diff --git a/Shorewall-docs/FAQ.xml b/Shorewall-docs/FAQ.xml index 7b215400a..094de33a2 100644 --- a/Shorewall-docs/FAQ.xml +++ b/Shorewall-docs/FAQ.xml @@ -15,7 +15,7 @@ - 2003-12-04 + 2003-12-09 2001 - 2003 @@ -24,6 +24,16 @@ + + 1.2 + + 2003-12-09 + + TE + + Added Copyright and legacy FAQ numbers + + 1.1 @@ -55,9 +65,9 @@ Port Forwarding
- I want to forward UDP port 7777 to my my personal PC with IP - address 192.168.1.5. I've looked everywhere and can't find how - to do it. + (FAQ 1) I want to forward UDP port 7777 to my my personal PC with + IP address 192.168.1.5. I've looked everywhere and can't find + how to do it. Answer: The first example in the low-port:high-port.
- Ok -- I followed those instructions but it doesn't work + (FAQ 1a) Ok -- I followed those instructions but it doesn't + work Answer: That is usually the result of one of three things: @@ -221,7 +232,7 @@
- I'm still having problems with port forwarding + (FAQ 1b) I'm still having problems with port forwarding Answer: To further diagnose this problem: @@ -284,8 +295,8 @@
- From the internet, I want to connect to port 1022 on my - firewall and have the firewall forward the connection to port 22 on + <title>(FAQ 1c) From the internet, I want to connect to port 1022 on + my firewall and have the firewall forward the connection to port 22 on local system 192.168.1.3. How do I do that? In /etc/shorewall/rules: @@ -333,8 +344,8 @@
- I'm confused about when to use DNAT rules and when to use - ACCEPT rules. + (FAQ 30) I'm confused about when to use DNAT rules and when + to use ACCEPT rules. It would be a good idea to review the QuickStart Guide @@ -353,7 +364,7 @@ DNS and Port Forwarding/NAT
- I port forward www requests to www.mydomain.com (IP + <title>(FAQ 2) I port forward www requests to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse http://www.mydomain.com but internal clients can't. @@ -527,10 +538,11 @@
- I have a zone "Z" with an RFC1918 subnet and I use - one-to-one NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in - Z cannot communicate with each other using their external (non-RFC1918 - addresses) so they can't access each other using their DNS names. + (FAQ 2a) I have a zone "Z" with an RFC1918 subnet and I + use one-to-one NAT to assign non-RFC1918 addresses to hosts in Z. + Hosts in Z cannot communicate with each other using their external + (non-RFC1918 addresses) so they can't access each other using + their DNS names. If the ALL INTERFACES column in /etc/shorewall/nat is empty or @@ -685,8 +697,8 @@ Subnet: 192.168.2.0/24 Netmeeting/MSN
- I want to use Netmeeting or MSN Instant Messenger with Shorewall. - What do I do? + (FAQ 3) I want to use Netmeeting or MSN Instant Messenger with + Shorewall. What do I do? Answer: There is an H.323 @@ -702,8 +714,9 @@ Subnet: 192.168.2.0/24 Open Ports
- I just used an online port scanner to check my firewall and it - shows some ports as 'closed' rather than 'blocked'. Why? + (FAQ 4) I just used an online port scanner to check my firewall + and it shows some ports as 'closed' rather than + 'blocked'. Why? Answer: The common.def included with version 1.3.x always rejects connection requests on TCP port 113 @@ -721,8 +734,8 @@ Subnet: 192.168.2.0/24 of your Service Agreement.
- I just ran an nmap UDP scan of my firewall and it showed 100s - of ports as open!!!! + (FAQ 4a) I just ran an nmap UDP scan of my firewall and it + showed 100s of ports as open!!!! Answer: Take a deep breath and read the nmap man page section about UDP scans. If nmap gets
- I have a port that I can't close no matter how I change my - rules. + (FAQ 4b) I have a port that I can't close no matter how I + change my rules. I had a rule that allowed telnet from my local network to my firewall; I removed that rule and restarted Shorewall but my telnet @@ -748,7 +761,7 @@ Subnet: 192.168.2.0/24
- How to I use Shorewall with PortSentry? + (FAQ 4c) How to I use Shorewall with PortSentry? Here's @@ -761,8 +774,8 @@ Subnet: 192.168.2.0/24 Connection Problems
- I've installed Shorewall and now I can't ping through the - firewall + (FAQ 5) I've installed Shorewall and now I can't ping + through the firewall Answer: If you want your firewall to be totally open for "ping", @@ -789,7 +802,7 @@ Subnet: 192.168.2.0/24
- My local systems can't see out to the net + (FAQ 15) My local systems can't see out to the net Answer: Every time I read "systems can't see out to the net", I wonder where the @@ -817,7 +830,7 @@ Subnet: 192.168.2.0/24
- FTP Doesn't Work + (FAQ 29) FTP Doesn't Work See the Shorewall and FTP page.
@@ -827,8 +840,8 @@ Subnet: 192.168.2.0/24 Logging
- Where are the log messages written and how do I change the - destination? + (FAQ 6) Where are the log messages written and how do I change + the destination? Answer: NetFilter uses the kernel's equivalent of syslog (see "man syslog") to log @@ -853,7 +866,7 @@ LOGBURST="" to a separate file.
- Are there any log parsers that work with Shorewall? + (FAQ 6a) Are there any log parsers that work with Shorewall? Answer: Here are several links that may be helpful: @@ -872,9 +885,9 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p
- DROP messages on port 10619 are flooding the logs with their - connect requests. Can i exclude these error messages for this port - temporarily from logging in Shorewall? + (FAQ 2b) DROP messages on port 10619 are flooding the logs with + their connect requests. Can i exclude these error messages for this + port temporarily from logging in Shorewall? Temporarily add the following rule: @@ -927,8 +940,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
- Why is the MAC address in Shorewall log messages so long? I - thought MAC addresses were only 6 bytes in length. + (FAQ 6c) Why is the MAC address in Shorewall log messages so + long? I thought MAC addresses were only 6 bytes in length. What is labeled as the MAC address in a Shorewall log message is actually the Ethernet frame header. IT contains: @@ -970,8 +983,8 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
- Shorewall is writing log messages all over my console making it - unusable! + (FAQ 16) Shorewall is writing log messages all over my console + making it unusable! Answer: If you are running Shorewall version 1.4.4 or 1.4.4a then check the errata. @@ -983,7 +996,7 @@ run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
- How do I find out why this traffic is getting logged? + (FAQ 17) How do I find out why this traffic is getting logged? Answer: Logging occurs out of a number of chains (as indicated in the log message) in Shorewall: @@ -1190,7 +1203,8 @@ PROTO=UDP SPT=1803 DPT=53 LEN=47
- I see these strange log entries occasionally; what are they? + I (FAQ 21) see these strange log entries occasionally; what are + they? Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00 SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 @@ -1236,7 +1250,7 @@ PROTO=UDP SPT=1803 DPT=53 LEN=47 Routing
- My firewall has two connections to the internet from two + <title>(FAQ 32) My firewall has two connections to the internet from two different ISPs. How do I set this up in Shorewall? Setting this up in Shorewall is easy; setting up the routing is a @@ -1464,8 +1478,8 @@ nexthop via $P2 dev $IF2 weight 1 Starting and Stopping
- When I stop Shorewall using 'shorewall stop', I can't - connect to anything. Why doesn't that command work? + (FAQ 7) When I stop Shorewall using 'shorewall stop', I + can't connect to anything. Why doesn't that command work? The 'stop' command is intended to place your firewall into a safe state whereby only those hosts listed in @@ -1475,8 +1489,8 @@ nexthop via $P2 dev $IF2 weight 1
- When I try to start Shorewall on RedHat, I get messages about - insmod failing -- what's wrong? + (FAQ 8) When I try to start Shorewall on RedHat, I get messages + about insmod failing -- what's wrong? Answer: The output you will see looks something like this: @@ -1509,7 +1523,8 @@ rmmod ipchains
- Why can't Shorewall detect my interfaces properly at startup? + (FAQ 9) Why can't Shorewall detect my interfaces properly at + startup? I just installed Shorewall and when I issue the start command, I see the following: @@ -1539,8 +1554,8 @@ Creating input Chains...
- I have some iptables commands that I want to run when Shorewall - starts. Which file do I put them in? + ( FAQ 22) I have some iptables commands that I want to run when + Shorewall starts. Which file do I put them in? You can place these commands in one of the Shorewall Extension Scripts. @@ -1559,21 +1574,21 @@ Creating input Chains... About Shorewall
- What Distributions does it work with? + (FAQ 10) What Distributions does it work with? Shorewall works with any GNU/Linux distribution that includes the proper prerequisites.
- What Features does it have? + (FAQ 11) What Features does it have? Answer: See the Shorewall Feature List.
- Is there a GUI? + (FAQ 12) Is there a GUI? Answer: Yes. Shorewall support is included in Webmin 1.060 and later versions. See
- Why do you call it "Shorewall"? + (FAQ 13) Why do you call it "Shorewall"? Answer: Shorewall is a concatenation of "Shoreline" (
- Why do you use such ugly fonts on your web site? + (FAQ 23) Why do you use such ugly fonts on your web site? The Shorewall web site is almost font neutral (it doesn't explicitly specify fonts except on a few pages) so the fonts you see are @@ -1601,7 +1616,7 @@ Creating input Chains...
- How to I tell which version of Shorewall I am running? + (FAQ 25) How to I tell which version of Shorewall I am running? At the shell prompt, type: @@ -1609,7 +1624,7 @@ Creating input Chains...
- Does Shorewall provide protection against.... + (FAQ 31) Does Shorewall provide protection against.... @@ -1672,10 +1687,10 @@ Creating input Chains... RFC 1918
- I'm connected via a cable modem and it has an internal web - server that allows me to configure/monitor it but as expected if I - enable rfc1918 blocking for my eth0 interface (the internet one), it - also blocks the cable modems web server. + (FAQ 14) I'm connected via a cable modem and it has an + internal web server that allows me to configure/monitor it but as + expected if I enable rfc1918 blocking for my eth0 interface (the + internet one), it also blocks the cable modems web server. Is there any way it can add a rule before the rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address of the @@ -1747,9 +1762,10 @@ Creating input Chains...
- Even though it assigns public IP addresses, my ISP's DHCP - server has an RFC 1918 address. If I enable RFC 1918 filtering on my - external interface, my DHCP client cannot renew its lease. + (FAQ 14a) Even though it assigns public IP addresses, my + ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 + filtering on my external interface, my DHCP client cannot renew its + lease. The solution is the same as above. Simply substitute the IP address of your ISPs DHCP server. @@ -1761,8 +1777,8 @@ Creating input Chains... Alias IP Addresses/Virtual Interfaces
- Is there any way to use aliased ip addresses with Shorewall, and - maintain separate rulesets for different IPs? + (FAQ 18) Is there any way to use aliased ip addresses with + Shorewall, and maintain separate rulesets for different IPs? Answer: Yes. See Shorewall and Aliased @@ -1774,8 +1790,8 @@ Creating input Chains... Miscellaneous
- I have added entries to /etc/shorewall/tcrules but they don't - seem to do anything. Why? + (FAQ 19) I have added entries to /etc/shorewall/tcrules but they + don't seem to do anything. Why? You probably haven't set TC_ENABLED=Yes in /etc/shorewall/shorewall.conf so the contents of the tcrules file are @@ -1783,8 +1799,8 @@ Creating input Chains...
- I have just set up a server. Do I have to change Shorewall to - allow access to my server from the internet? + (FAQ 20) I have just set up a server. Do I have to change + Shorewall to allow access to my server from the internet? Yes. Consult the QuickStart guide that you used during your initial setup for information @@ -1792,8 +1808,8 @@ Creating input Chains...
- How can I allow conections to let's say the ssh port only - from specific IP Addresses on the internet? + (FAQ 24) How can I allow conections to let's say the ssh port + only from specific IP Addresses on the internet? In the SOURCE column of the rule, follow "net" by a colon and a list of the host/subnet addresses as a comma-separated list. @@ -1808,18 +1824,18 @@ Creating input Chains...
- When I try to use any of the SYN options in nmap on or behind the - firewall, I get "operation not permitted". How can I use nmap - with Shorewall?" + (FAQ 26) When I try to use any of the SYN options in nmap on or + behind the firewall, I get "operation not permitted". How can I + use nmap with Shorewall?" Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to "NEWNOTSYN=Yes" then restart Shorewall.
- When I try to use the "-O" option of nmap from the - firewall system, I get "operation not permitted". How to I - allow this option? + (FAQ 26a) When I try to use the "-O" option of nmap + from the firewall system, I get "operation not permitted". How + to I allow this option? Add this command to your /etc/shorewall/start file: @@ -1828,8 +1844,8 @@ Creating input Chains...
- I'm compiling a new kernel for my firewall. What should I - look out for? + (FAQ 27) I'm compiling a new kernel for my firewall. What + should I look out for? First take a look at the Shorewall kernel configuration page. You probably also want to be sure that you @@ -1840,7 +1856,7 @@ Creating input Chains...
- How do I use Shorewall as a Bridging Firewall? + (FAQ 28) How do I use Shorewall as a Bridging Firewall? Basically, you don't. While there are kernel patches that allow you to route bridge traffic through Netfilter, the environment is
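Review bot: The "my my" duplication in the FAQ 1 title (hunk @@ -55,9 +65,9 @@) is carried over unchanged into the new "+ (FAQ 1) I want to forward UDP port 7777 to my my personal PC with" line; since this commit already rewrites that title, drop the repeated word while you are there.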
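Review bot: In the FAQ 21 hunk (@@ -1190,7 +1203,8 @@) the legacy number is inserted after the first word, giving "+ I (FAQ 21) see these strange log entries occasionally"; every other title in this commit places it at the start, so this should read "(FAQ 21) I see these strange log entries occasionally; what are they?".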
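Review bot: The FAQ 22 hunk (@@ -1539,8 +1554,8 @@) has a stray space inside the parentheses, "+ ( FAQ 22) I have some iptables commands", unlike the "(FAQ nn)" form used everywhere else in the patch; remove the space for consistency.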
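Review bot: The FAQ 4c hunk (@@ -748,7 +761,7 @@) keeps the pre-existing typo "How to I use Shorewall with PortSentry?"; since the title line is being rewritten anyway, change "How to I" to "How do I".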
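Review bot: Same typo in the FAQ 25 hunk (@@ -1601,7 +1616,7 @@): "+ (FAQ 25) How to I tell which version of Shorewall I am running?" should read "How do I tell".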
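Review bot: In the FAQ 26/26a hunk (@@ -1808,18 +1824,18 @@) the new FAQ 26a title ends "How + to I allow this option?"; correct it to "How do I allow this option?" while the line is being touched.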
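Review bot: The FAQ 2b hunk (@@ -872,9 +885,9 @@) preserves the lowercase pronoun in "Can i exclude these error messages"; capitalize "I" in the rewritten title.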
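Review bot: The FAQ 24 hunk (@@ -1792,8 +1808,8 @@) carries the misspelling "conections" into the new title line "+ (FAQ 24) How can I allow conections to let's say the ssh port"; fix it to "connections" as part of this edit.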