shorewall/proxyarp file, you may need to flush the ARP cache of all + routers on the LAN segment connected to the interface specified in the EXTERNAL + column of the change/added entry(s). If you are having problems communicating + between an individual host (A) on that segment and a system whose entry has + changed, you may need to flush the ARP cache on host A as well.
+ + +ISPs typically have ARP configured with long TTL + (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump + -nei <external interface> host <IP addr>"), it may take a long while to time + out. I personally have had to contact my ISP and ask them to delete a stale + entry in order to restore a system to working order after changing my proxy ARP + settings.
+ + +Example: + You have + public IP addresses 155.182.235.0/28. You configure your firewall as follows:
++ In your DMZ, you want to install a Web/FTP server with public address + 155.186.235.4. On the Web server, you subnet just like the firewall's eth0 +and you configure 155.186.235.1 as the default gateway. In your /etc/shorewall/proxyarp +file, you will have:
+ +++ ++ +
+ ++ ADDRESS ++ INTERFACE ++ EXTERNAL +HAVEROUTE ++ + + + + + +155.186.235.4 +eth2 +eth0 +No +
+ Note: You may want to configure the servers in your DMZ with a subnet +that is smaller than the subnet of your internet interface. See the Proxy +ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) for details. In this case you will want to place + "Yes" in the HAVEROUTE column.
+ +To learn how I use Proxy ARP + in my DMZ, see my configuration files.
+ +Warning: Do not use Proxy ARP and + FreeS/Wan on the same system unless you are prepared to suffer the + consequences. If you start or restart Shorewall with an IPSEC tunnel active, + the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device + (ipsecX) rather than to the interface that you specify in the INTERFACE column + of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I + can't say if it is a bug in the Kernel or in FreeS/Wan.
+You might be able to work around this problem using the following (I + haven't tried it):
+In /etc/shorewall/init, include:
+qt service ipsec stop
+In /etc/shorewall/start, include:
+qt service ipsec start
+ +The /etc/shorewall/nat + file is used to define static NAT. There is one entry in the file for +each static NAT relationship that you wish to define. In order to make +use of this feature, you must have NAT enabled + .
+ + ++ + IMPORTANT: If + all you want to do + is forward ports + to servers behind + your firewall, you + do NOT want to use + static NAT. Port + forwarding can be + accomplished with + simple entries in + the + + rules file. + Also, in most + cases + + Proxy ARP + provides a + superior solution + to static NAT + because the + internal systems + are accessed using + the same IP + address internally + and externally.
+ + +Columns +in an entry are:
++ Look here for additional information and an example. +
+ ++ The /etc/shorewall/tunnels file allows you to define IPSec, GRE and IPIP tunnels + with end-points on your firewall. To use ipsec, you must install version + 1.9, 1.91 or the current FreeS/WAN + development snapshot.
+ ++ Note: For kernels 2.4.4 and above, you will need to use version 1.91 or +a development snapshot as patching with version 1.9 results in kernel compilation + errors.
+ ++ Instructions for setting up IPSEC tunnels may be found here + and instructions for IPIP tunnels are here + . Look here for information about setting up PPTP + tunnels under + Shorewall.
+ ++ This file is used to set the following firewall parameters:
+ZONE | +HOSTS | +BROADCAST | +OPTIONS | +
loc | +eth1 | +- | +dhcp | +
- | +ppp+ | ++ | + |
+ Hosts File:
+
ZONE | +HOSTS | +
loc | +ppp+:192.168.12.0/24 | +
+ With MERGE_HOSTS=No, the loc zone consists of only ppp+:192.168.12.0/24;
+ with MERGE_HOSTS=Yes, it includes eth1:0.0.0.0/0 and ppp+:192.168.12.0/24.
+
Rules not meeting those criteria will continue to generate an individual + rule for each listed port or port range.
The file + /etc/shorewall/modules contains commands for loading the kernel modules + required by Shorewall-defined firewall rules. Shorewall will source this + file during start/restart provided that it exists and that the directory + specified by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf + above).
+ + +The file + that is released with Shorewall calls the Shorewall function "loadmodule" + for the set of modules that I load.
+ + +The loadmodule + function is called as follows:
+ + ++ + ++ + +loadmodule + <modulename> + [ + <module parameters> ]
+
where
+ + ++ + ++ + + +<modulename>
+ + ++ + + ++ + +is + the name of the modules without the trailing ".o" (example ip_conntrack).
++ <module parameters>
+ + ++ + + +++ Optional parameters to the insmod utility.
+
+ The function determines if the module named by <modulename> + is already loaded and if not then the function determines if the ".o" + file corresponding to the module exists in the moduledirectory; if +so, then the following command is executed:
+ + + ++ + + ++ + + ++ insmod moduledirectory/<modulename>.o <module + parameters>
+
+ If the file doesn't exist, the function determines of the ".o.gz" file + corresponding to the module exists in the moduledirectory. If it + does, the function assumes that the running configuration supports compressed + modules and execute the following command:
+ + + ++ + + ++ + + ++ insmod moduledirectory/<modulename>.o.gz <module + parameters>
+
+ The /etc/shorewall/tos file allows you to set the Type of Service field +in packet headers based on packet source, packet destination, protocol, +source port and destination port. In order for this file to be processed +by Shorewall, you must have mangle support enabled + .
+ + + ++ Entries in the file have the following columns:
+ + ++ ++ ++ +++ Minimize-Delay (16)
+
+ Maximize-Throughput (8)
+ Maximize-Reliability (4)
+ Minimize-Cost (2)
+ Normal-Service (0)
+ The /etc/shorewall/tos file that is included with Shorewall contains the + following entries.
+ +++ ++ + +
+ +SOURCE +DEST +PROTOCOL +SOURCE +
+ PORT(S)DEST PORT(S) +TOS ++ +all +all +tcp +- +ssh +16 ++ +all +all +tcp +ssh +- +16 ++ +all +all +tcp +- +ftp +16 ++ +all +all +tcp +ftp +- +16 ++ +all +all +tcp +- +ftp-data +8 ++ + + + + + + + +all +all +tcp +ftp-data +- +8 +
WARNING: Users have reported that odd routing problems result from adding the ESP and AH protocols to the /etc/shorewall/tos file. +
+ +Each + line + in + /etc/shorewall/blacklist + contains + an + IP + address, a MAC address in Shorewall Format + or + subnet + address. + Example:
+ +130.252.100.69 + 206.124.146.0/24+ +
Packets + from + hosts + listed + in + the + blacklist + file + will + be + disposed + of + according + to + the + value + assigned + to + the BLACKLIST_DISPOSITION + and BLACKLIST_LOGLEVEL variables + in + /etc/shorewall/shorewall.conf. + Only + packets + arriving + on + interfaces + that + have + the + 'blacklist' + option + in + /etc/shorewall/interfaces + are + checked + against + the + blacklist. The black list is designed to prevent listed hosts/subnets from accessing services on your network.
+ +Shorewall also has a dynamic blacklist capability.
+ +IMPORTANT: The Shorewall blacklist file is NOT designed to police your users' web browsing -- to do that, I suggest that you install and configure Squid (http://www.squid-cache.org).
+ + + +This file lists the subnets affected by the norfc1918 interface option. Columns in the file are:
+ + + +This fine defines the hosts that are accessible from the firewall when the firewall is stopped. Columns in the file are:
+ + + +Example: When your firewall is stopped, you want firewall accessibility from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces through eth1 and your local hosts through eth2.
+ + + +++ + + ++
++ +INTERFACE +HOST(S) ++ +eth2 +192.168.1.0/24 ++ +eth1 +- +
+ Updated 8/13/2002 - Tom +Eastep +
+ + + +Copyright + © 2001, 2002 Thomas M. Eastep.
+ + + + + + + + \ No newline at end of file diff --git a/Shorewall-docs/Documentation_Index.htm b/Shorewall-docs/Documentation_Index.htm new file mode 100644 index 000000000..6e2c831ae --- /dev/null +++ b/Shorewall-docs/Documentation_Index.htm @@ -0,0 +1,29 @@ + + + + + + + ++Last updated 8/9/2002 + - + Tom Eastep +
++ Copyright + © 2001, 2002 Thomas M. Eastep.
+ + + + diff --git a/Shorewall-docs/FAQ.htm b/Shorewall-docs/FAQ.htm new file mode 100644 index 000000000..951f9d91c --- /dev/null +++ b/Shorewall-docs/FAQ.htm @@ -0,0 +1,571 @@ + + + + + + + +++Why do you call it "Shorewall"?
+What distributions does it work with?
+ + +
+ + + ++I just ran an nmap UDP scan of my firewall and +it showed 100s of ports as open!!!!
+
+ + + + ++
+ ++
++I've installed Shorewall and now I can't ping through the +firewall
+ +
++Where are the log messages written and +how do I change the destination?
+Shorewall is writing log messages all over my +console making it unusable!
+ +
+ ++When I try to start Shorewall on RedHat 7.x, I +get messages about insmod failing -- what's wrong?
+ +
++Why does Shorewall only accept IP addresses as +opposed to FQDNs?
+
Answer: The first example in the rules +file documentation shows how to do port forwarding under Shorewall. Assuming +that you have a dynamic external IP address, the format of a port-forwarding +rule to a local system is as follows:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ +DNAT +net +loc:<local IP address>[:<local port>] +<protocol> +<port #> ++ +
So to forward UDP port 7777 to internal system 192.168.1.5, the +rule is:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ +DNAT +net +loc:192.168.1.5 +udp +7777 ++ +
DNAT net loc:192.168.1.5 udp 7777+
If you want to forward requests directed to a particular +address ( <external IP> ) on your firewall to an internal system:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ +DNAT +net +loc:<local IP address>[:<local port>] +<protocol> +<port #> +- +<external IP> +
Answer: That is usually the result of one of two things:
+Answer: I have two objections to this setup.
+If you insist on an IP solution to the accessibility problem +rather than a DNS solution, then assuming that your external interface is eth0 +and your internal interface is eth1 +and that eth1 has IP address 192.168.1.254 with subnet 192.168.1.0/24, do the following:
+a) In /etc/shorewall/interfaces, specify "multi" as an option +for eth1.
+b) In /etc/shorewall/rules, add:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ +DNAT +loc:192.168.1.0/24 +loc:192.168.1.5 +tcp +www +- +130.151.100.69:192.168.1.254 +
DNAT loc:192.168.1.0/24 loc:192.168.1.5 tcp www - 130.151.100.69:192.168.1.254+
That rule only works of course if you have a static external IP +address. If you +have a dynamic IP address and are running Shorewall 1.3.4 or later then include this in +/etc/shorewall/params:
ETH0_IP=`find_interface_address eth0`+
and make your DNAT rule:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIG. DEST. ++ +DNAT +loc:192.168.1.0/24 +loc:192.168.1.5 +tcp +www +- +$ETH0_IP:192.168.1.254 +
Using this technique, you will want to configure your DHCP/PPPoE +client to automatically restart Shorewall each time that you get a new IP +address.
Answer: This is another problem that is best solved using Bind Version 9 +"views". It allows both external and internal clients to access a +NATed host using the host's DNS name.
+Another good way to approach this problem is to switch from +static NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and +can be accessed externally and internally using the same address.
+If you don't like those solutions and prefer routing all Z->Z +traffic through your firewall then:
+a) Specify "multi" on the entry for Z's interface in
+/etc/shorewall/interfaces.
+b) Set the Z->Z policy to ACCEPT.
+c) Masquerade Z to itself.
+
+Example:
Zone: dmz
+Interface: eth2
+Subnet: 192.168.2.0/24
In /etc/shorewall/interfaces:
++++
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +dmz +eth2 +192.168.2.255 +multi +
In /etc/shorewall/policy:
++++
++ +SOURCE +DESTINATION +POLICY +LIMIT:BURST ++ +dmz +dmz +ACCEPT ++
dmz dmz ACCEPT+
In /etc/shorewall/masq:
++++
++ +INTERFACE +SUBNET +ADDRESS ++ +eth2 +192.168.2.0/24 ++
Answer: There is an H.323 connection tracking/NAT module that may help. +Also check the Netfilter mailing list archives at http://netfilter.samba.org.
+ +Answer: The common.def included with version 1.3.x always + rejects connection requests on TCP port 113 rather than dropping them. This is + necessary to prevent outgoing connection problems to services that use the + 'Auth' mechanism for identifying requesting users. Shorewall also rejects TCP + ports 135, 137 and 139 as well as UDP ports 137-139. These are ports that are + used by Windows (Windows can be configured to use the DCE cell locator + on port 135). Rejecting these connection requests rather than dropping them + cuts down slightly on the amount of Windows chatter on LAN segments connected + to the Firewall.
+ +If you are seeing port 80 being 'closed', that's probably your + ISP preventing you from running a web server in violation of your Service + Agreement.
+ +Answer: Take a deep breath and read the nmap man page section about + UDP scans. If nmap gets nothing back from your firewall then it reports + the port as open. If you want to see which UDP ports are really open, + temporarily change your net->all policy to REJECT, restart Shorewall and do + the nmap UDP scan again.
+ +Answer: If you want your firewall to be totally open for +"ping":
+a) Do NOT specify 'noping' on any interface in
+/etc/shorewall/interfaces.
+b) Copy /etc/shorewall/icmp.def to /etc/shorewall/icmpdef
+c) Add the following to /etc/shorewall/icmpdef:
++run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j +ACCEPT
+
Answer: NetFilter uses the kernel's equivalent of syslog (see "man +syslog") to log messages. It always uses the LOG_KERN (kern) facility (see +"man openlog") and you get to choose the log level (again, see +"man syslog") in your policies +and rules. The destination for messaged +logged by syslog is controlled by /etc/syslog.conf (see "man +syslog.conf"). When you have changed /etc/syslog.conf, be sure to restart +syslogd (on a RedHat system, "service syslog restart").
+By default, older versions of Shorewall ratelimited log messages through +settings +in /etc/shorewall/shorewall.conf -- If you want to log all messages, set:
+LOGLIMIT="" + LOGBURST=""+
Answer: Here are several links that may be helpful:
++++http://www.shorewall.net/pub/shorewall/parsefw/
+
+http://www.fireparse.com
+http://cert.uni-stuttgart.de/projects/fwlogwatch
The 'stop' command is intended to place your firewall into a +safe state whereby only those interfaces/hosts having the 'routestopped' option +in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want +to totally open up your firewall, you must use the 'shorewall clear' command.
+Answer: The output you will see looks something like this:
+/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy + Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters + /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod + /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed + /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed + iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?) + Perhaps iptables or your kernel needs to be upgraded.+
This is usually cured by the following sequence of commands:
+service ipchains stop + chkconfig --delete ipchains + rmmod ipchains+
Also, be sure to check the errata for +problems concerning the version of iptables (v1.2.3) shipped with RH7.2.
Answer: FQDNs in iptables rules +aren't nearly as useful as they first appear. When a DNS name appears in a rule, +the iptables utility resolves the name to one or more IP addresses and inserts +those addresses into the rule. So change in the DNS->IP address relationship +that occur after the firewall has started have absolutely no effect on the +firewall's ruleset.
+I'm also trying to protect +people from themselves. If your firewall rules include FQDN's then:
+Shorewall works with any GNU/Linux distribution that includes + the proper prerequisites.
Answer: See the Shorewall Feature + List.
Answer: Every time I've started to work on one, I find myself doing + other things. I guess I just don't care enough if Shorewall has a GUI to + invest the effort to create one myself. There are several Shorewall GUI + projects underway however and I will publish links to them when the authors + feel that they are ready.
Answer: Shorewall is a concatenation of "Shoreline" (the + city where I live) and "Firewall".
Is there any way it can add a rule before the +rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address +of the modem in/out but still block all other rfc1918 addresses.
+Answer: If you are running a version of Shorewall earlier than + 1.3.1, create /etc/shorewall/start and in it, place the following:
run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT+
If you are running version 1.3.1 or later, simply add the + following to /etc/shorewall/rfc1918:
+++
++ +SUBNET +TARGET ++ +192.168.100.1 +RETURN +
Be sure that you add the entry ABOVE the entry for + 192.168.0.0/16.
The solution is the same as FAQ 14 above. Simply substitute + the IP address of your ISPs DHCP server.
Answer: Every time I read "systems can't see out to the net", I wonder +where the poster bought computers with eyes and what those computers will "see" +when things are working properly. That aside, the most common causes of this +problem are:
+ +The default gateway on each local system isn't set to the + IP address of the local firewall interface.
+ +The entry for the local network in the /etc/shorewall/masq + file is wrong or missing.
+ +The DNS settings on the local systems are wrong or the + user is running a DNS server on the firewall and hasn't enabled UDP and TCP + port 53 from the firewall to the internet.
+ +Answer: "man dmesg" -- add a suitable 'dmesg' command to your startup + scripts or place it in /etc/shorewall/start.
+ +I just installed Shorewall and when I issue the start command, + I see the following:
+ +Processing /etc/shorewall/shorewall.conf ... + Processing /etc/shorewall/params ... + Starting Shorewall... + Loading Modules... + Initializing... + Determining Zones... + Zones: net loc + Validating interfaces file... + Validating hosts file... + Determining Hosts in Zones... + Net Zone: eth0:0.0.0.0/0 + Local Zone: eth1:0.0.0.0/0 + Deleting user chains... + Creating input Chains... + ...+
Why can't Shorewall detect my interfaces properly?
Answer: The above output is perfectly normal. The Net + zone is defined as all hosts that are connected through eth0 and the local + zone is defined as all hosts connected through eth1. +
Last updated +7/31/2002 - Tom +Eastep
+ +Copyright +© 2001, 2002 Thomas M. Eastep.
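Review bot: A few wording slips in the FAQ answers should be fixed before this ships: "The destination for messaged logged by syslog" should be "messages logged"; "So change in the DNS->IP address relationship that occur after the firewall has started" should be "So changes ... that occur"; "your ISPs DHCP server" needs the possessive "ISP's". The FQDN answer also ends on "If your firewall rules include FQDN's then:" with nothing following it in the hunk, so the list of consequences that the colon introduces is either missing or lost; confirm it is in the file. The same goes for the nmap answer, which correctly explains that an unanswered UDP probe is reported as open; it would help readers to add that this is why the net->all DROP policy produces the alarming scan and that switching to REJECT is only a diagnostic step, not a recommended permanent setting, since the page elsewhere treats DROP as the normal policy.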
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/GnuCopyright.htm b/Shorewall-docs/GnuCopyright.htm new file mode 100644 index 000000000..7b70f73ff --- /dev/null +++ b/Shorewall-docs/GnuCopyright.htm @@ -0,0 +1,277 @@ + + + + + + + +Version 1.1, March 2000
+Copyright (C) 2000 Free Software Foundation, Inc. +59 Temple Place, Suite 330, Boston, MA 02111-1307 USA +Everyone is permitted to copy and distribute verbatim copies +of this license document, but changing it is not allowed. ++
0. PREAMBLE
+The purpose of this License is to make a manual, textbook, or other written +document "free" in the sense of freedom: to assure everyone the effective +freedom to copy and redistribute it, with or without modifying it, either +commercially or noncommercially. Secondarily, this License preserves for the +author and publisher a way to get credit for their work, while not being +considered responsible for modifications made by others.
+This License is a kind of "copyleft", which means that derivative works of +the document must themselves be free in the same sense. It complements the GNU +General Public License, which is a copyleft license designed for free software. +
+We have designed this License in order to use it for manuals for free +software, because free software needs free documentation: a free program should +come with manuals providing the same freedoms that the software does. But this +License is not limited to software manuals; it can be used for any textual work, +regardless of subject matter or whether it is published as a printed book. We +recommend this License principally for works whose purpose is instruction or +reference.
+1. APPLICABILITY AND DEFINITIONS
+This License applies to any manual or other work that contains a notice +placed by the copyright holder saying it can be distributed under the terms of +this License. The "Document", below, refers to any such manual or work. Any +member of the public is a licensee, and is addressed as "you".
+A "Modified Version" of the Document means any work containing the Document +or a portion of it, either copied verbatim, or with modifications and/or +translated into another language.
+A "Secondary Section" is a named appendix or a front-matter section of the +Document that deals exclusively with the relationship of the publishers or +authors of the Document to the Document's overall subject (or to related +matters) and contains nothing that could fall directly within that overall +subject. (For example, if the Document is in part a textbook of mathematics, a +Secondary Section may not explain any mathematics.) The relationship could be a +matter of historical connection with the subject or with related matters, or of +legal, commercial, philosophical, ethical or political position regarding them. +
+The "Invariant Sections" are certain Secondary Sections whose titles are +designated, as being those of Invariant Sections, in the notice that says that +the Document is released under this License.
+The "Cover Texts" are certain short passages of text that are listed, as +Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document +is released under this License.
+A "Transparent" copy of the Document means a machine-readable copy, +represented in a format whose specification is available to the general public, +whose contents can be viewed and edited directly and straightforwardly with +generic text editors or (for images composed of pixels) generic paint programs +or (for drawings) some widely available drawing editor, and that is suitable for +input to text formatters or for automatic translation to a variety of formats +suitable for input to text formatters. A copy made in an otherwise Transparent +file format whose markup has been designed to thwart or discourage subsequent +modification by readers is not Transparent. A copy that is not "Transparent" is +called "Opaque".
+Examples of suitable formats for Transparent copies include plain ASCII +without markup, Texinfo input format, LaTeX input format, SGML or XML using a +publicly available DTD, and standard-conforming simple HTML designed for human +modification. Opaque formats include PostScript, PDF, proprietary formats that +can be read and edited only by proprietary word processors, SGML or XML for +which the DTD and/or processing tools are not generally available, and the +machine-generated HTML produced by some word processors for output purposes +only.
+The "Title Page" means, for a printed book, the title page itself, plus such +following pages as are needed to hold, legibly, the material this License +requires to appear in the title page. For works in formats which do not have any +title page as such, "Title Page" means the text near the most prominent +appearance of the work's title, preceding the beginning of the body of the text. +
+2. VERBATIM COPYING
+You may copy and distribute the Document in any medium, either commercially +or noncommercially, provided that this License, the copyright notices, and the +license notice saying this License applies to the Document are reproduced in all +copies, and that you add no other conditions whatsoever to those of this +License. You may not use technical measures to obstruct or control the reading +or further copying of the copies you make or distribute. However, you may accept +compensation in exchange for copies. If you distribute a large enough number of +copies you must also follow the conditions in section 3.
+You may also lend copies, under the same conditions stated above, and you may +publicly display copies.
+3. COPYING IN QUANTITY
+If you publish printed copies of the Document numbering more than 100, and +the Document's license notice requires Cover Texts, you must enclose the copies +in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover +Texts on the front cover, and Back-Cover Texts on the back cover. Both covers +must also clearly and legibly identify you as the publisher of these copies. The +front cover must present the full title with all words of the title equally +prominent and visible. You may add other material on the covers in addition. +Copying with changes limited to the covers, as long as they preserve the title +of the Document and satisfy these conditions, can be treated as verbatim copying +in other respects.
+If the required texts for either cover are too voluminous to fit legibly, you +should put the first ones listed (as many as fit reasonably) on the actual +cover, and continue the rest onto adjacent pages.
+If you publish or distribute Opaque copies of the Document numbering more +than 100, you must either include a machine-readable Transparent copy along with +each Opaque copy, or state in or with each Opaque copy a publicly-accessible +computer-network location containing a complete Transparent copy of the +Document, free of added material, which the general network-using public has +access to download anonymously at no charge using public-standard network +protocols. If you use the latter option, you must take reasonably prudent steps, +when you begin distribution of Opaque copies in quantity, to ensure that this +Transparent copy will remain thus accessible at the stated location until at +least one year after the last time you distribute an Opaque copy (directly or +through your agents or retailers) of that edition to the public.
+It is requested, but not required, that you contact the authors of the +Document well before redistributing any large number of copies, to give them a +chance to provide you with an updated version of the Document.
+4. MODIFICATIONS
+You may copy and distribute a Modified Version of the Document under the +conditions of sections 2 and 3 above, provided that you release the Modified +Version under precisely this License, with the Modified Version filling the role +of the Document, thus licensing distribution and modification of the Modified +Version to whoever possesses a copy of it. In addition, you must do these things +in the Modified Version:
++
If the Modified Version includes new front-matter sections or appendices that +qualify as Secondary Sections and contain no material copied from the Document, +you may at your option designate some or all of these sections as invariant. To +do this, add their titles to the list of Invariant Sections in the Modified +Version's license notice. These titles must be distinct from any other section +titles.
+You may add a section entitled "Endorsements", provided it contains nothing +but endorsements of your Modified Version by various parties--for example, +statements of peer review or that the text has been approved by an organization +as the authoritative definition of a standard.
+You may add a passage of up to five words as a Front-Cover Text, and a +passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover +Texts in the Modified Version. Only one passage of Front-Cover Text and one of +Back-Cover Text may be added by (or through arrangements made by) any one +entity. If the Document already includes a cover text for the same cover, +previously added by you or by arrangement made by the same entity you are acting +on behalf of, you may not add another; but you may replace the old one, on +explicit permission from the previous publisher that added the old one.
+The author(s) and publisher(s) of the Document do not by this License give +permission to use their names for publicity for or to assert or imply +endorsement of any Modified Version.
+5. COMBINING DOCUMENTS
+You may combine the Document with other documents released under this +License, under the terms defined in section 4 above for modified versions, +provided that you include in the combination all of the Invariant Sections of +all of the original documents, unmodified, and list them all as Invariant +Sections of your combined work in its license notice.
+The combined work need only contain one copy of this License, and multiple +identical Invariant Sections may be replaced with a single copy. If there are +multiple Invariant Sections with the same name but different contents, make the +title of each such section unique by adding at the end of it, in parentheses, +the name of the original author or publisher of that section if known, or else a +unique number. Make the same adjustment to the section titles in the list of +Invariant Sections in the license notice of the combined work.
+In the combination, you must combine any sections entitled "History" in the +various original documents, forming one section entitled "History"; likewise +combine any sections entitled "Acknowledgements", and any sections entitled +"Dedications". You must delete all sections entitled "Endorsements."
+6. COLLECTIONS OF DOCUMENTS
+You may make a collection consisting of the Document and other documents +released under this License, and replace the individual copies of this License +in the various documents with a single copy that is included in the collection, +provided that you follow the rules of this License for verbatim copying of each +of the documents in all other respects.
+You may extract a single document from such a collection, and distribute it +individually under this License, provided you insert a copy of this License into +the extracted document, and follow this License in all other respects regarding +verbatim copying of that document.
+7. AGGREGATION WITH INDEPENDENT WORKS
+A compilation of the Document or its derivatives with other separate and +independent documents or works, in or on a volume of a storage or distribution +medium, does not as a whole count as a Modified Version of the Document, +provided no compilation copyright is claimed for the compilation. Such a +compilation is called an "aggregate", and this License does not apply to the +other self-contained works thus compiled with the Document, on account of their +being thus compiled, if they are not themselves derivative works of the +Document.
+If the Cover Text requirement of section 3 is applicable to these copies of +the Document, then if the Document is less than one quarter of the entire +aggregate, the Document's Cover Texts may be placed on covers that surround only +the Document within the aggregate. Otherwise they must appear on covers around +the whole aggregate.
+8. TRANSLATION
+Translation is considered a kind of modification, so you may distribute +translations of the Document under the terms of section 4. Replacing Invariant +Sections with translations requires special permission from their copyright +holders, but you may include translations of some or all Invariant Sections in +addition to the original versions of these Invariant Sections. You may include a +translation of this License provided that you also include the original English +version of this License. In case of a disagreement between the translation and +the original English version of this License, the original English version will +prevail.
+9. TERMINATION
+You may not copy, modify, sublicense, or distribute the Document except as +expressly provided for under this License. Any other attempt to copy, modify, +sublicense or distribute the Document is void, and will automatically terminate +your rights under this License. However, parties who have received copies, or +rights, from you under this License will not have their licenses terminated so +long as such parties remain in full compliance.
+10. FUTURE REVISIONS OF THIS LICENSE
+The Free Software Foundation may publish new, revised versions of the GNU +Free Documentation License from time to time. Such new versions will be similar +in spirit to the present version, but may differ in detail to address new +problems or concerns. See http://www.gnu.org/copyleft/.
+Each version of the License is given a distinguishing version number. If the +Document specifies that a particular numbered version of this License "or any +later version" applies to it, you have the option of following the terms and +conditions either of that specified version or of any later version that has +been published (not as a draft) by the Free Software Foundation. If the Document +does not specify a version number of this License, you may choose any version +ever published (not as a draft) by the Free Software Foundation.
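Review bot: The license text is incomplete as committed: section 4 (MODIFICATIONS) ends "you must do these things in the Modified Version:" and is followed by an empty block, so the lettered list of requirements that the GNU Free Documentation License 1.1 places there is missing. The header of the file states that changing the license document is not allowed, and this is the file that conditions redistribution of the whole documentation set, so it should be replaced with the verbatim FSF text rather than a partial copy.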
++ + + + \ No newline at end of file diff --git a/Shorewall-docs/IPIP.htm b/Shorewall-docs/IPIP.htm new file mode 100644 index 000000000..f0c80a4f7 --- /dev/null +++ b/Shorewall-docs/IPIP.htm @@ -0,0 +1,173 @@ + + + + +
GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks. GRE +tunnels were introduced in shorewall version 1.2.0_Beta2.
+The simple scripts described in the Linux Advanced Routing +and Shaping HOWTO work fine with Shorewall. Shorewall also includes a tunnel +script for automating tunnel configuration. If you have installed the RPM, the +tunnel script may be found in the Shorewall documentation directory (usually +/usr/share/doc/shorewall-<version>/).
+Suppose that we have the following situation:
++
+We want systems in the 192.168.1.0/24 subnetwork to be able to +communicate with the systems in the 10.0.0.0/8 network. This is accomplished +through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file +and the /etc/shorewall/tunnel script that is included with Shorewall.
+The 'tunnel' script is not installed in /etc/shorewall by +default -- If you install using the tarball, the script is included in the +tarball; if you install using the RPM, the file is in your Shorewall +documentation directory (normally /usr/share/doc/shorewall-<version>).
+In the /etc/shorewall/tunnel script, set the 'tunnel_type' +parameter to the type of tunnel that you want to create.
+Example:
+++tunnel_type=gre
+
On system A, the 10.0.0.0/8 will comprise the gw zone. In +/etc/shorewall/interfaces:
++++
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +gw +tosysb +10.255.255.255 ++
In /etc/shorewall/tunnels on system A, we need the following:
++++
++ +TYPE +ZONE +GATEWAY +GATEWAY ZONE ++ +ipip +net +134.28.54.2 ++
This entry in /etc/shorewall/tunnels, opens the firewall so that the IP +encapsulation protocol (4) will be accepted to/from the remote gateway.
+In the tunnel script on system A:
+++tunnel=tosysb
+
+ myrealip=206.161.148.9 (for GRE tunnel only)
+ myip=192.168.1.1
+ hisip=10.0.0.1
+ gateway=134.28.54.2
+ subnet=10.0.0.0/8
Similarly, On system B the 192.168.1.0/24 subnet will comprise the gw +zone. In /etc/shorewall/interfaces:
++++
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +gw +tosysa +192.168.1.255 ++
In /etc/shorewall/tunnels on system B, we have:
++++
++ +TYPE +ZONE +GATEWAY +GATEWAY ZONE ++ +ipip +net +206.191.148.9 ++
And in the tunnel script on system B:
+++tunnel=tosysa
+
+ myrealip=134.28.54.2 (for GRE tunnel only)
+ myip=10.0.0.1
+ hisip=192.168.1.1
+ gateway=206.191.148.9
+ subnet=192.168.1.0/24
You can rename the modified tunnel scripts if you like; be sure that they are +secured so that root can execute them.
+ +You will need to allow traffic between the "gw" zone and + the "loc" zone on both systems -- if you simply want to admit all traffic + in both directions, you can use the policy file:
+ + ++++
++ +SOURCE +DEST +POLICY +LOG LEVEL ++ + +loc +gw +ACCEPT ++ + + +gw +loc +ACCEPT ++
On both systems, restart Shorewall and +run the modified tunnel script with the "start" argument on each +system. The systems in the two masqueraded subnetworks can now talk to each +other
+Updated 5/18/2002 - Tom +Eastep
+Copyright +© 2001, 2002 Thomas M. Eastep.
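Review bot: The two example configurations disagree about system A's public address: system A's tunnel script sets "myrealip=206.161.148.9", but system B's /etc/shorewall/tunnels entry and its tunnel script both use "206.191.148.9". The IPSEC page in this same commit uses 206.161.148.9 for the same host, so the 206.191 values look like typos; as written, system B is pointed at the wrong peer. Second, the script example sets "tunnel_type=gre" while both /etc/shorewall/tunnels entries are type "ipip", which the text itself says admits only IP protocol 4; GRE is IP protocol 47, so a reader who follows the gre example verbatim ends up with a tunnels entry that does not admit the tunnel traffic. Either show the gre tunnel type for that case or make the script example use tunnel_type=ipip to match the table. Minor: "secured so that root can execute them" presumably means "so that only root can execute them", and the closing sentence "can now talk to each other" is missing its period.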
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/IPSEC.htm b/Shorewall-docs/IPSEC.htm new file mode 100644 index 000000000..2c827b29c --- /dev/null +++ b/Shorewall-docs/IPSEC.htm @@ -0,0 +1,240 @@ + + + + + +Warning: Do not use Proxy ARP + and FreeS/Wan on the same system unless you are prepared to suffer the + consequences. If you start or restart Shorewall with an IPSEC tunnel active, + the proxied IP addresses are mistakenly assigned to the IPSEC tunnel device + (ipsecX) rather than to the interface that you specify in the INTERFACE column + of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I + can't say if it is a bug in the Kernel or in FreeS/Wan.
+You might be able to work around this problem using the following (I + haven't tried it):
+In /etc/shorewall/init, include:
+qt service ipsec stop
+In /etc/shorewall/start, include:
+qt service ipsec start
+Suppose that we have the following sutuation:
+ + + ++ +
+ + + +We want systems +in the 192.168.1.0/24 sub-network to be able to communicate with systems +in the 10.0.0.0/8 network.
+ +To make this work, we need to do two things:
+ +a) Open the firewall so that the IPSEC tunnel can be established +(allow the ESP and AH protocols and UDP Port 500).
+ +b) Allow traffic through the tunnel.
+ +Opening the firewall for the IPSEC tunnel is accomplished by +adding an entry to the /etc/shorewall/tunnels file.
+ +In /etc/shorewall/tunnels +on system A, we need the following
+ +++ ++ +
+ ++ TYPE ++ ZONE ++ GATEWAY ++ GATEWAY ZONE ++ + + +ipsec +net +134.28.54.2 ++
In /etc/shorewall/tunnels +on system B, we would have:
+ +++ ++ +
+ ++ TYPE ++ ZONE ++ GATEWAY ++ GATEWAY ZONE ++ + + +ipsec +net +206.161.148.9 ++
At both +systems, ipsec0 would be included in /etc/shorewall/interfaces as a "gw" +interface:
+ +++ ++ +
+ ++ ZONE ++ INTERFACE ++ BROADCAST ++ OPTIONS ++ + + +gw +ipsec0 ++ +
You will need to allow traffic between the "gw" zone and + the "loc" zone -- if you simply want to admit all traffic in both + directions, you can use the policy file:
+ + +++ ++
++ +SOURCE +DEST +POLICY +LOG LEVEL ++ + +loc +gw +ACCEPT ++ + + +gw +loc +ACCEPT ++
Once +you have these entries in place, restart Shorewall (type shorewall restart); +you are now ready to configure the tunnel in + FreeS/WAN + .
+ + +Suppose that you have +a laptop system (B) that you take with you when you travel and you want to +be able to establish a secure connection back to your local network.
+ ++ +
+ +In this +instance, the mobile system (B) has IP address 134.28.54.2 but that cannot +be determined in advance. In the /etc/shorewall/tunnels file on system A, +the following entry should be made:
+ +++ ++ +
+ ++ TYPE ++ ZONE ++ GATEWAY ++ GATEWAY ZONE ++ + + +ipsec +net +0.0.0.0/0 +gw +
Note that the GATEWAY +ZONE column contains the name of the zone corresponding to peer subnetworks +(gw in the default /etc/shorewall/zones). This indicates that the +gateway system itself comprises the peer subnetwork; in other words, the +remote gateway is a standalone system.
+ + +You will need to configure /etc/shorewall/interfaces and establish + your "through the tunnel" policy as shown under the first example above.
+ + +Last +updated 5/18/2002 - + Tom Eastep +
+ + ++ Copyright © 2001, 2002 Thomas M. Eastep.
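Review bot: "Suppose that we have the following sutuation" should be "situation". On substance, the road-warrior entry ("ipsec net 0.0.0.0/0 gw") necessarily admits ESP, AH and UDP port 500 from any source address, whereas the earlier examples restrict them to the single peer gateway; the text should say so next to that table so readers understand what they give up for mobility. The suggested Proxy ARP workaround (qt service ipsec stop in /etc/shorewall/init, qt service ipsec start in /etc/shorewall/start) is labelled untested, which is fine, but it also means every "shorewall restart" tears the tunnel down and re-establishes it, and that consequence is worth stating alongside it.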
+ + + \ No newline at end of file diff --git a/Shorewall-docs/Install.htm b/Shorewall-docs/Install.htm new file mode 100644 index 000000000..321ae6156 --- /dev/null +++ b/Shorewall-docs/Install.htm @@ -0,0 +1,165 @@ + + + + +Install using RPM
+Install
+using tarball
+Upgrade using RPM
+Upgrade
+using tarball
+Configuring Shorewall
+Uninstall/Fallback
To install Shorewall using the RPM:
+If you have RedHat 7.2 and are running iptables version 1.2.3 (at a shell +prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 +either from the +RedHat update +site or from the Shorewall Errata page before +attempting to start Shorewall.
+To + install Shorewall using the tarball and install + script:
+If you already have the Shorewall RPM installed and are upgrading to a new +version:
+If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you +have entries in the /etc/shorewall/hosts file then please check your +/etc/shorewall/interfaces file to be sure that it contains an entry for each +interface mentioned in the hosts file. Also, there are certain 1.2 rule forms +that are no longer supported under 1.3 (you must use the new 1.3 syntax). See +the upgrade issues for details. You can check your rules and +host file for 1.3 compatibility using the "shorewall check" command after +installing the latest version of 1.3.
+
+ Note: Some SuSE users have encountered a problem whereby rpm reports a
+ conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this
+ happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps <shorewall
+ rpm>).
+
If you already have Shorewall installed and are upgrading to a new version +using the tarball:
+If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you +have entries in the /etc/shorewall/hosts file then please check your +/etc/shorewall/interfaces file to be sure that it contains an entry for each +interface mentioned in the hosts file. Also, there are certain 1.2 rule +forms that are no longer supported under 1.3 (you must use the new 1.3 syntax). +See the upgrade issues for details. You can check your rules +and host file for 1.3 compatibility using the "shorewall check" command after +installing the latest version of 1.3.
+You will need to edit some or all of these configuration files to match your +setup. In most cases, the Shorewall +QuickStart Guides contain all of the information you need.
+Updated 8/7/2002 - Tom +Eastep
+Copyright +© 2001, 2002 Thomas M. Eastep.
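Review bot: the SuSE note recommends `rpm -Uvh --nodeps <shorewall rpm>`, but `--nodeps` skips every dependency check, not only the spurious "kernel <= 2.2" conflict, so the note should say what is being bypassed and ask users to confirm the remaining prerequisites by hand (for example the iptables version the page already tells RedHat 7.2 users to check with `/sbin/iptables --version`). Separately, the 1.2-to-1.3 upgrade paragraph (hosts/interfaces check, unsupported 1.2 rule forms, `shorewall check`) appears twice verbatim, once under the RPM upgrade and once under the tarball upgrade; keep one copy or have both point at the upgrade issues page, so the two do not drift apart in later edits.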
+ + \ No newline at end of file diff --git a/Shorewall-docs/NAT.htm b/Shorewall-docs/NAT.htm new file mode 100644 index 000000000..6c7d6dadc --- /dev/null +++ b/Shorewall-docs/NAT.htm @@ -0,0 +1,87 @@ + + + + +++ +Static NAT
+IMPORTANT: If all you want to do is forward + ports to servers behind your firewall, you do NOT want to use static NAT. + Port forwarding can be accomplished with simple entries in the + rules file.
+Static NAT is a way to make systems behind a + firewall and configured with private IP addresses (those + reserved for private use in RFC1918) appear to have public IP + addresses.
+The following figure represents a static NAT + environment.
++
+++Static NAT can be used to make the systems with the + 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we + assume that the interface to the upper subnet is eth0, then the following + /etc/shorewall/NAT file would make the lower left-hand system appear to have + IP address 130.252.100.18 and the right-hand one to have IP address + 130.252.100.19.
++
++ +EXTERNAL +INTERFACE +INTERNAL +ALL INTERFACES +LOCAL ++ +130.252.100.18 +eth0 +10.1.1.2 +yes +yes ++ +130.252.100.19 +eth0 +10.1.1.3 +yes +yes +Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above + example) is (are) not included in any specification in /etc/shorewall/masq + or /etc/shorewall/proxyarp.
+Note 1: The "ALL INTERFACES" column + is used to specify whether access to the external IP from all firewall + interfaces should undergo NAT (Yes or yes) or if only access from the + interface in the INTERFACE column should undergo NAT. If you leave this + column empty, "Yes" is assumed. The ALL INTERFACES column was + added in version 1.1.6.
+Note 2: Shorewall will automatically add the external address to the + specified interface unless you specify ADD_IP_ALIASES="no" + (or "No") in /etc/shorewall/shorewall.conf; If you do not set + ADD_IP_ALIASES or if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
+Note 3: The contents of the "LOCAL" + column determine whether packets originating on the firewall itself and + destined for the EXTERNAL address are redirected to the internal ADDRESS. If + this column contains "yes" or "Yes" (and the ALL + INTERFACES COLUMN also contains "Yes" or "yes") then + such packets are redirected; otherwise, such packets are not redirected. The + LOCAL column was added in version 1.1.8.
+
++ +
Last updated 3/27/2002 - +Tom +Eastep
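Review bot: the page never states what traffic is permitted to reach 10.1.1.2 and 10.1.1.3 once the two /etc/shorewall/NAT entries are in place; after the table, add a sentence saying that the NAT entries only translate addresses and that access to the internal systems is still governed by the policy and rules files (the IMPORTANT paragraph at the top already sends readers to the rules file for port forwarding, so the same pointer belongs here). Also, "Be sure that the internal system(s) ... is (are) not included" reads awkwardly; "Be sure that the internal systems ... are not included" is enough.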
+Copyright +© 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/News.htm b/Shorewall-docs/News.htm new file mode 100644 index 000000000..4bf79e73b --- /dev/null +++ b/Shorewall-docs/News.htm @@ -0,0 +1,999 @@ + + + + +8/7/2002 - STABLE branch added to CVS Repository
+ +This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to get the latest stable tree.
+ +8/7/2002 - Upgrade Issues section added + to the Errata Page
+ +Now there is one place to go to look for issues involved with upgrading to + recent versions of Shorewall.
+ +8/7/2002 - Shorewall 1.3.6
+ +This is primarily a bug-fix rollup with a couple of new features:
+ +7/30/2002 - Shorewall 1.3.5b Released
+ +This interim release:
+ +7/29/2002 - New Shorewall Setup Guide Available
+ +The first draft of this guide is available at + + http://www.shorewall.net/shorewall_setup_guide.htm. The guide is intended + for use by people who are setting up Shorewall to manage multiple public IP + addresses and by people who want to learn more about Shorewall than is + described in the single-address guides. Feedback on the new guide is welcome.
+ +7/28/2002 - Shorewall 1.3.5 Debian Package Available
+ +Lorenzo Martignoni reports that the packages are version 1.3.5a and are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +7/27/2002 - Shorewall 1.3.5a Released
+ +This interim release restores correct handling of REDIRECT rules.
+ +7/26/2002 - Shorewall 1.3.5 Released
+ +This will be the last Shorewall release for a while. I'm going to be + focusing on rewriting a lot of the documentation.
+ +In this version:
+ +7/16/2002 - New Mirror in Argentina
+ +Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in + Argentina. Thanks Buanzo!!!
+ +7/16/2002 - Shorewall 1.3.4 Released
+ +In this version:
+ +7/8/2002 - Shorewall 1.3.3 Debian Package Available
+ +Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +7/6/2002 - Shorewall 1.3.3 Released
+ +In this version:
+ +6/25/2002 - Samples Updated for 1.3.2
+ +The comments in the sample configuration files have been updated to reflect + new features introduced in Shorewall 1.3.2.
+ +6/25/2002 - Shorewall 1.3.1 Debian Package Available
+ +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +6/19/2002 - Documentation Available in PDF Format
+ +Thanks to Mike Martinez, the Shorewall Documentation is now available for + download in Adobe + PDF format.
+ +6/16/2002 - Shorewall 1.3.2 Released
+ +In this version:
+ +6/6/2002 - Why CVS Web access is Password Protected
+ +Last weekend, I installed the CVS Web package to provide brower-based access + to the Shorewall CVS repository. Since then, I have had several instances where + my server was almost unusable due to the high load generated by website copying + tools like HTTrack and WebStripper. These mindless tools:
+ +These tools/weapons are particularly damaging when combined with CVS Web + because they doggedly follow every link in the cgi-generated HTML resulting in + 1000s of executions of the cvsweb.cgi script. Yesterday, I spend several hours + implementing measures to block these tools but unfortunately, these measures + resulted in my server OOM-ing under even moderate load.
+ +Until I have the time to understand the cause of the OOM (or until I buy + more RAM if that is what is required), CVS Web access will remain Password + Protected.
+ +6/5/2002 - Shorewall 1.3.1 Debian Package Available
+ +Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.
+ +6/2/2002 - Samples Corrected
+ +The 1.3.0 samples configurations had several serious problems that prevented + DNS and SSH from working properly. These problems have been corrected in the + 1.3.1 samples.
+ +6/1/2002 - Shorewall 1.3.1 Released
+ +Hot on the heels of 1.3.0, this release:
+ +5/29/2002 - Shorewall 1.3.0 Released
+ +In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 + includes:
+ +5/23/2002 - Shorewall 1.3 RC1 Available
+ +In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) + incorporates the following:
+ +5/19/2002 - Shorewall 1.3 Beta 2 Available
+ +In addition to the changes in Beta 1, this release which carries the + designation 1.2.91 adds:
+ +5/17/2002 - Shorewall 1.3 Beta 1 Available
+ +Beta 1 carries the version designation 1.2.90 and implements the following + features:
+ +5/4/2002 - Shorewall 1.2.13 is Available
+ +In this version:
+ +4/30/2002 - Shorewall Debian News
+ +Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the + Debian + Testing Branch and the + Debian + Unstable Branch.
+ +4/20/2002 - Shorewall 1.2.12 is Available
+ +4/17/2002 - Shorewall Debian News
+ +Lorenzo Marignoni reports that:
+ +Thanks, Lorenzo!
+ +4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE
+ +Thanks to Stefan Mohr, there is + now a Shorewall 1.2.11 + + SuSE RPM available.
+ +4/13/2002 - Shorewall 1.2.11 Available
+ +In this version:
+ +4/13/2002 - Hamburg Mirror now has FTP
+ +Stefan now has an FTP mirror at + + ftp://germany.shorewall.net/pub/shorewall. Thanks Stefan!
+ +4/12/2002 - New Mirror in Hamburg
+ +Thanks to Stefan Mohr, there is + now a mirror of the Shorewall website at + + http://germany.shorewall.net.
+ +4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available
+ +Version 1.1 of the QuickStart Guide + is now available. Thanks to those who have read version 1.0 and offered their + suggestions. Corrections have also been made to the sample scripts.
+ +4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available
+ +Version 1.0 of the QuickStart Guide + is now available. This Guide and its accompanying sample configurations are + expected to provide a replacement for the recently withdrawn parameterized + samples.
+ +4/8/2002 - Parameterized Samples Withdrawn
+ +Although the parameterized + samples have allowed people to get a firewall up and running quickly, they + have unfortunately set the wrong level of expectation among those who have used + them. I am therefore withdrawing support for the samples and I am recommending + that they not be used in new Shorewall installations.
+ +4/2/2002 - Updated Log Parser
+ +John Lodge has provided an updated + version of his + CGI-based log parser with corrected date + handling.
+ +3/30/2002 - Shorewall Website Search Improvements
+ +The quick search on the home page now excludes the mailing list archives. + The Extended Search allows excluding the + archives or restricting the search to just the archives. An archive search form + is also available on the mailing list information + page.
+ +3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)
+ +3/25/2002 - Log Parser Available
+ +John Lodge has provided a + CGI-based log parser for Shorewall. Thanks + John.
+ +3/20/2002 - Shorewall 1.2.10 Released
+ +In this version:
+ +3/11/2002 - Shorewall 1.2.9 Released
+ +In this version:
+ +3/1/2002 - 1.2.8 Debian Package is Available
+ +See http://security.dsi.unimi.it/~lorenzo/debian.html
+ +2/25/2002 - New Two-interface Sample
+I've enhanced the two interface sample to allow access from the firewall to +servers in the local zone - + +http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz
+ +2/23/2002 - Shorewall 1.2.8 Released
+ +Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects + problems associated with the lock file used to prevent multiple state-changing + operations from occuring simultaneously. My apologies for any inconvenience my + carelessness may have caused.
+ +2/22/2002 - Shorewall 1.2.7 Released
+ +In this version:
+ +2/18/2002 - 1.2.6 Debian Package is Available
+ +See http://security.dsi.unimi.it/~lorenzo/debian.html
+ +2/8/2002 - Shorewall 1.2.6 Released
+ +In this version:
+ +2/4/2002 - Shorewall 1.2.5 Debian Package Available
+ +see http://security.dsi.unimi.it/~lorenzo/debian.html
+ +2/1/2002 - Shorewall 1.2.5 Released
+ +Due to installation problems with Shorewall 1.2.4, I have released Shorewall + 1.2.5. Sorry for the rapid-fire development.
+ +In version 1.2.5:
+ +1/28/2002 - Shorewall 1.2.4 Released
+ +1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html
+ +1/20/2002 - Corrected firewall script available
+ +Corrects a problem with BLACKLIST_LOGLEVEL. See the +errata for details.
+ +1/19/2002 - Shorewall 1.2.3 Released
+ +This is a minor feature and bugfix release. The single new feature is:
+ +The following problems were corrected:
+1/18/2002 - Shorewall 1.2.2 packaged with new LEAF +release
+ +Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution +that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo +for details.
+ +1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo +Martignoni, a 1.2.2 Shorewall Debian package is now available. There is a +link to Lorenzo's site from the Shorewall download page.
+ +1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This +corrected version restores the "shorewall status" command to +health.
+ +1/8/2002 - Shorewall 1.2.2 Released
+ +In version 1.2.2
+ +1/5/2002 - New Parameterized Samples (version +1.2.0) released. These are minor updates to the previously-released +samples. There are two new rules added:
+ +See the README file for upgrade instructions.
+ +1/1/2002 - Shorewall Mailing List Moving
+ +The Shorewall mailing list hosted at Sourceforge is moving to Shorewall.net. + If you are a current subscriber to the list at Sourceforge, please see + these instructions. If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.
+ +12/31/2001 - Shorewall 1.2.1 Released
+ +In version 1.2.1:
+ +12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist + releasing 1.2 on 12/21/2001
+ +Version 1.2 contains the following new features:
+ +For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current version 1.1.x users will not be forced into a + quick upgrade to 1.2.0 just to have access to bug fixes.
+For those of you who have installed one of the Beta RPMS, you will need to + use the "--oldpackage" option when upgrading to 1.2.0:
+++ +rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm
+
12/19/2001 - Thanks to Steve +Cowles, there is now a Shorewall mirror in Texas. This web site is +mirrored at http://www.infohiiway.com/shorewall +and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall.
+ +11/30/2001 - A new set of the parameterized Sample + Configurations has been released. In this version:
+ +11/20/2001 - The current version of Shorewall is 1.1.18.
+ +In this version:
+ +11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall mirror in the Slovak Republic. The website is now mirrored at http://www.nrg.sk/mirror/shorewall + and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.
+ +11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + There are three sample configurations:
+ +Samples may be downloaded from + ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + . See the README file for instructions.
+ +11/1/2001 - The current version of Shorewall is 1.1.17. I intend + this to be the last of the 1.1 Shorewall releases.
+ +In this version:
+ +10/22/2001 - The current version of Shorewall is 1.1.16. In this +version:
+ +10/15/2001 - The current version of Shorewall is 1.1.15. In this +version:
+ +10/4/2001 - The current version of Shorewall is 1.1.14. In this version
+ +9/12/2001 - The current version of Shorewall is 1.1.13. In this version
+ +8/28/2001 - The current version of Shorewall is 1.1.12. In this version
+ +7/28/2001 - The current version of Shorewall is 1.1.11. In this version
+ +7/6/2001 - The current version of Shorewall is 1.1.10. In this version
+ +6/23/2001 - The current version of Shorewall is 1.1.9. In this version
+ +6/18/2001 - The current version of Shorewall is 1.1.8. In this version
+ +6/2/2001 - The current version of Shorewall is 1.1.7. In this version
+ +5/25/2001 - The current version of Shorewall is 1.1.6. In this version
+ +5/20/2001 - The current version of Shorewall is 1.1.5. In this version
+ +5/10/2001 - The current version of Shorewall is 1.1.4. In this version
+ +4/28/2001 - The current version of Shorewall is 1.1.3. In this version
+ +4/12/2001 - The current version of Shorewall is 1.1.2. In this version
+4/8/2001 - Shorewall is now affiliated with the Leaf + Project +
+4/5/2001 - The current version of Shorewall is 1.1.1. In this version:
+ +3/25/2001 - The current version of Shorewall is 1.1.0. In this version:
+ +3/19/2001 - The current version of Shorewall is 1.0.4. This version:
+ +3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + release with no new features.
+ +3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for tunnels and it supports IPSEC + tunnels with end-points on the firewall. There is also a .lrp available now.
+ +Updated 7/31/2002 - Tom +Eastep
+ ++ Copyright © 2001, 2002 Thomas M. Eastep.
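Review bot: the footer reads "Updated 7/31/2002" while the newest entries at the top of the page are dated 8/7/2002 (STABLE branch, Upgrade Issues section, Shorewall 1.3.6); bump the footer date. While here: Lorenzo's surname is spelled both "Martignoni" and "Marignoni" across the Debian package entries, the 1.2.8 entry has "Do to a serious problem" (due to) and "occuring" (occurring), and the 6/6/2002 CVS Web entry has "brower-based" (browser-based) and "I spend several hours" (spent).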
+ + \ No newline at end of file diff --git a/Shorewall-docs/PPTP.htm b/Shorewall-docs/PPTP.htm new file mode 100644 index 000000000..0bcf7ba44 --- /dev/null +++ b/Shorewall-docs/PPTP.htm @@ -0,0 +1,731 @@ + + + + + + + +Shorewall easily supports PPTP in a number of configurations:
+I will try to give you an idea of how to set up a PPTP server +on your firewall system. This isn't a detailed HOWTO but rather an example of +how I have set up a working PPTP server on my own firewall.
+The steps involved are:
+To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary +site for releases of pppd is ftp://ftp.samba.org/pub/ppp.
+You will need the following patches:
+You may also want the following patch if you want to require remote hosts to +use encryption:
+ +Un-tar the pppd source and uncompress the patches into one directory (the +patches and the ppp-2.4.1 directory are all in a single parent directory):
+You will need to install the resulting binary on your firewall system. To do +that, I NFS mount my source filesystem and use "make install" from the +ppp-2.4.1 directory.
+You will need one of the following patches depending on your kernel version:
+Uncompress the patch into the same directory where your top-level kernel +source is located and:
+Now configure your kernel. Here is my ppp configuration:
++ ++
You will need a WINS server (Samba configured to run as a WINS server is +fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:
+++[global] + workgroup = TDM-NSTOP + netbios name = WOOKIE + server string = GNU/Linux Box + encrypt passwords = Yes + log file = /var/log/samba/%m.log + max log size = 0 + socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192 + os level = 65 + domain master = True + preferred master = True + dns proxy = No + wins support = Yes + printing = lprng + +[homes] + comment = Home Directories + valid users = %S + read only = No + create mask = 0664 + directory mask = 0775 + +[printers] + comment = All Printers + path = /var/spool/samba + printable = Yes+
Here is a copy of my /etc/ppp/options.poptop file:
+++ipparam PoPToP
+
+ lock
+ mtu 1490
+ mru 1490
+ ms-wins 192.168.1.3
+ ms-dns 206.124.146.177
+ multilink
+ proxyarp
+ auth
+ +chap
+ +chapms
+ +chapms-v2
+ ipcp-accept-local
+ ipcp-accept-remote
+ lcp-echo-failure 30
+ lcp-echo-interval 5
+ deflate 0
+ mppe-128
+ mppe-stateless
+ require-mppe
+ require-mppe-stateless
Notes:
+Here's my /etc/ppp/chap-secrets:
+++Secrets for authentication using CHAP
+
+ # client server secret + IP addresses
+ CPQTDM\\TEastep * <shhhhhh> + 192.168.1.7
+ TEastep * + <shhhhhh> 192.168.1.7
I am the only user who connects to the server but I may connect either with +or without a domain being specified. The system I connect from is my laptop so I +give it the same IP address when tunneled in as it has when it is in its docking +station.
+You will also want the following in /etc/modules.conf:
+alias ppp-compress-18 ppp_mppe + alias ppp-compress-21 bsd_comp + alias ppp-compress-24 ppp_deflate + alias ppp-compress-26 ppp_deflate+
PoPTop (pptpd) is available from http://poptop.lineo.com/.
+Here is a copy of my /etc/pptpd.conf file:
+++option /etc/ppp/options.poptop
+
+ speed 115200
+ localip 192.168.1.254
+ remoteip 192.168.1.33-38
Notes:
+I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:
+++#!/bin/sh
+
+ #
+ # /etc/rc.d/init.d/pptpd
+ #
+ # chkconfig: 5 12 85
+ # description: control pptp server
+ #
+
+ case "$1" in
+ start)
+ echo 1 > /proc/sys/net/ipv4/ip_forward
+ modprobe ppp_async
+ modprobe ppp_generic
+ modprobe ppp_mppe
+ modprobe slhc
+ if /usr/local/sbin/pptpd; then
+ touch /var/lock/subsys/pptpd
+ fi
+ ;;
+ stop)
+ killall pptpd
+ rm -f /var/lock/subsys/pptpd
+ ;;
+ restart)
+ killall pptpd
+ if /usr/local/sbin/pptpd; then
+ touch /var/lock/subsys/pptpd
+ fi
+ ;;
+ status)
+ ifconfig
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|status}"
+ ;;
+ esac
I consider hosts connected to my PPTP server to be just like local systems. +My key Shorewall entries are:
++++
++ +ZONE +DISPLAY +COMMENTS ++ +net +Internet +The Internet ++ +loc +Local +My Local Network including remote PPTP clients +
+++
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +net +eth0 +206.124.146.255 +noping,norfc1918 ++ +loc +eth2 +192.168.1.255 ++ + +- +ppp+ ++ +
+++
++ +ZONE +HOST(S) +OPTIONS ++ +loc +eth2:192.168.1.0/24 +routestopped ++ +loc +ppp+:192.168.1.0/24 ++
+++
++ +SOURCE +DEST +POLICY +LOG LEVEL ++ +loc +loc +ACCEPT ++
+++
++ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ +ACCEPT +net +fw +tcp +1723 ++ + + +ACCEPT +net +fw +47 +- ++ + + +ACCEPT +fw +net +47 +- ++ +
Note: I have multiple ppp interfaces on my firewall. If you + have a single ppp interface, you probably want:
++++
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +net +eth0 +206.124.146.255 +noping,norfc1918 ++ +loc +eth2 +192.168.1.255 ++ + +loc +ppp0 ++ +
and no entries in /etc/shorewall/hosts.
+If you have a single external IP address, add the following to your + /etc/shorewall/rules file:
+ACTION | +SOURCE | +DEST | ++ PROTO | +DEST + PORT(S) |
+ SOURCE + PORT(S) |
+ ORIGINAL + DEST |
+
+
DNAT | +net | +loc:<server address> | +tcp | +1723 | ++ | + |
DNAT | +net | +loc:<server address> | +47 | +- | ++ | + |
If you have multiple external IP address and you want to forward a single <external +address>, add the following to your /etc/shorewall/rules file:
ACTION | +SOURCE | +DEST | ++ PROTO | +DEST + PORT(S) |
+ SOURCE + PORT(S) |
+ ORIGINAL + DEST |
+
+
DNAT | +net | +loc:<server address> | +tcp | +1723 | +- | +<external address> | +
DNAT | +net | +loc:<server address> | +47 | +- | +- | +<external address> | +
You shouldn't have to take any special action for this case unless you wish +to connect multiple clients to the same external server. In that case, you will +need to follow the instructions at http://www.impsec.org/linux/masquerade/ip_masq_vpn.html. +I recommend that you also add these two lines to your /etc/shorewall/modules +file: +
++loadmodule ip_conntrack_pptp
+ loadmodule ip_nat_pptp +
The PPTP GNU/Linux client is available at http://sourceforge.net/projects/pptpclient/. +Rather than use the configuration script that comes with the client, I built my +own. I also build my own kernel as described above +rather than using the mppe package that is available with the client. My +/etc/ppp/options file is mostly unchanged from what came with the client (see +below).
+The key elements of this setup are as follows: +
Here are examples from my setup:
++++
++ +ZONE +DISPLAY +COMMENTS ++ +cpq +Compaq +Compaq Intranet +
+++
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +- +ppp+ ++ +
+++
++ +ZONE +HOST(S) +OPTIONS ++ +- +ppp+:!192.168.1.0/24 ++
+++
++ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ +ACCEPT +fw +net +tcp +1723 ++ + + +ACCEPT +fw +net +47 +- ++ +
I use the combination of interface and hosts file to define the 'cpq' zone +because I also run a PPTP server on my firewall (see above). Using this +technique allows me to distinguish clients of my own PPTP server from arbitrary +hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and +Compaq doesn't use that RFC1918 Class C subnet. +
I use this script in /etc/init.d to control the client. The reason that I +disable ECN when connecting is that the Compaq tunnel servers don't do ECN yet +and reject the initial TCP connection request if I enable ECN :-( +
++#!/bin/sh
+#
+# /etc/rc.d/init.d/pptp
+#
+# chkconfig: 5 60 85
+# description: PPTP Link Control
+#
+NAME="Tandem"
+ADDRESS=tunnel-tandem.compaq.com
+USER='Tandem\tommy'
+ECN=0
+DEBUG=
+
+start_pptp() {
+ echo $ECN > /proc/sys/net/ipv4/tcp_ecn
+ if /usr/sbin/pptp $ADDRESS user $USER noauth $DEBUG; then
+ touch /var/lock/subsys/pptp
+ echo "PPTP Connection to $NAME Started"
+ fi
+}
+
+stop_pptp() {
+ if killall /usr/sbin/pptp 2> /dev/null; then
+ echo "Stopped pptp"
+ else
+ rm -f /var/run/pptp/*
+ fi
+
+ # if killall pppd; then
+ # echo "Stopped pppd"
+ # fi
+
+ rm -f /var/lock/subsys/pptp
+
+ echo 1 > /proc/sys/net/ipv4/tcp_ecn
+}
+
+
+case "$1" in
+ start)
+ echo "Starting PPTP Connection to ${NAME}..."
+ start_pptp
+ ;;
+ stop)
+ echo "Stopping $NAME PPTP Connection..."
+ stop_pptp
+ ;;
+ restart)
+ echo "Restarting $NAME PPTP Connection..."
+ stop_pptp
+ start_pptp
+ ;;
+ status)
+ ifconfig
+ ;;
+ *)
+ echo "Usage: $0 {start|stop|restart|status}"
+ ;;
+esac
+ +
Here's my /etc/ppp/options file: +
++#
+# Identify this connection
+#
+ipparam Compaq
+#
+# Lock the port
+#
+lock
+#
+# We don't need the tunnel server to authenticate itself
+#
+noauth
+
++chap
++chapms
++chapms-v2
+
+multilink
+mrru 1614
+#
+# Turn off transmission protocols we know won't be used
+#
+nobsdcomp
+nodeflate
+
+#
+# We want MPPE
+#
+mppe-128
+mppe-stateless
+
+#
+# We want a sane mtu/mru
+#
+mtu 1000
+mru 1000
+
+#
+# Time this thing out of it goes poof
+#
+lcp-echo-failure 10
+lcp-echo-interval 10 +
My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq +traffic through the PPTP tunnel: +
++#/bin/sh
+
+ case $6 in
+ Compaq)
+ route add -net 16.0.0.0 netmask 255.0.0.0 gw $5 $1
+ route add -net 130.252.0.0 netmask 255.255.0.0 gw $5 $1
+ route add -net 131.124.0.0 netmask 255.255.0.0 gw $5 $1
+ ...
+ ;;
+ esac
Finally, I run the following script every five minutes under crond to + restart the tunnel if it fails:
#!/bin/sh + restart_pptp() { + /sbin/service pptp stop + sleep 10 + if /sbin/service pptp start; then + /usr/bin/logger "PPTP Restarted" + fi + } + + if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then + exit 0 + fi + + echo "Attempting to restart PPTP" + + restart_pptp > /dev/null 2>&1 & ++
Here's a script + and corresponding ip-up.local from Jerry + Vonau that controls two PPTP connections.
+Last modified 7/11/2002 - Tom +Eastep
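Review bot: the /etc/ppp/ip-up.local example begins with `#/bin/sh`, which is a comment rather than a `#!/bin/sh` interpreter line; fix it so the interpreter is explicit if the file is ever executed directly. Two smaller points on the same hunk: the `status)` branch of both init scripts just runs `ifconfig`, which does not report whether pptpd or pptp is actually running (the cron script further down already shows the `ps ax | grep /usr/sbin/pptp | grep -v grep` test that could be reused there), and the client script carries a real-looking tunnel server name and account (`ADDRESS=tunnel-tandem.compaq.com`, `USER='Tandem\tommy'`) while chap-secrets sensibly uses `<shhhhhh>` placeholders; use placeholders for those values too.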
+Copyright © 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/ProxyARP.htm b/Shorewall-docs/ProxyARP.htm new file mode 100644 index 000000000..d87c18d34 --- /dev/null +++ b/Shorewall-docs/ProxyARP.htm @@ -0,0 +1,95 @@ + + +
+ +++ +Proxy ARP
++
Proxy ARP allows you to insert a firewall in front of a set of servers + without changing their IP addresses and without having to re-subnet.
+The following figure represents a Proxy ARP + environment.
++
+++Proxy ARP can be used to make the systems with addresses + 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) + subnet. Assuming that the upper firewall interface is eth0 and the + lower interface is eth1, this is accomplished using the following entries in + /etc/shorewall/proxyarp:
++
++ +ADDRESS +INTERFACE +EXTERNAL +HAVEROUTE ++ +130.252.100.18 +eth1 +eth0 +no ++ +130.252.100.19 +eth1 +eth0 +no +Be sure that the internal systems (130.242.100.18 and 130.252.100.19 + in the above example) are not included in any specification in + /etc/shorewall/masq or /etc/shorewall/nat.
+Note that I've used an RFC1918 IP address for eth1 - that IP address is + irrelevant.
+The lower systems (130.252.100.18 and 130.252.100.19) should have their + subnet mask and default gateway configured exactly the same way that the + Firewall system's eth0 is configured.
+++A word of warning is in order here. ISPs typically configure + there routers with a long ARP cache timeout. If you move a system from + parallel to your firewall to behind your firewall with Proxy ARP, it will + probably be HOURS before that system can communicate with the internet. You + can call your ISP and ask them to purge the stale ARP cache entry but many + either can't or won't purge individual entries. You can determine if your + ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we + suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. + On the firewall, run tcpdump as follows:
++tcpdump -nei eth0 icmp+++Now from 130.252.100.19, ping the ISP's gateway (which we will + assume is 130.252.100.254):
++ping 130.252.100.254+++We can now observe the tcpdump output:
++13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF) + 13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply+++Notice that the source MAC address in the echo request is + different from the destination MAC address in the echo reply!! In this case + 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 + was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still + associates 130.252.100.19 with the NIC in that system rather than with the firewall's + eth0.
Last updated 8/11/2002 - +Tom +Eastep
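Review bot: the sentence after the proxyarp table refers to "130.242.100.18", which does not match the 130.252.100.18 used everywhere else on the page (the table, the subnet description and the ping walk-through); fix the octet. In the tcpdump excerpt the echo reply is addressed to 130.252.100.177 although the request came from 130.252.100.19, so either the capture was taken from a different host or the addresses should be made consistent with the walk-through; as it stands readers cannot match the request/reply pair that the MAC-address explanation depends on. Also "configure there routers" should be "their routers".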
+Copyright +© 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/Shorewall_Banner.htm b/Shorewall-docs/Shorewall_Banner.htm new file mode 100644 index 000000000..4ac2b00e9 --- /dev/null +++ b/Shorewall-docs/Shorewall_Banner.htm @@ -0,0 +1,21 @@ + + + + + + ++The Shorewall Project uses the Services of +
+ ++ + + + diff --git a/Shorewall-docs/Shorewall_index_frame.htm b/Shorewall-docs/Shorewall_index_frame.htm new file mode 100644 index 000000000..21a2b0ff1 --- /dev/null +++ b/Shorewall-docs/Shorewall_index_frame.htm @@ -0,0 +1,67 @@ + + + + + + + +
Copyright +© 2001, 2002 Thomas M. Eastep.
+ + + + + + \ No newline at end of file diff --git a/Shorewall-docs/blacklisting_support.htm b/Shorewall-docs/blacklisting_support.htm new file mode 100644 index 000000000..c27da0af8 --- /dev/null +++ b/Shorewall-docs/blacklisting_support.htm @@ -0,0 +1,62 @@ + + + + + + + +Shorewall supports two different forms of blacklisting; static and dynamic.
+Shorewall +static blacklisting support has the following configuration parameters:
+Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting +doesn't use any configuration parameters but is rather controlled using +/sbin/shorewall commands:
+Example 1:
+shorewall deny 192.0.2.124 192.0.2.125+
Drops packets from hosts 192.0.2.124 and 192.0.2.125
+Example 2:
+shorewall allow 192.0.2.125+
Reenables access from 192.0.2.125.
+Last updated 6/16/2002 - Tom +Eastep
+ +Copyright +© 2002 Thomas M. Eastep.
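Review bot: the dynamic blacklisting section documents `shorewall deny` and `shorewall allow` but not whether the resulting entries survive `shorewall restart`, `shorewall stop`/`shorewall start`, or a reboot; add a sentence on persistence, since an operator who blocks a host with `shorewall deny` needs to know whether that block is still in effect after the next restart. Also, as committed, the "static blacklisting support has the following configuration parameters:" lead-in is followed directly by the dynamic blacklisting paragraph; confirm the parameter list is present in the file.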
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/configuration_file_basics.htm b/Shorewall-docs/configuration_file_basics.htm new file mode 100644 index 000000000..c08ba2dca --- /dev/null +++ b/Shorewall-docs/configuration_file_basics.htm @@ -0,0 +1,228 @@ + + + + + + + +Warning: If you copy or edit your + configuration files on a system running Microsoft Windows, you must + run them through + dos2unix before you use them with Shorewall.
+ + +Shorewall's configuration files are in the directory /etc/shorewall.
+ + +You may place comments in configuration files by making the first non-whitespace + character a pound sign ("#"). You may also place comments at the end of any line, again by + delimiting the comment from the rest of the line with a pound sign.
+ + +Examples:
+ + +# This is a comment
ACCEPT net fw tcp www #This is an end-of-line comment+
You may continue lines in the configuration files using the usual backslash ("\") followed + immediately by a new line character.
+ + +Example:
+ + +ACCEPT net fw tcp \ +smtp,www,pop3,imap #Services running on the firewall+
Where specifying an IP address, a subnet or an interface, you can + precede the item with "!" to specify the complement of the item. For + example, !192.168.1.4 means "any host but 192.168.1.4".
+ +Comma-separated lists are allowed in a number of contexts within the + configuration files. A comma separated list:
+ +Unless otherwise specified, when giving a port number you can use + either an integer or a service name from /etc/services.
+ +If you need to specify a range of ports, the proper syntax is <low + port number>:<high port number>.
+ +You may use the file /etc/shorewall/params + file to set shell variables that you can then use in some of the other + configuration files.
+ +It is suggested that variable names begin with an upper case letter + to distinguish them from variables used internally within the +Shorewall programs
+ +Example:
+ +++ +NET_IF=eth0 +NET_BCAST=130.252.100.255 +NET_OPTIONS=noping,norfc1918+
+ Example (/etc/shorewall/interfaces record):
++ + + +net $NET_IF $NET_BCAST $NET_OPTIONS+
The result will be the same as if the record had been written
+ + + +++ + + +net eth0 130.252.100.255 noping,norfc1918+
Variables may be used anywhere in the + other configuration files.
+ +Media Access Control (MAC) + addresses can be used to specify packet source in several of the + configuration files. To use this feature, your kernel must have MAC + Address Match support (CONFIG_IP_NF_MATCH_MAC) included.
+MAC addresses are 48 bits wide and each Ethernet Controller has a
+ unique MAC address.
+
+ In GNU/Linux, MAC addresses are usually written as a series of 6 hex numbers
+ separated by colons. Example:
+
+ [root@gateway root]# ifconfig eth0
+ eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
+ inet addr:206.124.146.176 Bcast:206.124.146.255
+ Mask:255.255.255.0
+ UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
+ RX packets:2398102 errors:0 dropped:0 overruns:0
+ frame:0
+ TX packets:3044698 errors:0 dropped:0 overruns:0
+ carrier:0
+ collisions:30394 txqueuelen:100
+ RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
+ (1582.8 Mb)
+ Interrupt:11 Base address:0x1800
+
+ Because Shorewall uses colons as a separator for address fields, Shorewall requires
+ MAC addresses to be written in another way. In Shorewall, MAC addresses
+ begin with a tilde ("~") and consist of 6 hex numbers separated by
+ hyphens. In Shorewall, the MAC address in the example above would be
+ written "~02-00-08-E3-FA-55".
+ Shorewall allows you to have configuration +directories other than /etc/shorewall. The shorewall start +and restart + commands allow you to specify an alternate configuration directory and +Shorewall will use the files in the alternate directory rather than the corresponding + files in /etc/shorewall. The alternate directory need not contain a complete + configuration; those files not in the alternate directory will be read from + /etc/shorewall.
++ This facility permits you to easily create a test or temporary configuration +by:
++ Updated 8/6/2002 - Tom +Eastep +
+ + + +Copyright + © 2001, 2002 Thomas M. Eastep.
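Review bot: two sentences in this hunk end in a colon with nothing after them, "A comma separated list:" and "This facility permits you to easily create a test or temporary configuration by:", so the lists they introduce are absent; restore them or turn the sentences into complete statements. Smaller fixes: "You may use the file /etc/shorewall/params file" repeats "file"; "Where specifying an IP address" should read "When specifying"; "variables used internally within the Shorewall programs" needs a terminating period; and the dos2unix warning at the top would be more useful if it said what symptom a CR/LF file produces, so readers can recognise the problem when they hit it.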
+ + + + + + \ No newline at end of file diff --git a/Shorewall-docs/copyright.htm b/Shorewall-docs/copyright.htm new file mode 100644 index 000000000..2330511e6 --- /dev/null +++ b/Shorewall-docs/copyright.htm @@ -0,0 +1,29 @@ + + + + + + + +Copyright © 2000, 2001
+Thomas M Eastep
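Review bot: copyright.htm reads "Copyright © 2000, 2001" while every other page in this changeset carries "2001, 2002"; align the years, and write "Thomas M. Eastep" with the period to match the other footers.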
+
++ + + + \ No newline at end of file diff --git a/Shorewall-docs/dhcp.htm b/Shorewall-docs/dhcp.htm new file mode 100644 index 000000000..4e68f8043 --- /dev/null +++ b/Shorewall-docs/dhcp.htm @@ -0,0 +1,55 @@ + + + + + + + +Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version 1.1 or + any later version published by the Free Software Foundation; with no Invariant + Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the + license is included in the section entitled "GNU Free Documentation License".
+
+
Specify the "dhcp" option on each interface to be + served by your server in the /etc/shorewall/interfaces + file.
When starting "dhcpd", you need to list those + interfaces on the run line. On a RedHat system, this is done by modifying + /etc/sysconfig/dhcpd.
Specify the "dhcp" option for this interface in + the /etc/shorewall/interfaces + file.
If you know that the dynamic address is always going to be + in the same subnet, you can specify the subnet address in the interface's + entry in the /etc/shorewall/interfaces + file.
If you don't know the subnet address in advance, you should + specify "detect" for the interface's subnet address in the /etc/shorewall/interfaces + file and start Shorewall after the interface has started.
In the event that the subnet address might change while + Shorewall is started, you need to arrange for a "shorewall + refresh" command to be executed when a new dynamic IP address gets + assigned to the interface. Check your DHCP client's documentation.
Last updated 1/26/2002 - Tom +Eastep
+ +Copyright +© 2001, 2002 Thomas M. Eastep.
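Review bot: the GFDL notice at the top of this hunk says a copy of the license "is included in the section entitled 'GNU Free Documentation License'"; make sure that section is actually shipped with these docs (or link to it), otherwise the notice points nowhere. In the client section, the "detect" instruction and the "shorewall refresh" step both depend on ordering, but the text never says what happens when Shorewall starts before the interface has an address; state the failure mode so readers understand why "start Shorewall after the interface has started" matters, and give at least one concrete example of hooking "shorewall refresh" into a DHCP client's renewal instead of only "Check your DHCP client's documentation".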
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/download.htm b/Shorewall-docs/download.htm new file mode 100644 index 000000000..fd531673a --- /dev/null +++ b/Shorewall-docs/download.htm @@ -0,0 +1,222 @@ + + + + + + + +I strongly urge you to read and print a copy of the + Shorewall QuickStart Guide + for the configuration that most closely matches your own.
+ +Once you've done that, download one of the modules:
+ +The documentation in HTML format is included in the .tgz and .rpm files and +there is an documentation .deb that also contains the documentation.
+Please verify the version that you have + downloaded -- during the release of a new version of Shorewall, the links + below may point to a newer or an older version than is shown below.
+Once you have verified the + version, check the errata + to see if there are updates that apply to the version that you have + downloaded.
+WARNING - YOU CAN NOT SIMPLY INSTALL THE RPM +AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE +FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO +START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, +ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.
+Download Latest Version (1.3.6): Remember that updates to the mirrors +occur 1-12 hours after an update to the primary site.
++++
++ +SERVER LOCATION +DOMAIN +HTTP +FTP ++ +Washington State, USA +Shorewall.net +Download .rpm +
+ Download + .tgz
+ Download + .lrp+ Download .rpm +
+ Download + .tgz
+ Download + .lrp+ +Slovak Republic +Shorewall.net +Download .rpm +
+ Download + .tgz
+ Download + .lrp+ Download .rpm +
+ Download + .tgz
+ Download + .rpm+ +Texas, USA +Infohiiway.com +Download .rpm +
+ Download + .tgz
+ Download + .lrp+ Download .rpm +
+ Download + .tgz
+ Download + .rpm+ +Hamburg, Germany +Shorewall.net ++ Download .rpm +
+ Download + .tgz
+ Download + .lrp+ + Download .rpm +
+ Download + .tgz
+ Download + .lrp+ +Martinez (Zona Norte - GBA), Argentina +Correofuego.com.ar ++ Download .rpm +
+ Download + .tgz
+ + Download .lrp+ Download .rpm +
+ Download + .tgz
+ + Download .lrp
Browse Download Sites:
++++
++ +SERVER LOCATION +DOMAIN +HTTP +FTP ++ +Washington State, USA +Shorewall.net +Browse +Browse ++ +Slovak Republic +Shorewall.net +Browse ++ Browse ++ +Texas, USA +Infohiiway.com +Browse +Browse ++ +Hamburg, Germany +Shorewall.net +Browse +Browse ++ +Martinez (Zona Norte - GBA), Argentina +Correofuego.com.ar +Browse ++ + Browse ++ +California, USA (Incomplete) +Sourceforge.net +Browse +N/A +
CVS:
+ +++The +CVS +repository at cvs.shorewall.net contains the latest snapshots of the each +Shorewall component. There's no guarantee that what you find there will work at +all.
+ +
Last Updated 8/05/2002 - Tom +Eastep
+ +Copyright +© 2001, 2002 Thomas M. Eastep.
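Review bot: the page tells readers to "verify the version that you have downloaded" but says nothing about verifying the integrity of the file itself; with five mirrors listed, publish checksums or a detached signature (and where to get the signing key) next to the download links so a tampered or truncated mirror copy can be detected before it is installed as root. In the mirror table, the FTP cells for the Slovak Republic and Texas rows list "Download .rpm", "Download .tgz", "Download .rpm", where the other rows have .lrp as the third link, so two links are probably wrong. Typo: "there is an documentation .deb" should read "a documentation .deb".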
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/errata.htm b/Shorewall-docs/errata.htm new file mode 100644 index 000000000..1ecf240fa --- /dev/null +++ b/Shorewall-docs/errata.htm @@ -0,0 +1,366 @@ + + + + + ++ + + IMPORTANT
+ ++ + If you use a Windows system to download a corrected script, be sure to +run the script through + +dos2unix + after you have moved it to your Linux system.
+ ++ + If you are installing Shorewall for the first time and plan to use the + .tgz and install.sh script, you can untar the archive, replace the + 'firewall' script in the untarred directory with the one you downloaded + below, and then run install.sh.
+ ++ + When the instructions say to install a corrected firewall script in + /etc/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the + existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall + or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall + and /var/lib/shorewall/firewall are symbolic links that point + to the 'shorewall' file used by your system initialization scripts to + start Shorewall during boot. It is that file that must be overwritten + with the corrected script.
+ +If you have a pair of firewall systems configured for + failover, you will need to modify your firewall setup slightly under + Shorewall versions >= 1.3.6.
+ +Create the file /etc/shorewall/newnotsyn and in it add
+ the following rule
+
+ run_iptables -A newnotsyn -j RETURN # So that the
+ connection tracking table can be rebuilt
+
+ # from non-SYN packets after takeover.
+
Create /etc/shorewall/common (if you don't already
+ have that file) and include the following:
+
+ run_iptables -A common -p tcp --tcp-flags
+ ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection
+
+ #tracking table.
+ . /etc/shorewall/common.def
Some forms of pre-1.3.0 rules file syntax are no + longer supported.
+ +Example 1:
+ +ACCEPT net loc:192.168.1.12:22 tcp 11111 - all+
Must be replaced with:
+ +DNAT net loc:192.168.1.12:22 tcp 11111+
Example 2:
ACCEPT loc fw::3128 tcp 80 - all+
Must be replaced with:
REDIRECT loc 3128 tcp 80+
The new 'proxyarp' interface option doesn't work :-( + This is fixed in + + this corrected firewall script which must be installed in + /var/lib/shorewall/ as described above.
+ +Prior to version 1.3.4, host file entries such as the + following were allowed:
+ +adm eth0:1.2.4.5,eth0:5.6.7.8+
That capability was lost in version 1.3.4 so that it is only + possible to include a single host specification on each line. This + problem is corrected by + this + modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall + as instructed above.
This problem is corrected in version 1.3.5b.
REDIRECT rules are broken in this version. Install + + this corrected firewall script in /var/lib/pub/shorewall/firewall + as instructed above. This problem is corrected in version 1.3.5a.
+ +The "shorewall start" and "shorewall restart" commands + to not verify that the zones named in the /etc/shorewall/policy file + have been previously defined in the /etc/shorewall/zones file. The + "shorewall check" command does perform this verification so it's a + good idea to run that command after you have made configuration + changes.
+ +If you have upgraded from Shorewall 1.2 and after + "Activating rules..." you see the message: "iptables: No + chains/target/match by that name" then you probably have an entry in + /etc/shorewall/hosts that specifies an interface that you didn't + include in /etc/shorewall/interfaces. To correct this problem, you + must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and + later versions produce a clearer error message in this case.
+ +Until approximately 2130 GMT on 17 June 2002, the + download sites contained an incorrect version of the .lrp file. That + file can be identified by its size (56284 bytes). The correct version + has a size of 38126 bytes.
+ +Both problems are corrected in + + this script which should be installed in /var/lib/shorewall as described above.
+ +The IANA have just announced the allocation of subnet + 221.0.0.0/8. This + + updated rfc1918 file reflects that allocation.
+ +These problems are corrected in + + this firewall script which should be installed in + /etc/shorewall/firewall as described above.
+ ++ ++ +There are a couple of serious bugs in iptables 1.2.3 that + prevent it from working with Shorewall. Regrettably, +RedHat released this buggy iptables in RedHat 7.2.
+ +I have built a + corrected 1.2.3 rpm which you can download here and I have also built + an + iptables-1.2.4 rpm which you can download here. If +you are currently running RedHat 7.1, you can install either of these RPMs + before you upgrade to RedHat 7.2.
+ +Update + 11/9/2001: RedHat has + released an iptables-1.2.4 RPM of their own which you can download from + http://www.redhat.com/support/errata/RHSA-2001-144.html. + I have installed this RPM + on my firewall and it works fine.
+ +If you + would like to patch iptables 1.2.3 yourself, the patches are available + for download. This patch + which corrects a problem with parsing of the --log-level specification while + this patch + corrects a problem in handling the TOS target.
+ +To install one of the above patches:
++
+ +- cd iptables-1.2.3/extensions
+- patch -p0 < the-patch-file
+
++ +Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may + experience the following:
+++# shorewall start +Processing /etc/shorewall/shorewall.conf ... +Processing /etc/shorewall/params ... +Starting Shorewall... +Loading Modules... +Initializing... +Determining Zones... +Zones: net +Validating interfaces file... +Validating hosts file... +Determining Hosts in Zones... +Net Zone: eth0:0.0.0.0/0 +iptables: libiptc/libip4tc.c:380: do_check: Assertion +`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. +Aborted (core dumped) +iptables: libiptc/libip4tc.c:380: do_check: Assertion +`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. +Aborted (core dumped) ++The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in the + Netfilter 'mangle' table. You can correct the problem by installing + + this iptables RPM. If you are already running a 1.2.5 version of + iptables, you will need to specify the --oldpackage option to rpm (e.g., + "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
+
If you find that rpm complains about a conflict + with kernel <= 2.2 yet you have a 2.4 kernel + installed, simply use the "--nodeps" option to + rpm.
+ +Installing: rpm -ivh <shorewall rpm>
+ +Upgrading: rpm -Uvh <shorewall rpm>
+ ++ Last updated 8/7/2002 - + Tom Eastep +
+ +Copyright + © 2001, 2002 Thomas M. Eastep.
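Review bot: the failover recipe for 1.3.6 adds "run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT", a rule with no source, destination or interface qualifier that accepts any TCP segment carrying ACK without FIN or RST regardless of connection-tracking state; together with "run_iptables -A newnotsyn -j RETURN" this intentionally bypasses part of the stateful filtering so the tracking table can be rebuilt, and the text should say so plainly and suggest scoping the rule (to the interfaces or addresses involved in the failover) rather than presenting it as a drop-in. Two smaller items: the 1.3.5a and 1.3.5 entries say to install the corrected script in "/var/lib/pub/shorewall/firewall", while the IMPORTANT box and the 1.3.6 entry say /var/lib/shorewall/firewall, so one path is wrong; and "to not verify that the zones named" should read "do not verify".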
+ + + \ No newline at end of file diff --git a/Shorewall-docs/errata_1.htm b/Shorewall-docs/errata_1.htm new file mode 100644 index 000000000..c6b5123a1 --- /dev/null +++ b/Shorewall-docs/errata_1.htm @@ -0,0 +1,210 @@ + + + + + + + ++ ++ +Prior +to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version +of the firewall script. This has now been corrected. I apologize for any confusion +this may have caused.
+
+ ++ +In the original .lrp, /etc/init.d/shorewall was not + secured for execute access. I have replaced the incorrect .lrp + (shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).
+ +
+ ++ +In + shorewall.conf, ADD_IP_ALIASES was incorrectly spelled + IP_ADD_ALIASAES. There is a corrected version of the file here.
+ +This + problem is also corrected in version 1.1.18.
+
++ ++ The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES +in the firewall script. To correct this problem, install the + corrected firewall script + in the location pointed to by the symbolic link /etc/shorewall/firewall.
+ ++ This problem is also corrected in version 1.1.17.
+
++ ++ There are no corrections for these versions.
+
++ ++ The firewall fails to start if a rule with the following format is given:
+ ++ <disposition> z1:www.xxx.yyy.zzz z2 proto p1,p2,p3
+ ++ To correct this problem, install + this corrected firewall script + in the location pointed to by the symbolic link /etc/shorewall/firewall.
+
++ ++ The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions +file. This incorrect file results in many error messages of the form:
+ +++ ++ separate_list: not found
++ The correct file may be obtained here + . This problem is also corrected in version 1.1.13.
+
++ ++ There are no known problems with this version.
+
++ ++ If the following conditions were met:
+ +
++ +
+ +- +
+ ++ A LAN segment attached to the firewall was served by a DHCP server +running on the firewall.
+- +
+ ++ There were entries in /etc/shorewall/hosts that referred to the +interface to that LAN segment.
++ then up until now it has been necessary to include entries for 0.0.0.0 +and 255.255.255.255 for that interface in /etc/shorewall/hosts. + This version of the firewall script + makes those additions unnecessary provided that you simply include +"dhcp" in the options for the interface in /etc/shorewall/interfaces. +Install the script into the location pointed to by the symbolic link +/etc/shorewall/firewall.
+ ++ This problem has also been corrected in version 1.1.11.
+
++ ++ This problem is also corrected in version 1.1.8
+
+ Last updated 12/21/2001 - + Tom Eastep +
+ ++Copyright © 2001, 2002 Thomas M. Eastep.
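Review bot: the last entry, "This problem is also corrected in version 1.1.8", has no problem statement above it (the preceding entry ends with "corrected in version 1.1.11"), so either the description of the issue it refers to was dropped from this hunk or the line is stray; restore the description or remove the line. Minor: "here ." has a space before the period, and the 1.1.8 sentence lacks its terminating period.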
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/errata_2.htm b/Shorewall-docs/errata_2.htm new file mode 100644 index 000000000..11355f3a7 --- /dev/null +++ b/Shorewall-docs/errata_2.htm @@ -0,0 +1,434 @@ + + + + + ++ + + IMPORTANT
+ ++ + If you use a Windows system to download a corrected script, be sure to +run the script through +dos2unix + after you have moved it to your Linux system.
+ ++ + When the instructions say to install a corrected firewall script in + /etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the + existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall + before you do that. /etc/shorewall/firewall is a symbolic link that points + to the 'shorewall' file used by your system initialization scripts to + start Shorewall during boot and it is that file that must be overwritten + with the corrected script.
+ +Some users have reported problems installing the RPM
+ on SuSE 7.3 where rpm reports a conflict with kernel <= 2.2 even
+ though a 2.4 kernel RPM is installed. To get around this problem, use
+ the --nodeps option to rpm (e.g., "rpm -ivh --nodeps
+ shorewall-1.2-13.noarch.rpm").
+
+ The problem stems from the fact that SuSE does not
+ include a package named "kernel" but rather has a number of packages
+ that provide the virtual package "kernel". Since virtual packages have
+ no version associated with them, a conflict results. Since the
+ workaround is simple, I don't intend to change the Shorewall package.
Shorewall accepts invalid rules of the form:
+
+ ACCEPT <src> <dest>:<ip addr> all <port number> -
+ <original ip address>
+
+ The <port number> is ignored with the result that all
+ connection requests from the <src> zone whose original destination IP
+ address matches the last column are forwarded to the <dest> zone, IP
+ address <ip addr>.
+
+ This corrected firewall script correctly generates an error when
+ such a rule is encountered.
The 'try' command is broken.
The usage text printed by the shorewall utility + doesn't show the optional timeout for the 'try' command.
Both problems are corrected by + + this new version of /sbin/shorewall.
+ +There have been several problems with SSH, DNS and + ping in the two- and three-interface examples. Before reporting + problems with these services, please verify that you have the latest + version of the appropriate sample 'rules' file.
The documentation for + running PoPToP on the firewall system contained an incorrect entry + in the /etc/shorewall/hosts file. The corrected entry (underlined) is + shown here:
++ ++++
++ +ZONE +HOST(S) +OPTIONS ++ +loc +eth2:192.168.1.0/24 +routestopped ++ +loc +ppp+:192.168.1.0/24 ++
The shorewall.conf file and the documentation + incorrectly refer to a parameter in /etc/shorewall/shorewall.conf + called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (see + the corrected online documentation). Users of the rpm should + change the name (and possibly the value) of this parameter so that + Shorewall interacts properly with the SysV init scripts. The + documentation on this web site has been corrected and + + here's a corrected version of shorewall.conf.
+ +The documentation indicates that a comma-separated + list of IP/subnet addresses may appear in an entry in the hosts file. + This is not the case; if you want to specify multiple addresses for a + zone, you need to have a separate entry for each address.
+ +Version 1.2.7 is quite broken -- please install 1.2.8
+ +If you have installed and started version 1.2.7 then before trying + to restart under 1.2.8:
+You may now restart using 1.2.8.
+ +GRE and IPIP tunnels are broken.
The following rule results in a start error:
+
+ ACCEPT z1 z2
+ icmp
To correct the above problems, install + this + corrected firewall script in /etc/shorewall/firewall..
The new ADDRESS column in /etc/shorewall/masq cannot + contain a $-variable name.
Errors result if $FW appears in the + /etc/shorewall/policy file.
Using Blacklisting without setting BLACKLIST_LOGLEVEL + results in an error at start time.
To correct the above problems, install + this + corrected firewall script in /etc/shorewall/firewall.
The /sbin/shorewall script produces error messages + saying that 'mygrep' cannot be found. + + Here is the correct version of /sbin/shorewall.
This version will not install "out of the box" without + modification. Before attempting to start the + firewall, please change the STATEDIR in /etc/shorewall/shorewall.conf to + refer to /var/lib/shorewall. This only applies to fresh installations -- if + you are upgrading from a previous version of Shorewall, version 1.2.4 will + work without modification.
When BLACKLIST_LOGLEVEL is set, packets from blacklisted + hosts aren't logged. Install this + corrected firewall script in /etc/shorewall/firewall.
+ ++Alternatively, edit /etc/shorewall/firewall and change line 1564 from:
+ +
run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \+
+ ++to
+ +
run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \+ +
status) + clear+ +
+ ++to this:
+ +
status) + get_config + clear+ +
+ ++ +Note: If you are upgrading from one of the Beta + RPMs to 1.2.0, you must use the "--oldpackage" option to rpm + (e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).
+ +The tunnel script released in version 1.2.0 contained + errors -- a corrected + script is available.
+ +
+ ++ +There are a couple of serious bugs in iptables 1.2.3 that + prevent it from working with Shorewall. Regrettably, +RedHat released this buggy iptables in RedHat 7.2.
+ +I have built a + corrected 1.2.3 rpm which you can download here and I have also built + an + iptables-1.2.4 rpm which you can download here. If +you are currently running RedHat 7.1, you can install either of these RPMs + before you upgrade to RedHat 7.2.
+ +Update + 11/9/2001: RedHat has + released an iptables-1.2.4 RPM of their own which you can download from + http://www.redhat.com/support/errata/RHSA-2001-144.html. + I have installed this RPM + on my firewall and it works fine.
+ +If you + would like to patch iptables 1.2.3 yourself, the patches are available + for download. This patch + which corrects a problem with parsing of the --log-level specification while + this patch + corrects a problem in handling the TOS target.
+ +To install one of the above patches:
++
+ +- cd iptables-1.2.3/extensions
+- patch -p0 < the-patch-file
+
++ +Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may + experience the following:
+++# shorewall start +Processing /etc/shorewall/shorewall.conf ... +Processing /etc/shorewall/params ... +Starting Shorewall... +Loading Modules... +Initializing... +Determining Zones... +Zones: net +Validating interfaces file... +Validating hosts file... +Determining Hosts in Zones... +Net Zone: eth0:0.0.0.0/0 +iptables: libiptc/libip4tc.c:380: do_check: Assertion +`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. +Aborted (core dumped) +iptables: libiptc/libip4tc.c:380: do_check: Assertion +`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed. +Aborted (core dumped) ++The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in the + Netfilter 'mangle' table. You can correct the problem by installing + + this iptables RPM. If you are already running a 1.2.5 version of + iptables, you will need to specify the --oldpackage option to rpm (e.g., + "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").
+
+ Last updated 5/24/2002 - + Tom Eastep +
+ +Copyright + © 2001, 2002 Thomas M. Eastep.
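Review bot: the fix shown as "status) clear" changed "to this: status) get_config clear" has no introductory sentence saying which file, version or line it applies to (the preceding item is the complete blacklist logging fix for line 1564), so readers cannot tell where to apply it; add the missing lead-in. The RedHat iptables 1.2.3 section (corrected RPMs, the two patches, and the libip4tc.c assertion failure) is duplicated verbatim from errata.htm in this same changeset and the copies already disagree (errata.htm says kernel 2.4.18/19, this page says 2.4.18); keep it in one place and link to it. Also "corrected firewall script in /etc/shorewall/firewall.." has a doubled period.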
+ + + \ No newline at end of file diff --git a/Shorewall-docs/fallback.htm b/Shorewall-docs/fallback.htm new file mode 100644 index 000000000..843fa0682 --- /dev/null +++ b/Shorewall-docs/fallback.htm @@ -0,0 +1,67 @@ + + + + +Shorewall includes +a fallback script +and an uninstall script.
+ +If you install Shorewall and discover that +it doesn't work for you, you can fall back to your previously +installed version. To do that:
+ +If your previous version of Shorewall was +installed using RPM, you may fall back to that version by typing +"rpm -Uvh --force <old rpm>" at a root shell +prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm" would fall back to the 3.1-0 +version of Shorewall).
+ +If you no longer wish to use Shorewall, you +may remove it by:
+ +If you installed using an rpm, at a root shell prompt +type "rpm -e shorewall".
+ +Last updated 3/26/2001 - +Tom +Eastep
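Review bot: the example "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm" is malformed: the release separator and the dot before the architecture are wrong compared with the "shorewall-1.2-13.noarch.rpm" form used on the errata page, and "3.1" matches no version documented in this changeset, so either use a real current filename or mark it a placeholder. "To do that:" and "you may remove it by:" both introduce steps that are not in the hunk; restore the lists. The "Last updated 3/26/2001" footer also predates the 2002 copyright line below it.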
+Copyright +© 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/gnu_mailman.htm b/Shorewall-docs/gnu_mailman.htm new file mode 100644 index 000000000..94a1aa0bd --- /dev/null +++ b/Shorewall-docs/gnu_mailman.htm @@ -0,0 +1,55 @@ + + + + + + + +Q: Mailman does not work with Postfix, complaining about GID mismatch
+
+A: Mailman uses a setgid wrapper that is designed to be used in system-wide
+aliases file so that rest of mailman's mail handling processes will run with
+proper uid/gid. Postfix has an ability to run a command specified in an alias as
+owner of that alias, thus mailman's wrapper is not needed here. The best method
+to invoke mailman's mail handling via aliases is to use separate alias file
+especially for mailman, and made it owned by mailman and group mailman. Like:
+
+alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases
+
+Make sure that /var/mailman/aliases.db is owned by mailman user (this may be
+done by executing postalias as mailman userid).
+
+Next, instead of using mailman-suggested aliases entries with wrapper, use the
+following:
+
+instead of
+mailinglist: /var/mailman/mail/wrapper post mailinglist
+mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist
+mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist
+...
+
+use
+mailinglist: /var/mailman/scripts/post mailinglist
+mailinglist-admin: /var/mailman/scripts/mailowner mailinglist
+mailinglist-request: /var/mailman/scripts/mailcmd mailinglist
+...
Last updated 5/4/2002 - Tom +Eastep
++Copyright © 2001, 2002 Thomas M. Eastep.
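Review bot: the answer relies on Postfix running an alias's command as the owner of the alias file and then has the reader make /var/mailman/aliases owned by mailman; that makes anyone who can write that file, aliases.db, or the /var/mailman/scripts/* targets able to run commands as the mailman user, so the text should say that all of them must be writable only by mailman. Grammar: "made it owned by mailman" should read "make it owned", "run with proper uid/gid" wants "the proper", and "owned by mailman user" should be "owned by the mailman user". This FAQ also has nothing to do with firewalling; consider whether it belongs in the Shorewall docs at all.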
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/hosts_file.htm b/Shorewall-docs/hosts_file.htm new file mode 100644 index 000000000..72ad66b7a --- /dev/null +++ b/Shorewall-docs/hosts_file.htm @@ -0,0 +1,21 @@ + + + + + + + +Since there seems to be a lot of confusion regarding the +/etc/shorewall/hosts file, I have created this page to try to clear the fog.
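Review bot: hosts_file.htm consists of a single sentence promising to "clear the fog" around /etc/shorewall/hosts and then ends; either add the explanation (the columns, and when a hosts entry is needed rather than an interfaces entry) or leave the page out of this commit until it has content, since an empty page adds to the confusion it describes.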
++ + + + diff --git a/Shorewall-docs/images/BD21298_.gif b/Shorewall-docs/images/BD21298_.gif new file mode 100644 index 000000000..335cde588 Binary files /dev/null and b/Shorewall-docs/images/BD21298_.gif differ diff --git a/Shorewall-docs/images/BD21298_1.gif b/Shorewall-docs/images/BD21298_1.gif new file mode 100644 index 000000000..335cde588 Binary files /dev/null and b/Shorewall-docs/images/BD21298_1.gif differ diff --git a/Shorewall-docs/images/BD21298_2.gif b/Shorewall-docs/images/BD21298_2.gif new file mode 100644 index 000000000..335cde588 Binary files /dev/null and b/Shorewall-docs/images/BD21298_2.gif differ diff --git a/Shorewall-docs/images/BD21298_3.gif b/Shorewall-docs/images/BD21298_3.gif new file mode 100644 index 000000000..335cde588 Binary files /dev/null and b/Shorewall-docs/images/BD21298_3.gif differ diff --git a/Shorewall-docs/images/DMZ.jpg b/Shorewall-docs/images/DMZ.jpg new file mode 100644 index 000000000..30704b5b7 Binary files /dev/null and b/Shorewall-docs/images/DMZ.jpg differ diff --git a/Shorewall-docs/images/DMZ2.jpg b/Shorewall-docs/images/DMZ2.jpg new file mode 100644 index 000000000..be96e6565 Binary files /dev/null and b/Shorewall-docs/images/DMZ2.jpg differ diff --git a/Shorewall-docs/images/DMZ3.jpg b/Shorewall-docs/images/DMZ3.jpg new file mode 100644 index 000000000..06a9fc3dc Binary files /dev/null and b/Shorewall-docs/images/DMZ3.jpg differ diff --git a/Shorewall-docs/images/DMZ4.JPG b/Shorewall-docs/images/DMZ4.JPG new file mode 100644 index 000000000..9fbcfb951 Binary files /dev/null and b/Shorewall-docs/images/DMZ4.JPG differ diff --git a/Shorewall-docs/images/DMZ5.JPG b/Shorewall-docs/images/DMZ5.JPG new file mode 100644 index 000000000..a17315b34 Binary files /dev/null and b/Shorewall-docs/images/DMZ5.JPG differ diff --git a/Shorewall-docs/images/DMZ6.JPG b/Shorewall-docs/images/DMZ6.JPG new file mode 100644 index 000000000..93a95329a Binary files /dev/null and b/Shorewall-docs/images/DMZ6.JPG differ 
diff --git a/Shorewall-docs/images/Hiking1.jpg b/Shorewall-docs/images/Hiking1.jpg new file mode 100644 index 000000000..0c94246a7 Binary files /dev/null and b/Shorewall-docs/images/Hiking1.jpg differ diff --git a/Shorewall-docs/images/Mobile.png b/Shorewall-docs/images/Mobile.png new file mode 100644 index 000000000..5456c7bcf Binary files /dev/null and b/Shorewall-docs/images/Mobile.png differ diff --git a/Shorewall-docs/images/Mobile.vsd b/Shorewall-docs/images/Mobile.vsd new file mode 100644 index 000000000..f7f9087f2 Binary files /dev/null and b/Shorewall-docs/images/Mobile.vsd differ diff --git a/Shorewall-docs/images/ORE.jpg b/Shorewall-docs/images/ORE.jpg new file mode 100644 index 000000000..5dad3179f Binary files /dev/null and b/Shorewall-docs/images/ORE.jpg differ diff --git a/Shorewall-docs/images/SY00079.gif b/Shorewall-docs/images/SY00079.gif new file mode 100644 index 000000000..9d567b7ae Binary files /dev/null and b/Shorewall-docs/images/SY00079.gif differ diff --git a/Shorewall-docs/images/Shorewall_Banner.gif b/Shorewall-docs/images/Shorewall_Banner.gif new file mode 100644 index 000000000..6450fe29c Binary files /dev/null and b/Shorewall-docs/images/Shorewall_Banner.gif differ diff --git a/Shorewall-docs/images/Thumbs.db b/Shorewall-docs/images/Thumbs.db new file mode 100644 index 000000000..128d0b393 Binary files /dev/null and b/Shorewall-docs/images/Thumbs.db differ diff --git a/Shorewall-docs/images/TwoNets1.jpg b/Shorewall-docs/images/TwoNets1.jpg new file mode 100644 index 000000000..3c10145da Binary files /dev/null and b/Shorewall-docs/images/TwoNets1.jpg differ diff --git a/Shorewall-docs/images/TwoNets1.png b/Shorewall-docs/images/TwoNets1.png new file mode 100644 index 000000000..c425132ea Binary files /dev/null and b/Shorewall-docs/images/TwoNets1.png differ 
diff --git a/Shorewall-docs/images/TwoNets1.vsd b/Shorewall-docs/images/TwoNets1.vsd new file mode 100644 index 000000000..d442abbe5 Binary files /dev/null and b/Shorewall-docs/images/TwoNets1.vsd differ diff --git a/Shorewall-docs/images/apache_pb1.gif b/Shorewall-docs/images/apache_pb1.gif new file mode 100644 index 000000000..e27b7fb74 Binary files /dev/null and b/Shorewall-docs/images/apache_pb1.gif differ diff --git a/Shorewall-docs/images/basics.jpg b/Shorewall-docs/images/basics.jpg new file mode 100644 index 000000000..4b457f92f Binary files /dev/null and b/Shorewall-docs/images/basics.jpg differ diff --git a/Shorewall-docs/images/basics.png b/Shorewall-docs/images/basics.png new file mode 100644 index 000000000..b2de10dba Binary files /dev/null and b/Shorewall-docs/images/basics.png differ diff --git a/Shorewall-docs/images/basics.vsd b/Shorewall-docs/images/basics.vsd new file mode 100644 index 000000000..9f8681770 Binary files /dev/null and b/Shorewall-docs/images/basics.vsd differ diff --git a/Shorewall-docs/images/basics1.jpg b/Shorewall-docs/images/basics1.jpg new file mode 100644 index 000000000..3af2a7c83 Binary files /dev/null and b/Shorewall-docs/images/basics1.jpg differ diff --git a/Shorewall-docs/images/basics1.png b/Shorewall-docs/images/basics1.png new file mode 100644 index 000000000..9b3e58db5 Binary files /dev/null and b/Shorewall-docs/images/basics1.png differ diff --git a/Shorewall-docs/images/basics1.vsd b/Shorewall-docs/images/basics1.vsd new file mode 100644 index 000000000..84182f7b4 Binary files /dev/null and b/Shorewall-docs/images/basics1.vsd differ diff --git a/Shorewall-docs/images/but3.png b/Shorewall-docs/images/but3.png new file mode 100644 index 000000000..e6d39edfc Binary files /dev/null and b/Shorewall-docs/images/but3.png differ 
diff --git a/Shorewall-docs/images/compaq.gif b/Shorewall-docs/images/compaq.gif new file mode 100644 index 000000000..11f8674ee Binary files /dev/null and b/Shorewall-docs/images/compaq.gif differ diff --git a/Shorewall-docs/images/dmz1.png b/Shorewall-docs/images/dmz1.png new file mode 100644 index 000000000..a5454ebff Binary files /dev/null and b/Shorewall-docs/images/dmz1.png differ diff --git a/Shorewall-docs/images/dmz1.vsd b/Shorewall-docs/images/dmz1.vsd new file mode 100644 index 000000000..0db26c62b Binary files /dev/null and b/Shorewall-docs/images/dmz1.vsd differ diff --git a/Shorewall-docs/images/dmz2.png b/Shorewall-docs/images/dmz2.png new file mode 100644 index 000000000..a793a1caa Binary files /dev/null and b/Shorewall-docs/images/dmz2.png differ diff --git a/Shorewall-docs/images/dmz2.vsd b/Shorewall-docs/images/dmz2.vsd new file mode 100644 index 000000000..2729c2743 Binary files /dev/null and b/Shorewall-docs/images/dmz2.vsd differ diff --git a/Shorewall-docs/images/dmz3.png b/Shorewall-docs/images/dmz3.png new file mode 100644 index 000000000..b7d8b23fc Binary files /dev/null and b/Shorewall-docs/images/dmz3.png differ diff --git a/Shorewall-docs/images/dmz3.vsd b/Shorewall-docs/images/dmz3.vsd new file mode 100644 index 000000000..0a8c0807a Binary files /dev/null and b/Shorewall-docs/images/dmz3.vsd differ diff --git a/Shorewall-docs/images/dmz4.png b/Shorewall-docs/images/dmz4.png new file mode 100644 index 000000000..6e79d5d91 Binary files /dev/null and b/Shorewall-docs/images/dmz4.png differ diff --git a/Shorewall-docs/images/dmz4.vsd b/Shorewall-docs/images/dmz4.vsd new file mode 100644 index 000000000..47ca4187f Binary files /dev/null and b/Shorewall-docs/images/dmz4.vsd differ diff --git a/Shorewall-docs/images/dmz5.png b/Shorewall-docs/images/dmz5.png new file mode 100644 index 000000000..ffd5b9bdd Binary files /dev/null and b/Shorewall-docs/images/dmz5.png differ 
diff --git a/Shorewall-docs/images/dmz5.vsd b/Shorewall-docs/images/dmz5.vsd new file mode 100644 index 000000000..9e7356452 Binary files /dev/null and b/Shorewall-docs/images/dmz5.vsd differ diff --git a/Shorewall-docs/images/dmz6.png b/Shorewall-docs/images/dmz6.png new file mode 100644 index 000000000..2763dbf5d Binary files /dev/null and b/Shorewall-docs/images/dmz6.png differ diff --git a/Shorewall-docs/images/dmz6.vsd b/Shorewall-docs/images/dmz6.vsd new file mode 100644 index 000000000..997174862 Binary files /dev/null and b/Shorewall-docs/images/dmz6.vsd differ diff --git a/Shorewall-docs/images/dyndns_anim2.gif b/Shorewall-docs/images/dyndns_anim2.gif new file mode 100644 index 000000000..07def3a1e Binary files /dev/null and b/Shorewall-docs/images/dyndns_anim2.gif differ diff --git a/Shorewall-docs/images/j0213519.gif b/Shorewall-docs/images/j0213519.gif new file mode 100644 index 000000000..818e79c18 Binary files /dev/null and b/Shorewall-docs/images/j0213519.gif differ diff --git a/Shorewall-docs/images/leaflogo.gif b/Shorewall-docs/images/leaflogo.gif new file mode 100644 index 000000000..ac6fbec2f Binary files /dev/null and b/Shorewall-docs/images/leaflogo.gif differ diff --git a/Shorewall-docs/images/leaflogo.jpg b/Shorewall-docs/images/leaflogo.jpg new file mode 100644 index 000000000..b810b420d Binary files /dev/null and b/Shorewall-docs/images/leaflogo.jpg differ diff --git a/Shorewall-docs/images/linux_powered.gif b/Shorewall-docs/images/linux_powered.gif new file mode 100644 index 000000000..3a7ddf192 Binary files /dev/null and b/Shorewall-docs/images/linux_powered.gif differ diff --git a/Shorewall-docs/images/logo-sm.jpg b/Shorewall-docs/images/logo-sm.jpg new file mode 100644 index 000000000..c81c74d04 Binary files /dev/null and b/Shorewall-docs/images/logo-sm.jpg differ 
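Review bot: Shorewall-docs/images/Thumbs.db should not be part of this commit. It is the Windows Explorer thumbnail cache, an opaque OLE container that can carry thumbnails of images that were in the working directory but are not otherwise published, so it is both repository noise and a small information leak; remove it and add `Thumbs.db` to .gitignore. Separately, BD21298_.gif, BD21298_1.gif, BD21298_2.gif and BD21298_3.gif all resolve to the same blob (index 000000000..335cde588), so one image is stored four times under four names; keep a single copy and point the HTML at it. The .vsd files appear to be the Visio sources for the neighbouring .png/.jpg renders with the same basenames (basics, basics1, TwoNets1, dmz1..dmz6); if they stay, a short note in the docs saying which file is the source of truth would stop people editing the rendered copies.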
diff --git a/Shorewall-docs/images/menuconfig.jpg b/Shorewall-docs/images/menuconfig.jpg new file mode 100644 index 000000000..835996728 Binary files /dev/null and b/Shorewall-docs/images/menuconfig.jpg differ diff --git a/Shorewall-docs/images/menuconfig1.jpg b/Shorewall-docs/images/menuconfig1.jpg new file mode 100644 index 000000000..fb23469e0 Binary files /dev/null and b/Shorewall-docs/images/menuconfig1.jpg differ diff --git a/Shorewall-docs/images/netopts.jpg b/Shorewall-docs/images/netopts.jpg new file mode 100644 index 000000000..d50c3022d Binary files /dev/null and b/Shorewall-docs/images/netopts.jpg differ diff --git a/Shorewall-docs/images/network.jpg b/Shorewall-docs/images/network.jpg new file mode 100644 index 000000000..f928049ac Binary files /dev/null and b/Shorewall-docs/images/network.jpg differ diff --git a/Shorewall-docs/images/network.png b/Shorewall-docs/images/network.png new file mode 100644 index 000000000..fab0fcace Binary files /dev/null and b/Shorewall-docs/images/network.png differ diff --git a/Shorewall-docs/images/network.vsd b/Shorewall-docs/images/network.vsd new file mode 100644 index 000000000..008277007 Binary files /dev/null and b/Shorewall-docs/images/network.vsd differ diff --git a/Shorewall-docs/images/network.xpm b/Shorewall-docs/images/network.xpm new file mode 100644 index 000000000..98549c4ad --- /dev/null +++ b/Shorewall-docs/images/network.xpm 
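Review bot: the network diagram is added here in four forms, network.jpg, network.png, network.vsd and network.xpm, and the XPM is a text encoding of the same raster, so the hunk that follows is 438 lines of C source (`static char * network_xpm[]`, a 493x432 three-colour image) that only duplicates what network.png already carries while being far larger in the tree and useless to diff. Keep one editable source (the .vsd) and one rendered format that the HTML actually references, and drop the others; if the .xpm is consumed by something outside this tree, name it in the commit message so the duplication is justified.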
@@ -0,0 +1,438 @@ +/* XPM */ +static char * network_xpm[] = { +"493 432 3 1", +" c None", +". c #FFFFFF", +"+ c #000000", +"...........................................................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+++++.....++++...+..........+.+..+.......+.............+..................+.+................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+.................+....+...+....+..+..........+.+..++.....++.............+..................+.+................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+.....+..+.......+..........+.+..++.....++...+++....++.+...+++...+.+..+...+.+................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+.....+...++.....+...............+.+...+.+..+...+..+..++..+...+..++.++.+.....................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+.....+.....++...+...............+.+...+.+..+...+..+...+..+...+..+..+..+.....................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+.................+.....+.......+..+...............+..+.+..+..+...+..+...+..+++++..+..+..+.....................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+.....+..+....+..+...............+..+.+..+..+...+..+...+..+......+..+..+.....................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+....+...+....+..+...............+...+...+..+...+..+..++..+...+..+..+..+.....................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+.................+++++.....++++...+++++...........+...+...+...+++....++.+...+++...+..+..+.....................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", +"...........................................................................................................................................................................................................................+..............................................................................................................+..................................................................................................................................................................", 
+"...........................................................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", +"................................................................................................................................................................................................................................................................................+............................................................................................................................................................................................................................", 
+"............................................................................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", +"............................................................................................................................................................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"............................................................................................................................................................................................+..................+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++...+++.........+....+++++...+++..........+.....+++....+++..........................+.......................................................................................................................", +"............................................................................................................................................................................................+.................+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+..+...+......+++........+..+...+.......+++....+...+..+...+.........................+.......................................................................................................................", +"............................................................................................................................................................................................+.....................+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+...+............+.......+...+...+.........+....+...+..+...+.........................+.......................................................................................................................", +"............................................................................................................................................................................................+....................+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+...+.++.........+.......+....+++..........+.....+++...+...+.........................+.......................................................................................................................", 
+"............................................................................................................................................................................................+...................+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+....++..+........+......+....+...+.........+....+...+..+...+.........................+.......................................................................................................................", +"............................................................................................................................................................................................+..................+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+....+...+........+......+....+...+.++++....+....+...+..+...+.........................+.......................................................................................................................", +"............................................................................................................................................................................................+.................+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+....+...+........+......+....+...+.........+....+...+..+...+.........................+.......................................................................................................................", +"++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................+.................+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+.....+...+........+.....+.....+...+.........+....+...+..+...+.........................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+.................+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+++....+....+.....+......+++..........+.....+++....+++..........................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+...............................................................................................................+........................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+..............................................................................................................+.........................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+..........++++..........................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.........+....+.........................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.........+........+++...+.+.+...+...+++...+.+...........................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+..........++.....+...+..++..+...+..+...+..++............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+............++...+...+..+...+...+..+...+..+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+..............+..+++++..+....+.+...+++++..+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.........+....+..+......+....+.+...+......+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+.........+....+..+...+..+.....+....+...+..+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+..........++++....+++...+.....+.....+++...+.............................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+..........+++....+++....+++........+.....+++......+........+.......+....+++........+....+++++..+++++....................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.........+...+..+...+..+...+.....+++....+...+....++......+++......++...+...+.....+++........+......+....................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+.............+..+...+..+...........+........+...+.+........+.....+.+...+...........+.......+......+.....................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+............+...+...+..+.++........+.......+....+.+........+.....+.+...+.++........+.......+......+.....................................+..................................................+.........+.....+++....+++........+.....+++....+++.......+++........+....................++++++..+.............................+..+......................................................+.......................................................................................................................", 
+"+...........+....+...+..++..+.......+......+....+..+........+....+..+...++..+.......+......+......+......................................+..................................................+.......+++....+...+..+...+.....+++....+...+..+...+.....+...+.....+++....................+.....................................+..+......................................................+.......................................................................................................................", +"+..........+.....+...+..+...+.......+.....+....+...+........+...+...+...+...+.......+......+......+......................................+..................................................+.........+....+...+......+.......+....+......+...+.........+.......+....................+.......+..+.+..+++..+...+...+..+++...+..+......................................................+.......................................................................................................................", +"+.........+......+...+..+...+.......+....+.....++++++.......+...++++++..+...+.......+......+......+......................................+..................................................+.........+....+...+.....+........+....+.++....+++.........+........+....................+.......+..++..+...+.+...+...+.+...+..+..+......................................................+.......................................................................................................................", +"+.........+......+...+..+...+.......+....+.........+........+.......+...+...+.......+.....+......+.......................................+..................................................+.........+.....++++....+.........+....++..+..+...+.......+.........+....................+++++...+..+...+...+..+..+..+......+..+..+......................................................+.......................................................................................................................", 
+"+.........+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+......+.......................................+..................................................+.........+........+...+..........+....+...+..+...+......+..........+....................+.......+..+...+++++..+..+..+...++++..+..+......................................................+.......................................................................................................................", +"+........................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++.+.........+........+..+...........+....+...+..+...+.....+...........+....................+.......+..+...+......+.+.+.+..+...+..+..+......................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.........+....+...+..+...........+....+...+..+...+.....+...........+....................+.......+..+...+...+...+...+...+...+..+..+......................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.........+.....+++...+++++..+....+.....+++....+++...+..+++++..+....+....................+.......+..+....+++....+...+....+++.+.+..+......................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+.................................................+.....+++....+++........+.....+++....+++........+........+++...+++++.....+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+...............................................+++....+...+..+...+.....+++....+...+..+...+.....+++.......+...+..+........++.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+....+...+......+.......+....+......+...+.......+...........+..+.......+.+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+....+...+.....+........+....+.++....+++........+..........+...++++....+.+.............................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+.................................................+.....++++....+.........+....++..+..+...+.......+.........+........+..+..+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+........+...+..........+....+...+..+...+.......+........+.........+.+...+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+........+..+...........+....+...+..+...+.......+.......+......+...+.++++++............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+.................................................+....+...+..+...........+....+...+..+...+.......+.......+......+...+.....+.............................................................+.......................................................................................................................", 
+"+........................................................................................................................................+..................................................+.................................................+.....+++...+++++..+....+.....+++....+++...+....+....+..+++++...+++......+.............................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", +"+........................................................................................................................................+..................................................+........................................................................................................................................................................................+.......................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+..........................++++............+..+.........+.....................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.........................+....+..............+.........+.....................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.........................+......+...+...+.+.+++..+++...+.++..................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+..........................++....+...+...+.+..+..+...+..++..+.................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+............................++...+..+..+..+..+..+......+...+.................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+..............................+..+..+..+..+..+..+......+...+.................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.........................+....+..+.+.+.+..+..+..+......+...+.................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.........................+....+...+...+...+..+..+...+..+...+.................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+..........................++++....+...+...+..++..+++...+...+.................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+.............................................................................................+..................................................................................................................................................................", 
+"............................................................................................................................................................................................................................................+..........................................+..................................................+..................................................................................................................................................................", +"............................................................................................................................................................................................................................................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++..................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", +".......................................................................................................................................................................................................................................................................................+.....................................................................................................................................................................................................................", 
+".....................+......+.....+++....+++........+.....+++....+++........+.......+++++......................................+............+..........................................................................................................+.............+........+++++...+++....+++...+....+....+++++.....+...+....+.......+....+++...+....+.....+++....+++..+...........+.........+..........+.....++++....+.........+....++..+..+...+.......+.......+...+....................................+", +".....................+....+++....+...+..+...+.....+++....+...+..+...+.....+++.......+..........................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+........+...+..........+....+...+..+...+.......+.......+...+....................................+", +".....................+......+....+...+......+.......+....+......+...+.......+.......+..........................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+........+..+...........+....+...+..+...+.......+.......+...+....................................+", +".....................+......+....+...+.....+........+....+.++....+++........+.......++++.......................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+....+...+..+...........+....+...+..+...+.......+.......+...+....................................+", 
+".....................+......+.....++++....+.........+....++..+..+...+.......+...........+......................................+............+..........................................................................................................+.............+................................................................................................................+.........+..........+.....+++...+++++..+....+.....+++....+++...+....+....+...+++.....................................+", +".....................+......+........+...+..........+....+...+..+...+.......+...........+......................................+............+........+.....+++....+++........+.....+++....+++........+..........+......................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+......+........+..+...........+....+...+..+...+.......+.......+...+......................................+............+......+++....+...+..+...+.....+++....+...+..+...+.....+++.........++......................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+......+....+...+..+...........+....+...+..+...+.......+.......+...+......................................+............+........+....+...+......+.......+....+......+...+.......+........+.+......................................+.............+..........+.....+++....+++........+.....+++....+++........+.......+++++.........................................+.........+...........................................................................................................+", 
+".....................+......+.....+++...+++++..+....+.....+++....+++...+....+....+...+++.......................................+............+........+....+...+.....+........+....+.++....+++........+........+.+......................................+.............+........+++....+...+..+...+.....+++....+...+..+...+.....+++...........+.........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+........+.....++++....+.........+....++..+..+...+.......+.......+..+......................................+.............+..........+....+...+......+.......+....+......+...+.......+..........+..........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+........+........+...+..........+....+...+..+...+.......+......+...+......................................+.............+..........+....+...+.....+........+....+.++....+++........+..........+..........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+........+........+..+...........+....+...+..+...+.......+......++++++.....................................+.............+..........+.....++++....+.........+....++..+..+...+.......+.........+...........................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+........+....+...+..+...........+....+...+..+...+.......+..........+......................................+.............+..........+........+...+..........+....+...+..+...+.......+.........+...........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+........+.....+++...+++++..+....+.....+++....+++...+....+....+.....+......................................+.............+..........+........+..+...........+....+...+..+...+.......+.........+...........................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+..........+....+...+..+...........+....+...+..+...+.......+........+............................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+..........+.....+++...+++++..+....+.....+++....+++...+....+....+...+............................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", 
+".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+...........................................................................................................+", +".....................+.........................................................................................................+............+..........................................................................................................+.............+................................................................................................................+.........+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++", +".....................+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++............+..........................................................................................................+.............+................................................................................................................+......................................................................................................................", 
+"............................................................................................................................................++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++.............++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++......................................................................................................................"}; diff --git a/Shorewall-docs/images/new10.gif b/Shorewall-docs/images/new10.gif new file mode 100644 index 000000000..ab20bf61e Binary files /dev/null and b/Shorewall-docs/images/new10.gif differ diff --git a/Shorewall-docs/images/newlog.gif b/Shorewall-docs/images/newlog.gif new file mode 100644 index 000000000..96b79d7e4 Binary files /dev/null and b/Shorewall-docs/images/newlog.gif differ diff --git a/Shorewall-docs/images/ol600_01mic.png b/Shorewall-docs/images/ol600_01mic.png new file mode 100644 index 000000000..2207d1114 Binary files /dev/null and b/Shorewall-docs/images/ol600_01mic.png differ diff --git a/Shorewall-docs/images/penguin_in_red_compaq_racer.gif b/Shorewall-docs/images/penguin_in_red_compaq_racer.gif new file mode 100644 index 000000000..20a321a72 Binary files /dev/null and b/Shorewall-docs/images/penguin_in_red_compaq_racer.gif differ diff --git a/Shorewall-docs/images/poweredby.png b/Shorewall-docs/images/poweredby.png new file mode 100644 index 000000000..5a744d0be Binary files /dev/null and b/Shorewall-docs/images/poweredby.png differ diff --git a/Shorewall-docs/images/poweredbycompaqlog0.gif b/Shorewall-docs/images/poweredbycompaqlog0.gif new file mode 100644 index 000000000..63a4ce79c Binary files /dev/null and b/Shorewall-docs/images/poweredbycompaqlog0.gif differ diff --git a/Shorewall-docs/images/ppp.jpg b/Shorewall-docs/images/ppp.jpg new file mode 100644 index 000000000..8131a8cac Binary files /dev/null and b/Shorewall-docs/images/ppp.jpg differ 
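Review bot: in the `images/publish` script, `scp $@ root@mail:/var/www/html/images` passes the argument list unquoted, so any filename containing whitespace is split into several arguments and the copy fails or copies the wrong files; write it as `scp "$@" root@mail:/var/www/html/images`. The same line publishes as `root` on the web host, so whoever holds the key or password used by this script has root on `mail`; a dedicated unprivileged account that owns `/var/www/html/images` is enough for dropping image files there and limits what a compromised publishing workstation can do. The commented-out `teastep@shorewall.sourceforge.net` line above it is dead history and can be dropped rather than shipped.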
diff --git a/Shorewall-docs/images/proxyarp.jpg b/Shorewall-docs/images/proxyarp.jpg new file mode 100644 index 000000000..6c638fca8 Binary files /dev/null and b/Shorewall-docs/images/proxyarp.jpg differ diff --git a/Shorewall-docs/images/proxyarp.png b/Shorewall-docs/images/proxyarp.png new file mode 100644 index 000000000..88b0f1b42 Binary files /dev/null and b/Shorewall-docs/images/proxyarp.png differ diff --git a/Shorewall-docs/images/proxyarp.vsd b/Shorewall-docs/images/proxyarp.vsd new file mode 100644 index 000000000..b2fbfbe93 Binary files /dev/null and b/Shorewall-docs/images/proxyarp.vsd differ diff --git a/Shorewall-docs/images/publish b/Shorewall-docs/images/publish new file mode 100644 index 000000000..d4469d8ec --- /dev/null +++ b/Shorewall-docs/images/publish @@ -0,0 +1,6 @@ +#!/bin/sh + +# scp $@ teastep@shorewall.sourceforge.net:/home/groups/s/sh/shorewall/htdocs + scp $@ root@mail:/var/www/html/images + + diff --git a/Shorewall-docs/images/pure.jpg b/Shorewall-docs/images/pure.jpg new file mode 100644 index 000000000..7c2a64f7b Binary files /dev/null and b/Shorewall-docs/images/pure.jpg differ diff --git a/Shorewall-docs/images/pureftp-d.jpg b/Shorewall-docs/images/pureftp-d.jpg new file mode 100644 index 000000000..c49908e12 Binary files /dev/null and b/Shorewall-docs/images/pureftp-d.jpg differ diff --git a/Shorewall-docs/images/sf_logo_metal2.jpg b/Shorewall-docs/images/sf_logo_metal2.jpg new file mode 100644 index 000000000..07064dbf2 Binary files /dev/null and b/Shorewall-docs/images/sf_logo_metal2.jpg differ diff --git a/Shorewall-docs/images/sflogo.png b/Shorewall-docs/images/sflogo.png new file mode 100644 index 000000000..f5c0a256d Binary files /dev/null and b/Shorewall-docs/images/sflogo.png differ diff --git a/Shorewall-docs/images/shorewall.jpg b/Shorewall-docs/images/shorewall.jpg new file mode 100644 index 000000000..d8f2a1c09 Binary files /dev/null and b/Shorewall-docs/images/shorewall.jpg differ 
diff --git a/Shorewall-docs/images/small-picture.gif b/Shorewall-docs/images/small-picture.gif new file mode 100644 index 000000000..a6006b13a Binary files /dev/null and b/Shorewall-docs/images/small-picture.gif differ diff --git a/Shorewall-docs/images/staticnat.jpg b/Shorewall-docs/images/staticnat.jpg new file mode 100644 index 000000000..aa50608ed Binary files /dev/null and b/Shorewall-docs/images/staticnat.jpg differ diff --git a/Shorewall-docs/images/staticnat.png b/Shorewall-docs/images/staticnat.png new file mode 100644 index 000000000..a147089b7 Binary files /dev/null and b/Shorewall-docs/images/staticnat.png differ diff --git a/Shorewall-docs/images/staticnat.vsd b/Shorewall-docs/images/staticnat.vsd new file mode 100644 index 000000000..3ce9724bd Binary files /dev/null and b/Shorewall-docs/images/staticnat.vsd differ diff --git a/Shorewall-docs/images/updated.gif b/Shorewall-docs/images/updated.gif new file mode 100644 index 000000000..83882574d Binary files /dev/null and b/Shorewall-docs/images/updated.gif differ diff --git a/Shorewall-docs/images/washington.jpg b/Shorewall-docs/images/washington.jpg new file mode 100644 index 000000000..d356e2dd2 Binary files /dev/null and b/Shorewall-docs/images/washington.jpg differ diff --git a/Shorewall-docs/index.htm b/Shorewall-docs/index.htm new file mode 100644 index 000000000..b140d6f58 --- /dev/null +++ b/Shorewall-docs/index.htm @@ -0,0 +1,23 @@ + + + + +
For information regarding configuring and building GNU/Linux kernels, see http://www.kernelnewbies.org.
+Here's a screen shot of my Network Options Configuration:
++++
While not all of the options that I've selected are required, they should be +sufficient for most applications. Here's an excerpt from the corresponding .config +file (Note: If you are running a kernel older than 2.4.17, be sure to select +CONFIG_NETLINK and CONFIG_RTNETLINK):
+ ++ ++ +#
+ +
+ # Networking options
+ #
+ CONFIG_PACKET=y
+ # CONFIG_PACKET_MMAP is not set
+ # CONFIG_NETLINK_DEV is not set
+ CONFIG_NETFILTER=y
+ CONFIG_NETFILTER_DEBUG=y
+ CONFIG_FILTER=y
+ CONFIG_UNIX=y
+ CONFIG_INET=y
+ CONFIG_IP_MULTICAST=y
+ CONFIG_IP_ADVANCED_ROUTER=y
+ CONFIG_IP_MULTIPLE_TABLES=y
+ CONFIG_IP_ROUTE_FWMARK=y
+ CONFIG_IP_ROUTE_NAT=y
+ CONFIG_IP_ROUTE_MULTIPATH=y
+ CONFIG_IP_ROUTE_TOS=y
+ CONFIG_IP_ROUTE_VERBOSE=y
+ # CONFIG_IP_ROUTE_LARGE_TABLES is not set
+ # CONFIG_IP_PNP is not set
+ CONFIG_NET_IPIP=m
+ CONFIG_NET_IPGRE=m
+ # CONFIG_NET_IPGRE_GROADCAST is not set
+ # CONFIG_IP_MROUTE is not set
+ # CONFIG_ARPD is not set
+ CONFIG_INET_ECN=y
+ CONFIG_SYN_COOKIES=y
Here's a screen shot of my Netfilter configuration:
++ + ++ +
Here's an excerpt from the corresponding .config file.
+++#
+
+ # IP: Netfilter Configuration
+ #
+ CONFIG_IP_NF_CONNTRACK=y
+ CONFIG_IP_NF_FTP=m
+ # CONFIG_IP_NF_QUEUE is not set
+ CONFIG_IP_NF_IPTABLES=y
+ CONFIG_IP_NF_MATCH_LIMIT=y
+ CONFIG_IP_NF_MATCH_MAC=y
+ CONFIG_IP_NF_MATCH_MARK=y
+ CONFIG_IP_NF_MATCH_MULTIPORT=y
+ CONFIG_IP_NF_MATCH_TOS=y
+ # CONFIG_IP_NF_MATCH_TCPMSS is not set
+ CONFIG_IP_NF_MATCH_STATE=y
+ # CONFIG_IP_NF_MATCH_UNCLEAN is not set
+ # CONFIG_IP_NF_MATCH_OWNER is not set
+ CONFIG_IP_NF_FILTER=y
+ CONFIG_IP_NF_TARGET_REJECT=y
+ # CONFIG_IP_NF_TARGET_MIRROR is not set
+ CONFIG_IP_NF_NAT=y
+ CONFIG_IP_NF_NAT_NEEDED=y
+ CONFIG_IP_NF_TARGET_MASQUERADE=y
+ CONFIG_IP_NF_TARGET_REDIRECT=y
+ CONFIG_IP_NF_NAT_FTP=m
+ CONFIG_IP_NF_MANGLE=y
+ CONFIG_IP_NF_TARGET_TOS=y
+ CONFIG_IP_NF_TARGET_MARK=y
+ CONFIG_IP_NF_TARGET_LOG=y
+ CONFIG_IP_NF_TARGET_TCPMSS=y
+ # CONFIG_IPV6 is not set
+
Note that I have built everything I need into the kernel except for the FTP +connection tracking and NAT modules. I have also run successfully with all of +the options selected above built as modules:
+ ++ + ++ +#
+ +
+ # IP: Netfilter Configuration
+ #
+ CONFIG_IP_NF_CONNTRACK=m
+ CONFIG_IP_NF_FTP=m
+ # CONFIG_IP_NF_QUEUE is not set
+ CONFIG_IP_NF_IPTABLES=m
+ CONFIG_IP_NF_MATCH_LIMIT=m
+ CONFIG_IP_NF_MATCH_MAC=m
+ CONFIG_IP_NF_MATCH_MARK=m
+ CONFIG_IP_NF_MATCH_MULTIPORT=m
+ CONFIG_IP_NF_MATCH_TOS=m
+ # CONFIG_IP_NF_MATCH_TCPMSS is not set
+ CONFIG_IP_NF_MATCH_STATE=m
+ # CONFIG_IP_NF_MATCH_UNCLEAN is not set
+ # CONFIG_IP_NF_MATCH_OWNER is not set
+ CONFIG_IP_NF_FILTER=m
+ CONFIG_IP_NF_TARGET_REJECT=m
+ # CONFIG_IP_NF_TARGET_MIRROR is not set
+ CONFIG_IP_NF_NAT=m
+ CONFIG_IP_NF_NAT_NEEDED=m
+ CONFIG_IP_NF_TARGET_MASQUERADE=m
+ CONFIG_IP_NF_TARGET_REDIRECT=m
+ CONFIG_IP_NF_NAT_FTP=m
+ CONFIG_IP_NF_MANGLE=m
+ CONFIG_IP_NF_TARGET_TOS=m
+ CONFIG_IP_NF_TARGET_MARK=m
+ CONFIG_IP_NF_TARGET_LOG=m
+ CONFIG_IP_NF_TARGET_TCPMSS=m
+ # CONFIG_IPV6 is not set
+
Last updated 3/10/2002 - +Tom +Eastep
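Review bot: in the first `.config` excerpt of the kernel page, `# CONFIG_NET_IPGRE_GROADCAST is not set` is not a real option name; the 2.4 option is `CONFIG_NET_IPGRE_BROADCAST`, which suggests the excerpt was retyped rather than pasted, so it is worth pasting the lines verbatim from the actual `.config`. The same excerpt has `CONFIG_NETFILTER_DEBUG=y`; that option only adds debugging checks and extra kernel messages and is not needed for any of the features the text relies on, so readers who copy the excerpt onto a production firewall should be told it is optional (or it should be shown as `not set`). The second excerpt, with everything built as modules, is consistent with the first apart from that debug flag, which is fine.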
+Copyright +© 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/mailing_list.htm b/Shorewall-docs/mailing_list.htm new file mode 100644 index 000000000..b5faeb2e0 --- /dev/null +++ b/Shorewall-docs/mailing_list.htm @@ -0,0 +1,135 @@ + + + + + + + ++Note: The list server limits posts to 120kb.
+ +If you experience problems with any of these lists, please +let me know
+ +You can report such problems by sending mail to tom dot eastep +at hp dot com.
+ +Before subscribing please read my policy + about list traffic that bounces. Also please note that the mail server + at shorewall.net checks the sender of incoming mail against the open relay + databases at ordb.org and at + osirusoft.com.
+ +The Shorewall Users Mailing list provides a way for users to get +answers to questions and to report problems. +Information of general interest to the Shorewall user community is also posted +to this list.
+Before posting a problem report to this list, please see the +problem reporting guidelines.
+To subscribe to the mailing list, go to +http://www.shorewall.net/mailman/listinfo/shorewall-users.
+To post to the list, post to shorewall-users@shorewall.net.
+The list archives are at http://www.shorewall.net/pipermail/shorewall-users.
+Note that prior to 1/1/2002, the mailing list was hosted at Sourceforge. +The archives from that list may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/.
+This list is for announcements of general interest to the +Shorewall community. To subscribe, go to +http://www.shorewall.net/mailman/listinfo/shorewall-announce.
+The list archives are at http://www.shorewall.net/pipermail/shorewall-announce.
+The Shorewall Development Mailing list provides a forum for the +exchange of ideas about the future of Shorewall and for coordinating ongoing +Shorewall Development.
+To subscribe to the mailing list, go to +http://www.shorewall.net/mailman/listinfo/shorewall-devel.
+To post to the list, post to shorewall-devel@shorewall.net.
+The list archives are at http://www.shorewall.net/pipermail/shorewall-devel.
+There seems to be near-universal confusion about unsubscribing +from Mailman-managed lists. To unsubscribe:
+Follow the same link above that you used to subscribe to the +list.
+Down at the bottom of that page is the following text: "To +change your subscription (set options like digest and delivery modes, get a +reminder of your password, or unsubscribe from <name of list>), enter +your subscription email address:". Enter your email address in the box and click +on the "Edit Options" button.
+There will now be a box where you can enter your password and +click on "Unsubscribe"; if you have forgotten your password, there is another +button that will cause your password to be emailed to you.
+Last updated 7/26/2002 - Tom +Eastep
++Copyright © 2001, 2002 Thomas M. Eastep.
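Review bot: the mailing list page names two specific DNS blocklists (ordb.org and osirusoft.com) that the shorewall.net mail server consults for incoming senders; naming third-party services in the documentation ties the page to their continued existence and to their listing policies, and a subscriber whose provider is listed will simply have posts rejected. Describe the policy generically ("senders are checked against open-relay blocklists") and keep the list of providers in one place that can be updated, and say next to the subscribe links that a rejected sender should use the out-of-band address given at the top of the page.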
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/mailing_list_problems.htm b/Shorewall-docs/mailing_list_problems.htm new file mode 100644 index 000000000..167b74a39 --- /dev/null +++ b/Shorewall-docs/mailing_list_problems.htm @@ -0,0 +1,52 @@ + + + + + + + +++ +++2020ca - delivery to this domain has been disabled (cause unknown) +excite.com - delivery to this domain has been disabled (cause unknown) +epacificglobal.com - delivery to this domain has been disabled (no MX record for domain) +gmx.net - delivery to this domain has been disabled (cause unknown) +hotmail.com - delivery to this domain has been disabled (Mailbox over quota) +intercom.net - delivery to this domain has been disabled (cause unknown) +initialcs.com - delivery to this domain has been disabled (cause unknown) +intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found). +khp-inc.com - delivery to this domain has been disabled (anti-virus problems) +kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator) +opermail.net - delivery to this domain has been disabled (cause unknown) +penquindevelopment.com - delivery to this domain has been disabled (connection timed out) +scip-online.de - delivery to this domain has been disabled (cause unknown) +spctnet.com - connection timed out - delivery to this domain has been disabled +telusplanet.net - delivery to this domain has been disabled (cause unknown) +yahoo.com - delivery to this domain has been disabled (Mailbox over quota)+
Last updated 7/26/2002 19:39 GMT - +Tom +Eastep
+ ++ +Copyright © 2002 Thomas M. Eastep.
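Review bot: the list of domains whose delivery has been disabled gives an affected subscriber no way to get delivery restored once the underlying problem (over-quota mailbox, missing MX record, relaying refused) has been fixed, and no date per entry, so a reader cannot tell whether "hotmail.com - delivery to this domain has been disabled (Mailbox over quota)" is still current; add a date to each entry and a sentence saying whom to contact to have a domain re-enabled.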
+ ++ + + + \ No newline at end of file diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm new file mode 100644 index 000000000..d85d5cf6a --- /dev/null +++ b/Shorewall-docs/myfiles.htm @@ -0,0 +1,291 @@ + + + + + +
+ +
+++I have DSL service and have 5 static IP addresses (206.124.146.176-180). +My DSL "modem" (Fujitsu Speedport) is connected to eth0. I have +a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected +to eth1 (192.168.2.0/24).
++I use Static NAT for all internal systems (those connected to the switch) except my Wife's system (tarry) +and the Wireless Access Point (wap) which are +masqueraded through the primary gateway address (206.124.146.176).
++The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.19.
++My personal GNU/Linux System (wookie) is 192.168.1.3 and my personal Windows XP system (ursa) +is 192.168.1.5. Wookie +runs Samba and acts as the a WINS server. Wookie is in its own 'whitelist' zone +called 'me'.
++My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own +Sygate firewall software and is managed by Proxy ARP. It connects to the +local network through the PopTop server running on my firewall.
++The single system in the DMZ (address 206.124.146.177) runs postfix, Courier +IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server +(Pure-ftpd). The system also runs fetchmail to fetch our email from our +old and current ISPs. That server is managed through Proxy ARP.
++The firewall system itself runs a DHCP server that serves the local network.
++All administration and publishing is done using ssh/scp.
++I run an SNMP server on my firewall to serve +MRTG running in the DMZ.
++
++
The ethernet interface in the Server is configured + with IP address 206.124.146.177, netmask + 255.255.255.0. The server's default gateway is + 206.124.146.254 (Router at my ISP. This is the same + default gateway used by the firewall itself). On the firewall, + Shorewall automatically adds a host route to + 206.124.146.177 through eth1 (192.168.2.1) because of + the entry in /etc/shorewall/proxyarp (see below).
+A similar setup is used on eth3 (192.168.3.1) which + interfaces to my laptop (206.124.146.180).
++ Note: My files use features not available before + Shorewall version 1.3.4.
+
SUBSYSLOCK=/var/lock/subsys/shorewall + STATEDIR=/var/state/shorewall + + LOGRATE= + LOGBURST= + + ADD_IP_ALIASES="Yes" + + CLAMPMSS=Yes + + MULTIPORT=Yes+
#ZONE DISPLAY COMMENTS + net Internet Internet + me Eastep My Workstation + loc Local Local networks + dmz DMZ Demilitarized zone + tx Texas Peer Network in Dallas Texas + #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE+
++ ++This is set up so that I can start the firewall before bringing up my Ethernet +interfaces.
+ +
#ZONE INTERFACE BROADCAST OPTIONS + net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping + loc eth2 192.168.1.255 dhcp + dmz eth1 206.124.146.255 - + net eth3 206.124.146.255 norfc1918 + - texas - + loc ppp+ + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE+
#ZONE HOST(S) OPTIONS + me eth2:192.168.1.3 + tx texas:192.168.9.0/24 + #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE+ +
#INTERFACE HOST(S) + eth1 206.124.146.177 + eth2 - + eth3 206.124.146.180+
. /etc/shorewall/common.def + run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP + run_iptables -A common -p tcp --dport 113 -j REJECT+ +
+ #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST + me all ACCEPT + tx me ACCEPT #Give Texas access to my personal system + all me CONTINUE #WARNING: You must be running Shorewall 1.3.1 or later for + # this policy to work as expected!!! + loc loc ACCEPT + loc net ACCEPT + $FW loc ACCEPT + $FW tx ACCEPT + loc tx ACCEPT + loc fw REJECT + net net ACCEPT + net all DROP info 10/sec:40 + all all REJECT info + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE+
++ ++Although most of our internal systems use static NAT, my wife's system +(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.
+
#INTERFACE SUBNET ADDRESS + eth0 192.168.1.0/24 206.124.146.176 + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE+
#EXTERNAL INTERFACE INTERNAL ALL LOCAL + 206.124.146.178 eth0 192.168.1.5 No No + 206.124.146.179 eth0 192.168.1.3 No No + #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE+ +
#ADDRESS INTERFACE EXTERNAL HAVEROUTE + 206.124.146.177 eth1 eth0 No + 206.124.146.180 eth3 eth0 No + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE+ +
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL + # PORT(S) PORT(S) PORT(S) DEST + # + # Local Network to Internet - Reject attempts by Trojans to call home + # + REJECT:info loc net tcp 6667 + # + # Local Network to Firewall + # + ACCEPT loc fw tcp ssh + ACCEPT loc fw tcp time + # + # Local Network to DMZ + # + ACCEPT loc dmz udp domain + ACCEPT loc dmz tcp smtp + ACCEPT loc dmz tcp domain + ACCEPT loc dmz tcp ssh + ACCEPT loc dmz tcp auth + ACCEPT loc dmz tcp imap + ACCEPT loc dmz tcp https + ACCEPT loc dmz tcp imaps + ACCEPT loc dmz tcp cvspserver + ACCEPT loc dmz tcp www + ACCEPT loc dmz tcp ftp + ACCEPT loc dmz tcp pop3 + ACCEPT loc dmz icmp echo-request + # + # Internet to DMZ + # + ACCEPT net dmz tcp www + ACCEPT net dmz tcp smtp + ACCEPT net dmz tcp ftp + ACCEPT net dmz tcp auth + ACCEPT net dmz tcp https + ACCEPT net dmz tcp imaps + ACCEPT net dmz tcp domain + ACCEPT net dmz tcp cvspserver + ACCEPT net dmz udp domain + ACCEPT net dmz icmp echo-request + ACCEPT net:$MIRRORS dmz tcp rsync + # + # Net to Me (ICQ chat and file transfers) + # + ACCEPT net me tcp 4000:4100 + # + # Net to Local + # + ACCEPT net loc tcp auth + REJECT net loc tcp www + # + # DMZ to Internet + # + ACCEPT dmz net icmp echo-request + ACCEPT dmz net tcp smtp + ACCEPT dmz net tcp auth + ACCEPT dmz net tcp domain + ACCEPT dmz net tcp www + ACCEPT dmz net tcp https + ACCEPT dmz net tcp whois + ACCEPT dmz net tcp echo + ACCEPT dmz net udp domain + ACCEPT dmz net:$NTPSERVERS udp ntp + ACCEPT dmz net:$POPSERVERS tcp pop3 + # + # The following compensates for a bug, either in some FTP clients or in the + # Netfilter connection tracking code that occasionally denies active mode + # FTP clients + # + ACCEPT:info dmz net tcp 1024: 20 + # + # DMZ to Firewall -- snmp + # + ACCEPT dmz fw tcp snmp + ACCEPT dmz fw udp snmp + # + # DMZ to Local Network + # + ACCEPT dmz loc tcp smtp + ACCEPT dmz loc tcp auth + ACCEPT dmz loc icmp echo-request + # Internet to Firewall + # + ACCEPT net fw tcp 1723 + 
ACCEPT net fw gre + REJECT net fw tcp www + # + # Firewall to Internet + # + ACCEPT fw net:$NTPSERVERS udp ntp + ACCEPT fw net udp domain + ACCEPT fw net tcp domain + ACCEPT fw net tcp www + ACCEPT fw net tcp https + ACCEPT fw net tcp ssh + ACCEPT fw net tcp whois + ACCEPT fw net icmp echo-request + # + # Firewall to DMZ + # + ACCEPT fw dmz tcp www + ACCEPT fw dmz tcp ftp + ACCEPT fw dmz tcp ssh + ACCEPT fw dmz tcp smtp + ACCEPT fw dmz udp domain + # + # Let Texas Ping + # + ACCEPT tx fw icmp echo-request + ACCEPT tx loc icmp echo-request + + #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE+ +
+Last updated 8/9/2002 + - + Tom Eastep +
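Review bot: the active-FTP workaround in the rules file, `ACCEPT:info dmz net tcp 1024: 20`, accepts any new TCP connection from the DMZ to any Internet port above 1023 whenever the source port is 20, which is far broader than the per-service DMZ-to-net rules listed above it; since the comment attributes it to a bug in some FTP clients or in the connection tracking code, record the Shorewall and kernel versions on which it was observed so the rule can be retired once the bug is fixed, and keep the `:info` logging so that use of the exception stays visible. Minor: the trailer of the policy file reads "DO NOT REMOTE" where every other file says "DO NOT REMOVE".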
+ Copyright + © 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/netfilter_overview.htm b/Shorewall-docs/netfilter_overview.htm new file mode 100644 index 000000000..399d36259 --- /dev/null +++ b/Shorewall-docs/netfilter_overview.htm @@ -0,0 +1,140 @@ + + + + + + + +
Chains of rules are organized into Tables. +Netfilter currently has three tables.
+ +Mangle Table - This allows the contents of the packet to be +changed. Shorewall uses rules in this table to mark packets for traffic +shaping/control (/etc/shorewall/tcrules file) and for setting the Type of +Service (TOS) for the packet (/etc/shorewall/tos).
+ +NAT Table - Allows modification of the source and destination IP +and port.
+ +Filter Table - This is where most ACCEPT/DROP/REJECT decisions +are made in Shorewall.
+ +Each table has a number of pre-defined chains as shown in +the table that follows. Packets flow through the chains in the order of that +table.
+ ++++
++ +Ordinal +Table +Chain +Shorewall Usage +Comments ++ +1 +Mangle +PREROUTING ++ ++
+- RFC 1918 Destination Rejections
+- Marking Packets for Traffic Control
+- TOS
++ + +2 +NAT +PREROUTING ++ ++
+- DNAT Rules
+- Static NAT DNAT mapping
+Only connection requests go here -- packets that are part of or + related to an established connection use information from the connection + tracking table. ++ +3 +Filter +INPUT +<zone>2fw filtering ++ + +3 +Filter +FORWARD +<zone>2<zone> filtering ++ + +3 +Filter +OUTPUT +fw2<zone> filtering ++ + +4 +Mangle +POSTROUTING +TOS ++ + +5 +NAT +OUTPUT +DNAT rules where the source zone is fw +Only connection requests go here -- packets that are part of or + related to an established connection use information from the connection + tracking table. ++ +5 +NAT +POSTROUTING ++ ++
+- Masquerading (/etc/shoreawll/masq)
+- SNAT (/etc/shorewall/masq)
+- Static NAT SNAT Mapping
+Only connection requests go here -- packets that are part of or + related to an established connection use information from the connection + tracking table. +
The connection tracking table can be displayed using the +"shorewall show connections" command.
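Review bot: the NAT POSTROUTING row gives the masquerade file as "/etc/shoreawll/masq" while the next bullet has "/etc/shorewall/masq"; fix the typo. Also, the three Filter rows all carry ordinal 3, but a given packet traverses only one of INPUT, FORWARD or OUTPUT depending on whether it is addressed to the firewall, forwarded, or originated locally; a sentence saying that a shared ordinal means "same stage, mutually exclusive chains" would stop readers assuming a packet passes through all three.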
+ + + + diff --git a/Shorewall-docs/ports.htm b/Shorewall-docs/ports.htm new file mode 100644 index 000000000..5a4d43b72 --- /dev/null +++ b/Shorewall-docs/ports.htm @@ -0,0 +1,110 @@ + + + + +In addition to those applications described in the +/etc/shorewall/rules documentation, here are some other +services/applications that you may need to configure your firewall to accommodate.
+ +NTP (Network Time Protocol)
+++UDP Port 123
+
rdate
+++TCP Port 37
+
UseNet (NNTP)
+++TCP Port 119
+
DNS
+++UDP Port 53. If you are configuring a DNS client, you will probably want to + open TCP Port 53 as well.
+
+ If you are configuring a server, only open TCP Port 53 if you will return long + replies to queries or if you need to enable ZONE transfers. In the latter + case, be sure that your server is properly configured.
ICQ
+++UDP Port 4000. You will also need to open a range of TCP ports which you + can specify to your ICQ client. By default, clients use 4000-4100.
+
PPTP
+++Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more + information here).
+
IPSEC
+++Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port 500. + These should be opened in both directions.
+
SMTP
+++TCP Port 25.
+
POP3
+++TCP Port 110.
+
TELNET
+++TCP Port 23.
+
SSH
+++TCP Port 22.
+
Auth (identd)
+++ +TCP Port 113
+
Web Access
+++TCP Ports 80 and 443.
+
FTP
+++ +Server configuration is covered on in the + /etc/shorewall/rules documentation,
+For a client, you must open outbound TCP port 21 and be sure that your + kernel is compiled to support FTP connection tracking. If you build this + support as a module, Shorewall will automatically load the module from + /var/lib/<kernel version>/kernel/net/ipv4/netfilter.
+
SMB/NMB (Samba/Windows Browsing/File Sharing)
+++ +TCP Ports 137, 139 and 445.
+
+ UDP Ports 137-139.
+
+ Also, see this page.
Traceroute
+++UDP ports 33434 through 33434+<max number of hops>-1
+
Didn't find what you are looking for -- have you looked in your own + /etc/services file?
+ +Still looking? Try + + http://www.networkice.com/advice/Exploits/Ports
+ +Last updated 7/30/2002 - +Tom +Eastep
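Review bot: in the FTP entry, "/var/lib/<kernel version>/kernel/net/ipv4/netfilter" is not where loadable kernel modules live; on a standard Linux system they are under /lib/modules/<kernel version>/kernel/net/ipv4/netfilter, so the path should be corrected before a reader goes looking for the FTP connection tracking module there. Also "Server configuration is covered on in the /etc/shorewall/rules documentation," should read "covered in the ... documentation." and end with a full stop.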
+Copyright +© 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/quotes.htm b/Shorewall-docs/quotes.htm new file mode 100644 index 000000000..bff768d67 --- /dev/null +++ b/Shorewall-docs/quotes.htm @@ -0,0 +1,91 @@ + + + + + + + +"I just installed Shorewall after weeks of messing with + ipchains/iptables and I had it up and running in under 20 minutes!" + -- JL, Ohio +
+ + +"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 + without any problems. Your documentation is great and I really appreciate + your network configuration info. That really helped me out alot. + THANKS!!!" -- MM. +
+ + +"[Shorewall is a] great, great project. I've used/tested may + firewall scripts but this one is till now the best." -- B.R, + Netherlands +
+ + +"Never in my +12 year career as a sys admin have I witnessed + someone so relentless in developing a secure, state of the art, save and + useful product as the Shorewall firewall package for no cost or obligation + involved." -- Mario Kericki, Toronto +
+ + +"one time more to report, that your great shorewall in the latest + release + 1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines up + and running with shorewall on several versions - starting with 1.2.2 up to + the new 1.2.9 and I never have encountered any problems!" -- SM, Germany
+ + +"You have the best support of any other package I've ever + used." -- SE, US +
+ +"Because our company has information which has been classified by the +national government as secret, our security doesn't stop by putting a fence +around our company. Information security is a hot issue. We also make use of +checkpoint firewalls, but not all of the internet servers are guarded by +checkpoint, some of them are running....Shorewall." -- Name withheld by request, +Europe
+ +"thanx for all your efforts you put into shorewall - this product stands out +against a lot of commercial stuff iŽve been working with in terms of +flexibillity, quality & support" -- RM, Austria
+ +"I have never seen such a complete firewall package that is so easy to +configure. I searched the Debian package system for firewall scripts and +Shorewall won hands down." -- RG, Toronto
+ +"My respects... I've just found and installed Shorewall 1.3.3-1 and it is a
+wonderful piece of software. I've just sent out an email to about 30 people
+recommending it. :-)
+While I had previously taken the time (maybe 40 hours) to really understand
+ipchains, then spent at least an hour per server customizing and carefully
+scrutinizing firewall rules, I've got shorewall running on my home firewall,
+with rulesets and policies that I know make sense, in under 20 minutes." -- RP,
+Guatamala
+
+
Updated +7/9/2002 - Tom Eastep + + +
+ +Copyright +© 2001, 2002 Thomas M. Eastep.
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/samba.htm b/Shorewall-docs/samba.htm new file mode 100644 index 000000000..98d52d9a6 --- /dev/null +++ b/Shorewall-docs/samba.htm @@ -0,0 +1,93 @@ + + + + + + + +If you wish to run Samba on your firewall and access shares between the +firewall and local hosts, you need the following rules:
++++
++ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ +ACCEPT +fw +loc +udp +137:139 ++ + + +ACCEPT +fw +loc +tcp +137,139 ++ + + +ACCEPT +fw +loc +udp +1024: +137 ++ + +ACCEPT +loc +fw +udp +137:139 ++ + + +ACCEPT +loc +fw +tcp +137,139 ++ + + +ACCEPT +loc +fw +udp +1024: +137 ++
Last modified 5/29/2002 - Tom +Eastep
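Review bot: the rule table only covers the NetBIOS ports 137-139, but the ports page added in this same commit lists TCP 445 alongside 137 and 139 for SMB/NMB, and Windows 2000 and later hosts attempt direct-hosted SMB on TCP 445 before falling back to NetBIOS; either add `ACCEPT fw loc tcp 445` and `ACCEPT loc fw tcp 445` or say explicitly that the table is for NetBIOS-over-TCP only. The two `udp 1024:` rules with source port 137 would also benefit from a comment explaining that they admit name-service replies, since the header row is the only hint of their purpose.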
+Copyright © 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm new file mode 100644 index 000000000..84d500692 --- /dev/null +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -0,0 +1,111 @@ + + +
+ + +The Shoreline Firewall, more commonly known as "Shorewall", is a + Netfilter (iptables) + based firewall that can be used on a dedicated firewall system, a + multi-function gateway/router/server or on a standalone GNU/Linux system.
+ +This program is free software; you can redistribute it and/or modify
+ it under the terms of Version 2 of the GNU General Public License
+ as published by the Free Software Foundation.
+
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with this program; if not, write to the Free Software Foundation,
+ Inc., 675 Mass Ave, Cambridge, MA 02139, USA
Copyright 2001, 2002 Thomas M. Eastep
+ + +8/7/2002 - STABLE branch added to CVS Repository +
+ +This branch will only be updated after I release a new version of Shorewall + so you can always update from this branch to get the latest stable tree.
+ +8/7/2002 - Upgrade Issues section added + to the Errata Page +
+ +Now there is one place to go to look for issues involved with upgrading to + recent versions of Shorewall.
+ +8/7/2002 - Shorewall 1.3.6 +
+ +This is primarily a bug-fix rollup with a couple of new features:
+ +The + Shorewall Project uses facilities provided by SourceForge.
+ + ++ + Jacques Nilo and Eric Wolzak have a LEAF distribution called Bering + that features Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at: + http://leaf.sourceforge.net/devel/jnilo
+ + +
+
+ Shorewall is free but if + you try it and find it useful, please consider making a donation to + Starlight Children's Foundation. Thanks! |
+
---|
Updated + 8/10/2002 - Tom Eastep + + + + +
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/shoreline.htm b/Shorewall-docs/shoreline.htm new file mode 100644 index 000000000..a279a7e6e --- /dev/null +++ b/Shorewall-docs/shoreline.htm @@ -0,0 +1,101 @@ + + + + + ++
+ + + +Tom on the Pacific Crest Trail north of Stevens Pass,
+ Washington -- Sept
+ 1991.
+ Photo
+ by Ken Mazawa
I am currently a member of the design team for the next-generation + operating system from the NonStop Enterprise Division of HP.
+ +I became interested in Internet Security +when I established a home office in 1999 and had DSL service installed in our + home. I investigated +ipchains and developed the scripts which are now collectively known as Seattle + Firewall. Expanding on what I learned from Seattle Firewall, I then + designed and wrote Shorewall.
+ +I telework from our home in Shoreline, +Washington + where I live with my wife Tarry. +
+ +Our current home network consists of:
+ +For more about our network see my Shorewall + Configuration.
+ +The PII/266 is made by Dell. All of our + other systems are made by Compaq (part + of the new HP).. All of our Tulip NICs are Netgear + FA310TXs.
+ + + + + +Last updated 8/10/2002 - + Tom Eastep +
+ Copyright + © 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/shorewall_ca_certificate.htm b/Shorewall-docs/shorewall_ca_certificate.htm new file mode 100644 index 000000000..1241ebdc7 --- /dev/null +++ b/Shorewall-docs/shorewall_ca_certificate.htm @@ -0,0 +1,27 @@ + + + + + + + +Load this certificate into your browser +to use SSL to the Shorewall Site
+ +Last updated +8/10/2002 - Tom +Eastep
+ +Copyright +© 2001, 2002 Thomas M. Eastep.
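Review bot: the page asks readers to import a CA certificate into their browser but publishes nothing they could use to verify it; a certificate downloaded from the same site it is meant to authenticate is only as trustworthy as that download, so the page should show the certificate's fingerprint (and ideally a detached PGP signature) so a reader can check it out of band before trusting it as a CA.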
+ + + + diff --git a/Shorewall-docs/shorewall_extension_scripts.htm b/Shorewall-docs/shorewall_extension_scripts.htm new file mode 100644 index 000000000..bb81ef009 --- /dev/null +++ b/Shorewall-docs/shorewall_extension_scripts.htm @@ -0,0 +1,108 @@ + + + + + + + ++ Extension scripts are user-provided + scripts that are invoked at various points during firewall start, restart, + stop and clear. The scripts are placed in /etc/shorewall and are processed + using the Bourne shell "source" mechanism. The following scripts can be + supplied:
++ You can also supply a script with the same name as any of the filter +chains in the firewall and the script will be invoked after the /etc/shorewall/rules + file has been processed but before the /etc/shorewall/policy file has +been processed.
+ + + +The following two files receive +special treatment:
+ ++ Rather than running iptables directly, you should run it using the function + run_iptables. Similarly, rather than running "ip" directly, you should +use run_ip. These functions accept the same arguments as the underlying +command but cause the firewall to be stopped if an error occurs during +processing of the command.
+ + + ++ If you decide to create /etc/shorewall/common or /etc/shorewall/icmp.def, it + is a good idea to use the following technique (common file shown but the same + technique applies to icmpdef).
+ + + ++ /etc/shorewall/common:
+ + + +++source /etc/shorewall/common.def +<add your rules here>+
If you need to supercede a rule in the released common.def file, you can add + the superceding rule before the 'source' command. Using this technique allows + you to add new rules while still getting the benefit of the latest common.def + file.
+ + + +Remember that /etc/shorewall/common and /etc/shorewall/icmpdef define rules
+ that are only applied if the applicable policy is DROP or REJECT. These rules
+ are NOT applied if the policy is ACCEPT or CONTINUE.
+
Last updated +8/5/2002 - Tom +Eastep
+ +Copyright 2002 Thomas M. Eastep
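Review bot: the file is named inconsistently: "If you decide to create /etc/shorewall/common or /etc/shorewall/icmp.def ... (common file shown but the same technique applies to icmpdef)" uses both icmp.def and icmpdef, while the closing paragraph says /etc/shorewall/icmpdef; pick one name, since a file with the wrong name is simply never sourced and the reader gets no error. Also "supercede" and "superceding" should be "supersede" and "superseding".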
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/shorewall_features.htm b/Shorewall-docs/shorewall_features.htm new file mode 100644 index 000000000..afd814396 --- /dev/null +++ b/Shorewall-docs/shorewall_features.htm @@ -0,0 +1,86 @@ + + + + + + + +Last updated 7/14/2002 - Tom +Eastep
++Copyright © 2001,2002 Thomas M. Eastep.
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/shorewall_firewall_structure.htm b/Shorewall-docs/shorewall_firewall_structure.htm new file mode 100644 index 000000000..89dcfd7b1 --- /dev/null +++ b/Shorewall-docs/shorewall_firewall_structure.htm @@ -0,0 +1,136 @@ + + + + + + + ++ Shorewall views the network in which it is running as a set of disjoint + zones. Shorewall itself defines exactly one zone called "fw" +which refers to the firewall system itself . The /etc/shorewall/zones file +is used to define additional zones and the example file provided with Shorewall +defines the zones:
+Note: You can specify the name of the firewall zone. + For ease of description in this documentation, it is assumed + that the firewall zone is named "fw".
+It can't be stressed enough that + with the exception of the firewall zone, Shorewall itself attaches no meaning to + zone names. Zone names are simply labels used to refer to a collection of + network hosts.
++ Traffic entering the + firewall is sent to an input chain. If the traffic is destined for the + firewall itself, the name of the input chain is formed by appending "_in" to + the interface name. So traffic on eth0 destined for the firewall will enter a + chain called eth0_in. The input chain for traffic that will be routed to + another system is formed by appending "_fwd" to the interface name. So traffic + from eth1 that is going to be forwarded enters a chain called eth1_fwd. + Interfaces described with the wild-card character ("+") in + /etc/shorewall/interfaces, share input chains. if ppp+ appears in + /etc/shorewall/interfaces then all PPP interfaces (ppp0, ppp1, ...) will share + the input chains ppp_in and ppp_fwd. In other words, "+" is + deleted from the name before forming the input chain names.
++ While the use of input chains may seem wasteful in simple environments, in + complex setups it substantially reduces the number of rules that each packet + must traverse.
++ Traffic directed from a zone to the firewall itself is sent through a +chain named <zone name>2fw. For example, traffic inbound from +the internet and addressed to the firewall is sent through a chain named +net2fw. Similarly, traffic originating in the firewall and being sent to +a host in a given zone is sent through a chain named fw2<zone name>. + For example, traffic originating in the firewall and destined +for a host in the local network is sent through a chain named fw2loc. + +
++ Traffic being forwarded between two zones (or from one interface to a +zone to another interface to that zone) is sent through a chain named +<source zone>2 <destination zone>. So for example, +traffic originating in a local system and destined for a remote web server +is sent through chain loc2net. This chain is referred to +as the canonical chain from <source zone> to <destination +zone>. Any destination NAT will have occurred before the packet +traverses one of these chains so rules in /etc/shorewall/rules should be +expressed in terms of the destination system's real IP address as opposed +to its apparent external address. Similarly, source NAT will occur after + the packet has traversed the appropriate forwarding chain so the rules +again will be expressed using the source system's real IP address.
++ For each record in the /etc/shorewall/policy file, a chain is created. Policies +in that file are expressed in terms of a source zone and destination zone +where these zones may be a zone defined in /etc/shorewall/zones, "fw" or +"all". Policies specifying the pseudo-zone "all" matches all defined zones +and "fw". These chains are referred to as Policy Chains. Notice that +for an ordered pair of zones (za,zb), the canonical chain (za2zb) may also +be the policy chain for the pair or the policy chain may be a different +chain (za2all, for example). Packets from one zone to another will traverse +chains as follows:
++ The canonical chain from zone za to zone zb will be created only if there +are exception rules defined in /etc/shorewall/rules for packets going from +za to zb.
++ Shorewall is built on top of the Netfilter kernel facility. Netfilter +implements connection tracking function that allow what is often referred +to as "statefull inspection" of packets. This statefull property allows + firewall rules to be defined in terms of "connections" rather than in +terms of "packets". With Shorewall, you:
++ Just because connections of a particular type are allowed between zone A + and the firewall and are also allowed between the firewall and zone B + DOES NOT mean that these connections are allowed between zone A and zone + B. It rather means that you can have a proxy running on +the firewall that accepts a connection from zone A and then establishes +its own separate connection from the firewall to zone B.
++ If you adopt the default policy of ACCEPT from the local zone to the internet +zone and you are having problems connecting from a local client to an internet +server, adding a rule won't help + (see point 3 above).
+Last modified 7/26/2002 - Tom +Eastep
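Review bot: spelling and consistency in the connection-tracking paragraph: "statefull inspection" and "statefull property" should be "stateful", which is the form the setup guide in this same commit uses, and "implements connection tracking function that allow" should be "implements a connection tracking function that allows". In the input-chains paragraph, "if ppp+ appears in /etc/shorewall/interfaces" begins a sentence and needs a capital, and "Policies specifying the pseudo-zone "all" matches all defined zones" should read "match".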
+Copyright © 2001, 2002 Thomas M. Eastep. \ No newline at end of file diff --git a/Shorewall-docs/shorewall_index.htm b/Shorewall-docs/shorewall_index.htm new file mode 100644 index 000000000..0624df8b4 --- /dev/null +++ b/Shorewall-docs/shorewall_index.htm @@ -0,0 +1,25 @@ + + +
+ +If you are a current subscriber to the Shorewall mailing list at +Sourceforge, please do the following:
+Subscribe to the new mailing list at http://www.shorewall.net/mailman/listinfo/shorewall-users
Once you have successfully subscribed to the new list, go to + http://lists.sourceforge.net/lists/listinfo/shorewall-users + and at the bottom of the page, enter your subscription email address and + click the "Edit Options" button. You will be taken to a page where + you can enter your password and unsubscribe. If you have forgotten your + password, there is a place on the page where you can request that it be + emailed to you.
Last updated 1/1/2002 - Tom +Eastep
+ ++Copyright © 2002 Thomas M. Eastep.
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/shorewall_mirrors.htm b/Shorewall-docs/shorewall_mirrors.htm new file mode 100644 index 000000000..01bf4e6ff --- /dev/null +++ b/Shorewall-docs/shorewall_mirrors.htm @@ -0,0 +1,57 @@ + + + + + + + +Remember that updates to the mirrors are often delayed for +6-12 hours after an update to the primary site.
+ +The main Shorewall Web Site is http://www.shorewall.net +and is located in Washington State, USA. +It is mirrored at:
+ +The main Shorewall FTP Site is ftp://ftp.shorewall.net/pub/shorewall/ +and is located in Washington State, USA. +It is mirrored at:
+Last Updated 7/16/2002 - Tom +Eastep
+ ++Copyright © 2001, 2002 Thomas M. Eastep.
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/shorewall_prerequisites.htm b/Shorewall-docs/shorewall_prerequisites.htm new file mode 100644 index 000000000..2a3eb83d4 --- /dev/null +++ b/Shorewall-docs/shorewall_prerequisites.htm @@ -0,0 +1,50 @@ + + + + + + + ++
Last updated 8/4/2002 - Tom +Eastep
+ ++Copyright © 2001, 2002 Thomas M. Eastep.
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/shorewall_quickstart_guide.htm b/Shorewall-docs/shorewall_quickstart_guide.htm new file mode 100644 index 000000000..5c3d47df5 --- /dev/null +++ b/Shorewall-docs/shorewall_quickstart_guide.htm @@ -0,0 +1,143 @@ + + + + + + + +With thanks to Richard who reminded me once again that we must +all first walk before we can run.
+ +These guides provide step-by-step instructions for configuring Shorewall in +common firewall setups.
+The following guides are for firewalls with a single external IP address:
+The above guides are designed to get your first firewall up and running +quickly in the three most common Shorewall configurations.
+The Shorewall Setup Guide outlines +the steps necessary to set up a firewall where there are multiple public IP +addresses involved or if you want to learn more about Shorewall than is +explained in the single-address guides above.
+The following documentation covers a variety of topics and supplements the +QuickStart Guides described above.
+If you use one of these guides and have a suggestion for improvement +please let me know.
+Copyright 2002 Thomas M. Eastep
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/shorewall_setup_guide.htm b/Shorewall-docs/shorewall_setup_guide.htm new file mode 100644 index 000000000..e99e5abfe --- /dev/null +++ b/Shorewall-docs/shorewall_setup_guide.htm @@ -0,0 +1,2357 @@ + + + + + + + +1.0 Introduction
+2.0 Shorewall Concepts
+3.0 Network Interfaces
+4.0 Addressing, Subnets and Routing
++ +4.1 IP Addresses
+
+4.2 Subnets
+4.3 Routing
+4.4 Address Resolution Protocol
+4.5 RFC 1918
+ +++ ++ +
6.0 DNS
+7.0 Starting and Stopping the Firewall
This guide is intended for users who are setting up Shorewall in an +environment where a set of public IP addresses must be managed or who want to +know more about Shorewall than is contained in the +single-address +guides. Because the +range of possible applications is so broad, the Guide will give you general +guidelines and will point you to other resources as necessary.
+This guide assumes that you have the iproute/iproute2 package installed (on +RedHat, the package is called iproute). You can tell if this +package is installed by the presence of an ip program on your firewall +system. As root, you can use the 'which' command to check for this program:
+[root@gateway root]# which ip + /sbin/ip + [root@gateway root]#
I recommend that you first read through the +guide to familiarize yourself with what's involved then go back through it again +making your configuration changes. Points at which configuration changes are +recommended are flagged with .
++If you edit your configuration files on a Windows system, you must save them as +Unix files if your editor supports that option or you must run them through +dos2unix before trying to use them with Shorewall. Similarly, if you copy a configuration file +from your Windows hard drive to a floppy disk, you must run dos2unix against the +copy before using it with Shorewall.
+ +The configuration files for Shorewall are contained in the directory +/etc/shorewall -- for most setups, you will only need to deal with a few of +these as described in this guide. Skeleton files are created during the +Shorewall Installation Process.
+As each file is introduced, I suggest that you +look through the actual file on your system -- each file contains detailed +configuration instructions and some contain default entries.
+Shorewall views the network where it is running as being composed of a set of +zones. In the default installation, the following zone names are used:
+Name | +Description | +
net | +The Internet | +
loc | +Your Local Network | +
dmz | +Demilitarized Zone | +
Zones are defined in the +/etc/shorewall/zones file.
+Shorewall also recognizes the firewall system as its own zone - by default, +the firewall itself is known as fw but that may be changed in the +/etc/shorewall/shorewall.conf file. In +this guide, the default name (fw) will be used.
+With the exception of fw, Shorewall attaches absolutely no meaning to +zone names. Zones are entirely what YOU make of them. That means that you should +not expect Shorewall to do something special "because this is the internet zone" +or "because that is the DMZ".
+Edit the +/etc/shorewall/zones file and make any changes necessary.
+Rules about what traffic to allow and what traffic to deny are expressed in +terms of zones.
++ Shorewall is built on top of the Netfilter kernel facility. Netfilter +implements a + connection tracking function that allows what is often referred +to as stateful inspection of packets. This stateful property allows + firewall rules to be defined in terms of connections rather than in +terms of packets. With Shorewall, you:
++ Just because connections of a particular type are allowed from zone A to the + firewall and are also allowed from the firewall to zone B + DOES NOT mean that these connections are allowed from zone A to zone + B. It rather means that you can have a proxy running on +the firewall that accepts a connection from zone A and then establishes +its own separate connection from the firewall to zone B.
+For each connection request entering the firewall, the request is first +checked against the /etc/shorewall/rules file. If no rule in that file matches +the connection request then the first policy in /etc/shorewall/policy that +matches the request is applied. If that policy is REJECT or DROP the +request is first checked against the rules in /etc/shorewall/common.def.
+The default /etc/shorewall/policy file has the +following policies:
++++
++ +Source Zone +Destination Zone +Policy +Log Level +Limit:Burst ++ +loc +net +ACCEPT ++ + + +net +all +DROP +info ++ + +all +all +REJECT +info ++
The above policy will:
+At this point, edit your /etc/shorewall/policy and make any changes that you +wish.
+For the remainder of this guide, we'll refer to the following +diagram. While it may not look like your own network, it can be used to +illustrate the important aspects of Shorewall configuration.
+In this diagram:
++
+The simplest way to define zones is to simply associate the zone +name (previously defined in /etc/shorewall/zones) with a network interface. This +is done in the /etc/shorewall/interfaces +file.
+The firewall illustrated above has three network interfaces. +Where Internet connectivity is through a cable or DSL "Modem", the External +Interface will be the Ethernet adapter that is connected to that "Modem" +(e.g., eth0) +unless you connect via Point-to-Point Protocol +over Ethernet (PPPoE) or Point-to-Point Tunneling +Protocol (PPTP) in which case the External Interface will be a ppp +interface (e.g., ppp0). If you connect via a regular modem, your External +Interface will also be ppp0. If you connect using ISDN, you external +interface will be ippp0.
+If +your external interface is ppp0 or ippp0 then you will want to set +CLAMPMSS=yes in +/etc/shorewall/shorewall.conf.
+Your Local Interface will be an Ethernet adapter (eth0, +eth1 or eth2) and will be connected to a hub or switch. Your local computers +will be connected to the same switch (note: If you have only a single local system, +you can connect the firewall directly to the computer using a cross-over +cable).
+Your DMZ Interface will also be an Ethernet adapter (eth0, +eth1 or eth2) and will be connected to a hub or switch. Your DMZ computers will +be connected to the same switch (note: If you have only a single DMZ system, +you can connect the firewall directly to the computer using a cross-over +cable).
++Do not connect more than one interface +to the same hub or switch (even for testing). It won't work the way that you +expect it to and you will end up confused and believing that Linux networking doesn't work at all.
+For the remainder of this Guide, we will assume that:
+The external interface is eth0.
+The Local interface is eth1.
+The DMZ interface is eth2.
+The Shorewall default configuration does not define the contents +of any zone. To define the above configuration using the +/etc/shorewall/interfaces file, that file would might contain:
++++
++ +Zone +Interface +Broadcast +Options ++ +net +eth0 +detect +norfc1918 ++ +loc +eth1 +detect ++ + +dmz +eth2 +detect ++
+Edit the /etc/shorewall/interfaces file and define the network interfaces on +your firewall and associate each interface with a zone. If you have a zone that +is interfaced through more than one interface, simply include one entry for each +interface and repeat the zone name as many times as necessary.
+Example:
++++
++ +Zone +Interface +Broadcast +Options ++ +net +eth0 +detect +norfc1918 ++ +loc +eth1 +detect ++ + +loc +eth2 +detect +dhcp +
When you have more than one interface to a zone, you will + usually want a policy that permits intra-zone traffic:
+++
++ +Source Zone +Destination Zone +Policy +Log Level +Limit:Burst ++ +loc +loc +ACCEPT ++ +
+You may define more complicated zones using the +/etc/shorewall/hosts file but in most +cases, that isn't necessary.
+Normally, your ISP will assign you a set of +Public IP addresses. You will configure your firewall's external interface to use +one of those addresses permanently and you will then have to decide how you are +going to use the rest of your addresses. Before we tackle that question though, some +background is in order.
+If you are thoroughly familiar with IP addressing and routing, +you may go to the next section.
+The following discussion barely scratches the surface of addressing and routing. If you are interested in learning more about +this subject, I highly recommend "IP Fundamentals: What Everyone +Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, +1999, ISBN 0-13-975483-0.
+IP version 4 (IPv4) addresses are 32-bit numbers. The notation w.x.y.z refers to an address where the high-order byte has value "w", the next +byte has value "x", etc. If we take the address 192.0.2.14 and express it in +hexadecimal, +we get:
+++C0.00.02.0E
+
or looking at it as a 32-bit integer
+++C000020E
+
You will still hear the terms "Class A network", "Class B +network" and "Class C network". In the early days of IP, networks only came +in three sizes (there were also Class D networks but they were used differently):
+++Class A - netmask 255.0.0.0, size = 2 ** 24
+Class B - netmask 255.255.0.0, size = 2 ** 16
+Class C - netmask 255.255.255.0, size = 256
+
The class of a network was uniquely determined by the value of the high +order byte of its address so you could look at an IP address and immediately +determine the associated netmask. The netmask is a number that when +logically ANDed with an address isolates the network number; the +remainder of the address is the host number. For example, in the Class C +address 192.0.2.14, the network number is hex C00002 and the host number is hex +0E.
+As the internet grew, it became clear that such a gross +partitioning of the 32-bit address space was going to be very limiting (early +on, large corporations and universities were assigned their own class A +network!). After some false starts, the current technique of subnetting +these networks into smaller subnetworks evolved -- today, any system that +you are likely to work with will understand subnetting and Class-based networking is largely a +thing of the past.
+A subnetwork (often referred to as a subnet) is + a contiguous set of IP addresses such that:
+The number of addresses in the set is a power of 2; and
+The first address in the set is a multiple of the set size.
+The first address in the subnet is reserved and is referred to as the + subnet address.
+The last address in the subnet is reserved as the subnet's broadcast + address.
+As you can see by this definition, in each subnet of size n + there are (n - 2) usable addresses (addresses that can be assigned to + hosts). The first and last address in the subnet are used for the subnet + address and subnet broadcast address respectively. Consequently, small + subnetworks are more wasteful of IP addresses than are large ones.
+Since n is a power of two, we can easily calculate the + Natural Logarithm (log2) of n. For the more common subnet sizes, the size and its natural logarithm are given in the + following table:
++++
++ +n +log2 n +(32 - log2 n) ++ +8 +3 +29 ++ +16 +4 +28 ++ +32 +5 +27 ++ +64 +6 +26 ++ +128 +7 +25 ++ +256 +8 +24 ++ +512 +9 +23 ++ +1024 +10 +22 ++ +2048 +11 +21 ++ +4096 +12 +20 ++ +8192 +13 +19 ++ +16384 +14 +18 ++ +32768 +15 +17 ++ +65536 +16 +16 +
You will notice that the above table also contains a column + for (32 - log2 n). That number is the Variable Length Subnet Mask for a network of size n. + From the above table, we can derive the following one which is a little easier to use.
++++
++ +Size of Subnet +VLSM +Subnet Mask ++ +8 +/29 +255.255.255.248 ++ +16 +/28 +255.255.255.240 ++ +32 +/27 +255.255.255.224 ++ +64 +/26 +255.255.255.192 ++ +128 +/25 +255.255.255.128 ++ +256 +/24 +255.255.255.0 ++ +512 +/23 +255.255.254.0 ++ +1024 +/22 +255.255.252.0 ++ +2048 +/21 +255.255.248.0 ++ +4096 +/20 +255.255.240.0 ++ +8192 +/19 +255.255.224.0 ++ +16384 +/18 +255.255.192.0 ++ +32768 +/17 +255.255.128.0 ++ +65536 +/16 +255.255.0.0 ++ +2 ** 24 +/8 +255.0.0.0 +
Notice that the VLSM is written with a slash ("/") -- you will + often hear a subnet of size 64 referred to as a "slash 26" subnet and one of + size 8 referred to as a "slash 29".
+The subnet's mask (also referred to as its netmask) is simply a 32-bit number with the first "VLSM" + bits set to one and the remaining bits set to zero. For example, for a subnet + of size 64, the subnet mask has 26 leading one bits:
+++11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 = + 255.255.255.192
+
The subnet mask has the property that if you logically AND the + subnet mask with an address in the subnet, the result is the subnet address. + Just as important, if you logically AND the subnet mask with an address + outside the subnet, the result is NOT the subnet address. As we will see + below, this property of subnet masks is very useful in routing.
+For a subnetwork whose address is a.b.c.d and whose + Variable Length Subnet Mask is /v, we denote the subnetwork as "a.b.c.d/v" + using VLSM Notation.
+Example:
++++
++ +Subnet: +10.10.10.0 - 10.10.10.127 ++ +Subnet Size: +128 ++ +Subnet Address: +10.10.10.0 ++ +Broadcast Address: +10.10.10.127 ++ +VLSM Notation: +10.10.10.0/25 +
There are two degenerate subnets that need mentioning; namely, the +subnet with one member and the subnet with 2 ** 32 members.
++++
++ +Size of Subnetwork +VLSM Length +Subnet Mask +VLSM Notation ++ +1 +32 +255.255.255.255 +a.b.c.d/32 ++ +2 ** 32 +0 +0.0.0.0 +0.0.0.0/0 +
So any address a.b.c.d may also be written +a.b.c.d/32 and the set of all possible IP addresses is written 0.0.0.0/0.
+Later in this guide, you will see the notation a.b.c.d/v +used to describe the ip configuration of a network interface (the 'ip' utility +also uses this syntax). This simply means that the interface is configured with +ip address a.b.c.d and with the netmask that corresponds to VLSM /v.
+Example: 192.0.2.65/29
+The interface is configured with IP address +192.0.2.65 and netmask 255.255.255.248.
+One of the purposes of subnetting is that it forms the basis +for routing. Here's the routing table on my firewall:
+++[root@gateway root]# netstat -nr +Kernel IP routing table +Destination Gateway Genmask Flags MSS Window irtt Iface +192.168.9.1 0.0.0.0 255.255.255.255 UH 40 0 0 texas +206.124.146.177 0.0.0.0 255.255.255.255 UH 40 0 0 eth1 +206.124.146.180 0.0.0.0 255.255.255.255 UH 40 0 0 eth3 +192.168.3.0 0.0.0.0 255.255.255.0 U 40 0 0 eth3 +192.168.2.0 0.0.0.0 255.255.255.0 U 40 0 0 eth1 +192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2 +206.124.146.0 0.0.0.0 255.255.255.0 U 40 0 0 eth0 +192.168.9.0 192.0.2.223 255.255.255.0 UG 40 0 0 texas +127.0.0.0 0.0.0.0 255.0.0.0 U 40 0 0 lo +0.0.0.0 206.124.146.254 0.0.0.0 UG 40 0 0 eth0 +[root@gateway root]#+
The device texas is a GRE tunnel to a peer site in the
+Dallas, Texas area.
+
+The first three routes are host routes since they indicate how to get to
+a single host. In the 'netstat' output this can be seen by the "Genmask" (Subnet
+Mask) of 255.255.255.255 and the "H" in the Flags column. The remainder are 'net' routes since they tell the
+kernel how to route packets to a subnetwork. The last route is the default
+route and the gateway mentioned in that route is called the default
+gateway.
When the kernel is trying to send a packet to IP address A, +it starts at the top of the routing table and:
+A is logically ANDed with the 'Genmask' value in the +table entry.
+The result is compared with the 'Destination' value in the table +entry.
+If the result and the 'Destination' value are the same, then:
+If the 'Gateway' column is non-zero, the packet is sent to the +gateway over the interface named in the 'Iface' column.
+Otherwise, the packet is sent directly to A over the +interface named in the 'iface' column.
+Otherwise, the above steps are repeated on the next entry in the +table.
+Since the default route matches any IP address (A land +0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table +entries are sent to the default gateway which is usually a router at your +ISP.
+Lets take an example. Suppose that we want to route a packet to +192.168.1.5. That address clearly doesn't match any of the host routes in the +table but if we logically and that address with 255.255.255.0, the result is +192.168.1.0 which matches this routing table entry:
+++192.168.1.0 0.0.0.0 255.255.255.0 U 40 0 0 eth2+
So to route a packet to 192.168.1.5, the packet is sent directly over eth2.
When sending packets over Ethernet, IP addresses aren't used. +Rather Ethernet addressing is based on Media Access Control (MAC) +addresses. Each Ethernet device has it's own unique MAC address which is +burned into a PROM on the device during manufacture. You can obtain the MAC of +an Ethernet device using the 'ip' utility:
+++++[root@gateway root]# ip addr show eth0 +2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100 +link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff +inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0 +inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0 +inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0 +[root@gateway root]#+
As you can see from the above output, the MAC is 6 bytes (48 + bits) wide. A card's MAC is usually also printed on a label attached to the card + itself. +
Because IP uses IP addresses and Ethernet uses MAC addresses, + a mechanism is required to translate an IP address into a MAC address; that is + the purpose of the Address Resolution Protocol (ARP). Here is ARP in + action:
++++[root@gateway root]# tcpdump -nei eth2 arp +tcpdump: listening on eth2 +09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254 +09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0 + +2 packets received by filter +0 packets dropped by kernel +[root@gateway root]# ++
In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants to +know the MAC of the device with IP address 192.168.1.19. The system having that +IP address is responding that the MAC address of the device with IP address +192.168.1.19 is 0:6:25:aa:8a:f0.
+In order to avoid having to exchange ARP information each time +that an IP packet is to be sent, systems maintain an ARP cache of +IP<->MAC correspondences. You can see the ARP cache on your system (including +your Windows system) using the 'arp' command:
+++++[root@gateway root]# arp -na +? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1 +? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2 +? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2 +? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0 +? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2+
The leading question marks are a result of my having specified +the 'n' option (Windows 'arp' doesn't allow that option) which causes the 'arp' +program to forego IP->DNS name translation. Had I not given that option, the +question marks would have been replaced with the FQDN corresponding to each IP +address. Notice that the last entry in the table records the information we saw +using tcpdump above.
+IP addresses are allocated by the +Internet Assigned Number Authority (IANA) +who delegates allocations on a geographic basis to Regional Internet +Registries (RIRs). For example, allocation for the Americas and for +sub-Sahara Africa is delegated to the American +Registry for Internet Numbers (ARIN). These RIRs may in turn delegate to +national registries. Most of us don't deal with these registrars but rather get +our IP addresses from our ISP.
+It's a fact of life that most of us can't afford as many Public +IP addresses as we have devices to assign them to so we end up making use of +Private IP addresses. RFC 1918 reserves several IP address ranges for this +purpose:
+10.0.0.0 - 10.255.255.255 + 172.16.0.0 - 172.31.255.255 + 192.168.0.0 - 192.168.255.255+
The addresses reserved by RFC 1918 are sometimes referred to + as non-routable because the Internet backbone routers don't forward + packets which have an RFC-1918 destination address. This is understandable + given that anyone can select any of these addresses for their private use.
When selecting addresses from these ranges, there's a couple + of things to keep in mind:
As the IPv4 address space becomes depleted, more and more + organizations (including ISPs) are beginning to use RFC 1918 addresses in + their infrastructure.
You don't want to use addresses that are being used by + your ISP or by another organization with whom you want to establish a VPN + relationship.
So it's a good idea to check with your ISP to see if they are + using (or are planning to use) private addresses before you decide the + addresses that you are going to use.
The choice of how to set up your network depends primarily on + how many Public IP addresses you have vs. how many addressable entities you + have in your network. Regardless of how many addresses you have, your ISP will + handle that set of addresses in one of two ways:
Routed - Traffic to any of your addresses will be + routed through a single gateway address. This will generally only be + done if your ISP has assigned you a complete subnet (/29 or larger). In this + case, you will assign the gateway address as the IP address of your + firewall/router's external interface.
Non-routed - Your ISP will send traffic to each of your + addresses directly.
In the subsections that follow, we'll look at each of these + separately.
Let's assume that your ISP has assigned you the subnet + 192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses + 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address is + 192.0.2.65. Your ISP has also told you that you should use a netmask of + 255.255.255.0 (so your /28 is part of a larger /24). With this many IP + addresses, you are able to subnet your /28 into two /29's and set up your + network as shown in the following diagram.
+
Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local + network is 192.0.2.72/29. The default gateway for hosts in the DMZ would be + configured to 192.0.2.66 and the default gateway for hosts in the local + network would be 192.0.2.73.
Notice that this arrangement is rather wasteful of public IP + addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet addresses, + 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and 192.0.2.66 and + 168.0.2.73 for internal addresses on the firewall/router. Nevertheless, it + shows how subnetting can work and if we were dealing with a /24 rather than a + /28 network, the use of 6 IP addresses out of 256 would be justified because + of the simplicity of the setup.
The astute reader may have noticed that the Firewall/Router's + external interface is actually part of the DMZ subnet (192.0.2.64/29). What if + DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The routing table on + DMZ 1 will look like this:
++Kernel IP routing table +Destination Gateway Genmask Flags MSS Window irtt Iface +192.0.2.64 0.0.0.0 255.255.255.248 U 40 0 0 eth0 +0.0.0.0 192.0.2.66 0.0.0.0 UG 40 0 0 eth0+
This means that DMZ 1 will send an ARP "who-has 192.0.2.65" + request and no device on the DMZ Ethernet segment has that IP address. Oddly + enough, the firewall will respond to the request with the MAC address of its + DMZ Interface!! DMZ 1 can then send Ethernet frames addressed to that + MAC address and the frames will be received (correctly) by the firewall/router.
It is this rather unexpected ARP behavior on the part of the + Linux Kernel that prompts the warning earlier in this guide regarding the + connecting of multiple firewall/router interfaces to the same hub or switch. + When an ARP request for one of the firewall/router's IP addresses is sent by + another system connected to the hub/switch, all + of the firewall's interfaces that connect to the hub/switch can respond! It + is then a race as to which "here-is" response reaches the sender first.
If you have the above situation but it is + non-routed, you can configure your network exactly as described above with one + additional twist; simply specify the "proxyarp" option on all three firewall + interfaces in the /etc/shorewall/interfaces file.
Most of us don't have the luxury of having enough public IP + addresses to set up our networks as shown in the preceding example (even if + the setup is routed).
For the remainder of this section, assume that your ISP has + assigned you IP addresses 192.0.2.176-180 and has told you to use netmask + 255.255.255.0 and default gateway 192.0.2.254.
Clearly, that set of addresses doesn't comprise a subnetwork + and there aren't enough addresses for all of the network interfaces. There are + four different techniques that can be used to work around this problem.
Source Network Address Translation (SNAT).
Destination Network Address Translation (DNAT) also + known as Port Forwarding.
Proxy ARP.
Network Address Translation (NAT) also referred to as + Static NAT.
Often a combination of these techniques is used. Each of these + will be discussed in the sections that follow.
With SNAT, an internal LAN segment is configured using RFC 1918 + addresses. When a host A on this internal segment initiates a + connection to host B on the internet, the firewall/router rewrites the + IP header in the request to use one of your public IP addresses as the source + address. When B responds and the response is received by the firewall, + the firewall changes the destination address back to the RFC 1918 address of + A and forwards the response back to A.
Let's suppose that you decide to use SNAT on your local zone + and use public address 192.0.2.176 as both your firewall's external IP address + and the source IP address of internet requests sent from that zone.
+++
++ +INTERFACE +SUBNET +ADDRESS ++ +eth0 +192.168.201.0/29 +192.0.2.176 +
This example used the normal technique of assigning the same + public IP address for the firewall external interface and for SNAT. If you + wanted to use a different IP address, you would either have to use your + distributions network configuration tools to add that IP address to the + external interface or you could set ADD_SNAT_ALIASES=Yes in + /etc/shorewall/shorewall.conf and Shorewall will add the address for you.
When SNAT is used, it is impossible for hosts on the internet + to initiate a connection to one of the internal systems since those systems do + not have a public IP address. DNAT provides a way to allow selected + connections from the internet.
+ Suppose that your daughter wants to run a web server on her system "Local 3". You + could allow connections to the internet to her server by adding the following + entry in /etc/shorewall/rules:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL DESTINATION ++ +DNAT +net +loc:192.168.201.4 +tcp +www +- +192.0.2.176 +
If one of your daughter's friends at address A wants to + access your daughter's server, she can connect to + http://192.0.2.176 (the firewall's external IP address) and the firewall + will rewrite the destination IP address to 192.168.201.4 (your daughter's system) + and forward the request. When your daughter's server responds, the firewall will + rewrite the source address back to 192.0.2.176 and send the response back to + A.
This example used the firewall's external IP address for DNAT. + You can use another of your public IP addresses but Shorewall will not add + that address to the firewall's external interface for you.
The idea behind proxy ARP is that:
A host H behind your firewall is assigned one of your + public IP addresses (A) and is assigned the same netmask (M) as + the firewall's external interface.
The firewall responds to ARP "who has" requests for A.
When H issues an ARP "who has" request for an address + in the subnetwork defined by A and M, the firewall will respond + (with the MAC if the firewall interface to H).
Let suppose that we decide to use Proxy ARP on the DMZ in our + example network.
+
+++
++ +ADDRESS +INTERFACE +EXTERNAL +HAVE ROUTE ++ +192.0.2.177 +eth2 +eth0 +No ++ +192.0.2.178 +eth2 +eth0 +No +
Because the HAVE ROUTE column contains No, Shorewall will add + host routes thru eth2 to 192.0.2.177 and 192.0.2.178.
A word of warning is in order here. ISPs typically configure + there routers with a long ARP cache timeout. If you move a system from + parallel to your firewall to behind your firewall with Proxy ARP, it will + probably be HOURS before that system can communicate with the internet. You + can call your ISP and ask them to purge the stale ARP cache entry but many + either can't or won't purge individual entries. You can determine if your + ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we + suspect that the gateway router has a stale ARP cache entry for 192.0.2.177. + On the firewall, run tcpdump as follows:
tcpdump -nei eth0 icmp+
Now from 192.0.2.177, ping the default gateway (which we are + assuming is 192.0.2.254):
ping 192.0.2.254+
We can now observe the tcpdump output:
13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF) + 13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 192.0.2.254 > 192.0.2.177 : icmp: echo reply+
Notice that the source MAC address in the echo request is + different from the destination MAC address in the echo reply!! In this case + 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 + was the MAC address of DMZ 1. In other words, the gateway's ARP cache still + associates 192.0.2.177 with the NIC in DMZ 1 rather than with the firewall's + eth0.
With static NAT, you assign local systems RFC 1918 addresses + then establish a one-to-one mapping between those addresses and public IP + addresses. For outgoing connections SNAT occurs and on incoming connections + DNAT occurs. Let's go back to our earlier example involving your daughter's web + server running on system Local 3.
Recall that in this setup, the local network is using SNAT and + is sharing the firewall external IP (192.0.2.176) for outbound connections. + This is done with the following entry in /etc/shorewall/masq:
+++
++ +INTERFACE +SUBNET +ADDRESS ++ +eth0 +192.168.201.0/29 +192.0.2.176 +
+ Suppose now that you have decided to give your daughter her own IP address + (192.0.2.179) for both inbound and outbound connections. You would do that by + adding an entry in /etc/shorewall/nat.
+++
++ +EXTERNAL +INTERFACE +INTERNAL +ALL INTERFACES +LOCAL ++ +192.0.2.179 +eth0 +192.168.201.4 +No +No +
With this entry in place, you daughter has her own IP address + and the other two local systems share the firewall's IP address.
+ Once the relationship between 192.0.2.179 and 192.168.201.4 is established by + the nat file entry above, it is no longer + appropriate to use a DNAT rule for you daughter's web server -- you would + rather just use an ACCEPT rule:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL DESTINATION ++ +ACCEPT +net +loc:192.168.201.4 +tcp +www ++ +
+ With the default policies, your local systems (Local 1-3) can access any + servers on the internet and the DMZ can't access any other host (including the + firewall). With the exception of DNAT rules which cause + address translation and allow the translated connection request to pass + through the firewall, the way to allow connection requests through your + firewall is to use ACCEPT rules.
NOTE: Since the SOURCE PORT and ORIG. DEST. Columns aren't + used in this section, they won't be shown
You probably want to allow ping between your zones:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT ++ +ACCEPT +net +dmz +icmp +echo-request ++ +ACCEPT +net +loc +icmp +echo-request ++ +ACCEPT +dmz +loc +icmp +echo-request ++ +ACCEPT +loc +dmz +icmp +echo-request +
Let's suppose that you run mail and pop3 servers on DMZ 2 and + a Web Server on DMZ 1. The rules that you would need are:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +COMMENTS ++ +ACCEPT +net +dmz:192.0.2.178 +tcp +smtp +# Mail from the Internet ++ +ACCEPT +net +dmz:192.0.2.178 +tcp +pop3 +# Pop3 from the Internet ++ +ACCEPT +loc +dmz:192.0.2.178 +tcp +smtp +# Mail from the Local Network ++ +ACCEPT +loc +dmz:192.0.2.178 +tcp +pop3 +# Pop3 from the Local Network ++ +ACCEPT +fw +dmz:192.0.2.178 +tcp +smtp +# Mail from the Firewall ++ +ACCEPT +dmz:192.0.2.178 +net +tcp +smtp +# Mail to the Internet ++ +ACCEPT +net +dmz:192.0.2.177 +tcp +http +# WWW from the Net ++ +ACCEPT +net +dmz:192.0.2.177 +tcp +https +# Secure HTTP from the Net ++ +ACCEPT +loc +dmz:192.0.2.177 +tcp +https +# Secure HTTP from the Local Net +
If you run a public DNS server on 192.0.2.177, you would need + to add the following rules:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +COMMENTS ++ +ACCEPT +net +dmz:192.0.2.177 +udp +domain +# UDP DNS from the Internet ++ +ACCEPT +net +dmz:192.0.2.177 +tcp +domain +# TCP DNS from the internet ++ +ACCEPT +fw +dmz:192.0.2.177 +udp +domain +# UDP DNS from firewall ++ +ACCEPT +fw +dmz:192.0.2.177 +tcp +domain +# TCP DNS from firewall ++ +ACCEPT +loc +dmz:192.0.2.177 +udp +domain +# UDP DNS from the local Net ++ +ACCEPT +loc +dmz:192.0.2.177 +tcp +domain +# TCP DNS from the local Net ++ +ACCEPT +dmz:192.0.2.177 +net +udp +domain +# UDP DNS to the Internet ++ +ACCEPT +dmz:192.0.2.177 +net +tcp +domain +# TCP DNS to the Internet +
You probably want some way to communicate with your firewall + and DMZ systems from the local network -- I recommend SSH which through its + scp utility can also do publishing and software update distribution.
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +COMMENTS ++ +ACCEPT +loc +dmz +tcp +ssh +# SSH to the DMZ ++ +ACCEPT +loc +fw +tcp +ssh +# SSH to the Firewall +
The above discussion reflects my personal preference for using + Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I prefer + to use NAT only in cases where a system that is part of an RFC 1918 subnet + needs to have it's own public IP.
+ If you haven't already, it would be a good idea to browse through + /etc/shorewall/shorewall.conf just to see + if there is anything there that might be of interest. You might also want to + look at the other configuration files that you haven't touched yet just to get + a feel for the other things that Shorewall can do.
In case you haven't been keeping score, here's the final set + of configuration files for our sample network. Only those that were modified + from the original installation are shown.
/etc/shorewall/interfaces (The "options" will be very + site-specific).
+++
++ +Zone +Interface +Broadcast +Options ++ +net +eth0 +detect +norfc1918,routefilter ++ +loc +eth1 +detect ++ + +dmz +eth2 +detect ++
The setup described here requires that your network interfaces + be brought up before Shorewall can start. This opens a short window during + which you have no firewall protection. If you replace 'detect' with the actual + broadcast addresses in the entries above, you can bring up Shorewall before + you bring up your network interfaces.
+++
++ +Zone +Interface +Broadcast +Options ++ +net +eth0 +192.0.2.255 +norfc1918,routefilter ++ +loc +eth1 +192.168.201.7 ++ + +dmz +eth2 +192.168.202.7 ++
/etc/shorewall/masq - Local subnet
+++
++ +INTERFACE +SUBNET +ADDRESS ++ +eth0 +192.168.201.0/29 +192.0.2.176 +
/etc/shorewall/proxyarp - DMZ
+++
++ +ADDRESS +INTERFACE +EXTERNAL +HAVE ROUTE ++ +192.0.2.177 +eth2 +eth0 +No ++ +192.0.2.178 +eth2 +eth0 +No +
/etc/shorewall/nat- Daughter's System
+++
++ +EXTERNAL +INTERFACE +INTERNAL +ALL INTERFACES +LOCAL ++ +192.0.2.179 +eth0 +192.168.201.4 +No +No +
/etc/shorewall/rules
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +COMMENTS ++ +ACCEPT +net +dmz:192.0.2.178 +tcp +smtp +# Mail from the Internet ++ +ACCEPT +net +dmz:192.0.2.178 +tcp +pop3 +# Pop3 from the Internet ++ +ACCEPT +loc +dmz:192.0.2.178 +tcp +smtp +# Mail from the Local Network ++ +ACCEPT +loc +dmz:192.0.2.178 +tcp +pop3 +# Pop3 from the Local Network ++ +ACCEPT +fw +dmz:192.0.2.178 +tcp +smtp +# Mail from the Firewall ++ +ACCEPT +dmz:192.0.2.178 +net +tcp +smtp +# Mail to the Internet ++ +ACCEPT +net +dmz:192.0.2.178 +tcp +http +# WWW from the Net ++ +ACCEPT +net +dmz:192.0.2.178 +tcp +https +# Secure HTTP from the Net ++ +ACCEPT +loc +dmz:192.0.2.178 +tcp +https +# Secure HTTP from the Local Net ++ +ACCEPT +net +dmz:192.0.2.177 +udp +domain +# UDP DNS from the Internet ++ +ACCEPT +net +dmz:192.0.2.177 +tcp +domain +# TCP DNS from the internet ++ +ACCEPT +fw +dmz:192.0.2.177 +udp +domain +# UDP DNS from firewall ++ +ACCEPT +fw +dmz:192.0.2.177 +tcp +domain +# TCP DNS from firewall ++ +ACCEPT +loc +dmz:192.0.2.177 +udp +domain +# UDP DNS from the local Net ++ +ACCEPT +loc +dmz:192.0.2.177 +tcp +domain +# TCP DNS from the local Net ++ +ACCEPT +dmz:192.0.2.177 +net +udp +domain +# UDP DNS to the Internet ++ +ACCEPT +dmz:192.0.2.177 +net +tcp +domain +# TCP DNS to the Internet ++ +ACCEPT +net +dmz +icmp +echo-request +# Ping ++ +ACCEPT +net +loc +icmp +echo-request +# " ++ +ACCEPT +dmz +loc +icmp +echo-request +# " ++ +ACCEPT +loc +dmz +icmp +echo-request +# " ++ +ACCEPT +loc +dmz +tcp +ssh +# SSH to the DMZ ++ +ACCEPT +loc +fw +tcp +ssh +# SSH to the Firewall +
Given the collection of RFC 1918 and public addresses in this + setup, it only makes sense to have separate internal and external DNS servers. + You can combine the two into a single BIND 9 server using Views. + + If you are not interested in Bind 9 views, you can + go to the next section.
Suppose that your domain is foobar.net and you want the two + DMZ systems named www.foobar.net and mail.foobar.net and you want the three + local systems named "winken.foobar.net, blinken.foobar.net and nod.foobar.net. + You want your firewall to be known as firewall.foobar.net externally and it's + interface to the local network to be know as gateway.foobar.net and its + interface to the dmz as dmz.foobar.net. Let's have the DNS server on + 192.0.2.177 which will also be known by the name ns1.foobar.net.
The /etc/named.conf file would look like this:
++++options { + directory "/var/named"; + listen-on { 127.0.0.1 ; 192.0.2.177; }; +}; + +logging { + channel xfer-log { + file "/var/log/named/bind-xfer.log"; + print-category yes; + print-severity yes; + print-time yes; + severity info; + }; + category xfer-in { xfer-log; }; + category xfer-out { xfer-log; }; + category notify { xfer-log; }; +};+++# +# This is the view presented to our internal systems +# + +view "internal" { + # + # These are the clients that see this view + # + match-clients { 192.168.201.0/29; + 192.168.202.0/29; + 127.0.0/24; + 192.0.2.176/32; + 192.0.2.178/32; + 192.0.2.179/32; + 192.0.2.180/32; }; + # + # If this server can't complete the request, it should use outside + # servers to do so + # + recursion yes; + + zone "." in { + type hint; + file "int/root.cache"; + }; + + zone "foobar.net" in { + type master; + notify no; + allow-update { none; }; + file "int/db.foobar"; + }; + + zone "0.0.127.in-addr.arpa" in { + type master; + notify no; + allow-update { none; }; + file "int/db.127.0.0"; + }; + + zone "201.168.192.in-addr.arpa" in { + type master; + notify no; + allow-update { none; }; + file "int/db.192.168.201"; + }; + + zone "202.168.192.in-addr.arpa" in { + type master; + notify no; + allow-update { none; }; + file "int/db.192.168.202"; + }; + + zone "176.2.0.192.in-addr.arpa" in { + type master; + notify no; + allow-update { none; }; + file "db.192.0.2.176"; + }; + + zone "177.2.0.192.in-addr.arpa" in { + type master; + notify no; + allow-update { none; }; + file "db.192.0.2.177"; + }; + + zone "178.2.0.192.in-addr.arpa" in { + type master; + notify no; + allow-update { none; }; + file "db.192.0.2.178"; + }; + + zone "179.2.0.192.in-addr.arpa" in { + type master; + notify no; + allow-update { none; }; + file "db.206.124.146.179"; + }; + +}; +# +# This is the view that we present to the outside world +# +view "external" { + match-clients { any; }; + # + # If we can't answer the query, we tell the client so + # + recursion no; + + 
zone "foobar.net" in { + type master; + notify yes; + allow-update {none; }; + allow-transfer { <secondary NS IP>; }; + file "ext/db.foobar"; + }; + + zone "176.2.0.192.in-addr.arpa" in { + type master; + notify yes; + allow-update { none; }; + allow-transfer { <secondary NS IP>; }; + file "db.192.0.2.176"; + }; + + zone "177.2.0.192.in-addr.arpa" in { + type master; + notify yes; + allow-update { none; }; + allow-transfer { <secondary NS IP>; }; + file "db.192.0.2.177"; + }; + + zone "178.2.0.192.in-addr.arpa" in { + type master; + notify yes; + allow-update { none; }; + allow-transfer { <secondary NS IP>; }; + file "db.192.0.2.178"; + }; + + zone "179.2.0.192.in-addr.arpa" in { + type master; + notify yes; + allow-update { none; }; + allow-transfer { <secondary NS IP>; }; + file "db.192.0.2.179"; + }; +};+
Here are the files in /var/named (those not shown are usually + included in your bind disbribution).
db.192.0.2.176 - This is + the reverse zone for the firewall's external interface
++; ############################################################ +; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32 +; Filename: db.192.0.2.176 +; ############################################################ +@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. ( + 2001102303 ; serial + 10800 ; refresh (3 hour) + 3600 ; retry (1 hour) + 604800 ; expire (7 days) + 86400 ) ; minimum (1 day) +; +; ############################################################ +; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA) +; ############################################################ +@ 604800 IN NS ns1.foobar.net. +@ 604800 IN NS <name of secondary ns>. +; +; ############################################################ +; Iverse Address Arpa Records (PTR's) +; ############################################################ +176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net. ++
++; ############################################################ +; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32 +; Filename: db.192.0.2.177 +; ############################################################ +@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. ( + 2001102303 ; serial + 10800 ; refresh (3 hour) + 3600 ; retry (1 hour) + 604800 ; expire (7 days) + 86400 ) ; minimum (1 day) +; +; ############################################################ +; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA) +; ############################################################ +@ 604800 IN NS ns1.foobar.net. +@ 604800 IN NS <name of secondary ns>. +; +; ############################################################ +; Iverse Address Arpa Records (PTR's) +; ############################################################ +177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net. ++
++; ############################################################ +; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32 +; Filename: db.192.0.2.178 +; ############################################################ +@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. ( + 2001102303 ; serial + 10800 ; refresh (3 hour) + 3600 ; retry (1 hour) + 604800 ; expire (7 days) + 86400 ) ; minimum (1 day) +; +; ############################################################ +; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA) +; ############################################################ +@ 604800 IN NS ns1.foobar.net. +@ 604800 IN NS <name of secondary ns>. +; +; ############################################################ +; Iverse Address Arpa Records (PTR's) +; ############################################################ +178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net. ++
++; ############################################################ +; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32 +; Filename: db.192.0.2.179 +; ############################################################ +@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. ( + 2001102303 ; serial + 10800 ; refresh (3 hour) + 3600 ; retry (1 hour) + 604800 ; expire (7 days) + 86400 ) ; minimum (1 day) +; +; ############################################################ +; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA) +; ############################################################ +@ 604800 IN NS ns1.foobar.net. +@ 604800 IN NS <name of secondary ns>. +; +; ############################################################ +; Iverse Address Arpa Records (PTR's) +; ############################################################ +179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net. ++
int/db.127.0.0 - The reverse zone for localhost
++; ############################################################ +; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8 +; Filename: db.127.0.0 +; ############################################################ +@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. ( + 2001092901 ; serial + 10800 ; refresh (3 hour) + 3600 ; retry (1 hour) + 604800 ; expire (7 days) + 86400 ) ; minimum (1 day) +; ############################################################ +; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA) +; ############################################################ +@ 604800 IN NS ns1.foobar.net. + +; ############################################################ +; Iverse Address Arpa Records (PTR's) +; ############################################################ +1 86400 IN PTR localhost.foobar.net.+
int/db.192.168.201 - Reverse zone for the local net. This is + only shown to internal clients
++; ############################################################ +; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29 +; Filename: db.192.168.201 +; ############################################################ +@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. ( + 2002032501 ; serial + 10800 ; refresh (3 hour) + 3600 ; retry (1 hour) + 604800 ; expire (7 days) + 86400 ) ; minimum (1 day) + +; ############################################################ +; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA) +; ############################################################ +@ 604800 IN NS ns1.foobar.net. + +; ############################################################ +; Iverse Address Arpa Records (PTR's) +; ############################################################ +1 86400 IN PTR gateway.foobar.net. +2 86400 IN PTR winken.foobar.net. +3 86400 IN PTR blinken.foobar.net. +4 86400 IN PTR nod.foobar.net.+
int/db.192.168.202 - Reverse zone for the firewall's DMZ + interface
++++; ############################################################ +; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29 +; Filename: db.192.168.202 +; ############################################################ +@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. ( + 2002032501 ; serial + 10800 ; refresh (3 hour) + 3600 ; retry (1 hour) + 604800 ; expire (7 days) + 86400 ) ; minimum (1 day) + +; ############################################################ +; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA) +; ############################################################ +@ 604800 IN NS ns1.foobar.net. + +; ############################################################ +; Iverse Address Arpa Records (PTR's) +; ############################################################ +1 86400 IN PTR dmz.foobar.net.+
int/db.foobar - Forward zone for use by internal clients.
++;############################################################## +; Start of Authority for foobar.net. +; Filename: db.foobar +;############################################################## +@ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. ( + 2002071501 ; serial + 10800 ; refresh (3 hour) + 3600 ; retry (1 hour) + 604800 ; expire (7 days) + 86400 ); minimum (1 day) +;############################################################ +; foobar.net Nameserver Records (NS) +;############################################################ +@ 604800 IN NS ns1.foobar.net. + +;############################################################ +; Foobar.net Office Records (ADDRESS) +;############################################################ +localhost 86400 IN A 127.0.0.1 + +firewall 86400 IN A 192.0.2.176 +www 86400 IN A 192.0.2.177 +ns1 86400 IN A 192.0.2.177 +www 86400 IN A 192.0.2.177 + +gateway 86400 IN A 192.168.201.1 +winken 86400 IN A 192.168.201.2 +blinken 86400 IN A 192.168.201.3 +nod 86400 IN A 192.168.201.4+
ext/db.foobar - Forward zone for external clients
++++;############################################################## +; Start of Authority for foobar.net. +; Filename: db.foobar +;############################################################## +@ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. ( + 2002052901 ; serial + 10800 ; refresh (3 hour) + 3600 ; retry (1 hour) + 604800 ; expire (7 days) + 86400 ); minimum (1 day) +;############################################################ +; Foobar.net Nameserver Records (NS) +;############################################################ +@ 86400 IN NS ns1.foobar.net. +@ 86400 IN NS <secondary NS>. +;############################################################ +; Foobar.net Foobar Wa Office Records (ADDRESS) +;############################################################ +localhost 86400 IN A 127.0.0.1 +; +; The firewall itself +; +firewall 86400 IN A 192.0.2.176 +; +; The DMZ +; +ns1 86400 IN A 192.0.2.177 +www 86400 IN A 192.0.2.177 +mail 86400 IN A 192.0.2.178 +; +; The Local Network +; +nod 86400 IN A 192.0.2.179 + +;############################################################ +; Current Aliases for foobar.net (CNAME) +;############################################################ + +;############################################################ +; foobar.net MX Records (MAIL EXCHANGER) +;############################################################ +foobar.net. 86400 IN A 192.0.2.177 + 86400 IN MX 0 mail.foobar.net. + 86400 IN MX 1 <backup MX>.+
The installation procedure + configures your system to start Shorewall at system boot.
The firewall is started using the "shorewall start" command + and stopped using "shorewall stop". When the firewall is stopped, routing is + enabled on those hosts that have an entry in + /etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. If + you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".
+ Edit the /etc/shorewall/routestopped file and configure those systems that you + want to be able to access the firewall when it is stopped.
WARNING: If you are connected to your firewall from the + internet, do not issue a "shorewall stop" command unless you have added an + entry for the IP address that you are connected from to + /etc/shorewall/routestopped. + Also, I don't recommend using "shorewall restart"; it is better to create an + alternate configuration and + test it using the "shorewall try" command.
Last updated +8/10/2002 - Tom +Eastep
+ +Copyright 2002 Thomas M. Eastep
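Review bot: the consolidated /etc/shorewall/rules listing under "here's the final set of configuration files" points web traffic at the wrong DMZ host. Its three web rows read `ACCEPT net dmz:192.0.2.178 tcp http` (and likewise for https from net and from loc), while the earlier rules table and the ext/db.foobar zone (www and ns1 at 192.0.2.177) place the web server on 192.0.2.177. A reader who copies the "final" listing opens 80/443 to the mail server and leaves the web server unreachable; the three http/https rows should say dmz:192.0.2.177 so the summary matches the walkthrough. Two smaller points in the BIND section: the SOA in int/db.192.168.201 and int/db.192.168.202 is written `@ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (` with no trailing dot on ns1.foobar.net, so named appends the zone origin to the primary name (the other zone files correctly use ns1.foobar.net.); and the internal view's 179.2.0.192.in-addr.arpa zone refers to `file "db.206.124.146.179";` while every other zone, and the same zone in the external view, uses the db.192.0.2.x naming, which looks like a leftover from a different address plan and will fail to load. Also int/db.foobar repeats the www A record and has no mail record at all, so internal clients, which the rules let reach the mail server on 192.0.2.178, cannot resolve mail.foobar.net through the internal view. Typos: "disbribution", and "Iverse Address Arpa" in every reverse zone header.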
+ + + + diff --git a/Shorewall-docs/spam_filters.htm b/Shorewall-docs/spam_filters.htm new file mode 100644 index 000000000..e78e581f0 --- /dev/null +++ b/Shorewall-docs/spam_filters.htm @@ -0,0 +1,37 @@ + + + + + + + +Like all of you, I'm concerned about the increasing volume of Unsolicited +Commercial Email (UCE or SPAM). I am therefore sympathetic with those of you who +are installing SPAM filters on your mail servers. A couple of recent incidents +involving mis-configured filters have prompted me to establish this page to spell +out what I will do when these filters bounce list postings.
+When your SPAM filter bounces/rejects list mail, I will:
+When you have corrected the problem, please let me know and I will re-enable +delivery (or you can reenable delivery yourself).
+Last Updated 3/21/2002 - Tom Eastep
+ +Copyright +© 2001, 2002 Thomas M. Eastep.
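Review bot: the policy this page exists to state is missing: "When your SPAM filter bounces/rejects list mail, I will:" is followed by no list items before "When you have corrected the problem, please let me know", so the reader is never told what action is taken. Please restore the list of steps.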
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/standalone.htm b/Shorewall-docs/standalone.htm new file mode 100644 index 000000000..b14242d05 --- /dev/null +++ b/Shorewall-docs/standalone.htm @@ -0,0 +1,313 @@ + + + + + + + +Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the +documentation.
+This guide doesn't attempt to acquaint you with all of the features of +Shorewall. It rather focuses on what is required to configure Shorewall in one +of its +most common configurations:
+This guide assumes that you have the iproute/iproute2 package installed (on +RedHat, the package is called iproute). You can tell if this +package is installed by the presence of an ip program on your firewall +system. As root, you can use the 'which' command to check for this program:
+[root@gateway root]# which ip + /sbin/ip + [root@gateway root]#
I recommend that you read through the guide +first to familiarize yourself with what's involved then go back through it again +making your configuration changes. Points at which configuration changes +are recommended are flagged with .
++If you edit your configuration files on a Windows system, you must save them as +Unix files if your editor supports that option or you must run them through +dos2unix before trying to use them. Similarly, if you copy a configuration file +from your Windows hard drive to a floppy disk, you must run dos2unix against the +copy before using it with Shorewall.
+ +The configuration files for Shorewall are contained in the directory +/etc/shorewall -- for simple setups, you only need to deal with a few of +these as described in this guide. After you have installed Shorewall, +download the one-interface sample, un-tar it +(tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall +(they will replace files with the same names that were placed in /etc/shorewall +during Shorewall installation).
+As each file is introduced, I suggest that you +look through the actual file on your system -- each file contains detailed +configuration instructions and default entries.
+Shorewall views the network where it is running as being composed of a set of +zones. In the one-interface sample configuration, only one zone is +defined:
+Name | +Description | +
net | +The Internet | +
Shorewall zones are defined in +/etc/shorewall/zones.
+Shorewall also recognizes the firewall system as its own zone - by default, +the firewall itself is known as fw.
+Rules about what traffic to allow and what traffic to deny are expressed in +terms of zones.
+For each connection request entering the firewall, the request is first checked against the +/etc/shorewall/rules file. If no rule in that file matches the connection +request then the first policy in /etc/shorewall/policy that matches the + +request is applied. If that policy is REJECT or DROP the request is first +checked against the rules in /etc/shorewall/common (the samples provide that +file for you).
+The /etc/shorewall/policy file included with the one-interface sample has the +following policies:
++++
++ +SOURCE ZONE +DESTINATION ZONE +POLICY +LOG LEVEL +LIMIT:BURST ++ +fw +net +ACCEPT ++ + + +net +net +DROP +info ++ + +all +all +REJECT +info ++
fw net ACCEPT + net all DROP info + all all REJECT info+
The above policy will:
+At this point, edit your /etc/shorewall/policy and make any changes that you +wish.
+The firewall has a single network interface. Where Internet +connectivity is through a cable or DSL "Modem", the External Interface +will be the ethernet adapter (eth0) that is connected to that "Modem" +unless you connect via Point-to-Point Protocol +over Ethernet (PPPoE) or Point-to-Point Tunneling +Protocol (PPTP) in which case the External Interface will be a ppp0. If you connect via a regular modem, your External +Interface will also be ppp0. If you connect using ISDN, your external +interface will be ippp0.
+The Shorewall one-interface sample configuration assumes that +the external interface is eth0. +If your configuration is different, you will have to modify the sample +/etc/shorewall/interfaces file accordingly. While you are there, you may wish to +review the list of options that are specified for the interface. Some hints:
+If your external interface is ppp0 or ippp0, you can replace the + "detect" in the second column with "-".
If your external interface is ppp0 or ippp0 or if you have a static IP + address, you can remove "dhcp" from the option list.
RFC 1918 reserves several Private IP address ranges for +use in private networks:
+10.0.0.0 - 10.255.255.255 + 172.16.0.0 - 172.31.255.255 + 192.168.0.0 - 192.168.255.255+
These addresses are sometimes referred to as non-routable + because the Internet backbone routers will not forward a packet whose + destination address is reserved by RFC 1918. In some cases though, ISPs are + assigning these addresses then using Network Address Translation to + rewrite packet headers when forwarding to/from the internet.
++ Before starting Shorewall, you should look at the IP address of your external + interface and if it is one of the above ranges, you should remove the + 'norfc1918' option from the entry in /etc/shorewall/interfaces.
If you wish to enable connections from the internet to your firewall, the general format is:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +net +fw +<protocol> +<port> ++ +
Example - You want to run a Web Server and a POP3 Server on your firewall + system:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +net +fw +tcp +80 ++ + + +ACCEPT +net +fw +tcp +110 ++ +
If you don't know what port and protocol a particular + application uses, see here.
Important: I don't recommend enabling telnet to/from + the internet because it uses clear text (even for login!). If you want shell + access to your firewall from the internet, use SSH:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +net +fw +tcp +22 ++ +
ACCEPT net fw tcp 22+
At this point, edit + /etc/shorewall/rules to add other connections as desired.
The installation procedure + configures your system to start Shorewall at system boot.
The firewall is started using the "shorewall start" command + and stopped using "shorewall stop". When the firewall is stopped, routing is + enabled on those hosts that have an entry in + /etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. If + you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".
WARNING: If you are connected to your firewall from the + internet, do not issue a "shorewall stop" command unless you have added an + entry for the IP address that you are connected from to + /etc/shorewall/routestopped. + Also, I don't recommend using "shorewall restart"; it is better to create an + alternate configuration and + test it using the "shorewall try" command.
Last updated +7/23/2002 - Tom +Eastep
+ +Copyright 2002 Thomas M. Eastep
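Review bot: the policy table and the preformatted rendering of /etc/shorewall/policy disagree on the second line. The table row reads `net net DROP info` while the text listing directly below it reads `net all DROP info`; with a net-to-net policy, unsolicited packets from the Internet to the firewall would fall through to `all all REJECT info` and be rejected with an ICMP reply instead of silently dropped, which is a different exposure than the prose intends. The two renderings should agree (and the explanatory list after "The above policy will:" is empty in this hunk, so the reader cannot tell which is intended). A second point: the "Important" paragraph rightly steers readers away from telnet because it carries credentials in clear text, but the worked example a few lines earlier opens tcp 110 (POP3) from net to fw, which exposes passwords in exactly the same way; either choose a different example service or attach the same caveat to that rule.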
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/starting_and_stopping_shorewall.htm b/Shorewall-docs/starting_and_stopping_shorewall.htm new file mode 100644 index 000000000..89bf70f77 --- /dev/null +++ b/Shorewall-docs/starting_and_stopping_shorewall.htm @@ -0,0 +1,178 @@ + + + + + + + ++ If you have a permanent internet connection such as DSL or Cable, I +recommend that you start the firewall automatically at boot. Once you +have installed "firewall" in your init.d directory, simply type "chkconfig +--add firewall". This will start the firewall in run levels 2-5 and stop +it in run levels 1 and 6. If you want to configure your firewall differently +from this default, you can use the "--level" option in chkconfig +(see "man chkconfig") or using your favorite graphical run-level editor.
+ + + ++ + Important Note:
+ + + ++ If you use dialup, you may want to start the firewall in your /etc/ppp/ip-up.local + script. I recommend just placing "shorewall restart" in that script. + +
+ + + ++ You can manually start and stop Shoreline Firewall using the "shorewall" + shell program:
+ ++ The "shorewall" program may also be used to monitor the firewall.
+ ++ The shorewall start, shorewall restart, shorewall check and + shorewall try commands allow you to specify which + Shorewall configuration + to use:
+ ++ ++ ++ shorewall [ -c configuration-directory ] {start|restart|check}
+
+ shorewall try configuration-directory
+ If a configuration-directory is specified, each time that Shorewall + is going to use a file in /etc/shorewall it will first look in the configuration-directory + . If the file is present in the configuration-directory, that file + will be used; otherwise, the file in /etc/shorewall will be used.
+ + + ++ When changing the configuration of a production firewall, I recommend the + following:
+ + + ++ If the configuration starts but doesn't work, just "shorewall restart" to + restore the old configuration. If the new configuration fails to start, the + "try" command will automatically start the old one for you.
+ + + ++ When the new configuration works then just
+ + + ++ Updated 8/8/2002 - Tom +Eastep +
+ + + +Copyright + © 2001, 2002 Thomas M. Eastep.
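Review bot: the production change procedure is incomplete as rendered. Both "When changing the configuration of a production firewall, I recommend the following:" and "When the new configuration works then just" are followed by no steps, yet the paragraph between them relies on those steps ("If the new configuration fails to start, the 'try' command will automatically start the old one for you"). Please restore the missing steps so the `shorewall try configuration-directory` workflow described in the syntax block above can actually be followed. Also, this page recommends placing "shorewall restart" in /etc/ppp/ip-up.local and using it to fall back to the old configuration, while Documentation.htm in the same change says "I don't recommend using 'shorewall restart'; it is better to create an alternate configuration and test it using the 'shorewall try' command"; the two pages should give consistent guidance.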
+ + + + + + \ No newline at end of file diff --git a/Shorewall-docs/subnet_masks.htm b/Shorewall-docs/subnet_masks.htm new file mode 100644 index 000000000..5eb644ecc --- /dev/null +++ b/Shorewall-docs/subnet_masks.htm @@ -0,0 +1,73 @@ + + + + + + + +IP addresses and subnet masks are 32-bit numbers. The notation +w.x.y.z refers to an address where the high-order byte has value "w", the next +byte has value "x", etc. If we take 255.255.255.0 and express it in +hexadecimal, +we get:
+++FF.FF.FF.00
+
or looking at it as a 32-bit integer
+++FFFFFF00
+
Each "F" represents the bit pattern "1111" so if we look at the +number in binary, we have:
+++11111111111111111111111100000000
+
Counting the leading "1" bits, we see that there are 24 -- /24 +in VLSM notation.
+It is handy to remember that the size of the subnet can be +obtained by subtracting the number of consecutive leading "1" bits from 32 and +raising 2 to that power. In the above case, 32 - 24 = 8 and 2 ** 8 = 256 +addresses. Remember that the number of usable addresses is two less than that +(254) because the first and last address in the subnet are reserved as the +sub-network and broadcast addresses respectively.
+The size of a subnet can be any power of two so long as the +address of the subnet is a multiple of it's size. For example, if you want a +subnet of size 8, you could choose 192.168.12.8/29 (8 = 2 ** 3 and 32 - 3 = 29). +The subnet mask would be:
+++11111111111111111111111111111000 = FFFFFFF8 = 255.255.255.248.
+
This subnet would have 6 usable addresses: 192.168.12.9 - +192.168.12.14.
+You will still hear the terms "Class A network", "Class B +network" and "Class C network". In the early days of IP, sub-networks only came +in three sizes:
+++Class A - Subnet mask 255.0.0.0, size = 2 ** 24
+Class B - Subnet mask 255.255.0.0, size = 2 ** 16
+Class C - Subnet mask 255.255.255.0, size = 256
+
The class of a network was determined by the value of the high +order byte of its address so you could look at an IP address and immediately +determine the associated subnet mask.
+As the internet grew, it became clear that such a gross +partitioning of the 32-bit address space was going to be very limiting (early +on, large corporations and universities were assigned their own class A +network!). It was then that VLSM was devised -- today, any system that you are +likely to work with understands VLSM and Class-based subnetworking is largely a +thing of the past.
+Last updated +7/15/2002 - Tom +Eastep
+Copyright 2002 Thomas M. Eastep
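Review bot: terminology and consistency in the prefix explanation and the class-size list. "there are 24 -- /24 in VLSM notation" would be more accurate as CIDR (prefix-length) notation: VLSM is the practice of subnetting with masks of different lengths, and the slash form is CIDR notation. The class sizes are given in mixed forms (`size = 2 ** 24`, `size = 2 ** 16`, then `size = 256`); writing Class C as 2 ** 8 keeps the pattern aligned with the 32 - n rule introduced above. Typo: "multiple of it's size" should be "its size".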
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/support.htm b/Shorewall-docs/support.htm new file mode 100644 index 000000000..befd8a1cb --- /dev/null +++ b/Shorewall-docs/support.htm @@ -0,0 +1,118 @@ + + + + + + + ++ +++"It is easier to post a problem than to use your own brain" -- +Weitse Venema (creator of Postfix)
+
There are a number of sources for problem solution information.
+++ +The archives from the mailing List are at http://www.shorewall.net/pipermail/shorewall-users.
+ +Search the Mailing List Archives at Shorewall.net
+ + + +
Please post your question or problem to the +Shorewall users mailing list; +there are lots of folks there who are willing to help you. Your question/problem +description and their responses will be placed in the mailing list archives to +help people who have a similar question or problem in the future.
+++"It irks me when people believe that free software + comes at no cost. The cost is incredibly high." - + Weitse Venema
+
I do not answer questions or work on problems sent to me personally but I try +to respond promptly to mailing list posts. -Tom
+To Subscribe to the mailing list go to http://www.shorewall.net/mailman/listinfo/shorewall-users + .
+ +Last Updated 8/5/2002 - Tom +Eastep
+ ++Copyright © 2001, 2002 Thomas M. Eastep.
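Review bot: the quoted author's name is misspelled in both quotations on this page: it is Wietse Venema, not "Weitse Venema" (under "It is easier to post a problem than to use your own brain" and again under "It irks me when people believe that free software comes at no cost").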
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/three-interface.htm b/Shorewall-docs/three-interface.htm new file mode 100644 index 000000000..ea100a5b6 --- /dev/null +++ b/Shorewall-docs/three-interface.htm @@ -0,0 +1,851 @@ + + + + + + + +Setting up a Linux system as a firewall for a small network with +DMZ is a +fairly straight-forward task if you understand the basics and follow the +documentation.
+This guide doesn't attempt to acquaint you with all of the features of +Shorewall. It rather focuses on what is required to configure Shorewall in one +of its more popular configurations:
+Here is a schematic of a typical installation.
++
+This guide assumes that you have the iproute/iproute2 package installed (on +RedHat, the package is called iproute). You can tell if this +package is installed by the presence of an ip program on your firewall +system. As root, you can use the 'which' command to check for this program:
+[root@gateway root]# which ip + /sbin/ip + [root@gateway root]#
I recommend that you first read through the guide + +to familiarize yourself with what's involved then go back through it again +making your configuration changes. Points at which configuration changes are +recommended are flagged with
++If you edit your configuration files on a Windows system, you must save them as +Unix files if your editor supports that option or you must run them through +dos2unix before trying to use them. Similarly, if you copy a configuration file +from your Windows hard drive to a floppy disk, you must run dos2unix against the +copy before using it with Shorewall.
+ +The configuration files for Shorewall are contained in the directory +/etc/shorewall -- for simple setups, you will only need to deal with a few of +these as described in this guide. After you have installed Shorewall, +download the three-interface sample, un-tar it +(tar -zxvf three-interfaces.tgz) and and copy the files to /etc/shorewall +(the files will replace files with the same names that were placed in +/etc/shorewall when Shorewall was installed).
+As each file is introduced, I suggest that you +look through the actual file on your system -- each file contains detailed +configuration instructions and default entries.
+Shorewall views the network where it is running as being composed of a set of +zones. In the three-interface sample configuration, the following zone names are used:
+Name | +Description | +
net | +The Internet | +
loc | +Your Local Network | +
dmz | +Demilitarized Zone | +
Zone names are defined in +/etc/shorewall/zones.
+Shorewall also recognizes the firewall system as its own zone - by default, +the firewall itself is known as fw.
+Rules about what traffic to allow and what traffic to deny are expressed in +terms of zones.
+For each connection request entering the firewall, the request is first checked against the +/etc/shorewall/rules file. If no rule in that file matches the connection +request then the first policy in /etc/shorewall/policy that matches the + +request is applied. If that policy is REJECT or DROP the request is first +checked against the rules in /etc/shorewall/common (the samples provide that +file for you).
+The /etc/shorewall/policy file included with the three-interface sample has the +following policies:
++++
++ +Source Zone +Destination Zone +Policy +Log Level +Limit:Burst ++ +loc +net +ACCEPT ++ + + +net +all +DROP +info ++ + +all +all +REJECT +info ++
++In the three-interface sample, the line below is included but commented out. If +you want your firewall system to have full access to servers on the internet, +uncomment that line.
++
++ +Source Zone +Destination Zone +Policy +Log Level +Limit:Burst ++ +fw +net +ACCEPT ++ +
The above policy will:
+At this point, edit your /etc/shorewall/policy +file and make any changes that you +wish.
++
+The firewall has three network interfaces. Where Internet +connectivity is through a cable or DSL "Modem", the External Interface +will be the ethernet adapter that is connected to that "Modem" (e.g., eth0) +unless you connect via Point-to-Point Protocol +over Ethernet (PPPoE) or Point-to-Point Tunneling +Protocol (PPTP) in which case the External Interface will be a ppp +interface (e.g., ppp0). If you connect via a regular modem, your External +Interface will also be ppp0. If you connect using ISDN, you external +interface will be ippp0.
+If your external interface is ppp0 +or ippp0 then you will want to +set CLAMPMSS=yes in +/etc/shorewall/shorewall.conf.
+Your Local Interface will be an ethernet adapter (eth0, +eth1 or eth2) and will be connected to a hub or switch. Your local computers +will be connected to the same switch (note: If you have only a single local system, +you can connect the firewall directly to the computer using a cross-over +cable).
+Your DMZ Interface will also be an ethernet adapter (eth0, +eth1 or eth2) and will be connected to a hub or switch. Your DMZ computers will +be connected to the same switch (note: If you have only a single DMZ system, +you can connect the firewall directly to the computer using a cross-over +cable).
++Do not connect more than one interface +to the same hub or switch (even for testing). It won't work the way that you +expect it to and you will end up confused and +believing that Shorewall doesn't work at all.
+The Shorewall three-interface sample configuration assumes that +the external interface is eth0, the local interface is eth1 and +the DMZ interface is +eth2. +If your configuration is different, you will have to modify the sample +/etc/shorewall/interfaces file accordingly. While you are there, you may wish to +review the list of options that are specified for the interfaces. Some hints:
+If your external interface is ppp0 or ippp0, you can replace the + "detect" in the second column with "-".
If your external interface is ppp0 or ippp0 or if you have a static IP + address, you can remove "dhcp" from the option list.
Before going further, we should say a few words about Internet +Protocol (IP) addresses. Normally, your ISP will assign you a single +Public IP address. This address may be assigned via the Dynamic Host +Configuration Protocol (DHCP) or as part of establishing your connection +when you dial in (standard modem) or establish your PPP connection. In rare +cases, your ISP may assign you a static IP address; that means that you +configure your firewall's external interface to use that address permanently. +Regardless of how the address is assigned, it will be shared by all of your +systems when you access the Internet. You will have to assign your own addresses +for your internal network (the local and DMZ Interfaces on your firewall plus your other +computers). RFC 1918 reserves several Private IP address ranges for this +purpose:
+10.0.0.0 - 10.255.255.255 + 172.16.0.0 - 172.31.255.255 + 192.168.0.0 - 192.168.255.255+
+ Before starting Shorewall, you should look at the IP address of your external + interface and if it is one of the above ranges, you should remove the + 'norfc1918' option from the external interface's entry in + /etc/shorewall/interfaces.
You will want to assign your local addresses from one + sub-network or subnet and your DMZ addresses from another subnet. For our purposes, we can consider a subnet + to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will + have a Subnet Mask of 255.255.255.0. The address x.y.z.0 is reserved as + the Subnet Address and x.y.z.255 is reserved as the Subnet Broadcast + Address. In Shorewall, a subnet is described using + Variable-Length + Subnet Mask (VLSM) notation with consists of the subnet address followed + by "/24". The "24" refers to the number of + consecutive "1" bits from the left of the subnet mask. +
Example sub-network:
+++
++ +Range: +10.10.10.0 - 10.10.10.255 ++ +Subnet Address: +10.10.10.0 ++ +Broadcast Address: +10.10.10.255 ++ +VLSM Notation: +10.10.10.0/24 +
It is conventional to assign the internal interface either the + first usable address in the subnet (10.10.10.1 in the above example) or the + last usable address (10.10.10.254).
One of the purposes of subnetting is to allow all computers in the + subnet to understand which other computers can be communicated with directly. + To communicate with systems outside of the subnetwork, systems send packets + through a gateway (router).
Your local computers + (Local Computers 1 & 2) should be configured with their + default gateway set to the IP address of the firewall's internal interface + and your DMZ computers ( DMZ Computers 1 & 2) should be configured with their + default gateway set to the IP address of the firewall's DMZ interface. +
The foregoing short discussion barely scratches the surface +regarding subnetting and routing. If you are interested in learning more about +IP addressing and routing, I highly recommend "IP Fundamentals: What Everyone +Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, +1999, ISBN 0-13-975483-0.
+The remainder of this quide will assume that you have configured +your network as shown here:
++
+The default gateway for the DMZ computers would be 10.10.10.254 +and the default gateway for the Local computers would be 10.10.10.254.
+The addresses reserved by RFC 1918 are sometimes referred to as +non-routable because the Internet backbone routers don't forward packets +which have an RFC-1918 destination address. When one of your local systems +(let's assume local computer 1) sends a connection request to an internet host, the +firewall must perform Network Address Translation (NAT). The firewall +rewrites the source address in the packet to be the address of the firewall's +external interface; in other words, the firewall makes it look as if the firewall +itself is initiating the connection. This is necessary so that the +destination host will be able to route return packets back to the firewall +(remember that packets whose destination address is reserved by RFC 1918 can't +be routed accross the internet). When the firewall receives a return packet, it +rewrites the destination address back to 10.10.10.1 and +forwards the packet on to local computer 1.
+On Linux systems, the above process is often referred to as +IP Masquerading and you will also see the term Source Network Address +Translation (SNAT) used. Shorewall follows the convention used with +Netfilter:
+Masquerade describes the case where you let your + firewall system automatically detect the external interface address.
SNAT refers to the case when you explicitly specify the + source address that you want outbound packets from your local network to use. +
In Shorewall, both Masquerading and SNAT are configured with +entries in the /etc/shorewall/masq file.
+If your external firewall interface is eth0, your local +interface eth1 and your DMZ interface is eth2 then you do not +need to modify the file provided with the sample. Otherwise, edit +/etc/shorewall/masq and change it to match your configuration.
+If your external IP +is static, you can enter it in the third column in the /etc/shorewall/masq entry +if you like although your firewall will work fine if you leave that column +empty. Entering your static IP in column 3 makes processing outgoing packets a +little more efficient.
+One of your goals will be to run one or more servers on your DMZ computers. Because these computers have RFC-1918 addresses, it is not +possible for clients on the internet to connect directly to them. It is rather +necessary for those clients to address their connection requests to your firewall +who rewrites the destination address to the address of your server and forwards +the packet to that server. When your server responds, the firewall automatically +performs SNAT to rewrite the source address in the response.
+The above process is called Port Forwarding or +Destination Network Address Translation (DNAT). You configure port +forwarding using DNAT rules in the /etc/shorewall/rules file.
+The general form of a simple port forwarding rule in +/etc/shorewall/rules is:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +DNAT +net +dmz:<server local ip address> [:<server port>] +<protocol> +<port> ++ +
If you don't specify the <server port>, it is assumed to be the same +as <port>.
+Example - you run a Web Server on DMZ 2 and you want to forward incoming +TCP port 80 to that system:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +DNAT +net +dmz:10.10.11.2 +tcp +80 +# Forward port 80 +from the internet ++ +ACCEPT +loc +dmz:10.10.11.2 +tcp +80 +#Allow connections +from the local network +
A +couple of important points +to keep in mind:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +DNAT +net +dmz:10.10.11.2:80 +tcp +5000 ++ +
If you want to be able +to access your server from the local network using your external address, then +if you have a static external IP you can replace the loc->dmz rule above with:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +DNAT +net +dmz:10.10.11.2:80 +tcp +80 +- +<external IP> +
If you have a dynamic ip then you must ensure that your external interface is +up before starting Shorewall and you must take steps as follows (assume that +your external interface is eth0):
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +DNAT +net +dmz:10.10.11.2:80 +tcp +80 +- +$ETH0_IP +
If you want to access your server from the DMZ using your external IP +address, see FAQ 2a.
+At this point, add the DNAT and +ACCEPT rules for your servers.
+Normally, when you connect to your ISP, as part of getting an IP +address your firewall's Domain Name Service (DNS) resolver will be +automatically configured (e.g., the /etc/resolv.conf file will be written). +Alternatively, your ISP may have given you the IP address of a pair of DNS +name servers for you to manually configure as your primary and secondary +name servers. It is your responsibility to configure the resolver in your +internal systems. You can take one of two approaches:
+You can configure your internal systems to use your ISP's name + servers. If you ISP gave you the addresses of their servers or if those + addresses are available on their web site, you can configure your internal + systems to use those addresses. If that information isn't available, look in + /etc/resolv.conf on your firewall system -- the name servers are given in + "nameserver" records in that file.
You can configure a Caching Name Server on your + firewall or in your DMZ. Red Hat has an RPM for a caching name server (which also + requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you + take this approach, you configure your internal systems to use the caching + name server as their primary (and only) name server. You use the internal IP + address of the firewall (10.10.10.254 in the example above) for the name + server address if you choose to run the name server on your firewall. To allow your local systems to talk to your caching name + server, you must open port 53 (both UDP and TCP) from the local network to the + server; you do that by adding the rules in /etc/shorewall/rules.
++If you run the name server on the firewall:
+
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +loc +fw +tcp +53 ++ + + +ACCEPT +loc +fw +udp +53 ++ + + +ACCEPT +dmz +fw +tcp +53 ++ + + +ACCEPT +dmz +fw +udp +53 ++ +
++Run name server on DMZ computer 1
++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +loc +dmz:10.10.11.1 +tcp +53 ++ + + +ACCEPT +loc +dmz:10.10.11.1 +udp +53 ++ + + +ACCEPT +fw +dmz:10.10.10.1 +tcp +53 ++ + + +ACCEPT +fw +dmz:10.10.10.1 +udp +53 ++ +
The three-interface sample includes the following rules:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +fw +net +udp +53 ++ + + +ACCEPT +fw +net +tcp +53 ++ +
Those rules allow DNS access from your firewall and may be + removed if you commented out the line in /etc/shorewall/policy allowing all + connections from the firewall to the internet.
The sample also includes:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +loc +fw +tcp +22 ++ + + +ACCEPT +loc +dmz +tcp +22 ++ +
That rule allows you to run an SSH server on your firewall and + in each of your DMZ systems and + to connect to those servers from your local systems.
If you wish to enable other connections between your systems, the general format is:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +<source zone> +<destination zone> +<protocol> +<port> ++ +
Example - You want to run a publicly-available DNS server on your firewall + system:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +net +fw +tcp +53 +#Allow DNS access +from the internet ++ +ACCEPT +net +fw +tcp +53 +#Allow DNS access +from the internet +
Those two rules would of course be in addition to the rules + listed above under "If you run the name server on your firewall".
If you don't know what port and protocol a particular + application uses, look here.
Important: I don't recommend enabling telnet to/from + the internet because it uses clear text (even for login!). If you want shell + access to your firewall from the internet, use SSH:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +net +fw +tcp +22 ++ +
Now modify + /etc/shorewall/rules to add or remove other connections as required.
The installation procedure + configures your system to start Shorewall at system boot.
The firewall is started using the "shorewall start" command + and stopped using "shorewall stop". When the firewall is stopped, routing is + enabled on those hosts that have an entry in + /etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. If + you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".
The three-interface sample assumes that you want to enable + routing to/from eth1 (your local network) and eth2 (DMZ) when Shorewall is stopped. + If these two interfaces don't connect to your local network and DMZ or if you + want to enable a different set of hosts, modify /etc/shorewall/routestopped + accordingly.
WARNING: If you are connected to your firewall from the + internet, do not issue a "shorewall stop" command unless you have added an + entry for the IP address that you are connected from to + /etc/shorewall/routestopped. + Also, I don't recommend using "shorewall restart"; it is better to create an + alternate configuration and + test it using the "shorewall try" command.
Last updated +7/27/2002 - Tom +Eastep
+ +Copyright 2002 Thomas M. Eastep
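Review bot: The "publicly-available DNS server" example lists the same row twice ("ACCEPT net fw tcp 53") and never opens UDP 53, so a resolver configured from that table would answer TCP queries only; the second row should read "udp", matching the tcp/udp pairs used in the "name server on the firewall" table. DMZ addressing is also inconsistent within the file: the port-forwarding and DNS examples place the DMZ hosts in 10.10.11.x ("dmz:10.10.11.2", "dmz:10.10.11.1"), but the "Run name server on DMZ computer 1" table switches to "fw dmz:10.10.10.1" for the two fw rows, and the paragraph after the network figure gives 10.10.10.254 as the default gateway for both the DMZ computers and the local computers, which cannot hold if the DMZ is a separate subnet as the "one subnet for local, another for DMZ" advice requires; state the firewall's DMZ interface address once and use a single DMZ address throughout. In the dynamic-IP case, "you must take steps as follows" is followed directly by a rule using $ETH0_IP, and the step that defines that variable never appears, so the rule as shown cannot work. Two lists are missing their items: "A couple of important points to keep in mind:" runs straight into a table, and "The above policy will:" is followed by nothing. Smaller points: "That rule allows you to run an SSH server" describes two rules; "and and copy the files"; "you external interface will be ippp0"; "consider a subnet to consists of"; "notation with consists of"; "your firewall who rewrites"; "quide"; "accross"; "dynamic ip".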
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/traffic_shaping.htm b/Shorewall-docs/traffic_shaping.htm new file mode 100644 index 000000000..12e2fc37b --- /dev/null +++ b/Shorewall-docs/traffic_shaping.htm @@ -0,0 +1,206 @@ + + + + + + + +Beginning with version 1.2.0, Shorewall has limited support for traffic +shaping/control. In order to use traffic shaping under Shorewall, it is +essential that you get a copy of the Linux Advanced Routing +and Shaping HOWTO, version 0.3.0 or later. You must also install +the iproute (iproute2) package to provide the "ip" and "tc" +utilities.
+ +Shorewall traffic shaping support consists of the following:
+ +The fwmark classifier provides a convenient way to classify +packets for traffic shaping. The /etc/shorewall/tcrules file provides a means +for specifying these marks in a tabular fashion.
+Columns in the file are as follows:
+Example 1 - All packets arriving on eth1 should be marked with +1. All packets arriving on eth2 should be marked with 2. All packets originating +on the firewall itself should be marked with 3.
+MARK | +SOURCE | +DEST | +PROTO | +PORT(S) | +CLIENT PORT(S) | +
1 | +eth1 | +0.0.0.0/0 | +all | ++ | + |
2 | +eth2 | +0.0.0.0/0 | +all | ++ | + |
3 | +fw | +0.0.0.0/0 | +all | ++ | + |
Example 2 - All GRE (protocol 47) packets not originating on the +firewall and destined for 155.186.235.151 should be marked with 12.
+MARK | +SOURCE | +DEST | +PROTO | +PORT(S) | +CLIENT PORT(S) | +
12 | +0.0.0.0/0 | +155.186.235.151 | +47 | ++ | + |
Example 3 - All SSH packets originating in 192.168.1.0/24 and +destined for 155.186.235.151 should be marked with 22.
+MARK | +SOURCE | +DEST | +PROTO | +PORT(S) | +CLIENT PORT(S) | +
22 | +192.168.1.0/24 | +155.186.235.151 | +tcp | +22 | ++ |
I personally use HTB. I have found a couple of things that may be of +use to others.
+++run_tc qdisc add dev eth0 root handle 1: htb default 30
+
+
+ run_tc class add dev eth0 parent 1: classid 1:1 htb rate 10mbit burst 15k
+
+ run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 150kbit ceil 10mbit burst 15k
+ run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 234kbit ceil 10mbit burst 15k
+ run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 1kbit ceil + 10mbit burst 15k
+
+ run_tc qdisc add dev eth0 parent 1:10 sfq perturb 10
+ run_tc qdisc add dev eth0 parent 1:20 sfq perturb 10
+ run_tc qdisc add dev eth0 parent 1:30 sfq perturb 10
+
+ run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
+ run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 2 fw classid 1:20
+ run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30 +My tcrules file is shown in Example 1 above. You can look at my network + configuration to get an idea of why I want these particular rules.
+
+
Last Updated 6/18/2002 - Tom +Eastep
+ +Copyright +© 2001, 2002 Thomas M. Eastep.
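Review bot: The HTB listing uses run_tc on every line, but nothing in the visible text says what run_tc is or which Shorewall file these lines belong in, so a reader cannot reproduce the setup; add a sentence naming the wrapper and the file before the listing. The three fw filters ("handle 1 fw classid 1:10" and the 2/3 counterparts) only work because the marks 1, 2 and 3 come from Example 1; that dependency is worth stating next to "My tcrules file is shown in Example 1 above", since a reader whose tcrules use other mark values gets classes that silently never match. Two lead-ins are also followed by nothing: "Shorewall traffic shaping support consists of the following:" and "Columns in the file are as follows:", so the column definitions the examples rely on are missing.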
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/troubleshoot.htm b/Shorewall-docs/troubleshoot.htm new file mode 100644 index 000000000..c184d0703 --- /dev/null +++ b/Shorewall-docs/troubleshoot.htm @@ -0,0 +1,189 @@ + + + + + +Check the Shorewall Errata + to be sure that there isn't an update that you are missing for your version +of the firewall.
+ +Check the FAQs for solutions to common problems.
+ + + +Many times when people have problems with Shorewall, the problem is + actually an ill-conceived test setup. Here are several popular snafus:
+If the appropriate policy for the connection that you +are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING +TO MAKE IT WORK. Such additional rules will NEVER make it work, they add +clutter to your rule set and they represent a big security hole in the event +that you forget to remove them later.
+ +I also recommend against setting all of your policies to + ACCEPT in an effort to make something work. That robs you of one of your + best diagnostic tools - the "Shorewall" messages that Netfilter will + generate when you try to connect in a way that isn't permitted by your + rule set.
+ +Check your log. If you don't see Shorewall messages, +then your problem is probably NOT a Shorewall problem. If you DO see packet +messages, it is an indication that you are missing one or more rules.
+ +While you are troubleshooting, it is a good idea to clear + two variables in /etc/shorewall/shorewall.conf:
+ +LOGRATE=""
+ LOGBURST=""
This way, you will see all of the log messages being + generated (be sure to restart shorewall after clearing these variables).
+ +Example:
+ + + +Jun 27 15:37:56 gateway kernel: + Shorewall:all2all:REJECT:IN=eth2 +OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 +ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47
+ + + +Let's look at the important parts of this message:
+ +In this case, 192.168.2.2 was in the "dmz" zone and +192.168.1.3 is in the "loc" zone. I was missing the rule:
+ +ACCEPT dmz loc udp 53
+ + + +See the support page.
+ + + ++ + + +
Last updated 7/27/2002 - +Tom Eastep +
+ +Copyright + © 2001, 2002 Thomas M. Eastep.
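Review bot: The advice to clear LOGRATE and LOGBURST and then "restart shorewall" conflicts with three-interface.htm in this same change, which says not to use "shorewall restart" and to test an alternate configuration with "shorewall try"; pick one recommendation or say why restart is acceptable during troubleshooting. Clearing both variables removes all rate limiting on the Netfilter log messages, so every rejected packet is logged; say that this is for the duration of the diagnosis and that the previous values should be put back afterwards so the log is not flooded. "Let's look at the important parts of this message:" is followed by nothing, so the walk-through of the fields (the chain name all2all, IN, OUT, SRC, DST, PROTO, DPT) that the sample message and the resulting rule "ACCEPT dmz loc udp 53" are meant to illustrate is missing.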
+ + + \ No newline at end of file diff --git a/Shorewall-docs/two-interface.htm b/Shorewall-docs/two-interface.htm new file mode 100644 index 000000000..3ed7f1775 --- /dev/null +++ b/Shorewall-docs/two-interface.htm @@ -0,0 +1,686 @@ + + + + + + + +Setting up a Linux system as a firewall for a small network is a +fairly straight-forward task if you understand the basics and follow the +documentation.
+This guide doesn't attempt to acquaint you with all of the features of +Shorewall. It rather focuses on what is required to configure Shorewall in its +most common configuration:
+Here is a schematic of a typical installation.
++
+This guide assumes that you have the iproute/iproute2 package installed (on +RedHat, the package is called iproute). You can tell if this +package is installed by the presence of an ip program on your firewall +system. As root, you can use the 'which' command to check for this program:
+[root@gateway root]# which ip + /sbin/ip + [root@gateway root]#
I recommend that you first read through the +guide to familiarize yourself with what's involved then go back through it again +making your configuration changes. Points at which configuration changes are +recommended are flagged with .
++If you edit your configuration files on a Windows system, you must save them as +Unix files if your editor supports that option or you must run them through +dos2unix before trying to use them. Similarly, if you copy a configuration file +from your Windows hard drive to a floppy disk, you must run dos2unix against the +copy before using it with Shorewall.
+ +The configuration files for Shorewall are contained in the directory +/etc/shorewall -- for simple setups, you will only need to deal with a few of +these as described in this guide. After you have installed Shorewall, +download the +two-interface sample, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall +(these files will replace files with the same name).
+As each file is introduced, I suggest that you +look through the actual file on your system -- each file contains detailed +configuration instructions and default entries.
+Shorewall views the network where it is running as being composed of a set of +zones. In the two-interface sample configuration, the following zone names are used:
+Name | +Description | +
net | +The Internet | +
loc | +Your Local Network | +
Zones are defined in the +/etc/shorewall/zones file.
+Shorewall also recognizes the firewall system as its own zone - by default, +the firewall itself is known as fw.
+Rules about what traffic to allow and what traffic to deny are expressed in +terms of zones.
+For each connection request entering the firewall, the request is first checked against the +/etc/shorewall/rules file. If no rule in that file matches the connection +request then the first policy in /etc/shorewall/policy that matches the + +request is applied. If that policy is REJECT or DROP the request is first +checked against the rules in /etc/shorewall/common (the samples provide that +file for you).
+The /etc/shorewall/policy file included with the two-interface sample has the +following policies:
++++
++ +Source Zone +Destination Zone +Policy +Log Level +Limit:Burst ++ +loc +net +ACCEPT ++ + + +net +all +DROP +info ++ + +all +all +REJECT +info ++
++In the two-interface sample, the line below is included but commented out. If +you want your firewall system to have full access to servers on the internet, +uncomment that line.
++
++ +Source Zone +Destination Zone +Policy +Log Level +Limit:Burst ++ +fw +net +ACCEPT ++ +
The above policy will:
+At this point, edit your /etc/shorewall/policy and make any changes that you +wish.
++
+The firewall has two network interfaces. Where Internet +connectivity is through a cable or DSL "Modem", the External Interface +will be the ethernet adapter that is connected to that "Modem" (e.g., eth0) +unless you connect via Point-to-Point Protocol +over Ethernet (PPPoE) or Point-to-Point Tunneling +Protocol (PPTP) in which case the External Interface will be a ppp +interface (e.g., ppp0). If you connect via a regular modem, your External +Interface will also be ppp0. If you connect via ISDN, your external +interface will be ippp0.
+If your external interface is ppp0 +or ippp0 then you will want to +set CLAMPMSS=yes in +/etc/shorewall/shorewall.conf.
+Your Internal Interface will be an ethernet adapter (eth1 +or eth0) and will be connected to a hub or switch. Your other computers will be +connected to the same hub/switch (note: If you have only a single internal system, +you can connect the firewall directly to the computer using a cross-over +cable).
++Do not connect the internal and external interface +to the same hub or switch (even for testing). It won't work the way that you think that it will and you will end up confused and +believing that Shorewall doesn't work at all.
+The Shorewall two-interface sample configuration assumes that +the external interface is eth0 and the internal interface is eth1. +If your configuration is different, you will have to modify the sample +/etc/shorewall/interfaces file accordingly. While you are there, you may wish to +review the list of options that are specified for the interfaces. Some hints:
+If your external interface is ppp0 or ippp0, you can replace the + "detect" in the second column with "-".
If your external interface is ppp0 or ippp0 or if you have a static IP + address, you can remove "dhcp" from the option list.
Before going further, we should say a few words about Internet +Protocol (IP) addresses. Normally, your ISP will assign you a single +Public IP address. This address may be assigned via the Dynamic Host +Configuration Protocol (DHCP) or as part of establishing your connection +when you dial in (standard modem) or establish your PPP connection. In rare +cases, your ISP may assign you a static IP address; that means that you +configure your firewall's external interface to use that address permanently. +However your external address is assigned, it will be shared by all of your systems when you access the +Internet. You will have to assign your own addresses in your +internal network (the Internal Interface on your firewall plus your other +computers). RFC 1918 reserves several Private IP address ranges for this +purpose:
+10.0.0.0 - 10.255.255.255 + 172.16.0.0 - 172.31.255.255 + 192.168.0.0 - 192.168.255.255+
+ Before starting Shorewall, you should look at the IP address of your external + interface and if it is one of the above ranges, you should remove the + 'norfc1918' option from the external interface's entry in + /etc/shorewall/interfaces.
You will want to assign your addresses from the same + sub-network (subnet). For our purposes, we can consider a subnet + to consists of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will + have a Subnet Mask of 255.255.255.0. The address x.y.z.0 is reserved as + the Subnet Address and x.y.z.255 is reserved as the Subnet Broadcast + Address. In Shorewall, a subnet is described using + Variable-Length + Subnet Mask (VLSM) notation with consists of the subnet address followed + by "/24". The "24" refers to the number of + consecutive leading "1" bits from the left of the subnet mask. +
Example sub-network:
+++
++ +Range: +10.10.10.0 - 10.10.10.255 ++ +Subnet Address: +10.10.10.0 ++ +Broadcast Address: +10.10.10.255 ++ +VLSM Notation: +10.10.10.0/24 +
It is conventional to assign the internal interface either the + first usable address in the subnet (10.10.10.1 in the above example) or the + last usable address (10.10.10.254).
One of the purposes of subnetting is to allow all computers in the + subnet to understand which other computers can be communicated with directly. + To communicate with systems outside of the subnetwork, systems send packets + through a gateway (router).
Your local computers (computer + 1 and computer 2 in the above diagram) should be configured with their + default gateway to be the IP address of the firewall's internal + interface. +
The foregoing short discussion barely scratches the surface +regarding subnetting and routing. If you are interested in learning more about +IP addressing and routing, I highly recommend "IP Fundamentals: What Everyone +Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, +1999, ISBN 0-13-975483-0.
+The remainder of this quide will assume that you have configured +your network as shown here:
++
+The default gateway for computer's 1 & 2 would be 10.10.10.254.
+The addresses reserved by RFC 1918 are sometimes referred to as +non-routable because the Internet backbone routers don't forward packets +which have an RFC-1918 destination address. When one of your local systems +(let's assume computer 1) sends a connection request to an internet host, the +firewall must perform Network Address Translation (NAT). The firewall +rewrites the source address in the packet to be the address of the firewall's +external interface; in other words, the firewall makes it look as if the firewall +itself is initiating the connection. This is necessary so that the +destination host will be able to route return packets back to the firewall +(remember that packets whose destination address is reserved by RFC 1918 can't +be routed across the internet so the remote host can't address its response to +computer 1). When the firewall receives a return packet, it +rewrites the destination address back to 10.10.10.1 and +forwards the packet on to computer 1.
+On Linux systems, the above process is often referred to as +IP Masquerading but you will also see the term Source Network Address +Translation (SNAT) used. Shorewall follows the convention used with +Netfilter:
+Masquerade describes the case where you let your + firewall system automatically detect the external interface address.
SNAT refers to the case when you explicitly specify the + source address that you want outbound packets from your local network to use. +
In Shorewall, both Masquerading and SNAT are configured with +entries in the /etc/shorewall/masq file. You will normally use Masquerading if +your external IP is dynamic and SNAT if the IP is static.
+If your external firewall interface is eth0, you do not +need to modify the file provided with the sample. Otherwise, edit +/etc/shorewall/masq and change the first column to the name of your external +interface and the second column to the name of your internal interface.
+If your external IP is +static, you can enter it in the third column in the /etc/shorewall/masq entry if +you like although your firewall will work fine if you leave that column empty. +Entering your static IP in column 3 makes processing outgoing packets a little +more efficient.
+One of your goals may be to run one or more servers on your +local computers. Because these computers have RFC-1918 addresses, it is not +possible for clients on the internet to connect directly to them. It is rather +necessary for those clients to address their connection requests to the firewall +who rewrites the destination address to the address of your server and forwards +the packet to that server. When your server responds, the firewall automatically +performs SNAT to rewrite the source address in the response.
+The above process is called Port Forwarding or +Destination Network Address Translation (DNAT). You configure port +forwarding using DNAT rules in the /etc/shorewall/rules file.
+The general form of a simple port forwarding rule in +/etc/shorewall/rules is:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +DNAT +net +loc:<server local ip address> [:<server port>] +<protocol> +<port> ++ +
Example - you run a Web Server on computer 2 and you want to forward incoming +TCP port 80 to that system:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +DNAT +net +loc:10.10.10.2 +tcp +80 ++ +
A couple of important points +to keep in mind:
++++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +DNAT +net +loc:10.10.10.2:80 +tcp +5000 ++ +
+ At this point, modify +/etc/shorewall/rules to add any DNAT rules that you require.
+Normally, when you connect to your ISP, as part of getting an IP +address your firewall's Domain Name Service (DNS) resolver will be +automatically configured (e.g., the /etc/resolv.conf file will be written). +Alternatively, your ISP may have given you the IP address of a pair of DNS +name servers for you to manually configure as your primary and secondary +name servers. Regardless of how DNS gets configured on your firewall, it is your responsibility to configure the resolver in your +internal systems. You can take one of two approaches:
+You can configure your internal systems to use your ISP's name + servers. If you ISP gave you the addresses of their servers or if those + addresses are available on their web site, you can configure your internal + systems to use those addresses. If that information isn't available, look in + /etc/resolv.conf on your firewall system -- the name servers are given in + "nameserver" records in that file.
You can configure a Caching Name Server on your + firewall. Red Hat has an RPM for a caching name server (the RPM also + requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you + take this approach, you configure your internal systems to use the firewall + itself as their primary (and only) name server. You use the internal IP + address of the firewall (10.10.10.254 in the example above) for the name + server address. To allow your local systems to talk to your caching name + server, you must open port 53 (both UDP and TCP) from the local network to the + firewall; you do that by adding the following rules in /etc/shorewall/rules.
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +loc +fw +tcp +53 ++ + + +ACCEPT +loc +fw +udp +53 ++ +
The two-interface sample includes the following rules:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +fw +net +tcp +53 ++ + + +ACCEPT +fw +net +udp +53 ++ +
Those rules allow DNS access from your firewall and may be + removed if you commented out the line in /etc/shorewall/policy allowing all + connections from the firewall to the internet.
The sample also includes:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +loc +fw +tcp +22 ++ +
That rule allows you to run an SSH server on your firewall and + connect to that server from your local systems.
If you wish to enable other connections between your firewall + and other systems, the general format is:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +<source zone> +<destination zone> +<protocol> +<port> ++ +
Example - You want to run a Web Server on your firewall + system:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +net +fw +tcp +80 +#Allow web access +from the internet ++ +ACCEPT +loc +fw +tcp +80 +#Allow web access +from the local network +
Those two rules would of course be in addition to the rules + listed above under "You can configure a Caching Name Server on your firewall"
If you don't know what port and protocol a particular + application uses, look here.
Important: I don't recommend enabling telnet to/from + the internet because it uses clear text (even for login!). If you want shell + access to your firewall from the internet, use SSH:
+++
++ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE PORT +ORIGINAL ADDRESS ++ +ACCEPT +net +fw +tcp +22 ++ +
Now edit your + /etc/shorewall/rules file to add or delete other connections as required.
The installation procedure + configures your system to start Shorewall at system boot.
The firewall is started using the "shorewall start" command + and stopped using "shorewall stop". When the firewall is stopped, routing is + enabled on those hosts that have an entry in + /etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. If + you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".
The two-interface sample assumes that you want to enable + routing to/from eth1 (the local network) when Shorewall is stopped. If + your local network isn't connected to eth1 or if you wish to enable + access to/from other hosts, change /etc/shorewall/routestopped accordingly.
WARNING: If you are connected to your firewall from the + internet, do not issue a "shorewall stop" command unless you have added an + entry for the IP address that you are connected from to + /etc/shorewall/routestopped. + Also, I don't recommend using "shorewall restart"; it is better to create an + alternate configuration and + test it using the "shorewall try" command.
Last updated +7/26/2002 - Tom +Eastep
+ +Copyright 2002 Thomas M. Eastep
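Review bot: under "A couple of important points to keep in mind:" no points follow; the sentence runs straight into the DNAT table that forwards external port 5000 to loc:10.10.10.2:80, so the list that example is meant to illustrate is missing and should be restored before the table. Minor text fixes in the same hunk: "this quide" should read "this guide", and "computer's 1 & 2" should read "computers 1 & 2". The `ACCEPT net fw tcp 22` rule opens SSH on the firewall to the entire net zone; since the routestopped warning already assumes the administrator connects from a known IP address, it would help to mention restricting that rule's SOURCE to that address rather than all of net.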
+ + + + \ No newline at end of file diff --git a/Shorewall-docs/whitelisting_under_shorewall.htm b/Shorewall-docs/whitelisting_under_shorewall.htm new file mode 100644 index 000000000..d8b9776e6 --- /dev/null +++ b/Shorewall-docs/whitelisting_under_shorewall.htm @@ -0,0 +1,276 @@ + + + + + + + +For a brief time, the 1.2 version of Shorewall supported an +/etc/shorewall/whitelist file. This file was intended to contain a list of IP +addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was +implemented as a stop-gap measure until the facilities necessary for +implementing white lists using zones was in place. As of Version 1.3 RC1, those +facilities were available.
+White lists are most often used to give special privileges to a +set of hosts within an organization. Let us suppose that we have the +following environment:
+The basic approach will be that we will place the operations +staff's class C in its own zone called ops. Here are the appropriate +configuration files:
++++
++ + ++ ZONE ++ DISPLAY ++ COMMENTS ++ +net +Net +Internet ++ +ops +Operations +Operations Staff's Class C ++ +loc +Local +Local Class B ++ + +dmz +DMZ +Demilitarized zone +
The ops zone has been added to the standard 3-zone zones file -- since +ops is a sub-zone of loc, we list it BEFORE loc.
++++
++ ++ ZONE ++ INTERFACE ++ BROADCAST ++ OPTIONS ++ +net +eth0 +<whatever> +<options> ++ +dmz +eth1 +<whatever> +routestopped ++ + +- +eth2 +10.10.255.255 ++
Because eth2 interfaces to two zones (ops and loc), we +don't specify a zone for it here.
++++
++ ++ ZONE ++ HOST(S) ++ OPTIONS ++ +ops +eth2:10.10.10.0/24 + + + +routestopped + ++ + +loc +eth2:0.0.0.0/0 ++
Here we define the ops and loc zones. When Shorewall is +stopped, only the hosts in the ops zone will be allowed to access the +firewall and the DMZ. I use 0.0.0.0/0 to define the loc zone rather than +10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into +that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for +that special address.
++++
++ +SOURCE +DEST ++ POLICY ++ LOG LEVEL +LIMIT:BURST ++ +ops +all +ACCEPT + + ++ + + + + +all +ops +CONTINUE + + ++ + + + + +loc +net +ACCEPT + + + ++ + + + + + +net +all +DROP +info ++ + + + +all +all +REJECT +info ++
Two entries for ops have been added to the standard 3-zone policy file. +WARNING: You must be running Shorewall 1.3.1 or later +for the above to work properly.
++++
++ + +ACTION +SOURCE +DEST ++ PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ +REDIRECT +loc!ops +3128 +tcp +http ++ + + + + +... ++ + + + + +
This is the rule that transparently redirects web traffic to the transparent +proxy running on the firewall. The SOURCE column explicitly excludes the ops +zone from the rule.
+ + + ++ Updated 5/31/2002 - Tom +Eastep +
+ + + + + + + + + + \ No newline at end of file
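Review bot: the hosts entry `loc eth2:0.0.0.0/0` classifies every packet arriving on eth2 as loc regardless of its source address, so a host on that segment sending with a source outside 10.10.0.0/16 (including a spoofed public address) still receives the `loc net ACCEPT` policy; the text justifies the catch-all only by the limited broadcast address. Consider documenting that trade-off next to the explanation, or showing the stricter alternative the text already mentions (a 10.10.0.0/16 entry plus a separate entry for 255.255.255.255). Also, the introduction says the zone-based facilities were available "As of Version 1.3 RC1" while the policy section warns "You must be running Shorewall 1.3.1 or later"; the two version statements should be reconciled.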