Update two-interface guide for PDF compatibility

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1046 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-12-31 22:15:46 +00:00
parent 0e049aad5c
commit bfa841a6c3
5 changed files with 171 additions and 132 deletions

View File

@ -17,14 +17,10 @@
</author>
</authorgroup>
<pubdate>2003-12-18</pubdate>
<pubdate>2003-12-31</pubdate>
<copyright>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<year>2001-2003</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -192,7 +188,7 @@
</informaltable>
<para>Finally, if you need to forward a range of ports, in the PORT
column specify the range as <emphasis>low-port:high-port</emphasis>.</para>
column specify the range as <emphasis>&#60;low-port&#62;:&#60;high-port&#62;</emphasis>.</para>
<section id="faq1a">
<title>(FAQ 1a) Ok -- I followed those instructions but it doesn&#39;t
@ -722,16 +718,28 @@
rather than dropping them. This is necessary to prevent outgoing
connection problems to services that use the <quote>Auth</quote>
mechanism for identifying requesting users. Shorewall also rejects TCP
ports 135, 137 and 139 as well as UDP ports 137-139. These are ports
that are used by Windows (Windows <emphasis>can</emphasis> be configured
to use the DCE cell locator on port 135). Rejecting these connection
requests rather than dropping them cuts down slightly on the amount of
Windows chatter on LAN segments connected to the Firewall.</para>
ports 135, 137, 139 and 445 as well as UDP ports 137-139. These are
ports that are used by Windows (Windows <emphasis>can</emphasis> be
configured to use the DCE cell locator on port 135). Rejecting these
connection requests rather than dropping them cuts down slightly on the
amount of Windows chatter on LAN segments connected to the Firewall.</para>
<para>If you are seeing port 80 being <quote>closed</quote>, that&#39;s
probably your ISP preventing you from running a web server in violation
of your Service Agreement.</para>
<tip>
<para>You can change the default behavior of Shorewall through use of
an /etc/shorewall/common file. See the <ulink
url="shorewall_extension_scripts.htm">Extension Script Section</ulink>.</para>
</tip>
<tip>
<para>Beginning with Shorewall 1.4.9, Shorewall no longer rejects the
Windows SMB ports (135-139 and 445) by default and silently drops them
instead.</para>
</tip>
<section id="faq4a">
<title>(FAQ 4a) I just ran an nmap UDP scan of my firewall and it
showed 100s of ports as open!!!!</title>
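Review bot: the reworded paragraph still states in the present tense that Shorewall rejects TCP 135, 137, 139 and 445, while the new tip three paragraphs later says that from 1.4.9 those ports are silently dropped instead; the two now contradict each other for anyone running 1.4.9. Qualify the paragraph ("Prior to Shorewall 1.4.9, Shorewall also rejects TCP ports 135, 137, 139 and 445 ...") so the tip reads as the current behaviour rather than a correction. Also, the tip's "Windows SMB ports (135-139 and 445)" is loose: the paragraph itself identifies 135 as the DCE cell locator, 137-139 are the NetBIOS ports, and only 445 carries SMB directly; "Windows networking ports" would be accurate. The reject-versus-drop trade-off the paragraph describes (less retransmission chatter from Windows hosts versus revealing that a filter is present) is worth keeping as the stated reason the default changed.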
@ -858,7 +866,7 @@
through <ulink url="Documentation.htm#Conf">settings</ulink> in
/etc/shorewall/shorewall.conf -- If you want to log all messages, set:</para>
<programlisting format="linespecific" xml:space="preserve">LOGLIMIT=&#34;&#34;
<programlisting>LOGLIMIT=&#34;&#34;
LOGBURST=&#34;&#34;</programlisting>
<para>Beginning with Shorewall version 1.3.12, you can <ulink
@ -1867,7 +1875,8 @@ Creating input Chains...
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.7</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Remove
<para><revhistory><revision><revnumber>1.8</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Additions
to FAQ 4.</revremark></revision><revision><revnumber>1.7</revnumber><date>2003-12-30</date><authorinitials>TE</authorinitials><revremark>Remove
dead link from FAQ 1.</revremark></revision><revision><revnumber>1.6</revnumber><date>2003.12-18</date><authorinitials>TE</authorinitials><revremark>Add
external link reference to FAQ 17.</revremark></revision><revision><revnumber>1.5</revnumber><date>2003-12-16</date><authorinitials>TE</authorinitials><revremark>Added
a link to a Sys Admin article about multiple internet interfaces. Added
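Review bot: the 1.6 entry in the unchanged context still carries the malformed date `2003.12-18`; since the revhistory is being edited in this hunk anyway, correct it to `2003-12-18` so every entry uses the same ISO form as the new 1.8 line.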

View File

@ -114,9 +114,9 @@
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /> If you
have an ADSL Modem and you use PPTP to communicate with a server in that
modem, you must make the <ulink url="PPTP.htm#PPTP_ADSL">changes
recommended here</ulink> in addition to those described in the steps
below. ADSL with PPTP is most commonly found in Europe, notably in
Austria.</para>
recommended here</ulink> <emphasis role="underline">in addition to those
described in the steps below</emphasis>. ADSL with PPTP is most commonly
found in Europe, notably in Austria.</para>
</section>
<section>

View File

@ -37,15 +37,11 @@
<title>Operating Shorewall</title>
<para>If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you have
installed <quote>firewall</quote> in your init.d directory, simply type
<quote><command>chkconfig --add shorewall</command></quote> (<quote><command>insserv
-d shorewall</command></quote> if your distribution uses insserv to
install startup scripts). This will start the firewall in run levels 2-5
and stop it in run levels 1 and 6. If you want to configure your firewall
differently from this default, you can use the <quote>--level</quote>
option in chkconfig (see <quote>man chkconfig</quote>) or using your
favorite graphical run-level editor.</para>
recommend that you start the firewall automatically at boot. The <ulink
url="Install.htm">installation procedure</ulink> attempts to set up the
init scripts to start the firewall in run levels 2-5 and stop it in run
levels 1 and 6. If you want to configure your firewall differently from
this default, you can use your distribution&#39;s run-level editor.</para>
<caution>
<itemizedlist>
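Review bot: the replacement text says the installation procedure "attempts to" set up the init scripts but removes the only commands the reader had to check or repair the result (`chkconfig --add shorewall`, `insserv -d shorewall`). If the attempt fails, the host boots with no firewall and the new wording gives the reader no way to notice; keep at least a one-line pointer to verifying that shorewall is enabled in run levels 2-5 (for example with `chkconfig --list shorewall` on chkconfig systems), even if the distribution-specific detail moves to Install.htm.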
@ -57,20 +53,27 @@
</listitem>
<listitem>
<para>If you use dialup, you may want to start the firewall in your
<para>If you use dialup or some flavor of PPP where your IP address
can change arbitrarily, you may want to start the firewall in your
<command>/etc/ppp/ip-up.local</command> script. I recommend just
placing <quote>shorewall restart</quote> in that script.</para>
placing <quote><command>/sbin/shorewall restart</command></quote> in
that script.</para>
</listitem>
</itemizedlist>
</caution>
<para>You can manually start and stop Shoreline Firewall using the
<quote><quote>shorewall</quote></quote> shell program. Please refer to the
Shorewall State Diagram as shown at the bottom of this page.</para>
<quote><command>/sbin/shorewall</command></quote> shell program.</para>
<itemizedlist>
<listitem>
<para><command>shorewall start </command>- starts the firewall</para>
<para><command>shorewall start </command>- starts the firewall. It
important to understand that when the firewall is in the <emphasis
role="bold">Started</emphasis> state there is <emphasis>no Shorewall
Program</emphasis> running. It rather means that Netfilter has been
configured to handle traffic as described in your Shorewall
configuration files. Please refer to the <link linkend="State">Shorewall
State Diagram</link> as shown at the bottom of this page.</para>
</listitem>
<listitem>
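Review bot: "It important to understand" on the new `shorewall start` line is missing a verb and should read "It is important to understand". The clarification itself is worth having: with no daemon in the Started state, a process listing tells the operator nothing, and the only evidence that the ruleset is loaded is the Netfilter state the state diagram section describes.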
@ -341,17 +344,18 @@
</itemizedlist>
</section>
<section>
<section id="State">
<title>Shorewall State Diagram</title>
<para>The Shorewall State Diargram is depicted below.<graphic
align="center" fileref="images/State_Diagram.png" /></para>
<para>The Shorewall State Diargram is depicted below.</para>
<para><graphic align="center" fileref="images/State_Diagram.png" /></para>
<para>You will note that the commands that result in state transitions use
the word <quote>firewall</quote> rather than <quote>shorewall</quote>.
That is because the actual transitions are done by
/usr/share/shorewall/firewall; /sbin/shorewall runs <quote>firewall</quote>
according to the following table:</para>
That is because the actual transitions are done by <command>/usr/share/shorewall/firewall</command>;
<command>/sbin/shorewall</command> runs <quote>firewall</quote> according
to the following table:</para>
<informaltable>
<tgroup cols="3">
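Review bot: "Diargram" on the reflowed line is a typo for "Diagram"; it was present in the old text and the rewrite carried it over, so fix it while this paragraph is being touched.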
@ -452,4 +456,12 @@
</tgroup>
</informaltable>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.2</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Added
clarification about &#34;Started State&#34;</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Initial
Docbook conversion</revremark></revision></revhistory></para>
</appendix>
</article>

View File

@ -129,23 +129,27 @@
<section>
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If you
have an <acronym>ADSL</acronym> Modem and you use <acronym>PPTP</acronym>
to communicate with a server in that modem, you must make the changes
recommended here in addition to those detailed below. <acronym>ADSL</acronym>
with <acronym>PPTP</acronym> is most commonly found in Europe, notably in
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If you have an <acronym>ADSL</acronym> Modem and you use
<acronym>PPTP</acronym> to communicate with a server in that modem, you
must make the changes recommended <ulink url="PPTP.htm#PPTP_ADSL">here</ulink>
in addition to those detailed below. <acronym>ADSL</acronym> with
<acronym>PPTP</acronym> is most commonly found in Europe, notably in
Austria.</para>
</section>
<section>
<title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The
configuration files for Shorewall are contained in the directory <filename
class="directory">/etc/shorewall</filename> -- for simple setups, you will
only need to deal with a few of these as described in this guide.
<tip><para>After you have <ulink url="Install.htm">installed Shorewall</ulink>,
download the <ulink url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>The configuration files for Shorewall are contained in the directory
<filename class="directory">/etc/shorewall</filename> -- for simple
setups, you will only need to deal with a few of these as described in
this guide. <tip><para>After you have <ulink url="Install.htm">installed
Shorewall</ulink>, download the <ulink
url="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface
sample</ulink>, un-tar it (<command>tar <option>-zxvf</option>
<filename>two-interfaces.tgz</filename></command>) and and copy the files
to <filename class="directory">/etc/shorewall</filename> <emphasis
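Review bot: the unchanged context line "un-tar it ... and and copy the files" has a doubled "and"; fix it while this paragraph is being reflowed. The new explicit `<ulink url="PPTP.htm#PPTP_ADSL">` is a genuine fix, since the old text said "recommended here" with no link target.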
@ -222,8 +226,9 @@
connection requests from the firewall to the internet (if you uncomment
the additional policy)</para></listitem><listitem><para>reject all other
connection requests.</para></listitem></itemizedlist> <inlinegraphic
fileref="images/BD21298_.gif" format="GIF" />At this point, edit your
<filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
fileref="images/BD21298_.gif" format="GIF" /></para>
<para>At this point, edit your <filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
and make any changes that you wish.</para>
</section>
@ -250,9 +255,10 @@
<acronym>ISDN</acronym>, your external interface will be <filename
class="devicefile">ippp0</filename>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If your
external interface is <filename class="devicefile">ppp0</filename> or
<filename class="devicefile">ippp0</filename> then you will want to set
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If your external interface is <filename class="devicefile">ppp0</filename>
or <filename class="devicefile">ippp0</filename> then you will want to set
<varname>CLAMPMSS=yes</varname> in <filename class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>.</para>
<para>Your <emphasis>Internal Interface</emphasis> will be an ethernet
@ -268,11 +274,13 @@
<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
for all interfaces connected to the common hub/switch. Using such a setup
with a production firewall is strongly recommended against.</para></warning>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The Shorewall
two-interface sample configuration assumes that the external interface is
<filename class="devicefile">eth0</filename> and the internal interface is
<filename class="devicefile">eth1</filename>. If your configuration is
different, you will have to modify the sample <filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>The Shorewall two-interface sample configuration assumes that the
external interface is <filename class="devicefile">eth0</filename> and the
internal interface is <filename class="devicefile">eth1</filename>. If
your configuration is different, you will have to modify the sample
<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
file accordingly. While you are there, you may wish to review the list of
options that are specified for the interfaces. Some hints: <itemizedlist
spacing="compact"><listitem><para>If your external interface is <filename
@ -306,10 +314,11 @@
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
</programlisting> <inlinegraphic fileref="images/BD21298_.gif" format="GIF" />Before
starting Shorewall, you should look at the IP address of your external
interface and if it is one of the above ranges, you should remove the
&#39;norfc1918&#39; option from the external interface&#39;s entry in
</programlisting> <inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Before starting Shorewall, you should look at the IP address of your
external interface and if it is one of the above ranges, you should remove
the &#39;norfc1918&#39; option from the external interface&#39;s entry in
<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>.</para>
<para>You will want to assign your addresses from the same sub-network
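Review bot: the instruction to remove `norfc1918` when the external address falls in one of the listed private ranges should say what is given up. That option is what causes packets arriving on the external interface with a source address in those ranges to be rejected, so once it is removed the firewall no longer filters such spoofed sources from the internet side. One sentence stating that trade-off belongs next to the instruction so the reader removes the option knowingly rather than as a routine step.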
@ -345,10 +354,11 @@
directly. To communicate with systems outside of the subnetwork, systems
send packets through a gateway (router).</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />Your
local computers (computer 1 and computer 2 in the above diagram) should be
configured with their default gateway to be the <acronym>IP</acronym>
address of the firewall&#39;s internal interface.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Your local computers (computer 1 and computer 2 in the above
diagram) should be configured with their default gateway to be the
<acronym>IP</acronym> address of the firewall&#39;s internal interface.</para>
<para>The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more
@ -405,24 +415,28 @@
<acronym>IP</acronym> is dynamic and <acronym>SNAT</acronym> if the
<acronym>IP</acronym> is static.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If your
external firewall interface is <filename class="devicefile">eth0</filename>,
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If your external firewall interface is <filename class="devicefile">eth0</filename>,
you do not need to modify the file provided with the sample. Otherwise,
edit <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
and change the first column to the name of your external interface and the
second column to the name of your internal interface.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If your
external <acronym>IP</acronym> is static, you can enter it in the third
column in the <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If your external <acronym>IP</acronym> is static, you can enter it
in the third column in the <filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
entry if you like although your firewall will work fine if you leave that
column empty. Entering your static <acronym>IP</acronym> in column 3 makes
processing outgoing packets a little more efficient.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />If you
are using the Debian package, please check your <filename>shorewall.conf</filename>
file to ensure that the following are set correctly; if they are not,
change them appropriately: <itemizedlist spacing="compact"><listitem><para><varname>NAT_ENABLED=Yes</varname>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If you are using the Debian package, please check your
<filename>shorewall.conf</filename> file to ensure that the following are
set correctly; if they are not, change them appropriately: <itemizedlist
spacing="compact"><listitem><para><varname>NAT_ENABLED=Yes</varname>
(Shorewall versions earlier than 1.4.6)</para></listitem><listitem><para><varname>IP_FORWARDING=On</varname></para></listitem></itemizedlist></para>
</section>
@ -448,9 +462,9 @@
class="directory">/etc/shorewall/</filename><filename>rules</filename> is:
<informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(s)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>loc:&#60;server local ip address&#62; [:&#60;server
port&#62;]</varname></entry><entry align="left"><varname>&#60;protocol&#62;</varname></entry><entry
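Review bot: the new header cell here reads `CLIENT PORT(s)` with a lowercase s, while every other renamed table in this patch uses `CLIENT PORT(S)`; make it consistent, since these headers are meant to mirror the column names in the shipped rules file.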
@ -460,9 +474,9 @@
to that system: <informaltable frame="all" label="rules" pgwide="0"><tgroup
align="left" cols="7"><thead valign="middle"><row valign="middle"><entry
align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">DEST</entry><entry align="left">PROTO</entry><entry
align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>loc:10.10.10.2</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>80</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></example>
@ -471,9 +485,9 @@
incoming <acronym>TCP</acronym> port 21 to that system: <informaltable
frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>loc:10.10.10.1</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>21</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
@ -494,17 +508,18 @@
url="FAQ.htm#faq2">Shorewall FAQ #2</ulink>.</para></listitem><listitem><para>Many
<acronym>ISP</acronym>s block incoming connection requests to port 80. If
you have problems connecting to your web server, try the following rule
and try connecting to port 5000. <informaltable frame="all" label="rules"
pgwide="0"><tgroup align="left" cols="7"><thead valign="middle"><row
valign="middle"><entry align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
and try connecting to port 5000. </para></listitem></itemizedlist><informaltable
frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>DNAT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>loc:10.10.10.2:80</varname></entry><entry
align="left"><varname>tcp</varname></entry><entry align="left"><varname>5000</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></listitem></itemizedlist>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />At this point,
modify <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
align="left"><varname>tcp</varname></entry><entry align="left"><varname>5000</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>At this point, modify <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
to add any <acronym>DNAT</acronym> rules that you require.</para>
</section>
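Review bot: moving the port-5000 table out of the `<listitem>` means the bullet that says "try the following rule and try connecting to port 5000" no longer contains the rule; the table now sits after `</itemizedlist>` as a sibling of the list. If the move is required for PDF rendering, reword the bullet so it refers to "the rule shown after this list" rather than "the following rule", or the two will read as disconnected.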
@ -543,9 +558,9 @@
class="directory">/etc/shorewall/</filename><filename>rules</filename>.
<informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>53</varname></entry><entry></entry><entry></entry></row><row><entry
@ -560,9 +575,9 @@
<para>The two-interface sample includes the following rules:
<informaltable frame="all" label="rules" pgwide="0"><tgroup align="left"
cols="7"><thead valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>fw</varname></entry><entry
align="left"><varname>net</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>53</varname></entry><entry></entry><entry></entry></row><row><entry
@ -576,9 +591,9 @@
<para>The sample also includes: <informaltable frame="all" label="rules"
pgwide="0"><tgroup align="left" cols="7"><thead valign="middle"><row
valign="middle"><entry align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">DEST</entry><entry align="left">PROTO</entry><entry
align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
@ -589,9 +604,9 @@
other systems, the general format is: <informaltable frame="all"
label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>&#60;source
zone&#62;</varname></entry><entry align="left"><varname>&#60;destination
zone&#62;</varname></entry><entry align="left"><varname>&#60;protocol&#62;</varname></entry><entry
@ -602,9 +617,9 @@
colname="c2" /><colspec colname="c3" /><colspec colname="c4" /><colspec
colname="c5" /><colspec colname="c6" /><colspec colname="c7" /><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>80</varname></entry><entry nameend="c7" namest="c6">#Allow
@ -619,15 +634,15 @@
url="ports.htm">here</ulink>. <important><para>I don&#39;t recommend
enabling <command>telnet</command> to/from the internet because it uses
clear text (even for login!). If you want shell access to your firewall
from the internet, use <acronym>SSH</acronym>: <informaltable frame="all"
label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
from the internet, use <acronym>SSH</acronym>: </para></important><informaltable
frame="all" label="rules" pgwide="0"><tgroup align="left" cols="7"><thead
valign="middle"><row valign="middle"><entry align="left">ACTION</entry><entry
align="left">SOURCE</entry><entry align="left">DESTINATION</entry><entry
align="left">PROTOCOL</entry><entry align="left">PORT</entry><entry
align="left">SOURCE PORT</entry><entry align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">SOURCE</entry><entry align="left">DEST</entry><entry
align="left">PROTO</entry><entry align="left">DEST PORT(S)</entry><entry
align="left">CLIENT PORT(S)</entry><entry align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>net</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>tcp</varname></entry><entry
align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable></para></important>
align="left"><varname>22</varname></entry><entry></entry><entry></entry></row></tbody></tgroup></informaltable>
<inlinegraphic fileref="images/leaflogo.gif" format="GIF" />Bering users
will want to add the following two rules to be compatible with
Jacques&#39;s Shorewall configuration. <informaltable frame="all"
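Review bot: closing `<important>` right after "use SSH: " leaves the admonition ending in a colon that points at a table which is no longer inside it; either end that sentence with a full stop or keep a short lead-in with the table. Separately, the rule as written accepts TCP 22 from the whole `net` zone. The zone:address form this page already uses in the DNAT examples (`loc:10.10.10.2`) is also accepted in the SOURCE column, so the text could suggest `net:<admin address>` where the administrator's address is known; that is a cheaper control than exposing sshd to every internet host.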
@ -636,9 +651,9 @@
colname="c4" /><colspec colname="c5" /><colspec colname="c6" /><colspec
colname="c7" /><thead valign="middle"><row valign="middle"><entry
align="left">ACTION</entry><entry align="left">SOURCE</entry><entry
align="left">DESTINATION</entry><entry align="left">PROTOCOL</entry><entry
align="left">PORT</entry><entry align="left">SOURCE PORT</entry><entry
align="left">ORIGINAL ADDRESS</entry></row></thead><tbody><row><entry
align="left">DEST</entry><entry align="left">PROTO</entry><entry
align="left">DEST PORT(S)</entry><entry align="left">CLIENT PORT(S)</entry><entry
align="left">ORIGINAL DEST</entry></row></thead><tbody><row><entry
align="left"><varname>ACCEPT</varname></entry><entry align="left"><varname>loc</varname></entry><entry
align="left"><varname>fw</varname></entry><entry align="left"><varname>udp</varname></entry><entry
align="left"><varname>53</varname></entry><entry nameend="c7" namest="c6">#Allow
@ -646,21 +661,23 @@
align="left"><varname>loc</varname></entry><entry align="left"><varname>fw</varname></entry><entry
align="left"><varname>tcp</varname></entry><entry align="left"><varname>80</varname></entry><entry
nameend="c7" namest="c6">#Allow weblet to work</entry></row></tbody></tgroup></informaltable>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" />Now edit your
<filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
<inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>Now edit your <filename class="directory">/etc/shorewall/</filename><filename>rules</filename>
file to add or delete other connections as required.</para>
</section>
<section>
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The
<ulink url="Install.htm">installation procedure</ulink> configures your
system to start Shorewall at system boot but beginning with Shorewall
version 1.3.9 startup is disabled so that your system won&#39;t try to
start Shorewall before configuration is complete. Once you have completed
configuration of your firewall, you can enable Shorewall startup by
removing the file <filename class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>The <ulink url="Install.htm">installation procedure</ulink>
configures your system to start Shorewall at system boot but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won&#39;t try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable
Shorewall startup by removing the file <filename class="directory">/etc/shorewall/</filename><filename>startup_disabled</filename>.
<important><para>Users of the .deb package must edit <filename
class="directory">/etc/default/</filename><filename>shorewall</filename>
and set <varname>startup=1</varname>.</para></important> The firewall is
@ -674,10 +691,11 @@
of Shorewall from your Netfilter configuration, use <quote><command>shorewall
clear</command></quote>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" />The
two-interface sample assumes that you want to enable routing to/from
<filename class="devicefile">eth1</filename> (the local network) when
Shorewall is stopped. If your local network isn&#39;t connected to
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>The two-interface sample assumes that you want to enable routing
to/from <filename class="devicefile">eth1</filename> (the local network)
when Shorewall is stopped. If your local network isn&#39;t connected to
<filename class="devicefile">eth1</filename> or if you wish to enable
access to/from other hosts, change <filename class="directory">/etc/shorewall/</filename><filename>routestopped</filename>
accordingly. <warning><para>If you are connected to your firewall from the

View File

@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2003/12/22</pubdate>
<pubdate>2003/12/30</pubdate>
<copyright>
<year>2003</year>
@ -60,7 +60,7 @@
<row rowsep="0" valign="middle">
<entry align="left">Debian apt-get sources for Shorewall: <ulink
url="http://idea.sec.dico.unimi.it/~Elorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~Elorenzo/index.html#Debian</ulink></entry>
url="http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/~lorenzo/index.html#Debian</ulink></entry>
</row>
</tbody>
</tgroup>