diff --git a/Shorewall-Website/download.htm b/Shorewall-Website/download.htm index ba521d0f7..89f0e927b 100644 --- a/Shorewall-Website/download.htm +++ b/Shorewall-Website/download.htm @@ -22,7 +22,7 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2004-03-01
+

2004-04-05


I strongly urge you to read and print a copy of the

N/A
+ + Shoreline, Washington, USA
+ + Shorewall.net
+ +
Browse
+
+ Browse
+
+ diff --git a/Shorewall-Website/index.htm b/Shorewall-Website/index.htm index 9b848c332..c22c9f151 100644 --- a/Shorewall-Website/index.htm +++ b/Shorewall-Website/index.htm @@ -10,8 +10,8 @@ charset=UTF-8"> border="1"framespacing="0"> - - + diff --git a/Shorewall-Website/shorewall_index.htm b/Shorewall-Website/shorewall_index.htm index 7184b4771..41a179579 100644 --- a/Shorewall-Website/shorewall_index.htm +++ b/Shorewall-Website/shorewall_index.htm @@ -1,24 +1,282 @@ + - - -Shoreline Firewall - - - + + + Shoreline Firewall (Shorewall) 2.0 + - - - - - - - - - <body> - - <p>This page uses frames, but your browser doesn't support them.</body> - - - + +
+ + + + + + + + + +
+

Introduction to Shorewall

+

This is the Shorewall 2.0 Web Site

+
The information on this site +applies only to 2.0.x releases of +Shorewall. For older versions:
+
+ +

Glossary

+
    +
  • Netfilter +- the +packet filter facility built into the 2.4 and later Linux kernels.
  • +
  • ipchains - the packet filter facility built into the 2.2 +Linux kernels. Also the name of the utility program used to configure +and control that facility. Netfilter can be used in ipchains +compatibility mode.
  • +
  • iptables - the utility program used to configure and +control Netfilter. The term 'iptables' is often used to refer to the +combination of iptables+Netfilter (with Netfilter not in ipchains +compatibility mode).
  • +
+

What is Shorewall?

+
The Shoreline Firewall, more +commonly known as "Shorewall", is +high-level tool for configuring Netfilter. You describe your +firewall/gateway requirements using entries in a set of configuration +files. Shorewall reads those configuration files and with the help of +the iptables utility, Shorewall configures Netfilter to match your +requirements. Shorewall can be used on a dedicated firewall system, a +multi-function gateway/router/server or on a standalone GNU/Linux +system. Shorewall does not use Netfilter's ipchains compatibility mode +and can thus take advantage of Netfilter's connection +state tracking +capabilities.
+
+Shorewall is not a +daemon. Once Shorewall has configured Netfilter, it's job is complete. +After that, there is no Shorewall code running although the /sbin/shorewall +program can be used at any time to monitor the Netfilter firewall.
+
+

Getting Started with Shorewall

+
New to Shorewall? Start by +selecting the QuickStart Guide +that most +closely match your environment and follow the step by step instructions.
+
+

Looking for Information?

+
The Documentation +Index is a good place to start as is the Quick Search in the frame +above.
+

Running Shorewall on Mandrake® with a two-interface setup?

+
If so, the documentation on this +site will not apply directly +to your setup. If you want to use the documentation that you find here, +you will want to consider uninstalling what you have and installing a +setup that matches the documentation on this site. See the Two-interface QuickStart Guide for +details.
+
+ Update: I've been +informed by Mandrake Development that this problem has been corrected +in Mandrake 10.0 Final (the problem still exists in the 10.0 Community +release).
+
+

License

+
This program is free software; +you can redistribute it and/or modify it +under the terms of Version +2 of the GNU General Public License as published by the Free +Software Foundation.
+
+

This program is distributed in the +hope that it will be +useful, but WITHOUT ANY WARRANTY; without even the implied warranty of +MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU +General Public License for more detail.

+
+

You should have received a copy of +the GNU General Public +License along with this program; if not, write to the Free Software +Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

+
Permission is granted to copy, +distribute and/or modify this document +under the terms of the GNU Free Documentation License, Version 1.2 or +any later version published by the Free Software Foundation; with no +Invariant Sections, with no Front-Cover, and with no Back-Cover Texts. +A copy of the license is included in the section entitled "GNU Free +Documentation License".
+

Copyright © 2001-2004 Thomas M. Eastep

+
+

News

+

4/5/2004 - Shorewall 2.0.1 (New)
+

+Problems Corrected since 2.0.0
+
+
    +
  1. Using actions in the manner recommended in the +documentation results in a Warning that the rule is a policy.
  2. +
  3. When a zone on a single interface is defined using +/etc/shorewall/hosts, superfluous rules are generated in the +<zone>_frwd chain.
  4. +
  5. Thanks to Sean Mathews, a long-standing problem with Proxy +ARP and IPSEC has been corrected. Thanks Sean!!!
  6. +
  7. The "shorewall show log" and "shorewall logwatch" commands +incorrectly displayed type 3 ICMP packets.
    +
  8. +
+Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1:
+
+
    +
  1. The function of 'norfc1918' is now split between that +option and a new 'nobogons' option.
    +
    +The rfc1918 file released with Shorewall now contains entries for only +those three address ranges reserved by RFC 1918. A 'nobogons' interface +option has been added which handles bogon source addresses (those which +are reserved by the IANA, those reserved for DHCP auto-configuration +and the class C test-net reserved for testing and documentation +examples). This will allow users to perform RFC 1918 filtering without +having to deal with out of date data from IANA. Those who are willing +to update their /usr/share/shorewall/bogons file regularly can specify +the 'nobogons' option in addition to 'norfc1918'.
    +
    +The level at which bogon packets are logged is specified in the new +BOGON_LOG_LEVEL variable in shorewall.conf. If that option is not +specified or is specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon +packets whose TARGET is 'logdrop' in /usr/share/shorewall/bogons are +logged at the 'info' level.
  2. +
+New Features:
+
+
    +
  1. Support for Bridging Firewalls has been added. For details, +see
    +
    + http://shorewall.net/bridge.html
    +
    +
  2. +
  3. Support for NETMAP has been added. NETMAP allows NAT to be +defined between two network:
    +
    +           +a.b.c.1    -> x.y.z.1
    +           +a.b.c.2    -> x.y.z.2
    +           +a.b.c.3    -> x.y.z.3
    +           ...
    +
    http://shorewall.net/netmap.htm
    +
    +
  4. +
  5. The /sbin/shorewall program now accepts a "-x" option to +cause iptables to print out the actual packet and byte counts rather +than abbreviated counts such as "13MB".
    +
    +Commands affected by this are:
    +
    +            +shorewall -x show [ <chain>[ <chain> ...] ]
    +            +shorewall -x show tos|mangle
    +            +shorewall -x show nat
    +            +shorewall -x status
    +            +shorewall -x monitor [ <interval> ]
    +
    +
  6. +
  7. Shorewall now traps two common zone definition errors:
    +
      +
    • Including the firewall zone in a /etc/shorewall/hosts +record.
    • +
    • Defining an interface for a zone in both +/etc/shorewall/interfaces and /etc/shorewall/hosts.
      +
      +
    • +
    +
  8. +
  9. In the second case, the following will appear during +"shorewall [re]start" or "shorewall check":
    +
    +   Determining Hosts in Zones...
    +      ...
    +      Error: Invalid zone definition for zone +<name of zone>
    +   Terminated
    +
    +
  10. +
  11. To support bridging, the following options have been added +to entries in /etc/shorewall/hosts:
    +
    +           norfc1918
    +           nobogons
    +           blacklist
    +           tcpflags
    +           nosmurfs
    +           newnotsyn
    +
    +With the exception of 'newnotsyn', these options are only useful when +the entry refers to a bridge port.
    +
    +   Example:
    +
    +   #ZONE   HOST(S)      +OPTIONS
    +   net     +br0:eth0     +norfc1918,nobogons,blacklist,tcpflags,nosmurfs
    +
    +
  12. +
+

More News

+
+

(Leaf Logo) LEAF is an open source project +which provides a Firewall/router on a floppy, CD or CF. Several LEAF +distributions including Bering and Bering-uCLib use Shorewall as their +Netfilter configuration tool.
+

+
+
+
+
+

Donations
+

+

(Alzheimer's Association Logo)Shorewall +is free but +if you +try it and find it useful, +please consider making a donation to the Alzheimer's Association. Thanks!

+

+
+
+

Updated 04/12/2004 - Tom Eastep
+
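Review bot: the migration item for 'norfc1918' under "Issues when migrating from Shorewall 2.0.0 to Shorewall 2.0.1" never states the consequence for an existing configuration: as the text reads, an interface that carries only 'norfc1918' no longer filters bogon source addresses after the upgrade unless 'nobogons' is added. Please open the item with that sentence, since it is the one thing an upgrading administrator has to act on, and keep the explanation of the split rfc1918 and bogons files after it. Separately, in "New Features" the text "In the second case, the following will appear during ..." is its own list item although it continues the zone-definition item before it, so it should move inside that item. The added prose also has a few slips worth fixing in the same pass: "is high-level tool", "it's job is complete", "that most closely match", "between two network".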

+ diff --git a/Shorewall-Website/shorewall_index.html b/Shorewall-Website/shorewall_index.html new file mode 100644 index 000000000..6ab76a36d --- /dev/null +++ b/Shorewall-Website/shorewall_index.html @@ -0,0 +1,24 @@ + + + + +Shoreline Firewall + + + + + + + + + + + + + <body> + + <p>This page uses frames, but your browser doesn't support them.</body> + + + + diff --git a/Shorewall-Website/shorewall_mirrors.htm b/Shorewall-Website/shorewall_mirrors.htm index 58a3decee..e286bf7c6 100644 --- a/Shorewall-Website/shorewall_mirrors.htm +++ b/Shorewall-Website/shorewall_mirrors.htm @@ -20,7 +20,7 @@ Texts. A copy of the license is included in the section entitled “GNU Free Documentation License”.

-

2003-12-30
+

2004-04-05


@@ -56,7 +56,9 @@ and is located in California, USA. It is mirrored at:

(Boston Mass., USA)
  • http://www.shorewall.net -(Washington State, USA)
    +(Washington State, USA)
  • +
  • http://shorewall.net +(Shoreline, Washington, USA)
  • The rsync site is mirrored via FTP at:
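Review bot: the added "http://shorewall.net" entry is labelled "(Shoreline, Washington, USA)" while the "http://www.shorewall.net" entry directly above it still reads "(Washington State, USA)", so a reader cannot tell whether these are two servers or one. If they are different hosts, say so in the entry text; if they are the same one, use a single location label for both.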

    @@ -83,7 +85,9 @@ AKA ftp://www.shore (Australia)
  • ftp://ftp.shorewall.net - (Washington State, USA)
    + (Washington State, USA)
  • +
  • ftp://shorewall.net/pub/shorewall/  +(Shoreline, Washington, USA)
  • Search results and the mailing list archives are always fetched from