diff --git a/Shorewall-docs2/FAQ.xml b/Shorewall-docs2/FAQ.xml index 1e7581c56..5b7e85273 100644 --- a/Shorewall-docs2/FAQ.xml +++ b/Shorewall-docs2/FAQ.xml @@ -31,7 +31,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -53,11 +54,14 @@ If you install using the .deb, you will find that your /etc/shorewall directory is empty. This is intentional. The released configuration file skeletons may be found on - your system in the directory /usr/share/doc/shorewall/default-config. + your system in the directory /usr/share/doc/shorewall/default-config. Simply copy the files you need from that directory to /etc/shorewall and modify the copies. + class="directory">/etc/shorewall and modify the + copies. - Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf + Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even if you do not modify those files. @@ -69,8 +73,8 @@
(FAQ 1) I want to forward UDP port 7777 to my my personal PC with - IP address 192.168.1.5. I've looked everywhere and can't find - how to do it. + IP address 192.168.1.5. I've looked everywhere and can't find how to do + it. Answer: The first example in the rules file documentation @@ -78,7 +82,7 @@ port-forwarding rule to a local system is as follows: #ACTION SOURCE DEST PROTO DEST PORT -DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> +DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> So to forward UDP port 7777 to internal system 192.168.1.5, the rule is: @@ -87,18 +91,19 @@ DNAT net loc:<local IP address>[:< DNAT net loc:192.168.1.5 udp 7777 If you want to forward requests directed to a particular address ( - <external IP> ) on your firewall to an + <external IP> ) on your firewall to an internal system: #ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL # PORT DEST. -DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> - <external IP> +DNAT net loc:<local IP address>[:<local port>] <protocol> <port #> - <external IP> Finally, if you need to forward a range of ports, in the PORT - column specify the range as <low-port>:<high-port>. + column specify the range as + <low-port>:<high-port>.
- (FAQ 1a) Ok -- I followed those instructions but it doesn't + <title>(FAQ 1a) Ok -- I followed those instructions but it doesn't work Answer: That is usually the @@ -107,14 +112,14 @@ DNAT net loc:<local IP address>[:< You are trying to test from inside your firewall (no, that - won't work -- see ). + won't work -- see ). You have a more basic problem with your local system (the one that you are trying to forward to) such as an incorrect default gateway (it should be set to the IP address of your - firewall's internal interface). + firewall's internal interface). @@ -124,40 +129,42 @@ DNAT net loc:<local IP address>[:< You are running Mandrake Linux and have configured Internet Connection Sharing. In that case, the name of your local zone is - 'masq' rather than 'loc' (change all instances of - 'loc' to 'masq' in your rules). You may want to - consider re-installing Shorewall in a configuration which matches - the Shorewall documentation. See the two-interface QuickStart Guide for - details. + 'masq' rather than 'loc' (change all instances of 'loc' to 'masq' + in your rules). You may want to consider re-installing Shorewall + in a configuration which matches the Shorewall documentation. See + the two-interface QuickStart + Guide for details.
- (FAQ 1b) I'm still having problems with port forwarding + (FAQ 1b) I'm still having problems with port forwarding Answer: To further diagnose this problem: - As root, type iptables -t nat -Z. - This clears the NetFilter counters in the nat table. + As root, type iptables -t nat + -Z. This clears the NetFilter counters in the + nat table. - Try to connect to the redirected port from an external host. + Try to connect to the redirected port from an external + host. - As root type shorewall show nat + As root type shorewall show + nat Locate the appropriate DNAT rule. It will be in a chain - called <source zone>_dnat (net_dnat - in the above examples). + called <source zone>_dnat + (net_dnat in the above examples). @@ -166,7 +173,7 @@ DNAT net loc:<local IP address>[:< @@ -183,12 +190,13 @@ DNAT net loc:<local IP address>[:<you are trying to connect to a secondary IP address on your firewall and your rule is only redirecting the primary IP address (You need to specify the secondary IP address in the - ORIG. DEST. column in your DNAT rule); or + ORIG. DEST. column in your DNAT rule); + or - your DNAT rule doesn't match the connection request - in some other way. In that case, you may have to use a packet + your DNAT rule doesn't match the connection request in + some other way. In that case, you may have to use a packet sniffer such as tcpdump or ethereal to further diagnose the problem. @@ -210,8 +218,8 @@ DNAT net loc:192.168.3:22 tcp 1022
- (FAQ 30) I'm confused about when to use DNAT rules and when - to use ACCEPT rules. + (FAQ 30) I'm confused about when to use DNAT rules and when to + use ACCEPT rules. It would be a good idea to review the QuickStart Guide @@ -229,7 +237,8 @@ DNAT net loc:192.168.3:22 tcp 1022 (FAQ 38) Where can I find more information about DNAT? Ian Allen has written a Paper about DNAT and Linux. + url="http://ian.idallen.ca/dnat.txt">Paper about DNAT and + Linux.
@@ -240,7 +249,7 @@ DNAT net loc:192.168.3:22 tcp 1022 (FAQ 2) I port forward www requests to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse http://www.mydomain.com but internal clients - can't. + can't. Answer: I have two objections to this setup. @@ -249,7 +258,7 @@ DNAT net loc:192.168.3:22 tcp 1022 Having an internet-accessible server in your local network is like raising foxes in the corner of your hen house. If the server is - compromised, there's nothing between that server and your other + compromised, there's nothing between that server and your other internal systems. For the cost of another NIC and a cross-over cable, you can put your server in a DMZ such that it is isolated from your local systems - assuming that the Server can be located @@ -258,11 +267,11 @@ DNAT net loc:192.168.3:22 tcp 1022 The accessibility problem is best solved using Bind Version 9 views - (or using a separate DNS server for local clients) such that - www.mydomain.com resolves to 130.141.100.69 externally and - 192.168.1.5 internally. That's what I do here at shorewall.net - for my local systems that use one-to-one NAT. + url="shorewall_setup_guide.htm#DNS">Bind Version 9 + views (or using a separate DNS server for + local clients) such that www.mydomain.com resolves to 130.141.100.69 + externally and 192.168.1.5 internally. That's what I do here at + shorewall.net for my local systems that use one-to-one NAT. @@ -278,9 +287,11 @@ DNAT net loc:192.168.3:22 tcp 1022 If you are running Shorewall 1.4.1 or Shorewall 1.4.1a, please upgrade to Shorewall 1.4.2 or later. - Otherwise:In this configuration, all loc->loc - traffic will look to the server as if it came from the firewall rather - than from the original client! + Otherwise: + In this configuration, all loc->loc traffic will look to + the server as if it came from the firewall rather than from the + original client! + @@ -294,7 +305,7 @@ loc eth1 detect routeback

In /etc/shorewall/masq: #INTERFACE SUBNET ADDRESS PROTO PORT(S) -eth1 eth1 192.168.1.254 tcp www +eth1:192.168.1.5 eth1 192.168.1.254 tcp www @@ -306,7 +317,8 @@ DNAT loc loc:192.168.1.5 tcp www - 130.15 That rule only works of course if you have a static external IP address. If you have a dynamic IP address and are running - Shorewall 1.3.4 or later then include this in /etc/shorewall/init: + Shorewall 1.3.4 or later then include this in + /etc/shorewall/init: ETH0_IP=`find_interface_address eth0` @@ -326,14 +338,14 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0 (FAQ 2a) I have a zone <quote>Z</quote> with an RFC1918 subnet and I use one-to-one NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot communicate with each other using their external - (non-RFC1918 addresses) so they can't access each other using - their DNS names. + (non-RFC1918 addresses) so they can't access each other using their + DNS names. If the ALL INTERFACES column in /etc/shorewall/nat is empty or contains Yes, you will also see log messages like the following when trying to access a host in Z from another host in Z - using the destination hosts's public address: + using the destination hosts's public address: Oct 4 10:26:40 netgw kernel: Shorewall:FORWARD:REJECT:IN=eth1 OUT=eth1 SRC=192.168.118.200 @@ -344,19 +356,19 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0 Answer: This is another problem that is best solved using Bind Version 9 views. It allows both external and internal clients to access a NATed host using - the host's DNS name. + the host's DNS name. Another good way to approach this problem is to switch from one-to-one NAT to Proxy ARP. That way, the hosts in Z have non-RFC1918 addresses and can be accessed externally and internally using the same address. - If you don't like those solutions and prefer routing all - Z->Z traffic through your firewall then: + If you don't like those solutions and prefer routing all Z->Z + traffic through your firewall then: - Set the Z->Z policy to ACCEPT. + Set the Z->Z policy to ACCEPT. @@ -372,7 +384,7 @@ DNAT loc loc:192.168.1.5 tcp www - $ETH0 Yes. - In this configuration, all Z->Z traffic will look to + In this configuration, all Z->Z traffic will look to the server as if it came from the firewall rather than from the original client! I DO NOT RECOMMEND THIS SETUP. @@ -420,13 +432,13 @@ eth2 192.168.2.0/24 following:
- > I know PoM -ng is going to address this issue, but till it is ready, and -> all the extras are ported to it, is there any way to use the h.323 -> contrack module kernel patch with a 2.6 kernel? -> Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not -> an option... The module is not ported yet to 2.6, sorry. -> Do I have any options besides a gatekeeper app (does not work in my -> network) or a proxy (would prefer to avoid them)? + > I know PoM -ng is going to address this issue, but till it is ready, and +> all the extras are ported to it, is there any way to use the h.323 +> contrack module kernel patch with a 2.6 kernel? +> Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not +> an option... The module is not ported yet to 2.6, sorry. +> Do I have any options besides a gatekeeper app (does not work in my +> network) or a proxy (would prefer to avoid them)? I suggest everyone to setup a proxy (gatekeeper) instead: the module is really dumb and does not deserve to exist at all. It was an excellent tool @@ -436,7 +448,8 @@ to debug/develop the newnat interface. Look here for a solution for MSN IM but be aware that there are significant security risks involved with this solution. Also check the Netfilter - mailing list archives at http://www.netfilter.org. + mailing list archives at http://www.netfilter.org. @@ -460,14 +473,15 @@ to debug/develop the newnat interface. cuts down slightly on the amount of Windows chatter on LAN segments connected to the Firewall. - If you are seeing port 80 being closed, that's + If you are seeing port 80 being closed, that's probably your ISP preventing you from running a web server in violation of your Service Agreement. You can change the default behavior of Shorewall through use of an /etc/shorewall/common file. See the Extension Script Section. + url="shorewall_extension_scripts.htm">Extension Script + Section. @@ -482,14 +496,16 @@ to debug/develop the newnat interface. the default policy to all zone from the internet is DROP. The Drop action is defined in /etc/shorewall/action.Drop which in turn invokes the RejectAuth - action (defined in /etc/shorewall/action.RejectAuth). - This is necessary to prevent outgoing connection problems to services - that use the Auth mechanism for identifying requesting - users. That is the only service which the default setup rejects. + action (defined in + /etc/shorewall/action.RejectAuth). This is + necessary to prevent outgoing connection problems to services that use + the Auth mechanism for identifying requesting users. That + is the only service which the default setup rejects. If you are seeing closed TCP ports other than 113 (auth) then either you have added rules to REJECT those ports or a router outside of - your firewall is responding to connection requests on those ports. + your firewall is responding to connection requests on those + ports.
(FAQ 4a) I just ran an nmap UDP scan of my firewall and it @@ -499,12 +515,12 @@ to debug/develop the newnat interface.</programlisting></para> read the nmap man page section about UDP scans. If nmap gets <emphasis role="bold">nothing</emphasis> back from your firewall then it reports the port as open. If you want to see which UDP ports are really open, - temporarily change your net->all policy to REJECT, restart + temporarily change your net->all policy to REJECT, restart Shorewall and do the nmap UDP scan again.</para> </section> <section id="faq4b"> - <title>(FAQ 4b) I have a port that I can't close no matter how I + <title>(FAQ 4b) I have a port that I can't close no matter how I change my rules. I had a rule that allowed telnet from my local network to my @@ -522,8 +538,9 @@ to debug/develop the newnat interface. (FAQ 4c) How to I use Shorewall with PortSentry? Here's - a writeup on a nice integration of Shorewall and PortSentry. + url="http://www.shorewall.net/pub/shorewall/contrib/PortsentryHOWTO.txt">Here's + a writeup on a nice integration of Shorewall and + PortSentry.
@@ -532,8 +549,8 @@ to debug/develop the newnat interface. Connection Problems
- (FAQ 5) I've installed Shorewall and now I can't ping - through the firewall + (FAQ 5) I've installed Shorewall and now I can't ping through the + firewall Answer: For a complete description of Shorewall ping management, see
- (FAQ 15) My local systems can't see out to the net + (FAQ 15) My local systems can't see out to the net Answer: Every time I read - systems can't see out to the net, I wonder where the + systems can't see out to the net, I wonder where the poster bought computers with eyes and what those computers will see when things are working properly. That aside, the most common causes of this problem are: - The default gateway on each local system isn't set to the - IP address of the local firewall interface. + The default gateway on each local system isn't set to the IP + address of the local firewall interface. @@ -562,32 +579,34 @@ to debug/develop the newnat interface. The DNS settings on the local systems are wrong or the user is - running a DNS server on the firewall and hasn't enabled UDP and - TCP port 53 from the firewall to the internet. + running a DNS server on the firewall and hasn't enabled UDP and TCP + port 53 from the firewall to the internet.
- (FAQ 29) FTP Doesn't Work + (FAQ 29) FTP Doesn't Work - See the Shorewall and FTP page. + See the Shorewall and FTP + page.
(FAQ 33) From clients behind the firewall, connections to some sites fail. Connections to the same sites from the firewall itself work - fine. What's wrong. + fine. What's wrong. Answer: Most likely, you need to - set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf. + set CLAMPMSS=Yes in /etc/shorewall/shorewall.conf.
(FAQ 35) I have two Ethernet interfaces to my local network which - I have bridged. When Shorewall is started, I'm unable to pass - traffic through the bridge. I have defined the bridge interface (br0) as - the local interface in /etc/shorewall/interfaces; the bridged Ethernet + I have bridged. When Shorewall is started, I'm unable to pass traffic + through the bridge. I have defined the bridge interface (br0) as the + local interface in /etc/shorewall/interfaces; the bridged Ethernet interfaces are not defined to Shorewall. How do I tell Shorewall to allow traffic through the bridge? @@ -605,37 +624,39 @@ to debug/develop the newnat interface. the destination? Answer: NetFilter uses the - kernel's equivalent of syslog (see man syslog) to log - messages. It always uses the LOG_KERN (kern) facility (see - man openlog) and you get to choose the log level (again, - see man syslog) in your man syslog) to log + messages. It always uses the LOG_KERN (kern) facility (see man + openlog) and you get to choose the log level (again, see + man syslog) in your policies and rules. The destination for - messaged logged by syslog is controlled by /etc/syslog.conf - (see man syslog.conf). When you have changed - /etc/syslog.conf, be sure to restart syslogd (on a RedHat system, - service syslog restart). + messaged logged by syslog is controlled by + /etc/syslog.conf (see man + syslog.conf). When you have changed /etc/syslog.conf, be sure to + restart syslogd (on a RedHat system, service syslog + restart). By default, older versions of Shorewall ratelimited log messages through settings in /etc/shorewall/shorewall.conf -- If you want to log all messages, set: - LOGLIMIT="" -LOGBURST="" + LOGLIMIT="" +LOGBURST="" Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages to a separate file.
- (FAQ 6a) Are there any log parsers that work with Shorewall? + (FAQ 6a) Are there any log parsers that work with + Shorewall? Answer: Here are several links that may be helpful: http://www.shorewall.net/pub/shorewall/parsefw/ + url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/pub/shorewall/parsefw/ http://www.fireparse.com http://cert.uni-stuttgart.de/projects/fwlogwatch http://www.logwatch.org @@ -725,10 +746,23 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p - ExampleMAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00Destination - MAC address = 00:04:4c:dc:e2:28Source - MAC address = 00:b0:8e:cf:3c:4cEthernet - Frame Type = 08:00 (IP Version 4) + + Example + + MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00 + + Destination MAC address = 00:04:4c:dc:e2:28 + + + + Source MAC address = 00:b0:8e:cf:3c:4c + + + + Ethernet Frame Type = 08:00 (IP Version 4) + + +
@@ -737,22 +771,23 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p making it unusable! Answer: If you are running - Shorewall version 1.4.4 or 1.4.4a then check the errata. - Otherwise: + Shorewall version 1.4.4 or 1.4.4a then check the errata. Otherwise: Find where klogd is being started (it will be from one of the files in /etc/init.d -- sysklogd, klogd, ...). Modify that file or the appropriate configuration file so that klogd is started with - -c <n> where - <n> is a log level of 5 or less; or + -c <n> where + <n> is a log level of 5 or less; + or - See the dmesg man page (man dmesg). - You must add a suitable dmesg command to your startup - scripts or place it in /etc/shorewall/start. + See the dmesg man page (man + dmesg). You must add a suitable dmesg command + to your startup scripts or place it in /etc/shorewall/start. @@ -788,9 +823,10 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p man1918 or logdrop - The destination address is listed in /usr/share/shorewall/rfc1918 - with a logdrop target -- see - /usr/share/shorewall/rfc1918. + The destination address is listed in + /usr/share/shorewall/rfc1918 with a logdrop target -- see /usr/share/shorewall/rfc1918. @@ -806,23 +842,25 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p - all2<zone>, <zone>2all or all2all + all2<zone>, <zone>2all or all2all - You have a policy - that specifies a log level and this packet is being logged under - that policy. If you intend to ACCEPT this traffic then you need a - rule to that effect. + You have a policy that specifies a log + level and this packet is being logged under that policy. If you + intend to ACCEPT this traffic then you need a rule to that effect. - <zone1>2<zone2> + <zone1>2<zone2> - Either you have a policy - for <zone1> to <zone2> that specifies a log level + Either you have a policy for <zone1> to <zone2> that specifies a log level and this packet is being logged under that policy or this packet matches a rule that includes a log level. @@ -830,11 +868,13 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p - <interface>_mac + <interface>_mac - The packet is being logged under the maclist - interface option. + The packet is being logged under the maclist interface + option. @@ -842,8 +882,10 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p logpkt - The packet is being logged under the logunclean - interface option. + The packet is being logged under the logunclean interface + option. @@ -851,10 +893,12 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p badpkt - The packet is being logged under the dropunclean - interface option - as specified in the LOGUNCLEAN - setting in /etc/shorewall/shorewall.conf. + The packet is being logged under the dropunclean interface option as + specified in the LOGUNCLEAN + setting in /etc/shorewall/shorewall.conf. @@ -876,8 +920,9 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p The packet is being logged because it is a TCP packet that is not part of any current connection yet it is not a syn packet. Options affecting the logging of such packets include NEWNOTSYN and LOGNEWNOTSYN - in /etc/shorewall/shorewall.conf. + role="bold">NEWNOTSYN and LOGNEWNOTSYN in /etc/shorewall/shorewall.conf. @@ -885,12 +930,12 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p INPUT or FORWARD - The packet has a source IP address that isn't in any of - your defined zones (shorewall check and look at the + The packet has a source IP address that isn't in any of your + defined zones (shorewall check and look at the printed zone definitions) or the chain is FORWARD and the - destination IP isn't in any of your defined zones. Also see - for another cause of packets being logged - in the FORWARD chain. + destination IP isn't in any of your defined zones. Also see for another cause of packets being logged in + the FORWARD chain. @@ -900,7 +945,8 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p The packet is being logged because it failed the checks implemented by the tcpflags - interface option. + interface + option. @@ -910,22 +956,23 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 + role="bold">IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3 LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP + role="bold">PROTO=UDP SPT=1803 DPT=53 LEN=47 - Let's look at the important parts of this message: + Let's look at the important parts of this message: all2all:REJECT - This packet was REJECTed out of the all2all - chain -- the packet was rejected under the all->all - REJECT policy ( above). + This packet was REJECTed out of the all2all chain -- the packet was rejected + under the all->all REJECT + policy ( above). @@ -986,7 +1033,8 @@ role="bold">PROTO=UDP url="http://logi.cc/linux/netfilter-log-format.php3">http://logi.cc/linux/netfilter-log-format.php3. In this case, 192.168.2.2 was in the dmz zone and - 192.168.1.3 is in the loc zone. I was missing the rule: + 192.168.1.3 is in the loc zone. I was missing the + rule: ACCEPT dmz loc udp 53 @@ -1027,15 +1075,15 @@ role="bold">PROTO=UDP UDP port 2857. This causes a port unreachable (type 3, code 3) to be generated back to 192.0.2.3. As this packet is sent back through 206.124.146.179, that box correctly changes the source address in the - packet to 206.124.146.179 but doesn't reset the DST IP in the - original DNS response similarly. When the ICMP reaches your firewall - (192.0.2.3), your firewall has no record of having sent a DNS reply to - 172.16.1.10 so this ICMP doesn't appear to be related to anything - that was sent. The final result is that the packet gets logged and - dropped in the all2all chain. I have also seen cases where the source IP - in the ICMP itself isn't set back to the external IP of the remote - NAT gateway; that causes your firewall to log and drop the packet out of - the rfc1918 chain because the source IP is reserved by RFC 1918. + packet to 206.124.146.179 but doesn't reset the DST IP in the original + DNS response similarly. When the ICMP reaches your firewall (192.0.2.3), + your firewall has no record of having sent a DNS reply to 172.16.1.10 so + this ICMP doesn't appear to be related to anything that was sent. The + final result is that the packet gets logged and dropped in the all2all + chain. I have also seen cases where the source IP in the ICMP itself + isn't set back to the external IP of the remote NAT gateway; that causes + your firewall to log and drop the packet out of the rfc1918 chain + because the source IP is reserved by RFC 1918. @@ -1082,7 +1130,8 @@ eth1 eth2 url="http://www.lartc.org">LARTC HOWTO and has not been verified by the author. If you have questions or problems with the instructions given below, please post to the LARTC mailing list. + url="http://www.lartc.org/#mailinglist">LARTC mailing + list. A common configuration is the following, in which there are two @@ -1118,15 +1167,17 @@ eth1 eth2 Let us first set some symbolical names. Let $IF1 be the name of the first interface (if1 in the picture above) and $IF2 the name - of the second interface. Then let $IP1 - be the IP address associated with $IF1 - and $IP2 the IP address associated - with $IF2. Next, let $IP1 be the IP address associated with + $IF1 and $IP2 the IP address associated with $IF2. Next, let $P1 be the IP address of the gateway at Provider 1, and $P2 the IP address of - the gateway at provider 2. Finally, let $P1_NET - be the IP network $P1 is in, and - $P2_NET the IP network $P1_NET be the IP network $P1 is in, and $P2_NET the IP network $P2 is in. One creates two additional routing tables, say Next you set up the main routing table. It is a good idea to route things to the direct neighbour through the interface connected - to that neighbour. Note the `src' arguments, they make sure the - right outgoing IP address is chosen. + to that neighbour. Note the `src' arguments, they make sure the right + outgoing IP address is chosen. ip route add $P1_NET dev $IF1 src $IP1 ip route add $P2_NET dev $IF2 src $IP2 @@ -1170,8 +1221,8 @@ ip rule add from $IP2 table T2 on a particular interface get answered from that interface. - 'If $P0_NET is the local network and $IF0 is its - interface, the following additional entries are desirable: + 'If $P0_NET is the local network and $IF0 is its interface, + the following additional entries are desirable: ip route add $P0_NET dev $IF0 table T1 ip route add $P2_NET dev $IF2 table T1 @@ -1215,9 +1266,9 @@ ip route add 127.0.0.0/8 dev lo table T2 Furthermore, if you really want to do this, you probably also - want to look at Julian Anastasov's patches at http://www.ssi.bg/~ja/#routes - , Julian's route patch page. They will make things nicer to work + , Julian's route patch page. They will make things nicer to work with. @@ -1242,7 +1293,8 @@ ip route add 127.0.0.0/8 dev lo table T2 url="http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound">http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-inbound For the use of multiple outbound links to the Internet, there - are a number of different techniques. The simplest is identified here: + are a number of different techniques. The simplest is identified + here: http://linux-ip.net/html/adv-multi-internet.html#adv-multi-internet-outbound @@ -1250,7 +1302,8 @@ ip route add 127.0.0.0/8 dev lo table T2 Better (and more robust) techniques are available after a kernel routing patch by Julian Anastasov. See the famous nano-howto. - http://www.ssi.bg/~ja/ + http://www.ssi.bg/~ja/ @@ -1259,19 +1312,20 @@ ip route add 127.0.0.0/8 dev lo table T2 Starting and Stopping
- (FAQ 7) When I stop Shorewall using <quote>shorewall stop</quote>, - I can't connect to anything. Why doesn't that command work? + (FAQ 7) When I stop Shorewall using <quote>shorewall + stop</quote>, I can't connect to anything. Why doesn't that command + work? The stop command is intended to place your firewall into a safe state whereby only those hosts listed in - /etc/shorewall/routestopped' are activated. If - you want to totally open up your firewall, you must use the + /etc/shorewall/routestopped' are activated. If you + want to totally open up your firewall, you must use the shorewall clear command.
(FAQ 8) When I try to start Shorewall on RedHat, I get messages - about insmod failing -- what's wrong? + about insmod failing -- what's wrong? Answer: The output you will see looks something like this: @@ -1281,7 +1335,7 @@ Hint: insmod errors can be caused by incorrect module parameters, including inva /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed -iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?) +iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?) Perhaps iptables or your kernel needs to be upgraded. This problem is usually corrected through the following sequence @@ -1300,12 +1354,13 @@ rmmod ipchains message referring me to FAQ #8 Answer: This is usually cured - by the sequence of commands shown above in . + by the sequence of commands shown above in .
- (FAQ 9) Why can't Shorewall detect my interfaces properly at + <title>(FAQ 9) Why can't Shorewall detect my interfaces properly at startup? I just installed Shorewall and when I issue the start command, I @@ -1327,18 +1382,18 @@ Deleting user chains... Creating input Chains... ... - Why can't Shorewall detect my interfaces properly? + Why can't Shorewall detect my interfaces properly? Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts connected through eth1. If you are running Shorewall 1.4.10 or later, you can consider setting the - detectnets - interface option on your local interface (eth1 in the above example). That will - cause Shorewall to restrict the local zone to only those networks routed - through that interface. + detectnets interface option on your local + interface (eth1 in the above + example). That will cause Shorewall to restrict the local zone to only + those networks routed through that interface.
@@ -1346,24 +1401,24 @@ Creating input Chains... Shorewall starts. Which file do I put them in? You can place these commands in one of the Shorewall Extension Scripts. - Be sure that you look at the contents of the chain(s) that you will be - modifying with your commands to be sure that the commands will do what - they are intended. Many iptables commands published in HOWTOs and other - instructional material use the -A command which adds the rules to the - end of the chain. Most chains that Shorewall constructs end with an - unconditional DROP, ACCEPT or REJECT rule and any rules that you add - after that will be ignored. Check man iptables and look - at the -I (--insert) command. + url="shorewall_extension_scripts.htm">Shorewall Extension + Scripts. Be sure that you look at the contents of the chain(s) + that you will be modifying with your commands to be sure that the + commands will do what they are intended. Many iptables commands + published in HOWTOs and other instructional material use the -A command + which adds the rules to the end of the chain. Most chains that Shorewall + constructs end with an unconditional DROP, ACCEPT or REJECT rule and any + rules that you add after that will be ignored. Check man + iptables and look at the -I (--insert) command.
(FAQ 34) How can I speed up start (restart)? Using a light-weight shell such as ash can - dramatically decrease the time required to start - or restart Shorewall. See the - SHOREWALL_SHELL variable in start or restart + Shorewall. See the SHOREWALL_SHELL variable in shorewall.conf. Beginning with Shorewall version 2.0.2 Beta 1, Shorewall supports @@ -1380,8 +1435,9 @@ Creating input Chains... Use the -f option to the start command (e.g., shorewall -f start). This - causes Shorewall to look for the /var/lib/shorewall/restore - script and if that script exists, it is run. Running + causes Shorewall to look for the + /var/lib/shorewall/restore script and if that + script exists, it is run. Running /var/lib/shorewall/restore takes much less time than a full shorewall start. @@ -1411,18 +1467,19 @@ Creating input Chains... Likewise, if you change your Shorewall configuration then once you are satisfied that it is working properly, you must do another shorewall save. Otherwise at the next reboot, you - will revert to the old configuration stored in /var/lib/shorewall/restore. + will revert to the old configuration stored in + /var/lib/shorewall/restore.
(FAQ 34a) I get errors about a host or network not found when I run<filename>/var/lib/shorewall/restore</filename>. The - <command>shorewall restore</command> and <command>shorewall -f start</command> - commands gives the same result. + shorewall restore and shorewall -f + start commands gives the same result. Answer: iptables 1.2.9 is broken with respect to iptables-save and the connection tracking match extension. You must patch your - iptables using the patch available from the Shorewall - errata page. + iptables using the patch available from the Shorewall errata page.
@@ -1434,7 +1491,8 @@ Creating input Chains... (FAQ 10) What Distributions does it work with? Shorewall works with any GNU/Linux distribution that includes the - proper prerequisites. + proper + prerequisites.
@@ -1466,14 +1524,15 @@ Creating input Chains...
(FAQ 23) Why do you use such ugly fonts on your web site? - The Shorewall web site is almost font neutral (it doesn't + The Shorewall web site is almost font neutral (it doesn't explicitly specify fonts except on a few pages) so the fonts you see are - largely the default fonts configured in your browser. If you don't - like them then reconfigure your browser. + largely the default fonts configured in your browser. If you don't like + them then reconfigure your browser.
- (FAQ 25) How to I tell which version of Shorewall I am running? + (FAQ 25) How to I tell which version of Shorewall I am + running? At the shell prompt, type: @@ -1494,7 +1553,8 @@ Creating input Chains... - Tear Drop: Sending packets that contain overlapping fragments? + Tear Drop: Sending packets that contain overlapping + fragments? Answer: This is the responsibility of the IP stack, not the @@ -1512,7 +1572,8 @@ Creating input Chains... blacklisting facility. Shorewall versions 2.0.0 and later filter these packets under the nosmurfs interface option in - /etc/shorewall/interfaces. + /etc/shorewall/interfaces. @@ -1522,8 +1583,8 @@ Creating input Chains... Answer: Yes, if the routefilter interface option - is selected. + url="Documentation.htm#Interfaces">routefilter interface + option is selected. @@ -1532,10 +1593,10 @@ Creating input Chains... Answer: Shorewall has facilities for limiting SYN and ICMP - packets. Netfilter as included in standard Linux kernels - doesn't support per-remote-host limiting except by explicit - rule that specifies the host IP address; that form of limiting is - supported by Shorewall. + packets. Netfilter as included in standard Linux kernels doesn't + support per-remote-host limiting except by explicit rule that + specifies the host IP address; that form of limiting is supported + by Shorewall. @@ -1556,20 +1617,22 @@ Creating input Chains...
(FAQ 36) Does Shorewall Work with the 2.6 Linux Kernel? - Shorewall works with the 2.6 Kernels with a couple of caveats: + Shorewall works with the 2.6 Kernels with a couple of + caveats: - Netfilter/iptables doesn't fully support IPSEC in the 2.6 + Netfilter/iptables doesn't fully support IPSEC in the 2.6 Kernels -- there are interim instructions linked from the Shorewall IPSEC page. The 2.6 Kernels do not provide support for the logunclean and - dropunclean options in /etc/shorewall/interfaces. - Note that support for those options was also removed from Shorewall - in version 2.0.0. + dropunclean options in + /etc/shorewall/interfaces. Note that support + for those options was also removed from Shorewall in version + 2.0.0.
@@ -1579,10 +1642,10 @@ Creating input Chains... RFC 1918
- (FAQ 14) I'm connected via a cable modem and it has an - internal web server that allows me to configure/monitor it but as - expected if I enable rfc1918 blocking for my eth0 interface (the - internet one), it also blocks the cable modems web server. + (FAQ 14) I'm connected via a cable modem and it has an internal + web server that allows me to configure/monitor it but as expected if I + enable rfc1918 blocking for my eth0 interface (the internet one), it + also blocks the cable modems web server. Is there any way it can add a rule before the rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address of the @@ -1600,7 +1663,8 @@ Creating input Chains... first copy /usr/share/shorewall/rfc1918 to /etc/shorewall/rfc1918): - Be sure that you add the entry ABOVE the entry for 192.168.0.0/16. + Be sure that you add the entry ABOVE the entry for + 192.168.0.0/16. #SUBNET TARGET 192.168.100.1 RETURN @@ -1618,10 +1682,9 @@ Creating input Chains...
- (FAQ 14a) Even though it assigns public IP addresses, my - ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 - filtering on my external interface, my DHCP client cannot renew its - lease. + (FAQ 14a) Even though it assigns public IP addresses, my ISP's + DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on + my external interface, my DHCP client cannot renew its lease. The solution is the same as above. Simply substitute the IP address of your ISPs DHCP server. @@ -1647,9 +1710,9 @@ Creating input Chains...
(FAQ 19) I have added entries to /etc/shorewall/tcrules but they - don't seem to do anything. Why? + don't seem to do anything. Why? - You probably haven't set TC_ENABLED=Yes in + You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf so the contents of the tcrules file are simply being ignored.
@@ -1658,19 +1721,21 @@ Creating input Chains... (FAQ 20) I have just set up a server. Do I have to change Shorewall to allow access to my server from the internet? - Yes. Consult the QuickStart - guide that you used during your initial setup for information - about how to set up rules for your server. + Yes. Consult the QuickStart guide that you + used during your initial setup for information about how to set up rules + for your server.
- (FAQ 24) How can I allow conections to let's say the ssh port + <title>(FAQ 24) How can I allow conections to let's say the ssh port only from specific IP Addresses on the internet? In the SOURCE column of the rule, follow net by a - colon and a list of the host/subnet addresses as a comma-separated list. + colon and a list of the host/subnet addresses as a comma-separated + list. - net:<ip1>,<ip2>,... + net:<ip1>,<ip2>,... Example: @@ -1682,15 +1747,16 @@ Creating input Chains...
(FAQ 26) When I try to use any of the SYN options in nmap on or behind the firewall, I get <quote>operation not permitted</quote>. How - can I use nmap with Shorewall?" + can I use nmap with Shorewall?" - Edit /etc/shorewall/shorewall.conf and change NEWNOTSYN=No - to NEWNOTSYN=Yes then restart Shorewall. + Edit /etc/shorewall/shorewall.conf and change + NEWNOTSYN=No to NEWNOTSYN=Yes then restart + Shorewall.
(FAQ 26a) When I try to use the <quote>-O</quote> option of - nmap from the firewall system, I get <quote>operation not permitted</quote>. - How do I allow this option? + nmap from the firewall system, I get operation not + permitted. How do I allow this option? Add this command to your /etc/shorewall/start file: @@ -1699,34 +1765,35 @@ Creating input Chains...
- (FAQ 27) I'm compiling a new kernel for my firewall. What - should I look out for? + (FAQ 27) I'm compiling a new kernel for my firewall. What should + I look out for? First take a look at the Shorewall kernel configuration page. You probably also want to be sure that you have selected the NAT of local connections (READ HELP) on the Netfilter Configuration menu. - Otherwise, DNAT rules with your firewall as the source zone won't - work with your new kernel. + Otherwise, DNAT rules with your firewall as the source zone won't work + with your new kernel.
(FAQ 27a) I just built and installed a new kernel and now - Shorewall won't start. I know that my kernel options are correct. + Shorewall won't start. I know that my kernel options are + correct. The last few lines of a startup trace are these: + run_iptables2 -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE -+ '[' 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j -MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0. -0/0 -j MASQUERADE' ']' ++ '[' 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j +MASQUERADE' = 'x-t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0. +0/0 -j MASQUERADE' ']' + run_iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE + iptables -t nat -A eth0_masq -s 192.168.2.0/24 -d 0.0.0.0/0 -j MASQUERADE iptables: Invalid argument -+ '[' -z '' ']' ++ '[' -z '' ']' + stop_firewall + set +x @@ -1748,40 +1815,316 @@ iptables: Invalid argument Revision History - 1.282004-07-14TEInsert - link to Ian Allen's DNAT paper (FAQ 38)1.272004-06-18TECorrect - formatting in H323 quote.1.262004-05-18TEDelete - obsolete ping information.1.252004-05-18TEEmpty - /etc/shorewall on Debian.1.252004-05-08TEUpdate - for Shorewall 2.0.21.242004-04-25TEAdd - MA Brown's notes on multi-ISP routing.1.232004-04-22TERefined - SNAT rule in FAQ #2.1.222004-04-06TEAdded - FAQ 36.1.212004-03-05TEAdded - Bridging link.1.202004-02-27TEAdded - FAQ 35.1.192004-02-22TEAdded - mention of nosmurfs option under FAQ 31.1.182004-02-15TEAdded - FAQ 34.1.172004-02-11TEAdded - FAQ 33.1.162004-02-03TEUpdated - for Shorewall 2.0.1.152004-01-25TEUpdated - FAQ 32 to mention masquerading. Remove tables.1.142004-01-24TEAdded - FAQ 27a regarding kernel/iptables incompatibility.1.132004-01-24TEAdd - a note about the detectnets interface - option in FAQ 9.1.122004-01-20TEImprove - FAQ 16 answer.1.112004-01-14TECorrected - broken link1.102004-01-09TEAdded - a couple of more legacy FAQ numbers.1.92004-01-08TECorrected - typo in FAQ 26a. Added warning to FAQ 2 regarding source address of - redirected requests.1.82003-12-31TEAdditions - to FAQ 4.1.72003-12-30TERemove - dead link from FAQ 1.1.62003.12-18TEAdd - external link reference to FAQ 17.1.52003-12-16TEAdded - a link to a Sys Admin article about multiple internet interfaces. Added - Legal Notice. Moved "abstract" to the body of the document. Moved - Revision History to this Appendix.1.42003-12-13TECorrected - formatting problems1.32003-12-10TEChanged - the title of FAQ 171.22003-12-09TEAdded - Copyright and legacy FAQ numbers1.12003-12-04MNConverted - to Simplified DocBook XML1.02002-08-13TEInitial - revision + + + 1.28 + + 2004-07-14 + + TE + + Insert link to Ian Allen's DNAT paper (FAQ + 38) + + + + 1.27 + + 2004-06-18 + + TE + + Correct formatting in H323 quote. + + + + 1.26 + + 2004-05-18 + + TE + + Delete obsolete ping information. + + + + 1.25 + + 2004-05-18 + + TE + + Empty /etc/shorewall on Debian. + + + + 1.25 + + 2004-05-08 + + TE + + Update for Shorewall 2.0.2 + + + + 1.24 + + 2004-04-25 + + TE + + Add MA Brown's notes on multi-ISP routing. + + + + 1.23 + + 2004-04-22 + + TE + + Refined SNAT rule in FAQ #2. + + + + 1.22 + + 2004-04-06 + + TE + + Added FAQ 36. + + + + 1.21 + + 2004-03-05 + + TE + + Added Bridging link. + + + + 1.20 + + 2004-02-27 + + TE + + Added FAQ 35. + + + + 1.19 + + 2004-02-22 + + TE + + Added mention of nosmurfs option under FAQ + 31. + + + + 1.18 + + 2004-02-15 + + TE + + Added FAQ 34. + + + + 1.17 + + 2004-02-11 + + TE + + Added FAQ 33. + + + + 1.16 + + 2004-02-03 + + TE + + Updated for Shorewall 2.0. + + + + 1.15 + + 2004-01-25 + + TE + + Updated FAQ 32 to mention masquerading. Remove + tables. + + + + 1.14 + + 2004-01-24 + + TE + + Added FAQ 27a regarding kernel/iptables + incompatibility. + + + + 1.13 + + 2004-01-24 + + TE + + Add a note about the detectnets interface option in FAQ + 9. + + + + 1.12 + + 2004-01-20 + + TE + + Improve FAQ 16 answer. + + + + 1.11 + + 2004-01-14 + + TE + + Corrected broken link + + + + 1.10 + + 2004-01-09 + + TE + + Added a couple of more legacy FAQ numbers. + + + + 1.9 + + 2004-01-08 + + TE + + Corrected typo in FAQ 26a. Added warning to FAQ 2 + regarding source address of redirected requests. + + + + 1.8 + + 2003-12-31 + + TE + + Additions to FAQ 4. + + + + 1.7 + + 2003-12-30 + + TE + + Remove dead link from FAQ 1. + + + + 1.6 + + 2003.12-18 + + TE + + Add external link reference to FAQ 17. + + + + 1.5 + + 2003-12-16 + + TE + + Added a link to a Sys Admin article about multiple + internet interfaces. Added Legal Notice. Moved "abstract" to the + body of the document. Moved Revision History to this + Appendix. + + + + 1.4 + + 2003-12-13 + + TE + + Corrected formatting problems + + + + 1.3 + + 2003-12-10 + + TE + + Changed the title of FAQ 17 + + + + 1.2 + + 2003-12-09 + + TE + + Added Copyright and legacy FAQ numbers + + + + 1.1 + + 2003-12-04 + + MN + + Converted to Simplified DocBook XML + + + + 1.0 + + 2002-08-13 + + TE + + Initial revision + + \ No newline at end of file diff --git a/Shorewall-docs2/IPSEC-2.6.xml b/Shorewall-docs2/IPSEC-2.6.xml new file mode 100644 index 000000000..c240c8b33 --- /dev/null +++ b/Shorewall-docs2/IPSEC-2.6.xml @@ -0,0 +1,294 @@ + + +
+ + + + IPSEC using Linux Kernel 2.6 + + + + Tom + + Eastep + + + + 2004-08-15 + + + 2004 + + Thomas M. Eastep + + + + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. + + + + + To use this support, your kernel and iptables must include the + Netfilter+ipsec patches and policy match support and you must be running + Shorewall 2.1.4 or later. + + + + As of this writing, the Netfilter+ipsec and policy match support are + broken when used with a bridge device. The problem has been reported to + the responsible Netfilter developer who has confirmed the problem. + + +
+ IPSec Gateway on the Firewall System + + Suppose that we have the following sutuation: + + + + We want systems in the 192.168.1.0/24 sub-network to be able to + communicate with systems in the 10.0.0.0/8 network. We assume that on both + systems A and B, eth0 is the internet interface. + + To make this work, we need to do two things: + + + + Open the firewall so that the IPSEC tunnel can be established + (allow the ESP and AH protocols and UDP Port 500). + + + + Allow traffic through the tunnel. + + + + Opening the firewall for the IPSEC tunnel is accomplished by adding + an entry to the /etc/shorewall/tunnels file. + + In /etc/shorewall/tunnels on system A, we need + the following + +
+ /etc/shorewall/tunnels — System A: + + #TYPE ZONE GATEWAY GATEWAY ZONE +ipsec net 134.28.54.2 +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + + /etc/shorewall/tunnels — System B: + + #TYPE ZONE GATEWAY GATEWAY ZONE +ipsec net 206.161.148.9 +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+ + + If either of the endpoints is behind a NAT gateway then the + tunnels file entry on the other + endpoint should specify a tunnel type of ipsecnat rather than ipsec and + the GATEWAY address should specify the external address of the NAT + gateway. + + + You need to define a zone for the remote subnet or include it in + your local zone. In this example, we'll assume that you have created a + zone called vpn to represent the remote subnet. + +
+ /etc/shorewall/zones — Systems A and + B: + + #ZONE DISPLAY COMMENTS +net Internet The big bad internet +vpn VPN Virtual Private Network +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+ + Remember the assumption that both systems A and B have eth0 as their + internet interface. + + You must define the vpn zone using the + /etc/shorewall/hosts file. + +
+ /etc/shorewall/hosts — System A + + #ZONE HOSTS OPTIONS +vpn eth0:10.0.0.0/8 ipsec +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + + /etc/shorewall/hosts — System B + + #ZONE HOSTS OPTIONS +vpn eth0:192.168.1.0/24 ipsec +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+ + Once you have these entries in place, restart Shorewall (type + shorewall restart); you are now ready to configure IPSEC. +
+ +
+ Mobile System (Road Warrior) + + Suppose that you have a laptop system (B) that you take with you + when you travel and you want to be able to establish a secure connection + back to your local network. + + + + + Road Warrior VPN + + You need to define a zone for the laptop or include it in your + local zone. In this example, we'll assume that you have created a zone + called vpn to represent the remote host. + +
+ /etc/shorewall/zones — System A + + #ZONE DISPLAY COMMENTS +net Internet The big bad internet +vpn VPN Road Warriors +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+ + In this instance, the mobile system (B) has IP address 134.28.54.2 + but that cannot be determined in advance. In the + /etc/shorewall/tunnels file on system A, the + following entry should be made:
+ #TYPE ZONE GATEWAY GATEWAY ZONE +ipsec net 0.0.0.0/0 vpn +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+ + + the GATEWAY ZONE column contains the name of the zone + corresponding to peer subnetworks. This indicates that the gateway + system itself comprises the peer subnetwork; in other words, the + remote gateway is a standalone system. + + + The VPN zone is defined using the /etc/shorewall/hosts + file: + +
+ /etc/shorewall/hosts — System A: + + #ZONE HOSTS OPTIONS +vpn eth0:0.0.0.0/0 ipsec +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE +
+ + You will need to configure your through the tunnel + policy as shown under the first example above. + +
+ +
+ Transport Mode + + In today's wireless world, it is often the case that individual + hosts in a network need to establish secure connections with the other + hosts in that network. In that case, IPSEC transport mode is an + appropriate solution. + + Here's an example + using the ipsec-tools package. The files shown are from host + 192.168.20.10; the configuration of the other nodes is similar. + +
+ /etc/racoon/racoon.conf: + + path pre_shared_key "/etc/racoon/psk.txt" ; + +remote anonymous +{ + exchange_mode aggressive ; + my_identifier user_fqdn "teastep@shorewall.net" ; + lifetime time 24 hour ; + proposal { + encryption_algorithm 3des; + hash_algorithm sha1; + authentication_method pre_shared_key ; + dh_group 2 ; + } +} + +sainfo anonymous +{ + pfs_group 2; + lifetime time 12 hour ; + encryption_algorithm 3des, blowfish, des, rijndael ; + authentication_algorithm hmac_sha1, hmac_md5 ; + compression_algorithm deflate ; +} + + + /etc/racoon/setkey.conf: + + # First of all flush the SPD database +spdflush; + +# Add some SPD rules + +spdadd 192.168.20.10/32 192.168.20.20/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.20/require; +spdadd 192.168.20.20/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.20.20-192.168.20.10/require; +spdadd 192.168.20.10/32 192.168.20.30/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.30/require; +spdadd 192.168.20.30/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.20.30-192.168.20.10/require; +spdadd 192.168.20.10/32 192.168.20.40/32 any -P out ipsec esp/transport/192.168.20.10-192.168.20.40/require; +spdadd 192.168.20.40/32 192.168.20.10/32 any -P in ipsec esp/transport/192.168.20.40-192.168.20.10/require; + + + /etc/racoon/psk.txt: + + teastep@shorewall.net <key> +
+ + Shorewall configuration goes as follows: + +
+ /etc/shorewall/zones: + + #ZONE DISPLAY COMMENTS +loc Local Local Network +net Net Internet +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + + /etc/shorewall/interfaces: + + #ZONE INTERFACE BROADCAST OPTIONS +net eth0 detect routefilter,dhcp,tcpflags +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE + + /etc/shorewall/hosts: + + #ZONE HOST(S) OPTIONS +loc eth0:192.168.20.0/24 ipsec +#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE + + /etc/shorewall/policy: + + #SOURCE DEST POLICY LOG LEVEL LIMIT:BURST +fw all ACCEPT +loc fw ACCEPT +net loc NONE +loc net NONE +net all DROP info +# The FOLLOWING POLICY MUST BE LAST +all all REJECT info +#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE + + Since there are no cases where net<->loc traffic should + occur, NONE policies are used. +
+
+
\ No newline at end of file diff --git a/Shorewall-docs2/IPSEC.xml b/Shorewall-docs2/IPSEC.xml index cd765a5c3..0b483a505 100644 --- a/Shorewall-docs2/IPSEC.xml +++ b/Shorewall-docs2/IPSEC.xml @@ -15,7 +15,7 @@ - 2004-08-13 + 2004-08-15 2001-2004 @@ -39,6 +39,12 @@ Kernel. Netfilter currently lacks full support for the 2.6 kernel's implementation of IPSEC. Until that implementation is complete, only a simple network-network tunnel is described for 2.6. + + UPDATE: Some distributions such as SuSE are + now shipping Kernels and iptables with the IPSEC-Netfilter patches and + policy match support. Check this + article for information concerning this support and + Shorewall.
diff --git a/Shorewall-docs2/images/TransportMode.png b/Shorewall-docs2/images/TransportMode.png index 7188ccc77..9f9f82b25 100755 Binary files a/Shorewall-docs2/images/TransportMode.png and b/Shorewall-docs2/images/TransportMode.png differ diff --git a/Shorewall-docs2/three-interface.xml b/Shorewall-docs2/three-interface.xml index f6575ca64..3c71bb3d3 100755 --- a/Shorewall-docs2/three-interface.xml +++ b/Shorewall-docs2/three-interface.xml @@ -15,7 +15,7 @@ - 2004-07-31 + 2004-08-10 2002-2004 @@ -29,7 +29,8 @@ 1.2 or any later version published by the Free Software Foundation; with no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the license is included in the section entitled - GNU Free Documentation License. + GNU Free Documentation + License. @@ -40,9 +41,9 @@ is a fairly straight-forward task if you understand the basics and follow the documentation. - This guide doesn't attempt to acquaint you with all of the - features of Shorewall. It rather focuses on what is required to configure - Shorewall in one of its more popular configurations: + This guide doesn't attempt to acquaint you with all of the features + of Shorewall. It rather focuses on what is required to configure Shorewall + in one of its more popular configurations: @@ -55,8 +56,9 @@ If you have more than one public IP address, this is not the - guide you want -- see the Shorewall - Setup Guide instead. + guide you want -- see the Shorewall Setup Guide + instead. @@ -85,12 +87,13 @@
Requirements - Shorewall requires that you have the iproute/iproute2 - package installed (on RedHat, the package is - called iproute). You can tell if this package is - installed by the presence of an ip program on your - firewall system. As root, you - can use the which command to check for this program: + Shorewall requires that you have the + iproute/iproute2 package installed + (on RedHat, the package is called + iproute). You can tell if this package is installed + by the presence of an ip program on your firewall + system. As root, you can use + the which command to check for this program: [root@gateway root]# which ip /sbin/ip @@ -101,8 +104,8 @@ Before you start I recommend that you first read through the guide to familiarize - yourself with what's involved then go back through it again making - your configuration changes. + yourself with what's involved then go back through it again making your + configuration changes. If you edit your configuration files on a @@ -121,7 +124,8 @@ - Linux + Linux Version of dos2unix @@ -132,7 +136,8 @@ Conventions Points at which configuration changes are recommended are flagged - with . + with . Configuration notes that are unique to LEAF/Bering are marked with . @@ -145,9 +150,10 @@ If you have an ADSL Modem and you use PPTP to communicate with a - server in that modem, you must make the changes - recommended here in addition to those detailed below. ADSL with - PPTP is most commonly found in Europe, notably in Austria. + server in that modem, you must make the changes recommended here in addition to + those detailed below. ADSL with PPTP is most commonly found in Europe, + notably in Austria.
@@ -157,23 +163,30 @@ The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you will only - need to deal with a few of these as described in this guide.Note to Debian UsersIf you install - using the .deb, you will find that your /etc/shorewall - directory is empty. This is intentional. The released configuration file - skeletons may be found on your system in the directory /usr/share/doc/shorewall/default-config. - Simply copy the files you need from that directory to /etc/shorewall and modify the copies.Note - that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf - and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even - if you do not modify those files. + need to deal with a few of these as described in this guide. + Note to Debian Users + + If you install using the .deb, you will find that your /etc/shorewall directory is empty. This + is intentional. The released configuration file skeletons may be found + on your system in the directory /usr/share/doc/shorewall/default-config. + Simply copy the files you need from that directory to /etc/shorewall and modify the + copies. + + Note that you must copy /usr/share/doc/shorewall/default-config/shorewall.conf + and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall + even if you do not modify those files. + After you have installed Shorewall, download the three-interface sample, - un-tar it (tar three-interfaces.tgz) - and and copy the files to /etc/shorewall (the files - will replace files with the same names that were placed in + url="http://shorewall.net/pub/shorewall/Samples">three-interface + sample, un-tar it (tar + three-interfaces.tgz) and and copy the + files to /etc/shorewall (the files will replace files + with the same names that were placed in /etc/shorewall when Shorewall was installed). As each file is introduced, I suggest that you look through the @@ -216,7 +229,8 @@ - Zone names are defined in /etc/shorewall/zones. + Zone names are defined in + /etc/shorewall/zones. Shorewall also recognizes the firewall system as its own zone - by default, the firewall itself is known as fw. @@ -227,7 +241,8 @@ You express your default policy for connections from one zone to - another zone in the /etc/shorewall/policy file. + another zone in the /etc/shorewall/policy + file. @@ -311,31 +326,37 @@ fw net ACCEPT Modem (e.g., eth0) unless you connect via Point-to-Point Protocol over Ethernet (PPPoE) or Point-to-Point Tunneling Protocol - (PPTP) in which case the External Interface will be a ppp - interface (e.g., ppp0). If you - connect via a regular modem, your External Interface will also be - ppp0. If you connect using ISDN, - you external interface will be ippp0. + (PPTP) in which case the External Interface will be a + ppp interface (e.g., ppp0). If you connect via a regular modem, + your External Interface will also be ppp0. If you connect using ISDN, you + external interface will be ippp0. - If your external interface is ppp0 - or ippp0 then you will want to set - CLAMPMSS=yes in /etc/shorewall/shorewall.conf. + If your external interface is ppp0 or ippp0 then you will want to set + CLAMPMSS=yes in + /etc/shorewall/shorewall.conf. Your Local Interface will be an ethernet adapter (eth0, eth1 - or eth2) and will be connected to - a hub or switch. Your local computers will be connected to the same switch - (note: If you have only a single local system, you can connect the - firewall directly to the computer using a cross-over cable). + class="devicefile">eth0, eth1 or eth2) and will be connected to a hub or + switch. Your local computers will be connected to the same switch (note: + If you have only a single local system, you can connect the firewall + directly to the computer using a cross-over cable). Your DMZ Interface will also be an ethernet adapter (eth0, eth1 - or eth2) and will be connected to - a hub or switch. Your DMZ computers will be connected to the same switch - (note: If you have only a single DMZ system, you can connect the firewall - directly to the computer using a cross-over cable). + class="devicefile">eth0, eth1 or eth2) and will be connected to a hub or + switch. Your DMZ computers will be connected to the same switch (note: If + you have only a single DMZ system, you can connect the firewall directly + to the computer using a cross-over cable). Do not connect the internal and external interface to the same hub @@ -359,23 +380,25 @@ fw net ACCEPT for the interfaces. Some hints: - If your external interface is ppp0 - or ippp0, you can replace the + If your external interface is ppp0 or ippp0, you can replace the detect in the second column with - (without the quotes). - If your external interface is ppp0 - or ippp0 or if you have a static - IP address, you can remove dhcp from the option list. + If your external interface is ppp0 or ippp0 or if you have a static IP address, + you can remove dhcp from the option list. If you specify nobogons for your external interface, you will want to check the Shorewall - Errata periodically for updates to the /usr/share/shorewall/bogons - file. + Errata periodically for updates to the + /usr/share/shorewall/bogons file.
@@ -388,7 +411,7 @@ fw net ACCEPT Configuration Protocol (DHCP) or as part of establishing your connection when you dial in (standard modem) or establish your PPP connection. In rare cases, your ISP may assign you a static IP address; that means that - you configure your firewall's external interface to use that address + you configure your firewall's external interface to use that address permanently. Regardless of how the address is assigned, it will be shared by all of your systems when you access the Internet. You will have to assign your own addresses for your internal network (the local and DMZ @@ -403,16 +426,17 @@ fw net ACCEPT Before starting Shorewall, you should look at the IP address of your external interface and if it is one of the above ranges, you should remove - the norfc1918 option from the external interface's + the norfc1918 option from the external interface's entry in /etc/shorewall/interfaces. You will want to assign your local addresses from one sub-network or subnet and your DMZ addresses from another subnet. For our purposes, we can consider a subnet to consists of a range of addresses x.y.z.0 - x.y.z.255. - Such a subnet will have a Subnet Mask of 255.255.255.0. - The address x.y.z.0 is reserved - as the Subnet Address and x.y.z.255 + class="ipaddress">x.y.z.0 - x.y.z.255. Such a subnet will have a Subnet + Mask of 255.255.255.0. The + address x.y.z.0 is reserved as + the Subnet Address and x.y.z.255 is reserved as the Subnet Broadcast Address. In Shorewall, a subnet is described using Classless InterDomain Routing (CIDR) notation with consists of the subnet address followed by /24. The @@ -436,27 +460,31 @@ fw net ACCEPT Subnet Address: - 10.10.10.0 + 10.10.10.0 Broadcast Address: - 10.10.10.255 + 10.10.10.255 CIDR Notation: - 10.10.10.0/24 + 10.10.10.0/24 It is conventional to assign the internal interface either the first - usable address in the subnet (10.10.10.1 - in the above example) or the last usable address (10.10.10.1 in the above example) or the + last usable address (10.10.10.254). One of the purposes of subnetting is to allow all computers in the @@ -466,17 +494,18 @@ fw net ACCEPT - Your local computers (Local Computers 1 & 2) should be + Your local computers (Local Computers 1 & 2) should be configured with their default gateway set to the IP address of the - firewall's internal interface and your DMZ computers (DMZ Computers 1 - & 2) should be configured with their default gateway set to the IP - address of the firewall's DMZ interface. + firewall's internal interface and your DMZ computers (DMZ Computers 1 + & 2) should be configured with their default gateway set to the IP + address of the firewall's DMZ interface. The foregoing short discussion barely scratches the surface regarding subnetting and routing. If you are interested in learning more about IP addressing and routing, I highly recommend IP - Fundamentals: What Everyone Needs to Know about Addressing & Routing, - Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0. + Fundamentals: What Everyone Needs to Know about Addressing & + Routing, Thomas A. Maufer, Prentice-Hall, 1999, ISBN + 0-13-975483-0. The remainder of this quide will assume that you have configured your network as shown here: @@ -492,13 +521,15 @@ fw net ACCEPT The default gateway for the DMZ computers would be 10.10.11.254 and the default gateway - for the Local computers would be 10.10.10.254. + for the Local computers would be 10.10.10.254. Your ISP might assign your external interface an RFC 1918 - address. If that address is in the 10.10.10.0/24 - subnet then you will need to select a DIFFERENT RFC 1918 subnet - for your local network and if it is in the 10.10.10.0/24 subnet then you will + need to select a DIFFERENT RFC 1918 subnet for your local network + and if it is in the 10.10.11.0/24 subnet then you will need to select a different RFC 1918 subnet for your DMZ. @@ -511,49 +542,59 @@ fw net ACCEPT IP Masquerading (SNAT) The addresses reserved by RFC 1918 are sometimes referred to as - non-routable because the Internet backbone routers don't forward - packets which have an RFC-1918 destination address. When one of your local - systems (let's assume local computer 1) sends a connection request to - an internet host, the firewall must perform Network Address Translation - (NAT). The firewall rewrites the source address in the packet to be the - address of the firewall's external interface; in other words, the - firewall makes it look as if the firewall itself is initiating the - connection. This is necessary so that the destination host will be able to - route return packets back to the firewall (remember that packets whose - destination address is reserved by RFC 1918 can't be routed accross - the internet). When the firewall receives a return packet, it rewrites the - destination address back to 10.10.10.1 and forwards the packet on to local - computer 1. + non-routable because the Internet backbone routers don't forward packets + which have an RFC-1918 destination address. When one of your local systems + (let's assume local computer 1) sends a connection request to an internet + host, the firewall must perform Network Address Translation (NAT). The + firewall rewrites the source address in the packet to be the address of + the firewall's external interface; in other words, the firewall makes it + look as if the firewall itself is initiating the connection. This is + necessary so that the destination host will be able to route return + packets back to the firewall (remember that packets whose destination + address is reserved by RFC 1918 can't be routed accross the internet). + When the firewall receives a return packet, it rewrites the destination + address back to 10.10.10.1 and forwards the packet on to local computer + 1. On Linux systems, the above process is often referred to as IP Masquerading and you will also see the term Source Network Address Translation (SNAT) used. Shorewall follows the convention used with - Netfilter: Masquerade - describes the case where you let your firewall system automatically detect - the external interface address.SNAT - refers to the case when you explicitly specify the source address that you - want outbound packets from your local network to use. - In Shorewall, both Masquerading and SNAT are configured with entries in - the /etc/shorewall/masq + Netfilter: + + Masquerade describes the case where you + let your firewall system automatically detect the external interface + address. + + + + SNAT refers to the case when you + explicitly specify the source address that you want outbound packets + from your local network to use. + + In Shorewall, both Masquerading and SNAT are configured + with entries in the /etc/shorewall/masq file. - If your external firewall interface is eth0, - your local interface eth1 and your - DMZ interface is eth2 then you do - not need to modify the file provided with the sample. Otherwise, edit - /etc/shorewall/masq - and change it to match your configuration. + If your external firewall interface is eth0, your local interface eth1 and your DMZ interface is eth2 then you do not need to modify the file + provided with the sample. Otherwise, edit /etc/shorewall/masq and + change it to match your configuration. - If, despite all advice to the contrary, you are using this guide and - want to use one-to-one NAT or Proxy ARP for your DMZ, remove the entry for - eth2 from /etc/shorewall/masq. + If, in spite of all advice to the contrary, you are using this guide + and want to use one-to-one NAT or Proxy ARP for your DMZ, remove the entry + for eth2 from /etc/shorewall/masq. If your external IP is static, you can enter it in the third column - in the /etc/shorewall/masq + in the /etc/shorewall/masq entry if you like although your firewall will work fine if you leave that column empty. Entering your static IP in column 3 makes processing outgoing packets a little more efficient. @@ -562,9 +603,16 @@ fw net ACCEPT If you are using the Debian package, please check your shorewall.conf file to ensure that the following are - set correctly; if they are not, change them appropriately: - NAT_ENABLED=Yes - (Shorewall versions earlier than 1.4.6)IP_FORWARDING=On + set correctly; if they are not, change them appropriately: + + NAT_ENABLED=Yes (Shorewall versions earlier + than 1.4.6) + + + + IP_FORWARDING=On + +
@@ -588,9 +636,10 @@ fw net ACCEPT The general form of a simple port forwarding rule in /etc/shorewall/rules is: #ACTION SOURCE DEST PROTO DEST PORT(S) -DNAT net dmz:<server local IP address>[:<server port>] <protocol> <port> - If you don't specify the <server port>, - it is assumed to be the same as <port>. +DNAT net dmz:<server local IP address>[:<server port>] <protocol> <port> + If you don't specify the <server + port>, it is assumed to be the same as + <port>. You run a Web Server on DMZ Computer 2 and you want to forward @@ -598,71 +647,113 @@ DNAT net dmz:<emphasis><server local IP address></emphasis>[: <para><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) DNAT net dmz:10.10.11.2 tcp 80 -ACCEPT loc dmz:10.10.11.2 tcp 80</programlisting><itemizedlist><listitem><para>Entry - 1 forwards port 80 from the Internet.</para></listitem><listitem><para>Entry - 2 allows connections from the local network.</para></listitem></itemizedlist> - Several important points to keep in mind:<itemizedlist><listitem><para>When - you are connecting to your server from your local systems, you must use - the server's internal IP address (<systemitem class="ipaddress">10.10.11.2</systemitem>).</para></listitem><listitem><para>Many - ISPs block incoming connection requests to port 80. If you have problems - connecting to your web server, try the following rule and try connecting - to port 5000 (e.g., connect to <literal>http://w.x.y.z:5000 where - w.x.y.z</literal> is your external IP).<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE +ACCEPT loc dmz:10.10.11.2 tcp 80</programlisting><itemizedlist> + <listitem> + <para>Entry 1 forwards port 80 from the Internet.</para> + </listitem> + + <listitem> + <para>Entry 2 allows connections from the local network.</para> + </listitem> + </itemizedlist> Several important points to keep in mind:<itemizedlist> + <listitem> + <para>When you are connecting to your server from your local + systems, you must use the server's internal IP address + (<systemitem class="ipaddress">10.10.11.2</systemitem>).</para> + </listitem> + + <listitem> + <para>Many ISPs block incoming connection requests to port 80. If + you have problems connecting to your web server, try the following + rule and try connecting to port 5000 (e.g., connect to + <literal>http://w.x.y.z:5000 where w.x.y.z</literal> is your + external IP).<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE # PORT(S) -DNAT net dmz:10.10.11.2:80 tcp 80 5000</programlisting></para></listitem><listitem><para>If - you want to be able to access your server from the local network using - your external address, then if you have a static external IP you can - replace the loc->dmz rule above with:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +DNAT net dmz:10.10.11.2:80 tcp 80 5000</programlisting></para> + </listitem> + + <listitem> + <para>If you want to be able to access your server from the local + network using your external address, then if you have a static + external IP you can replace the loc->dmz rule above + with:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST -DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If - you have a dynamic IP then you must ensure that your external interface - is up before starting Shorewall and you must take steps as follows - (assume that your external interface is <filename class="devicefile">eth0</filename>):<orderedlist><listitem><para>Include - the following in /etc/shorewall/params:</para><para><command>ETH0_IP=$(find_interface_address - eth0)</command></para></listitem><listitem><para>Make your - <literal>loc->dmz</literal> rule: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL +DNAT loc dmz:10.10.11.2 tcp 80 - <emphasis><external IP></emphasis></programlisting>If + you have a dynamic IP then you must ensure that your external + interface is up before starting Shorewall and you must take steps + as follows (assume that your external interface is <filename + class="devicefile">eth0</filename>):<orderedlist> + <listitem> + <para>Include the following in /etc/shorewall/params:</para> + + <para><command>ETH0_IP=$(find_interface_address + eth0)</command></para> + </listitem> + + <listitem> + <para>Make your <literal>loc->dmz</literal> rule: + <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE ORIGINAL # PORT(S) DEST -DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para></listitem></orderedlist></para></listitem><listitem><para>If - you want to access your server from the DMZ using your external IP - address, see <ulink url="FAQ.htm#faq2a">FAQ 2a</ulink>.</para></listitem></itemizedlist></para> +DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</programlisting></para> + </listitem> + </orderedlist></para> + </listitem> + + <listitem> + <para>If you want to access your server from the DMZ using your + external IP address, see <ulink url="FAQ.htm#faq2a">FAQ + 2a</ulink>.</para> + </listitem> + </itemizedlist></para> </example> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> - <para>At this point, add the DNAT and ACCEPT rules for your servers.</para> + <para>At this point, add the DNAT and ACCEPT rules for your + servers.</para> </section> <section> <title>Domain Name Server (DNS) Normally, when you connect to your ISP, as part of getting an IP - address your firewall's Domain Name Service (DNS) - resolver will be automatically configured (e.g., the /etc/resolv.conf - file will be written). Alternatively, your ISP may have given you the IP - address of a pair of DNS name servers for you to manually configure as - your primary and secondary name servers. It is your responsibility to - configure the resolver in your internal systems. You can take one of two - approaches: You can configure your internal - systems to use your ISP's name servers. If your ISP gave you the - addresses of their servers or if those addresses are available on their - web site, you can configure your internal systems to use those addresses. - If that information isn't available, look in /etc/resolv.conf - on your firewall system -- the name servers are given in nameserver - records in that file.You can - configure a Caching Name Server on your firewall or - in your DMZ. Red Hat has an RPM for a caching name - server (which also requires the 'bind' RPM) and - for Bering users, there is dnscache.lrp. If you take - this approach, you configure your internal systems to use the caching name - server as their primary (and only) name server. You use the internal IP - address of the firewall (10.10.10.254 - in the example above) for the name server address if you choose to run the - name server on your firewall. To allow your local systems to talk to your - caching name server, you must open port 53 (both UDP and TCP) from the - local network to the server; you do that by adding the rules in - /etc/shorewall/rules. - If you run the name server on the firewall: + address your firewall's Domain Name Service (DNS) + resolver will be automatically configured (e.g., the + /etc/resolv.conf file will be written). + Alternatively, your ISP may have given you the IP address of a pair of DNS + name servers for you to manually configure as your primary and secondary + name servers. It is your responsibility to configure the resolver in your + internal systems. You can take one of two approaches: + + You can configure your internal systems to use your ISP's name + servers. If your ISP gave you the addresses of their servers or if + those addresses are available on their web site, you can configure + your internal systems to use those addresses. If that information + isn't available, look in /etc/resolv.conf on + your firewall system -- the name servers are given in + nameserver records in that file. + + + + + + You can configure a Caching Name Server + on your firewall or in your DMZ. Red Hat has + an RPM for a caching name server (which also requires the + 'bind' RPM) and for Bering users, there is + dnscache.lrp. If you take this approach, you + configure your internal systems to use the caching name server as + their primary (and only) name server. You use the internal IP + address of the firewall (10.10.10.254 in the example above) + for the name server address if you choose to run the name server on + your firewall. To allow your local systems to talk to your caching + name server, you must open port 53 (both UDP and TCP) from the local + network to the server; you do that by adding the rules in + /etc/shorewall/rules. + + If you run the name server on the firewall: #ACTION SOURCE DEST PROTO DEST PORT(S) AllowDNS loc fw AllowDNS dmz fw Run name server on DMZ @@ -674,11 +765,12 @@ AllowDNS fw dmz:10.10.11.1 defined action. Shorewall includes a number of defined actions and you can add your own. To see the list of actions included with your version of - Shorewall, look in the file /usr/share/shorewall/actions.std. - Those actions that accept connection requests have names that begin with + Shorewall, look in the file + /usr/share/shorewall/actions.std. Those actions that + accept connection requests have names that begin with Allow. - You don't have to use defined actions when coding a rule in + You don't have to use defined actions when coding a rule in /etc/shorewall/rules; the generated Netfilter ruleset is slightly more efficient if you code your rules directly rather than using defined actions. The first example above (name server on the @@ -690,9 +782,9 @@ ACCEPT loc fw udp 53 ACCEPT dmz fw tcp 53 ACCEPT dmz fw udp 53 - In cases where Shorewall doesn't include a defined action to - meet your needs, you can either define the action yourself or you can - simply code the appropriate rules directly. + In cases where Shorewall doesn't include a defined action to meet + your needs, you can either define the action yourself or you can simply + code the appropriate rules directly.
@@ -712,12 +804,12 @@ AllowSSH loc dmz Those rules allow you to run connect to those servers from your local systems. If you wish to enable other connections between your systems, the - general format for using a defined action is: - #ACTION SOURCE DEST PROTO DEST PORT(S) -<action> <source zone> <destination zone> + general format for using a defined action is: #ACTION SOURCE DEST PROTO DEST PORT(S) +<action> <source zone> <destination zone> - The general format when not using a defined action is:#ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT <source zone> <destination zone> <protocol> <port> + The general format when not using a defined action + is:#ACTION SOURCE DEST PROTO DEST PORT(S) +ACCEPT <source zone> <destination zone> <protocol> <port> You want to run a publicly-available DNS server on your firewall @@ -735,27 +827,33 @@ ACCEPT net fw tcp 53 ACCEPT net fw udp 53 </programlisting> <para>Those rules would of course be in addition to the rules listed - above under "If you run the name server on your firewall".</para> + above under "If you run the name server on your firewall".</para> </example> - <para>If you don't know what port and protocol a particular - application uses, <ulink url="ports.htm">look here</ulink>.</para> + <para>If you don't know what port and protocol a particular application + uses, <ulink url="ports.htm">look here</ulink>.</para> <important> - <para>I don't recommend enabling telnet to/from the Internet because - it uses clear text (even for login!). If you want shell access to your + <para>I don't recommend enabling telnet to/from the Internet because it + uses clear text (even for login!). If you want shell access to your firewall from the Internet, use SSH: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) AllowSSH net fw</programlisting></para> </important> <para><inlinegraphic fileref="images/leaflogo.gif" format="GIF" /> Bering users will want to add the following two rules to be compatible with - Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) + Jacques's Shorewall configuration: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT loc fw udp 53 -ACCEPT net fw tcp 80 </programlisting><itemizedlist><listitem><para>Entry - 1 allows the DNS Cache to be used.</para></listitem><listitem><para>Entry - 2 allows the <quote>weblet</quote> to work.</para></listitem></itemizedlist><inlinegraphic - fileref="images/BD21298_.gif" format="GIF" /></para> +ACCEPT net fw tcp 80 </programlisting><itemizedlist> + <listitem> + <para>Entry 1 allows the DNS Cache to be used.</para> + </listitem> + + <listitem> + <para>Entry 2 allows the <quote>weblet</quote> to work.</para> + </listitem> + </itemizedlist><inlinegraphic fileref="images/BD21298_.gif" + format="GIF" /></para> <para>Now modify <filename>/etc/shorewall/rules</filename> to add or remove other connections as required.</para> @@ -771,18 +869,18 @@ ACCEPT net fw tcp 80 </programlisting><it external IP address does not mean that the request will be associated with the external interface or the <quote>net</quote> zone. Any traffic that you generate from the local network will be associated - with your local interface and will be treated as loc->fw traffic.</para> + with your local interface and will be treated as loc->fw + traffic.</para> </listitem> <listitem> <para><emphasis role="bold">IP addresses are properties of systems, not of interfaces</emphasis>. It is a mistake to believe that your firewall is able to forward packets just because you can ping the IP - address of all of the firewall's interfaces from the local - network. The only conclusion you can draw from such pinging success is - that the link between the local system and the firewall works and that - you probably have the local system's default gateway set - correctly.</para> + address of all of the firewall's interfaces from the local network. + The only conclusion you can draw from such pinging success is that the + link between the local system and the firewall works and that you + probably have the local system's default gateway set correctly.</para> </listitem> <listitem> @@ -790,8 +888,9 @@ ACCEPT net fw tcp 80 </programlisting><it interfaces are in the $FW (fw) zone</emphasis>. If 192.168.1.254 is the IP address of your internal interface then you can write <quote><emphasis role="bold">$FW:192.168.1.254</emphasis></quote> in a - rule but you may not write <quote><emphasis role="bold">loc:192.168.1.254</emphasis></quote>. - Similarly, it is nonsensical to add 192.168.1.254 to the <emphasis + rule but you may not write <quote><emphasis + role="bold">loc:192.168.1.254</emphasis></quote>. Similarly, it is + nonsensical to add 192.168.1.254 to the <emphasis role="bold">loc</emphasis> zone using an entry in <filename>/etc/shorewall/hosts</filename>.</para> </listitem> @@ -823,45 +922,52 @@ ACCEPT net fw tcp 80 </programlisting><it <para>The <ulink url="Install.htm">installation procedure</ulink> configures your system to start Shorewall at system boot but beginning - with Shorewall version 1.3.9 startup is disabled so that your system - won't try to start Shorewall before configuration is complete. Once - you have completed configuration of your firewall, you can enable - Shorewall startup by removing the file <filename>/etc/shorewall/startup_disabled</filename>. - <important><para>Users of the <filename>.deb</filename> package must edit - <filename>/etc/default/shorewall</filename> and set <varname>startup=1</varname>.</para></important>The - firewall is started using the <command>shorewall start</command> command - and stopped using <command>shorewall stop</command>. When the firewall is - stopped, routing is enabled on those hosts that have an entry in <ulink + with Shorewall version 1.3.9 startup is disabled so that your system won't + try to start Shorewall before configuration is complete. Once you have + completed configuration of your firewall, you can enable Shorewall startup + by removing the file <filename>/etc/shorewall/startup_disabled</filename>. + <important> + <para>Users of the <filename>.deb</filename> package must edit + <filename>/etc/default/shorewall</filename> and set + <varname>startup=1</varname>.</para> + </important>The firewall is started using the <command>shorewall + start</command> command and stopped using <command>shorewall + stop</command>. When the firewall is stopped, routing is enabled on those + hosts that have an entry in <ulink url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>. - A running firewall may be restarted using the <command>shorewall restart</command> - command. If you want to totally remove any trace of Shorewall from your - Netfilter configuration, use <command>shorewall clear</command>.</para> + A running firewall may be restarted using the <command>shorewall + restart</command> command. If you want to totally remove any trace of + Shorewall from your Netfilter configuration, use <command>shorewall + clear</command>.</para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para>The three-interface sample assumes that you want to enable routing to/from <filename class="devicefile">eth1</filename> (your local network) and <filename class="devicefile">eth2</filename> (DMZ) when Shorewall is - stopped. If these two interfaces don't connect to your local network - and DMZ or if you want to enable a different set of hosts, modify - <filename>/etc/shorewall/routestopped</filename> accordingly. - <warning><para>If you are connected to your firewall from the Internet, do - not issue a <command>shorewall stop</command> command unless you have - added an entry for the IP address that you are connected from to <ulink - url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>. - Also, I don't recommend using <command>shorewall restart</command>; it - is better to create an <ulink url="configuration_file_basics.htm#Levels">alternate - configuration</ulink> and test it using the <ulink - url="starting_and_stopping_shorewall.htm"><command>shorewall try</command> - command</ulink>.</para></warning></para> + stopped. If these two interfaces don't connect to your local network and + DMZ or if you want to enable a different set of hosts, modify + <filename>/etc/shorewall/routestopped</filename> accordingly. <warning> + <para>If you are connected to your firewall from the Internet, do not + issue a <command>shorewall stop</command> command unless you have + added an entry for the IP address that you are connected from to + <ulink + url="Documentation.htm#Routestopped"><filename>/etc/shorewall/routestopped</filename></ulink>. + Also, I don't recommend using <command>shorewall restart</command>; it + is better to create an <ulink + url="configuration_file_basics.htm#Levels">alternate + configuration</ulink> and test it using the <ulink + url="starting_and_stopping_shorewall.htm"><command>shorewall + try</command> command</ulink>.</para> + </warning></para> </section> <section> <title>Additional Recommended Reading I highly recommend that you review the Common Configuration File Features - page -- it contains helpful tips about Shorewall features than make - administering your firewall easier. + url="configuration_file_basics.htm">Common Configuration File + Features page -- it contains helpful tips about Shorewall features + than make administering your firewall easier.
\ No newline at end of file