mirror of https://gitlab.com/shorewall/code.git, synced 2024-11-22 15:43:30 +01:00
Update two-interface guide for PDF compatibility
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1046 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 0e049aad5c
commit bfa841a6c3
@ -17,14 +17,10 @@
</author>
</authorgroup>

<pubdate>2003-12-18</pubdate>
<pubdate>2003-12-31</pubdate>

<copyright>
<year>2001</year>

<year>2002</year>

<year>2003</year>
<year>2001-2003</year>

<holder>Thomas M. Eastep</holder>
</copyright>
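Review bot: collapsing the three `<year>` elements into a single `<year>2001-2003</year>` works around the stylesheet printing one year per line, but DocBook intends one year per `<year>` element and the DocBook XSL stylesheets normally join several of them into one list (with an option to collapse consecutive years into a range). If the PDF build really needs the range spelled out, the change is acceptable; otherwise keep the separate elements and let the stylesheet format them. The `<pubdate>` bump to 2003-12-31 matches the new 1.8 revision entry added further down.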
@ -192,7 +188,7 @@
</informaltable>

<para>Finally, if you need to forward a range of ports, in the PORT
column specify the range as <emphasis>low-port:high-port</emphasis>.</para>
column specify the range as <emphasis><low-port>:<high-port></emphasis>.</para>

<section id="faq1a">
<title>(FAQ 1a) Ok -- I followed those instructions but it doesn't
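Review bot: the new placeholder `<low-port>:<high-port>` is shown with literal angle brackets; in the XML source these must be written as `&lt;low-port&gt;:&lt;high-port&gt;`, otherwise the parser reads them as element tags and the build fails, so check how the file actually stores them. `<replaceable>` is the DocBook element meant for placeholders of this kind and renders as italics in both HTML and PDF, which would make the `<emphasis>` wrapper unnecessary. The sentence also refers to the PORT column while this same commit renames that column header to DEST PORT(S) in the guide's rule tables; if the FAQ's tables get the same rename, update this prose to match.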
@ -722,16 +718,28 @@
rather than dropping them. This is necessary to prevent outgoing
connection problems to services that use the <quote>Auth</quote>
mechanism for identifying requesting users. Shorewall also rejects TCP
ports 135, 137 and 139 as well as UDP ports 137-139. These are ports
that are used by Windows (Windows <emphasis>can</emphasis> be configured
to use the DCE cell locator on port 135). Rejecting these connection
requests rather than dropping them cuts down slightly on the amount of
Windows chatter on LAN segments connected to the Firewall.</para>
ports 135, 137, 139 and 445 as well as UDP ports 137-139. These are
ports that are used by Windows (Windows <emphasis>can</emphasis> be
configured to use the DCE cell locator on port 135). Rejecting these
connection requests rather than dropping them cuts down slightly on the
amount of Windows chatter on LAN segments connected to the Firewall.</para>

<para>If you are seeing port 80 being <quote>closed</quote>, that's
probably your ISP preventing you from running a web server in violation
of your Service Agreement.</para>

<tip>
<para>You can change the default behavior of Shorewall through use of
an /etc/shorewall/common file. See the <ulink
url="shorewall_extension_scripts.htm">Extension Script Section</ulink>.</para>
</tip>

<tip>
<para>Beginning with Shorewall 1.4.9, Shorewall no longer rejects the
Windows SMB ports (135-139 and 445) by default and silently drops them
instead.</para>
</tip>

<section id="faq4a">
<title>(FAQ 4a) I just ran an nmap UDP scan of my firewall and it
showed 100s of ports as open!!!!</title>
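Review bot: the new tip says that from 1.4.9 the Windows SMB ports are silently dropped, but the paragraph above it still states unconditionally that Shorewall rejects TCP 135, 137, 139 and 445; make the paragraph version-specific ("Prior to Shorewall 1.4.9, ...") so the two do not contradict each other. The port lists also differ: the paragraph names TCP 135, 137, 139 and 445 plus UDP 137-139, while the tip says "135-139 and 445", which would take in 136 and 138 as well. Since the paragraph argues that REJECT cuts down Windows chatter and the 1.4.9 default is now DROP, one sentence on the trade-off (a REJECT answers the client at once, a DROP leaves it retrying and reveals nothing) would help readers decide which behaviour to select in /etc/shorewall/common.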
@ -858,7 +866,7 @@
through <ulink url="Documentation.htm#Conf">settings</ulink> in
/etc/shorewall/shorewall.conf -- If you want to log all messages, set:</para>

<programlisting format="linespecific" xml:space="preserve">LOGLIMIT=""
<programlisting>LOGLIMIT=""
LOGBURST=""</programlisting>

<para>Beginning with Shorewall version 1.3.12, you can <ulink
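Review bot: dropping `format="linespecific" xml:space="preserve"` from the `<programlisting>` is safe, since programlisting is already a verbatim element in DocBook and the line break between `LOGLIMIT=""` and `LOGBURST=""` survives in both HTML and FO output. The surrounding prose would benefit from a sentence saying that emptying both settings removes the log rate limit entirely, so "log all messages" also means that a burst of rejected packets can fill the log partition; readers choosing this setting should know that trade-off.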
@ -1867,7 +1875,8 @@ Creating input Chains...
<appendix>
<title>Revision History</title>

<para><revhistory><revision><revnumber>1.7</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Remove
<para><revhistory><revision><revnumber>1.8</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Additions
to FAQ 4.</revremark></revision><revision><revnumber>1.7</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Remove
dead link from FAQ 1.</revremark></revision><revision><revnumber>1.6</revnumber><date>2003.12-18</date><authorinitials>TE</authorinitials><revremark>Add
external link reference to FAQ 17.</revremark></revision><revision><revnumber>1.5</revnumber><date>2003-12-16</date><authorinitials>TE</authorinitials><revremark>Added
a link to a Sys Admin article about multiple internet interfaces. Added
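Review bot: the 1.6 entry in the context lines directly below the new 1.8 entry carries the date `2003.12-18` (a dot where the first hyphen belongs); since this paragraph is being edited anyway, correct it to `2003-12-18` so all revision dates share one format. The new remark "Additions to FAQ 4" does describe the port 445 and 1.4.9 changes made above.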
@ -114,9 +114,9 @@
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> If you
have an ADSL Modem and you use PPTP to communicate with a server in that
modem, you must make the <ulink url="PPTP.htm#PPTP_ADSL">changes
recommended here</ulink> in addition to those described in the steps
below. ADSL with PPTP is most commonly found in Europe, notably in
Austria.</para>
recommended here</ulink> <emphasis role="underline">in addition to those
described in the steps below</emphasis>. ADSL with PPTP is most commonly
found in Europe, notably in Austria.</para>
</section>

<section>
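Review bot: this hunk leaves the `<inlinegraphic>` inline in the same `<para>` as the text, whereas every other paragraph touched by this commit moves the graphic into its own `<para>` for the PDF build; split it here too for consistency. `<emphasis role="underline">` is honoured by the DocBook XSL stylesheets, but underlining is also the link convention in HTML output, so the underlined phrase sitting right after a `<ulink>` may be mistaken for a second link; `role="bold"` would avoid that.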
@ -37,15 +37,11 @@
<title>Operating Shorewall</title>

<para>If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you have
installed <quote>firewall</quote> in your init.d directory, simply type
<quote><command>chkconfig --add shorewall</command></quote> (<quote><command>insserv
-d shorewall</command></quote> if your distribution uses insserv to
install startup scripts). This will start the firewall in run levels 2-5
and stop it in run levels 1 and 6. If you want to configure your firewall
differently from this default, you can use the <quote>--level</quote>
option in chkconfig (see <quote>man chkconfig</quote>) or using your
favorite graphical run-level editor.</para>
recommend that you start the firewall automatically at boot. The <ulink
url="Install.htm">installation procedure</ulink> attempts to set up the
init scripts to start the firewall in run levels 2-5 and stop it in run
levels 1 and 6. If you want to configure your firewall differently from
this default, you can use your distribution's run-level editor.</para>

<caution>
<itemizedlist>
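Review bot: the rewritten paragraph drops the explicit `chkconfig --add shorewall` and `insserv -d shorewall` commands and the `--level` hint, and says only that the installation procedure "attempts" to set up the init scripts. When that attempt fails (unsupported distribution, manual install), the reader is left with no fallback and a firewall that does not come up at boot; keep the two commands as a second sentence, or confirm that Install.htm lists them where the new link points.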
@ -57,20 +53,27 @@
</listitem>

<listitem>
<para>If you use dialup, you may want to start the firewall in your
<para>If you use dialup or some flavor of PPP where your IP address
can change arbitrarily, you may want to start the firewall in your
<command>/etc/ppp/ip-up.local</command> script. I recommend just
placing <quote>shorewall restart</quote> in that script.</para>
placing <quote><command>/sbin/shorewall restart</command></quote> in
that script.</para>
</listitem>
</itemizedlist>
</caution>

<para>You can manually start and stop Shoreline Firewall using the
<quote><quote>shorewall</quote></quote> shell program. Please refer to the
Shorewall State Diagram as shown at the bottom of this page.</para>
<quote><command>/sbin/shorewall</command></quote> shell program.</para>

<itemizedlist>
<listitem>
<para><command>shorewall start </command>- starts the firewall</para>
<para><command>shorewall start </command>- starts the firewall. It
important to understand that when the firewall is in the <emphasis
role="bold">Started</emphasis> state there is <emphasis>no Shorewall
Program</emphasis> running. It rather means that Netfilter has been
configured to handle traffic as described in your Shorewall
configuration files. Please refer to the <link linkend="State">Shorewall
State Diagram</link> as shown at the bottom of this page.</para>
</listitem>

<listitem>
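Review bot: the added sentence in the `shorewall start` list item reads "It important to understand" and is missing "is". The clarification itself is worth keeping: the Started state means Netfilter has been loaded with the rules, not that a daemon is running, so there is no process to look for and the `<link linkend="State">` to the state diagram is the right pointer. Spelling out `/sbin/shorewall restart` in ip-up.local and replacing the doubled `<quote><quote>shorewall</quote></quote>` with a single `<quote><command>` are both correct fixes.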
@ -341,17 +344,18 @@
</itemizedlist>
</section>

<section>
<section id="State">
<title>Shorewall State Diagram</title>

<para>The Shorewall State Diargram is depicted below.<graphic
align="center" fileref="images/State_Diagram.png" /></para>
<para>The Shorewall State Diargram is depicted below.</para>

<para><graphic align="center" fileref="images/State_Diagram.png" /></para>

<para>You will note that the commands that result in state transitions use
the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
That is because the actual transitions are done by
/usr/share/shorewall/firewall; /sbin/shorewall runs <quote>firewall</quote>
according to the following table:</para>
That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
<command>/sbin/shorewall</command> runs <quote>firewall</quote> according
to the following table:</para>

<informaltable>
<tgroup cols="3">
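Review bot: "Diargram" in "The Shorewall State Diargram is depicted below." is misspelled in both the removed and the added line; correct it to "Diagram" while the line is being rewritten. Adding `id="State"` to the section is required by the new `<link linkend="State">` in the Operating Shorewall section, so the two hunks must land together or the link target will be unresolved.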
@ -452,4 +456,12 @@
</tgroup>
</informaltable>
</section>

<appendix>
<title>Revision History</title>

<para><revhistory><revision><revnumber>1.2</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Added
clarification about "Started State"</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Initial
Docbook conversion</revremark></revision></revhistory></para>
</appendix>
</article>
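Review bot: the new 1.2 revision remark wraps "Started State" in straight double quotes where the rest of this document uses `<quote>`; use the element so HTML and PDF quote styles stay consistent. "Docbook" in the 1.1 entry should be spelled "DocBook".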
@ -129,23 +129,27 @@
<section>
<title>PPTP/ADSL</title>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If you
have an <acronym>ADSL</acronym> Modem and you use <acronym>PPTP</acronym>
to communicate with a server in that modem, you must make the changes
recommended here in addition to those detailed below. <acronym>ADSL</acronym>
with <acronym>PPTP</acronym> is most commonly found in Europe, notably in
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>If you have an <acronym>ADSL</acronym> Modem and you use
<acronym>PPTP</acronym> to communicate with a server in that modem, you
must make the changes recommended <ulink url="PPTP.htm#PPTP_ADSL">here</ulink>
in addition to those detailed below. <acronym>ADSL</acronym> with
<acronym>PPTP</acronym> is most commonly found in Europe, notably in
Austria.</para>
</section>

<section>
<title>Shorewall Concepts</title>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The
configuration files for Shorewall are contained in the directory <filename
class="directory">/etc/shorewall</filename> -- for simple setups, you will
only need to deal with a few of these as described in this guide.
<tip><para>After you have <ulink url="Install.htm">installed Shorewall</ulink>,
download the <ulink url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
setups, you will only need to deal with a few of these as described in
this guide. <tip><para>After you have <ulink url="Install.htm">installed
Shorewall</ulink>, download the <ulink
url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
sample</ulink>, un-tar it (<command>tar <option>-zxvf</option>
<filename>two-interfaces.tgz</filename></command>) and and copy the files
to <filename class="directory">/etc/shorewall</filename> <emphasis
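Review bot: the context line `<filename>two-interfaces.tgz</filename></command>) and and copy the files` has a doubled "and"; since the surrounding lines are being reflowed, fix it in this commit. The `<tip>` still opens in the middle of a running paragraph ("this guide. <tip><para>..."), which DocBook 4 tolerates but which renders as a block dropped into the paragraph; closing the `<para>` before the tip is the pattern the rest of this commit is moving toward and is what the PDF stylesheet handles best. Restoring the `<ulink url="PPTP.htm#PPTP_ADSL">` that the old text referenced as "here" without a link is a good catch.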
@ -222,8 +226,9 @@
connection requests from the firewall to the internet (if you uncomment
the additional policy)</para></listitem><listitem><para>reject all other
connection requests.</para></listitem></itemizedlist> <inlinegraphic
fileref="images/BD21298_.gif" format="GIF" />At this point, edit your
<filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
fileref="images/BD21298_.gif" format="GIF" /></para>

<para>At this point, edit your <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
and make any changes that you wish.</para>
</section>

@ -250,9 +255,10 @@
<acronym>ISDN</acronym>, your external interface will be <filename
class="devicefile">ippp0</filename>.</para>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If your
external interface is <filename class="devicefile">ppp0</filename> or
<filename class="devicefile">ippp0</filename> then you will want to set
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>If your external interface is <filename class="devicefile">ppp0</filename>
or <filename class="devicefile">ippp0</filename> then you will want to set
<varname>CLAMPMSS=yes</varname> in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>.</para>

<para>Your <emphasis>Internal Interface</emphasis> will be an ethernet
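Review bot: the reflowed paragraph tells ppp0/ippp0 users to set `CLAMPMSS=yes` but gives no reason; a half-sentence explaining that PPP links carry a smaller MTU and that, without MSS clamping, connections through the firewall can stall on large packets would let readers recognise the symptom when they hit it. The split of the `<inlinegraphic>` into its own paragraph matches the rest of the commit.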
@ -268,11 +274,13 @@
<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
for all interfaces connected to the common hub/switch. Using such a setup
with a production firewall is strongly recommended against.</para></warning>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The Shorewall
two-interface sample configuration assumes that the external interface is
<filename class="devicefile">eth0</filename> and the internal interface is
<filename class="devicefile">eth1</filename>. If your configuration is
different, you will have to modify the sample <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>The Shorewall two-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename> and the
internal interface is <filename class="devicefile">eth1</filename>. If
your configuration is different, you will have to modify the sample
<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
file accordingly. While you are there, you may wish to review the list of
options that are specified for the interfaces. Some hints: <itemizedlist
spacing="compact"><listitem><para>If your external interface is <filename
@ -306,10 +314,11 @@
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
</programlisting> <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />Before
starting Shorewall, you should look at the IP address of your external
interface and if it is one of the above ranges, you should remove the
'norfc1918' option from the external interface's entry in
</programlisting> <inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>Before starting Shorewall, you should look at the IP address of your
external interface and if it is one of the above ranges, you should remove
the 'norfc1918' option from the external interface's entry in
<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</para>

<para>You will want to assign your addresses from the same sub-network
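Review bot: `'norfc1918'` is quoted with straight single quotes in the reflowed sentence, while interface options elsewhere in the guide are marked up as `<option>` (for example `<option>-zxvf</option>` in the tar command); use `<option>norfc1918</option>` here so the PDF renders it the same way. The advice itself is right: with an RFC 1918 address on the external interface, leaving `norfc1918` in place would make the firewall discard its own upstream traffic.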
@ -345,10 +354,11 @@
directly. To communicate with systems outside of the subnetwork, systems
send packets through a gateway (router).</para>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />Your
local computers (computer 1 and computer 2 in the above diagram) should be
configured with their default gateway to be the <acronym>IP</acronym>
address of the firewall's internal interface.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>Your local computers (computer 1 and computer 2 in the above
diagram) should be configured with their default gateway to be the
<acronym>IP</acronym> address of the firewall's internal interface.</para>

<para>The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
@ -405,24 +415,28 @@
<acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
<acronym>IP</acronym> is static.</para>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If your
external firewall interface is <filename class="devicefile">eth0</filename>,
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>If your external firewall interface is <filename class="devicefile">eth0</filename>,
you do not need to modify the file provided with the sample. Otherwise,
edit <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
and change the first column to the name of your external interface and the
second column to the name of your internal interface.</para>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If your
external <acronym>IP</acronym> is static, you can enter it in the third
column in the <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>If your external <acronym>IP</acronym> is static, you can enter it
in the third column in the <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
entry if you like although your firewall will work fine if you leave that
column empty. Entering your static <acronym>IP</acronym> in column 3 makes
processing outgoing packets a little more efficient.</para>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If you
are using the Debian package, please check your <filename>shorewall.conf</filename>
file to ensure that the following are set correctly; if they are not,
change them appropriately: <itemizedlist spacing="compact"><listitem><para><varname>NAT_ENABLED=Yes</varname>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>If you are using the Debian package, please check your
<filename>shorewall.conf</filename> file to ensure that the following are
set correctly; if they are not, change them appropriately: <itemizedlist
spacing="compact"><listitem><para><varname>NAT_ENABLED=Yes</varname>
(Shorewall versions earlier than 1.4.6)</para></listitem><listitem><para><varname>IP_FORWARDING=On</varname></para></listitem></itemizedlist></para>
</section>

@ -448,9 +462,9 @@
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
<informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(s)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>loc:<server local ip address> [:<server
port>]</varname></entry><entry align="left"><varname><protocol></varname></entry><entry
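Review bot: this header row uses `CLIENT PORT(s)` with a lowercase "s", while every other table renamed in this commit uses `CLIENT PORT(S)`; make them identical. The renames themselves (DEST, PROTO, DEST PORT(S), CLIENT PORT(S), ORIGINAL DEST) bring the tables in line with the column names used in the rules file header, which is the right direction. The placeholder cells `<server local ip address>`, `<server port>` and `<protocol>` in the context lines must be entity-escaped (`&lt;...&gt;`) in the XML source, so confirm the file still validates after the edit.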
@ -460,9 +474,9 @@
to that system: <informaltable frame="all" label="rules" pgwide="0"><tgroup
align="left" cols="7"><thead valign="middle"><row valign="middle"><entry
align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">DEST</entry><entry align="left">PROTO</entry><entry
align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>loc:10.10.10.2</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>80</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></example>
@ -471,9 +485,9 @@
incoming <acronym>TCP</acronym> port 21 to that system: <informaltable
frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>loc:10.10.10.1</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>21</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
@ -494,17 +508,18 @@
url="FAQ.htm#faq2">Shorewall FAQ #2</ulink>.</para></listitem><listitem><para>Many
<acronym>ISP</acronym>s block incoming connection requests to port 80. If
you have problems connecting to your web server, try the following rule
and try connecting to port 5000. <informaltable frame="all" label="rules"
pgwide="0"><tgroup align="left" cols="7"><thead valign="middle"><row
valign="middle"><entry align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
and try connecting to port 5000. </para></listitem></itemizedlist><informaltable
frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>loc:10.10.10.2:80</varname></entry><entry
align="left"><varname>tcp</varname></entry><entry align="left"><varname>5000</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></listitem></itemizedlist>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />At this point,
modify <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
align="left"><varname>tcp</varname></entry><entry align="left"><varname>5000</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>At this point, modify <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
to add any <acronym>DNAT</acronym> rules that you require.</para>
</section>

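Review bot: moving `</para></listitem></itemizedlist>` in front of the `<informaltable>` takes the port-5000 rule table out of the list item whose text introduces it ("try the following rule and try connecting to port 5000."); the table now renders after the whole list, separated from that sentence by the list's end, and the `</para>` after the `<inlinegraphic>` closes the enclosing paragraph the list sits in. If the table has to leave the list item for the PDF stylesheet, reword the list item so it says the rule follows the list. Splitting "At this point, modify ... rules" into its own `<para>` is a clean change.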
@ -543,9 +558,9 @@
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
<informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>53</varname></entry><entry></entry><entry></entry></row><row><entry
@ -560,9 +575,9 @@
<para>The two-interface sample includes the following rules:
<informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>fw</varname></entry><entry
align="left"><varname>net</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>53</varname></entry><entry></entry><entry></entry></row><row><entry
@ -576,9 +591,9 @@
<para>The sample also includes: <informaltable frame="all" label="rules"
pgwide="0"><tgroup align="left" cols="7"><thead valign="middle"><row
valign="middle"><entry align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">DEST</entry><entry align="left">PROTO</entry><entry
align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
@ -589,9 +604,9 @@
other systems, the general format is: <informaltable frame="all"
label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname><source
zone></varname></entry><entry align="left"><varname><destination
zone></varname></entry><entry align="left"><varname><protocol></varname></entry><entry
@ -602,9 +617,9 @@
colname="c2" /><colspec colname="c3" /><colspec colname="c4" /><colspec
colname="c5" /><colspec colname="c6" /><colspec colname="c7" /><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>80</varname></entry><entry nameend="c7" namest="c6">#Allow
@ -619,15 +634,15 @@
url="ports.htm">here</ulink>. <important><para>I don't recommend
enabling <command>telnet</command> to/from the internet because it uses
clear text (even for login!). If you want shell access to your firewall
from the internet, use <acronym>SSH</acronym>: <informaltable frame="all"
label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
from the internet, use <acronym>SSH</acronym>: </para></important><informaltable
frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></important>
align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
<inlinegraphic fileref="images/leaflogo.gif" format="GIF" />Bering users
will want to add the following two rules to be compatible with
Jacques's Shorewall configuration. <informaltable frame="all"
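Review bot: closing `</para></important>` before the `<informaltable>` takes the SSH rule table out of the admonition box, which is the structure the PDF stylesheets want, but the sentence "If you want shell access to your firewall from the internet, use SSH:" now ends with a colon that points at a table outside the box; either end it with a period or make the lead explicit, e.g. "use SSH and add the following rule:", so the rendered note still reads as one thought. The row itself (ACCEPT net fw tcp 22, no CLIENT PORT(S) or ORIGINAL DEST) opens port 22 from the whole internet, which matches the text, so no change there beyond the header rename.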
@ -636,9 +651,9 @@
colname="c4" /><colspec colname="c5" /><colspec colname="c6" /><colspec
colname="c7" /><thead valign="middle"><row valign="middle"><entry
align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">DEST</entry><entry align="left">PROTO</entry><entry
align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>udp</varname></entry><entry
align="left"><varname>53</varname></entry><entry nameend="c7" namest="c6">#Allow
@ -646,21 +661,23 @@
align="left"><varname>loc</varname></entry><entry align="left"><varname>fw</varname></entry><entry
align="left"><varname>tcp</varname></entry><entry align="left"><varname>80</varname></entry><entry
nameend="c7" namest="c6">#Allow weblet to work</entry></row></tbody></tgroup></informaltable>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />Now edit your
<filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>Now edit your <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
file to add or delete other connections as required.</para>
</section>

<section>
<title>Starting and Stopping Your Firewall</title>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The
<ulink url="Install.htm">installation procedure</ulink> configures your
system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won't try to
start Shorewall before configuration is complete. Once you have completed
configuration of your firewall, you can enable Shorewall startup by
removing the file <filename class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable
Shorewall startup by removing the file <filename class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.
<important><para>Users of the .deb package must edit <filename
class="directory">/etc/default/</filename><filename>shorewall</filename>
and set <varname>startup=1</varname>.</para></important> The firewall is
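Review bot: the `<inlinegraphic>` is now split into a `<para>` of its own in both places (before "Now edit your /etc/shorewall/rules" and before "The installation procedure"), which removes the image-plus-text paragraphs that upset the PDF build, but an `<inlinegraphic>` alone in an otherwise empty paragraph is really a block image; `<mediaobject>`/`<imageobject>` (or `<graphic>`) says that directly and avoids the empty-paragraph spacing some stylesheets emit. The reworded startup_disabled paragraph keeps the same content as before, and the `.deb` note (`startup=1` in /etc/default/shorewall) is still inside the same `<para>`, which DocBook allows.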
@ -674,10 +691,11 @@
of Shorewall from your Netfilter configuration, use <quote><command>shorewall
clear</command></quote>.</para>

<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The
two-interface sample assumes that you want to enable routing to/from
<filename class="devicefile">eth1</filename> (the local network) when
Shorewall is stopped. If your local network isn't connected to
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>

<para>The two-interface sample assumes that you want to enable routing
to/from <filename class="devicefile">eth1</filename> (the local network)
when Shorewall is stopped. If your local network isn't connected to
<filename class="devicefile">eth1</filename> or if you wish to enable
access to/from other hosts, change <filename class="directory">/etc/shorewall/</filename><filename>routestopped</filename>
accordingly. <warning><para>If you are connected to your firewall from the
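Review bot: same image/paragraph split as in the previous hunk, applied to the routestopped paragraph; while touching this text it would help readers to say plainly that the access granted through /etc/shorewall/routestopped applies while Shorewall is stopped, that is, without the rules above in effect, so the file should stay limited to the local network on eth1 as the sample has it and "other hosts" should be added only when they genuinely need to reach the firewall while it is down.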
@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>

<pubdate>2003/12/22</pubdate>
<pubdate>2003/12/30</pubdate>

<copyright>
<year>2003</year>
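Review bot: the pubdate bump is fine, but the value uses slashes (2003/12/30); an ISO 8601 date (2003-12-30) sorts and parses more predictably and is the form the DocBook stylesheets expect when they format dates, so consider switching while the line is being edited anyway.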
@ -60,7 +60,7 @@

<row rowsep="0" valign="middle">
<entry align="left">Debian apt-get sources for Shorewall: <ulink
url="http://idea.sec.dico.unimi.it/~Elorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~Elorenzo/index.html#Debian</ulink></entry>
url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry>
</row>
</tbody>
</tgroup>
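Review bot: the typo fix (~Elorenzo to ~lorenzo) is applied consistently to both the `url` attribute and the visible link text, good; since this entry sends Debian users to a third-party apt source hosted on a personal page over plain http, a short sentence next to the link on how to verify what they install from it (a signature or checksum published by the packager) would be a useful addition to this table.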