mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-23 06:38:53 +01:00
Shorewall 1.4.8
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@800 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
5466a7f35b
commit
c2ccd7fd3d
@ -1,144 +1,113 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>6to4 Tunnels</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">6to4 Tunnels</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">6to4 Tunnels<br>
|
||||
</h1>
|
||||
<h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
|
||||
</h3>
|
||||
|
||||
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
|
||||
only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6
|
||||
security measures.</h3>
|
||||
|
||||
<p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
|
||||
to another IPv6 network over an IPv4 infrastructure</p>
|
||||
|
||||
<p>More information on Linux and IPv6 can be found in the <a
|
||||
</h3>
|
||||
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of
|
||||
Shorewall only facilitates IPv6 over IPv4 tunneling. It does not
|
||||
provide any IPv6
|
||||
security measures.</h3>
|
||||
<p>6to4 tunneling with Shorewall can be used to connect your IPv6
|
||||
network to another IPv6 network over an IPv4 infrastructure</p>
|
||||
<p>More information on Linux and IPv6 can be found in the <a
|
||||
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
|
||||
Details on how to setup a 6to4 tunnels are described in the section <a
|
||||
Details on how to setup a 6to4 tunnels are described in the section <a
|
||||
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
|
||||
of 6to4 tunnels</a>.</p>
|
||||
|
||||
of 6to4 tunnels</a>.</p>
|
||||
<h2>Connecting two IPv6 Networks</h2>
|
||||
|
||||
<p>Suppose that we have the following situation:</p>
|
||||
|
||||
<p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
|
||||
width="745" height="427" alt="">
|
||||
</p>
|
||||
|
||||
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to be
|
||||
able to communicate with the systems in the 2002:488:999::/64 network. This
|
||||
is accomplished through use of the /etc/shorewall/tunnels file and the "ip"
|
||||
utility for network interface and routing configuration.</p>
|
||||
|
||||
<p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
|
||||
/etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
|
||||
is no need to declare a zone to represent the remote IPv6 network. This
|
||||
remote network is not visible on IPv4 interfaces and to iptables. All that
|
||||
is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
|
||||
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
|
||||
width="745" height="427" alt=""> </p>
|
||||
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to
|
||||
be able to communicate with the systems in the 2002:488:999::/64
|
||||
network. This is accomplished through use of the /etc/shorewall/tunnels
|
||||
file and the "ip" utility for network interface and routing
|
||||
configuration.</p>
|
||||
<p align="left">Unlike GRE and IPIP tunneling, the
|
||||
/etc/shorewall/policy, /etc/shorewall/interfaces and
|
||||
/etc/shorewall/zones files are not used. There is no need to declare a
|
||||
zone to represent the remote IPv6 network. This
|
||||
remote network is not visible on IPv4 interfaces and to iptables. All
|
||||
that
|
||||
is visible on the IPv4 level is an IPv4 stream which contains IPv6
|
||||
traffic. Separate IPv6 interfaces and ip6tables rules need to be
|
||||
defined to handle
|
||||
this traffic. </p>
|
||||
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the
|
||||
following:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>6to4</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>6to4</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IPv6
|
||||
encapsulation protocol (41) will be accepted to/from the remote gateway.</p>
|
||||
|
||||
</blockquote>
|
||||
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
|
||||
IPv6 encapsulation protocol (41) will be accepted to/from the remote
|
||||
gateway.</p>
|
||||
<p>Use the following commands to setup system A:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>>ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
|
||||
>ip link set dev tun6to4 up<br>
|
||||
>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
|
||||
>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
|
||||
</blockquote>
|
||||
|
||||
>ip link set dev tun6to4 up<br>
|
||||
>ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
|
||||
>ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
|
||||
</blockquote>
|
||||
<p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>6to4</td>
|
||||
<td>net</td>
|
||||
<td>206.191.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>6to4</td>
|
||||
<td>net</td>
|
||||
<td>206.191.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<p>And use the following commands to setup system B:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>>ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
|
||||
>ip link set dev tun6to4 up<br>
|
||||
>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
|
||||
>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
|
||||
</blockquote>
|
||||
|
||||
<p>On both systems, restart Shorewall and issue the configuration commands
|
||||
as listed above. The systems in both IPv6 subnetworks can now talk to each
|
||||
other using IPv6.</p>
|
||||
|
||||
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
>ip link set dev tun6to4 up<br>
|
||||
>ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
|
||||
>ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
|
||||
</blockquote>
|
||||
<p>On both systems, restart Shorewall and issue the configuration
|
||||
commands as listed above. The systems in both IPv6 subnetworks can now
|
||||
talk to each other using IPv6.</p>
|
||||
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003Thomas M. Eastep and Eric de Thouars.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
45
Shorewall-docs/Banner.html
Executable file
45
Shorewall-docs/Banner.html
Executable file
@ -0,0 +1,45 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<title>Banner</title>
|
||||
<meta name="author" content="Tom Eastep">
|
||||
<base target="main">
|
||||
</head>
|
||||
<body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
|
||||
link="#000099" vlink="#990099" alink="#000099">
|
||||
<table cellpadding="0"
|
||||
style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
|
||||
id="AutoNumber3">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="text-align: center; width: 34%; vertical-align: top;">
|
||||
<div align="center"> <img src="images/Logo1.png"
|
||||
alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
|
||||
align="middle" title=""> </div>
|
||||
</td>
|
||||
<td style="vertical-align: top;">
|
||||
<form method="post"
|
||||
action="http://lists.shorewall.net/cgi-bin/htsearch"
|
||||
style="background-color: rgb(51, 102, 255);"> <strong><font
|
||||
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
|
||||
is unavailable Daily 0200-0330 GMT.</font><br>
|
||||
<strong></strong>
|
||||
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
|
||||
<font face="Arial" size="-1"> <input type="text" name="words"
|
||||
size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
|
||||
type="hidden" name="format" value="long"> <input type="hidden"
|
||||
name="method" value="and"> <input type="hidden" name="config"
|
||||
value="htdig"> <input type="submit" value="Search"><b><font
|
||||
color="#ffffff"> <a
|
||||
href="http://lists.shorewall.net/htdig/search.html"
|
||||
style="color: rgb(255, 255, 255);">Extended Search</a></font></b></font></p>
|
||||
<font face="Arial"> <input type="hidden" name="exclude"
|
||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</body>
|
||||
</html>
|
@ -1,285 +1,229 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
|
||||
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
|
||||
<title>Corporate Shorewall Configuration</title>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
|
||||
|
||||
<meta content="FrontPage.Editor.Document" name="ProgId">
|
||||
|
||||
<meta content="none" name="Microsoft Theme">
|
||||
|
||||
<meta content="Graeme Boyle" name="author">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<body>
|
||||
<script><!--
|
||||
function PrivoxyWindowOpen(){return(null);}
|
||||
//--></script>
|
||||
|
||||
<table id="AutoNumber1" style="border-collapse: collapse;" height="90"
|
||||
cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
|
||||
border="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and Internal
|
||||
Servers</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
//--></script>
|
||||
<blockquote></blockquote>
|
||||
|
||||
<h1>Corporate Network</h1>
|
||||
|
||||
<h1 style="text-align: center;">Corporate Network</h1>
|
||||
<p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
|
||||
color="#ff0000"><b>:</b></font></big></p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<ul>
|
||||
<li><b>This configuration is used on a corporate network that has a
|
||||
Linux (RedHat 8.0) server with three interfaces, running Shorewall 1.4.5
|
||||
release,</b> </li>
|
||||
<li><b>Make sure you know what public IP addresses are currently being
|
||||
used and verify these </b><i>before</i><b> starting.</b> </li>
|
||||
<li><b>Verify your DNS settings </b><i>before</i><b> starting any Shorewall
|
||||
configuration especially if you have split DNS.</b> </li>
|
||||
<li><b>System names and Internet IP addresses have been changed to protect
|
||||
the innocent.</b> </li>
|
||||
|
||||
<li><b>This configuration is used on a corporate network that has a
|
||||
Linux (RedHat 8.0) server with three interfaces, running Shorewall
|
||||
1.4.5 release,</b> </li>
|
||||
<li><b>Make sure you know what public IP addresses are currently
|
||||
being used and verify these </b><i>before</i><b> starting.</b> </li>
|
||||
<li><b>Verify your DNS settings </b><i>before</i><b> starting any
|
||||
Shorewall configuration especially if you have split DNS.</b> </li>
|
||||
<li><b>System names and Internet IP addresses have been changed to
|
||||
protect the innocent.</b> </li>
|
||||
</ul>
|
||||
|
||||
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This configuration
|
||||
uses a combination of Static NAT and Proxy ARP. This is generally not
|
||||
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
|
||||
If you have just a single public IP address, most of what you see here
|
||||
won't apply to your setup so beware of copying parts of this configuration
|
||||
and expecting them to work for you. What you copy may or may not work
|
||||
in your configuration.<br>
|
||||
</small></b></big><br>
|
||||
</p>
|
||||
|
||||
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
|
||||
internet is connected to eth0. The local network is connected via eth1
|
||||
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
|
||||
an IPSec tunnel connecting our offices in Germany to our offices in the
|
||||
US. I host two Microsoft Exchange servers for two different companies behind
|
||||
the firewall hence, the two Exchange servers in the diagram below.</p>
|
||||
|
||||
<p>Summary:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>SNAT for all systems connected to the LAN - Internal addresses
|
||||
10.10.x.x to external address 192.0.18.127. </li>
|
||||
<li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address
|
||||
10.10.1.8 and external address 192.0.18.70. </li>
|
||||
<li>Static NAT for <i>Sims</i> (Inventory Management server). Internal
|
||||
address 10.10.1.56 and external address 192.0.18.75.<br>
|
||||
</li>
|
||||
<li>Static NAT for <i>Project</i> (Project Web Server). Internal address
|
||||
10.10.1.55 and external address 192.0.18.84. </li>
|
||||
<li>Static NAT for <i>Fortress</i> (Exchange Server). Internal address
|
||||
10.10.1.252 and external address 192.0.18.93. </li>
|
||||
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal address
|
||||
10.10.1.230 and external address 192.0.18.97. </li>
|
||||
<li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address
|
||||
10.10.1.60 and external address 192.0.18.115. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
|
||||
RH8.0.</p>
|
||||
|
||||
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
|
||||
|
||||
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail, imap,
|
||||
pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). That
|
||||
server is managed through Proxy ARP.</p>
|
||||
|
||||
<p>All administration and publishing is done using ssh/scp. I have X installed
|
||||
on the firewall and the system in the DMZ. X applications tunnel through
|
||||
SSH to Hummingbird Exceed running on a PC located in the LAN. Access to
|
||||
the firewall using SSH is restricted to systems in the LAN, DMZ or the
|
||||
system Kaos which is on the Internet and managed by me.</p>
|
||||
|
||||
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
|
||||
src="images/CorpNetwork.gif" width="770" border="0">
|
||||
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
|
||||
configuration
|
||||
uses a combination of One-to-one NAT and Proxy ARP. This is generally
|
||||
not
|
||||
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
|
||||
If you have just a single public IP address, most of what you see here
|
||||
won't apply to your setup so beware of copying parts of this
|
||||
configuration
|
||||
and expecting them to work for you. What you copy may or may not work
|
||||
in your configuration.<br>
|
||||
</small></b></big><br>
|
||||
</p>
|
||||
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
|
||||
internet is connected to eth0. The local network is connected via eth1
|
||||
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
|
||||
have an IPSec tunnel connecting our offices in Germany to our offices
|
||||
in the US. I host two Microsoft Exchange servers for two different
|
||||
companies behind
|
||||
the firewall hence, the two Exchange servers in the diagram below.</p>
|
||||
<p>Summary:<br>
|
||||
</p>
|
||||
|
||||
<p></p>
|
||||
|
||||
<p>The Ethernet 0 interface in the Server is configured with IP address
|
||||
192.0.18.68, netmask 255.255.255.192. The server's default gateway is
|
||||
192.0.18.65, the Router connected to my network and the ISP. This is the
|
||||
same default gateway used by the firewall itself. On the firewall, Shorewall
|
||||
automatically adds a host route to 192.0.18.80 through Ethernet 2 (192.168.21.1)
|
||||
because of the entry in /etc/shorewall/proxyarp (see below). I modified
|
||||
the start, stop and init scripts to include the fixes suggested when having
|
||||
an IPSec tunnel.</p>
|
||||
|
||||
<p><b>Some Mistakes I Made:</b></p>
|
||||
|
||||
<p>Yes, believe it or not, I made some really basic mistakes when building
|
||||
this firewall. Firstly, I had the new firewall setup in parallel with the
|
||||
old firewall so that there was no interruption of service to my users.
|
||||
During my out-bound testing, I set up systems on the LAN to utilize the
|
||||
firewall which worked fine. When testing my NAT connections, from the outside,
|
||||
these would fail and I could not understand why. Eventually, I changed
|
||||
the default route on the internal system I was trying to access, to point
|
||||
to the new firewall and "bingo", everything worked as expected. This oversight
|
||||
delayed my deployment by a couple of days not to mention level of frustration
|
||||
it produced. </p>
|
||||
|
||||
<p>Another problem that I encountered was in setting up the Proxyarp system
|
||||
in the DMZ. Initially I forgot to remove the entry for the eth2 from the
|
||||
/etc/shorewall/masq file. Once my file settings were correct, I started
|
||||
verifying that the ARP caches on the firewall, as well as the outside system
|
||||
"kaos", were showing the correct Ethernet MAC address. However, in testing
|
||||
remote access, I could access the system in the DMZ only from the firewall
|
||||
and LAN but not from the Internet. The message I received was "connection
|
||||
denied" on all protocols. What I did not realize was that a "helpful"
|
||||
administrator that had turned on an old system and assigned the same address
|
||||
as the one I was using for Proxyarp without notifying me. How did I work
|
||||
this out. I shutdown the system in the DMZ, rebooted the router and flushed
|
||||
the ARP cache on the firewall and kaos. Then, from kaos, I started pinging
|
||||
that IP address and checked the updated ARP cache and lo-and-behold a
|
||||
different MAC address showed up. High levels of frustration etc., etc.
|
||||
The administrator will <i>not</i> be doing that again! :-)</p>
|
||||
|
||||
<p><b>Lessons Learned:</b></p>
|
||||
|
||||
<ul>
|
||||
<li>Read the documentation. </li>
|
||||
<li>Draw your network topology before starting. </li>
|
||||
<li>Understand what services you are going to allow in and out of the
|
||||
firewall, whether they are TCP or UDP packets and make a note of these
|
||||
port numbers. </li>
|
||||
<li>Try to get quiet time to build the firewall - you need to focus
|
||||
on the job at hand. </li>
|
||||
<li>When asking for assistance, be honest and include as much detail
|
||||
as requested. Don't try and hide IP addresses etc., you will probably
|
||||
screw up the logs and make receiving assistance harder. </li>
|
||||
<li>Read the documentation. </li>
|
||||
|
||||
<li>SNAT for all systems connected to the LAN - Internal addresses
|
||||
10.10.x.x to external address 192.0.18.127. </li>
|
||||
<li>One-to-one NAT for <i>Polaris</i> (Exchange Server #2).
|
||||
Internal
|
||||
address 10.10.1.8 and external address 192.0.18.70. </li>
|
||||
<li>One-to-one NAT for <i>Sims</i> (Inventory Management server).
|
||||
Internal address 10.10.1.56 and external address 192.0.18.75.<br>
|
||||
</li>
|
||||
<li>One-to-one NAT for <i>Project</i> (Project Web Server).
|
||||
Internal
|
||||
address 10.10.1.55 and external address 192.0.18.84. </li>
|
||||
<li>One-to-one NAT for <i>Fortress</i> (Exchange Server). Internal
|
||||
address 10.10.1.252 and external address 192.0.18.93. </li>
|
||||
<li>One-to-one NAT for <i>BBSRV</i> (Blackberry Server). Internal
|
||||
address 10.10.1.230 and external address 192.0.18.97. </li>
|
||||
<li>One-to-one NAT for <i>Intweb</i> (Intranet Web Server).
|
||||
Internal
|
||||
address 10.10.1.60 and external address 192.0.18.115. </li>
|
||||
</ul>
|
||||
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
|
||||
with RH8.0.</p>
|
||||
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
|
||||
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail,
|
||||
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd
|
||||
1.1.0). That server is managed through Proxy ARP.</p>
|
||||
<p>All administration and publishing is done using ssh/scp. I have X
|
||||
installed on the firewall and the system in the DMZ. X applications
|
||||
tunnel through SSH to Hummingbird Exceed running on a PC located in the
|
||||
LAN. Access to the firewall using SSH is restricted to systems in the
|
||||
LAN, DMZ or the system Kaos which is on the Internet and managed by me.</p>
|
||||
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
|
||||
src="images/CorpNetwork.gif" width="770" border="0"> </p>
|
||||
<p></p>
|
||||
<p>The Ethernet 0 interface in the Server is configured with IP
|
||||
address 192.0.18.68, netmask 255.255.255.192. The server's default
|
||||
gateway is 192.0.18.65, the Router connected to my network and the ISP.
|
||||
This is the same default gateway used by the firewall itself. On the
|
||||
firewall, Shorewall automatically adds a host route to 192.0.18.80
|
||||
through Ethernet 2 (192.168.21.1) because of the entry in
|
||||
/etc/shorewall/proxyarp (see below). I modified the start, stop and
|
||||
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
|
||||
<p><b>Some Mistakes I Made:</b></p>
|
||||
<p>Yes, believe it or not, I made some really basic mistakes when
|
||||
building this firewall. Firstly, I had the new firewall setup in
|
||||
parallel with the
|
||||
old firewall so that there was no interruption of service to my users.
|
||||
During my out-bound testing, I set up systems on the LAN to utilize the
|
||||
firewall which worked fine. When testing my NAT connections, from the
|
||||
outside,
|
||||
these would fail and I could not understand why. Eventually, I changed
|
||||
the default route on the internal system I was trying to access, to
|
||||
point
|
||||
to the new firewall and "bingo", everything worked as expected. This
|
||||
oversight
|
||||
delayed my deployment by a couple of days not to mention level of
|
||||
frustration
|
||||
it produced. </p>
|
||||
<p>Another problem that I encountered was in setting up the Proxyarp
|
||||
system in the DMZ. Initially I forgot to remove the entry for the eth2
|
||||
from the /etc/shorewall/masq file. Once my file settings were correct,
|
||||
I started verifying that the ARP caches on the firewall, as well as the
|
||||
outside system "kaos", were showing the correct Ethernet MAC address.
|
||||
However, in testing remote access, I could access the system in the DMZ
|
||||
only from the firewall
|
||||
and LAN but not from the Internet. The message I received was
|
||||
"connection
|
||||
denied" on all protocols. What I did not realize was that a "helpful"
|
||||
administrator that had turned on an old system and assigned the same
|
||||
address
|
||||
as the one I was using for Proxyarp without notifying me. How did I
|
||||
work
|
||||
this out. I shutdown the system in the DMZ, rebooted the router and
|
||||
flushed
|
||||
the ARP cache on the firewall and kaos. Then, from kaos, I started
|
||||
pinging
|
||||
that IP address and checked the updated ARP cache and lo-and-behold a
|
||||
different MAC address showed up. High levels of frustration etc., etc.
|
||||
The administrator will <i>not</i> be doing that again! :-)</p>
|
||||
<p><b>Lessons Learned:</b></p>
|
||||
<ul>
|
||||
<li>Read the documentation. </li>
|
||||
<li>Draw your network topology before starting. </li>
|
||||
<li>Understand what services you are going to allow in and out of
|
||||
the firewall, whether they are TCP or UDP packets and make a note of
|
||||
these port numbers. </li>
|
||||
<li>Try to get quiet time to build the firewall - you need to focus
|
||||
on the job at hand. </li>
|
||||
<li>When asking for assistance, be honest and include as much
|
||||
detail as requested. Don't try and hide IP addresses etc., you will
|
||||
probably screw up the logs and make receiving assistance harder. </li>
|
||||
<li>Read the documentation. </li>
|
||||
</ul>
|
||||
|
||||
<p><b>Futures:</b></p>
|
||||
|
||||
<p>This is by no means the final configuration. In the near future, I will
|
||||
be moving more systems from the LAN to the DMZ. I will also be watching
|
||||
the logs for port scan programs etc. but, this should be standard security
|
||||
maintenance.</p>
|
||||
|
||||
<p>Here are copies of my files. I have removed most of the internal documentation
|
||||
for the purpose of this space however, my system still has the original
|
||||
files with all the comments and I highly recommend you do the same.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>This is by no means the final configuration. In the near future, I
|
||||
will be moving more systems from the LAN to the DMZ. I will also be
|
||||
watching the logs for port scan programs etc. but, this should be
|
||||
standard security maintenance.</p>
|
||||
<p>Here are copies of my files. I have removed most of the internal
|
||||
documentation
|
||||
for the purpose of this space however, my system still has the original
|
||||
files with all the comments and I highly recommend you do the same.</p>
|
||||
</blockquote>
|
||||
<h3>Shorewall.conf</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Zones File</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
|
||||
face="Courier" size="2"><br></font></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Interfaces File: </h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>##############################################################################<br>
|
||||
#ZONE INTERFACE BROADCAST OPTIONS<br>
|
||||
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
|
||||
loc eth1 detect dhcp,routefilter<br>
|
||||
dmz eth2 detect<br>
|
||||
vpn1 ipsec0<br>
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
|
||||
</blockquote>
|
||||
|
||||
#ZONE INTERFACE BROADCAST OPTIONS<br>
|
||||
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
|
||||
loc eth1 detect dhcp,routefilter<br>
|
||||
dmz eth2 detect<br>
|
||||
vpn1 ipsec0<br>
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
|
||||
</blockquote>
|
||||
<h3>Routestopped File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
|
||||
face="Courier" size="2"> </font></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Policy File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Masq File: </h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>NAT File: </h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Proxy ARP File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Tunnels File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Start File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Stop File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Init File:</h3>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<p><font size="2">Last updated 7/16/2003</font>
|
||||
</blockquote>
|
||||
<p><font size="2">Last updated 11/13/2003</font>
|
||||
<script><!--
|
||||
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
|
||||
//</script>
|
||||
<br>
|
||||
</p>
|
||||
|
||||
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
|
||||
//</script><br>
|
||||
</p>
|
||||
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep
|
||||
and
|
||||
Graeme Boyle</a></small><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -12,17 +12,8 @@
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall 1.4 Reference</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Shorewall 1.4 Reference<br>
|
||||
</h1>
|
||||
<h2 align="center">This documentation is intended primarily for
|
||||
reference. Step-by-step instructions for configuring Shorewall in
|
||||
common setups may be found in the <a
|
||||
@ -66,7 +57,11 @@ field in packets is to be set.<br>
|
||||
<li><b><a href="#Scripts">common.def</a></b> -- a parameter file
|
||||
installed in in /etc/shorewall that defines firewall-wide rules that
|
||||
are applied before a DROP or REJECT policy is applied.</li>
|
||||
<li><b> <a href="#Interfaces">interfaces</a> </b> -- a parameter
|
||||
<li><span style="font-weight: bold;">init.sh </span>-- a shell
|
||||
script installed in /etc/init.d to automatically start Shorewall during
|
||||
boot.<br>
|
||||
<b> </b></li>
|
||||
<li><b><a href="#Interfaces">interfaces</a> </b> -- a parameter
|
||||
file installed in /etc/shorewall/ and used to describe the interfaces
|
||||
on the firewall system.</li>
|
||||
<li><a href="#Hosts"><b> hosts</b> </a>-- a parameter file installed
|
||||
@ -78,15 +73,12 @@ possibly also the IP address(es)) of devices.<br>
|
||||
</li>
|
||||
<li><b> <a href="#Masq">masq</a></b> - This file also describes IP
|
||||
masquerading under Shorewall and is installed in /etc/shorewall.</li>
|
||||
<li><b><a href="shorewall_firewall_structure.htm">firewall</a></b> --
|
||||
<li><b>firewall</b> --
|
||||
a shell program that reads the configuration files in /etc/shorewall
|
||||
and configures your firewall. This file is installed in your init.d
|
||||
directory (/etc/rc.d/init.d ) where it is renamed <i>shorewall.</i>
|
||||
/etc/shorewall/firewall (/var/lib/shorewall/firewall in versions
|
||||
1.3.2-1.3.8 and /usr/lib/shorewall/firewall in 1.3.9 and later) is a
|
||||
symbolic link to this program.</li>
|
||||
and configures your firewall. This file is installed in
|
||||
/usr/share/shorewall.</li>
|
||||
<li><b> <a href="#NAT">nat</a></b> -- a parameter file in
|
||||
/etc/shorewall used to define <a href="#NAT"> static NAT</a> .</li>
|
||||
/etc/shorewall used to define <a href="#NAT">one-to-one NAT</a> .</li>
|
||||
<li><b> <a href="#ProxyArp">proxyarp</a></b> -- a parameter file in
|
||||
/etc/shorewall used to define <a href="#ProxyArp"> Proxy Arp</a> .</li>
|
||||
<li><b><a href="#rfc1918">rfc1918</a></b> -- a parameter file in
|
||||
@ -1190,6 +1182,13 @@ header-rewriting rule.<br>
|
||||
</li>
|
||||
<li>LOG - Log the packet -- requires
|
||||
a syslog level (see below).</li>
|
||||
<li>QUEUE - Forward the packet to a user-space application. This
|
||||
facility is provided to allow interfacing to <a
|
||||
href="http://p2pwall.sourceforge.net">ftwall</a> for <a
|
||||
href="Shorewall_and_Kazaa.html">Kazaa filtering</a>. Note: When the
|
||||
protocol specified in the PROTO column is TCP ("tcp", "TCP" or "6"),
|
||||
Shorewall will only pass connection requests (SYN packets) to user
|
||||
space. This is for compatibility with ftwall.</li>
|
||||
</ul>
|
||||
<p>Beginning with Shorewall version 1.4.7, you may rate-limit the
|
||||
rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
||||
@ -2253,16 +2252,20 @@ following (I haven't tried it):</p>
|
||||
<p>In /etc/shorewall/start, include:</p>
|
||||
<p> qt service ipsec start</p>
|
||||
<h2><font color="#660066"><b><a name="NAT"></a> </b></font>/etc/shorewall/nat</h2>
|
||||
<p>The /etc/shorewall/nat file is used to define static NAT. There is
|
||||
one entry in the file for each static NAT relationship that you wish to
|
||||
<p>The /etc/shorewall/nat file is used to define one-to-one NAT. There
|
||||
is
|
||||
one entry in the file for each one-to-one NAT relationship that you
|
||||
wish to
|
||||
define. In order to make use of this feature, you must have <a
|
||||
href="#NatEnabled">NAT enabled</a> .</p>
|
||||
<p> <font color="#ff0000"> <b>IMPORTANT: If all you want to do is
|
||||
forward ports to servers behind your firewall, you do NOT want to use
|
||||
static NAT. Port forwarding can be accomplished with simple entries in
|
||||
one-to-one NAT. Port forwarding can be accomplished with simple entries
|
||||
in
|
||||
the <a href="#Rules"> rules file</a>. Also, in most cases <a
|
||||
href="#ProxyArp"> Proxy ARP</a> provides a superior solution to static
|
||||
NAT because the internal systems are accessed using the same IP address
|
||||
href="#ProxyArp"> Proxy ARP</a> provides a superior solution to
|
||||
one-to-one NAT because the internal systems are accessed using the same
|
||||
IP address
|
||||
internally and externally.</b></font></p>
|
||||
<p>Columns in an entry are:</p>
|
||||
<ul>
|
||||
@ -2465,7 +2468,8 @@ individual rule for each listed port or port range. </p>
|
||||
<li><b>NAT_BEFORE_RULES</b><br>
|
||||
If set to "No" or "no", port forwarding rules can override the contents
|
||||
of the <a href="#NAT">/etc/shorewall/nat</a> file. If set to "Yes" or
|
||||
"yes", port forwarding rules cannot override static NAT. If not set or
|
||||
"yes", port forwarding rules cannot override one-to-one NAT. If not set
|
||||
or
|
||||
set to an empty value,
|
||||
"Yes" is assumed.</li>
|
||||
<li><b>FW<br>
|
||||
@ -2515,7 +2519,7 @@ this parameter is now automatically detected by Shorewall)<br>
|
||||
This parameter determines whether Shorewall supports NAT operations.
|
||||
NAT operations include:<br>
|
||||
<br>
|
||||
Static NAT<br>
|
||||
One-to-one NAT<br>
|
||||
Port Forwarding<br>
|
||||
Port Redirection<br>
|
||||
Masquerading<br>
|
||||
@ -2842,7 +2846,7 @@ Validation Documentation</a>.<br>
|
||||
<h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2>
|
||||
This file is described in the <a href="ECN.html">ECN Control
|
||||
Documentation</a>.<br>
|
||||
<p><font size="-1"> Updated 8/21/2003 - <a href="support.htm">Tom
|
||||
<p><font size="-1"> Updated 11/15/2003 - <a href="support.htm">Tom
|
||||
Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
|
@ -2,90 +2,75 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall and ECN</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td
|
||||
width="100%">
|
||||
<h1 align="center"><font color="#ffffff">ECN</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Explicit Congestion Notification (ECN) is described in RFC 3168 and is a
|
||||
proposed internet standard. Unfortunately, not all sites support ECN and when
|
||||
a TCP connection offering ECN is sent to sites that don't support it, the
|
||||
<body>
|
||||
<br>
|
||||
<h1 style="text-align: center;">ECN<br>
|
||||
</h1>
|
||||
Explicit Congestion Notification (ECN) is described in RFC 3168 and is
|
||||
a proposed internet standard. Unfortunately, not all sites support ECN
|
||||
and when
|
||||
a TCP connection offering ECN is sent to sites that don't support it,
|
||||
the
|
||||
result is often that the connection request is ignored.<br>
|
||||
<br>
|
||||
To allow ECN to be used, Shorewall allows you to enable ECN on your Linux
|
||||
systems then disable it in your firewall when the destination matches a list
|
||||
that you create (the /etc/shorewall/ecn file).<br>
|
||||
<br>
|
||||
You enable ECN by<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<br>
|
||||
To allow ECN to be used, Shorewall allows you to enable ECN on your
|
||||
Linux systems then disable it in your firewall when the destination
|
||||
matches a list that you create (the /etc/shorewall/ecn file).<br>
|
||||
<br>
|
||||
You enable ECN by<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">echo 1 > /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
|
||||
</blockquote>
|
||||
You must arrange for that command to be executed at system boot. Most distributions
|
||||
have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
You must arrange for that command to be executed at system boot. Most
|
||||
distributions have a method for doing that -- on RedHat, you make an
|
||||
entry in /etc/sysctl.conf.<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
|
||||
</blockquote>
|
||||
Entries in /etc/shorewall/ecn have two columns as follows:<br>
|
||||
<br>
|
||||
INTERFACE - The name of an interface on your system<br>
|
||||
<br>
|
||||
HOST(S) - An address (host or subnet)
|
||||
of a system or group of systems accessed through the interface in the
|
||||
first column. You may include a comma-separated list of such addresses in
|
||||
this column. <br>
|
||||
<br>
|
||||
Example: Your external interface is eth0 and you want to disable ECN for
|
||||
tcp connections to 192.0.2.0/24:<br>
|
||||
<br>
|
||||
In /etc/shorewall/ecn:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
Entries in /etc/shorewall/ecn have two columns as follows:<br>
|
||||
<br>
|
||||
INTERFACE - The name of an interface on your system<br>
|
||||
<br>
|
||||
HOST(S) - An address (host or
|
||||
subnet) of a system or group of systems accessed through the
|
||||
interface in the first column. You may include a comma-separated
|
||||
list of such addresses in this column. <br>
|
||||
<br>
|
||||
Example: Your external interface is eth0 and you want to disable ECN
|
||||
for tcp connections to 192.0.2.0/24:<br>
|
||||
<br>
|
||||
In /etc/shorewall/ecn:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>HOST(S)<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth0<br>
|
||||
</td>
|
||||
<td valign="top">192.0.2.0/24<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>INTERFACE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>HOST(S)<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth0<br>
|
||||
</td>
|
||||
<td valign="top">192.0.2.0/24<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</blockquote>
|
||||
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -10,20 +10,11 @@
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1>Looking for Step by Step Configuration Instructions? Check out the <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
|
||||
<h1 style="text-align: center;">Shorewall FAQs<br>
|
||||
</h1>
|
||||
<h2>Looking for Step by Step Configuration Instructions? Check out the <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
|
||||
</h2>
|
||||
<h1>PORT FORWARDING<br>
|
||||
</h1>
|
||||
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b>
|
||||
@ -41,8 +32,8 @@ connection
|
||||
to port 22 on local system 192.168.1.3</b>. How do I do that?</a><br>
|
||||
</p>
|
||||
<p align="left"><span style="font-weight: bold;">30.<a
|
||||
href="file:///vfat/Shorewall-docs/FAQ.htm#faq30"> </a></span><a
|
||||
href="#faq30">I'm confused about <span style="font-weight: bold;">when</span>
|
||||
href="FAQ.htm#faq30"> </a></span><a href="FAQ.htm#faq30">I'm confused
|
||||
about <span style="font-weight: bold;">when</span>
|
||||
to use <span style="font-weight: bold;">DNAT</span> rules <span
|
||||
style="font-weight: bold;">and when</span> to use <span
|
||||
style="font-weight: bold;">ACCEPT</span> rules. </a> </p>
|
||||
@ -53,7 +44,7 @@ requests to www.mydomain.com (IP 130.151.100.69)
|
||||
to system 192.168.1.5 in my local network. <b>External clients can
|
||||
browse</b> http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
|
||||
<p align="left"><b>2a. </b><a href="#faq2a">I have a zone "Z" with an
|
||||
RFC1918 subnet and I use <b>static NAT</b> to
|
||||
RFC1918 subnet and I use <b>one-to-one NAT</b> to
|
||||
assign non-RFC1918 addresses to hosts in Z.
|
||||
Hosts in Z cannot communicate with each other using their external
|
||||
(non-RFC1918 addresses) so they <b>can't access
|
||||
@ -109,6 +100,11 @@ getting <b>logged?</b></a><br>
|
||||
<b><br>
|
||||
21. </b><a href="#faq21">I see these <b>strange log entries </b>occasionally;
|
||||
what are they?</a><br>
|
||||
<h1>ROUTING</h1>
|
||||
<span style="font-weight: bold;">32. </span><a href="#faq32">My
|
||||
firewall has <span style="font-weight: bold;">two connections to the
|
||||
internet from two different ISPs</span>. How do I set this up in
|
||||
Shorewall?</a><br>
|
||||
<h1>STARTING AND STOPPING<br>
|
||||
</h1>
|
||||
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
|
||||
@ -140,6 +136,9 @@ your <b>web site</b>?</a><br>
|
||||
<b><br>
|
||||
25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
|
||||
I am <b>running</b>?</a><br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">31. </span><a href="#faq31">Does
|
||||
Shorewall provide protection against...</a><br>
|
||||
<h1>RFC 1918<br>
|
||||
</h1>
|
||||
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable
|
||||
@ -173,7 +172,15 @@ only<b> from specific IP Addresses</b> on the internet?</a><br>
|
||||
options in nmap</b> on or behind the firewall, I get "<b>operation not
|
||||
permitted</b>". How can I use nmap with Shorewall?"</a><br>
|
||||
<br>
|
||||
<b>27. </b><a href="#faq27">I am compiling a <b>new kernel</b> for my
|
||||
<b><span style="font-weight: bold;">26a. </span></b><a
|
||||
href="#faq26a">When I try
|
||||
to use the <span style="font-weight: bold;">"-O" option of nmap</span>
|
||||
from the firewall system, I get "<span style="font-weight: bold;">operation
|
||||
not permitted". </span>How to I allow this option?</a><b><span
|
||||
style="font-weight: bold;"><a href="#faq26a"> </a><br>
|
||||
<br>
|
||||
</span>27. </b><a href="#faq27">I am compiling a <b>new kernel</b>
|
||||
for my
|
||||
firewall<b>.</b> What should I look out for?</a><br>
|
||||
<br>
|
||||
<b>28. </b><a href="#faq28">How do I use Shorewall as a <b>Bridging
|
||||
@ -282,8 +289,9 @@ three things:</p>
|
||||
<ul>
|
||||
<li>You are trying to test from inside your firewall (no, that won't
|
||||
work -- see <a href="#faq2">FAQ #2</a>).</li>
|
||||
<li>You have a more basic problem with your local system such as an
|
||||
incorrect default gateway configured (it should be set to the IP
|
||||
<li>You have a more basic problem with your local system (the one
|
||||
that you are trying to forward to) such as an
|
||||
incorrect default gateway (it should be set to the IP
|
||||
address of your firewall's internal interface).</li>
|
||||
<li>Your ISP is blocking that particular port inbound.<br>
|
||||
</li>
|
||||
@ -306,8 +314,9 @@ packet count in the first column non-zero? If so, the connection
|
||||
request is reaching the firewall and is being redirected to the server.
|
||||
In this case, the problem is
|
||||
usually a missing or incorrect default gateway setting
|
||||
on the server (the server's default gateway should be the
|
||||
IP address of the firewall's interface to the server).</li>
|
||||
on the local system (the system you are trying to forward to -- its
|
||||
default gateway should be the
|
||||
IP address of the firewall's interface to that system).</li>
|
||||
<li>If the
|
||||
packet count is zero:</li>
|
||||
<ul>
|
||||
@ -328,6 +337,7 @@ ethereal to further diagnose the problem.<br>
|
||||
want to connect to port 1022 on my firewall and have the firewall
|
||||
forward the connection to port 22 on local system 192.168.1.3. How do I
|
||||
do that?</h4>
|
||||
In /etc/shorewall/rules:<br>
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
@ -377,7 +387,7 @@ Firewall, of course :-)</li>
|
||||
using a separate DNS server for local clients) such that
|
||||
www.mydomain.com resolves to 130.141.100.69 externally and 192.168.1.5
|
||||
internally. That's what I do here at shorewall.net for my local systems
|
||||
that use static NAT.</li>
|
||||
that use one-to-one NAT.</li>
|
||||
</ul>
|
||||
<p align="left">If you insist on an IP solution to the accessibility
|
||||
problem rather than a DNS solution, then assuming that your external
|
||||
@ -401,7 +411,7 @@ please upgrade to Shorewall 1.4.2 or later.<br>
|
||||
<li>In /etc/shorewall/interfaces:</li>
|
||||
</ul>
|
||||
<blockquote>
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<table cellpadding="2" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ZONE<br>
|
||||
@ -507,7 +517,8 @@ DHCP/PPPoE client to automatically restart Shorewall each time that you
|
||||
get a new IP address.</p>
|
||||
</div>
|
||||
<h4 align="left"><a name="faq2a"></a>2a. I have a zone "Z" with an
|
||||
RFC1918 subnet and I use static NAT to assign non-RFC1918 addresses to
|
||||
RFC1918 subnet and I use one-to-one NAT to assign non-RFC1918 addresses
|
||||
to
|
||||
hosts in Z. Hosts in Z cannot communicate with each other using their
|
||||
external (non-RFC1918 addresses) so they can't access each other using
|
||||
their DNS names.</h4>
|
||||
@ -521,7 +532,7 @@ solved using Bind Version 9 "views". It allows
|
||||
both external and internal clients to access
|
||||
a NATed host using the host's DNS name.</p>
|
||||
<p align="left">Another good way to approach this problem is to switch
|
||||
from static NAT to Proxy ARP. That way, the
|
||||
from one-to-one NAT to Proxy ARP. That way, the
|
||||
hosts in Z have non-RFC1918 addresses and can
|
||||
be accessed externally and internally using the same address.</p>
|
||||
<p align="left">If you don't like those solutions and prefer routing
|
||||
@ -984,9 +995,44 @@ cause of packets being logged in the FORWARD chain.<br>
|
||||
</li>
|
||||
<li><b>logflags </b>- The packet is being logged because it failed
|
||||
the checks implemented by the <b>tcpflags </b><a
|
||||
href="Documentation.htm#Interfaces">interface option</a>.<br>
|
||||
</li>
|
||||
href="Documentation.htm#Interfaces">interface option</a>.</li>
|
||||
</ol>
|
||||
<p align="left">Here is an example:</p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
|
||||
Shorewall:<span style="text-decoration: underline;">all2all:REJECT</span>:<span
|
||||
style="text-decoration: underline;">IN=eth2</span> <span
|
||||
style="text-decoration: underline;">OUT=eth1</span> <span
|
||||
style="text-decoration: underline;">SRC=192.168.2.2</span>
|
||||
<span style="text-decoration: underline;">DST=192.168.1.3</span> LEN=67
|
||||
TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF <span
|
||||
style="text-decoration: underline;">PROTO=UDP</span>
|
||||
SPT=1803 <span style="text-decoration: underline;">DPT=53</span> LEN=47</font></p>
|
||||
</font>
|
||||
<p align="left">Let's look at the important parts of this message:</p>
|
||||
<ul>
|
||||
<li>all2all:REJECT - This packet was REJECTed out of the <span
|
||||
style="font-weight: bold;">all2all</span> chain -- the packet
|
||||
was rejected under the "all"->"all"
|
||||
REJECT policy (number 3 above).</li>
|
||||
<li>IN=eth2 - the packet entered the firewall via eth2. If you see
|
||||
"IN=" with no interface name, the packet originated on the firewall
|
||||
itself.<br>
|
||||
</li>
|
||||
<li>OUT=eth1 - if accepted, the packet would be sent on eth1. If you
|
||||
see "OUT=" with no interface name, the packet would be processed by the
|
||||
firewall itself.<br>
|
||||
</li>
|
||||
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
|
||||
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
|
||||
<li>PROTO=UDP - UDP Protocol</li>
|
||||
<li>DPT=53 - The destination port is 53 (DNS)<br>
|
||||
</li>
|
||||
</ul>
|
||||
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and
|
||||
192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
|
||||
ACCEPT dmz
|
||||
loc udp 53
|
||||
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip
|
||||
addresses</b> with Shorewall, and maintain separate rulesets for
|
||||
different IPs?</h4>
|
||||
@ -1079,13 +1125,22 @@ Shorewall</b> I am <b>running</b>?<br>
|
||||
At the shell prompt, type:<br>
|
||||
<br>
|
||||
<font color="#009900"><b> /sbin/shorewall
|
||||
version</b></font><br>
|
||||
version<br>
|
||||
</b></font>
|
||||
<h4><a name="faq26"></a><b>26. </b>When I try to use any of the SYN
|
||||
options in nmap on or behind the firewall, I get "operation not
|
||||
permitted".
|
||||
How can I use nmap with Shorewall?"</h4>
|
||||
Edit /etc/shorewall/shorewall.conf and change "NEWNOTSYN=No" to
|
||||
"NEWNOTSYN=Yes" then restart Shorewall.<br>
|
||||
<br>
|
||||
<h4><a name="faq26a"></a><b><span style="font-weight: bold;">26a.
|
||||
</span></b>When I try to use the <span style="font-weight: bold;">"-O"
|
||||
option of nmap</span> from the firewall system, I get "<span
|
||||
style="font-weight: bold;">operation not permitted". </span>How to I
|
||||
allow this option?</h4>
|
||||
Add this command to your /etc/shorewall/start file:<br>
|
||||
<pre style="margin-left: 40px;"><tt>run_iptables -D OUTPUT -p ! icmp -m state --state INVALID -j DROP</tt><br></pre>
|
||||
<h4><a name="faq27">27. I'm compiling a new kernel for my firewall.
|
||||
What
|
||||
should I look out for?</a></h4>
|
||||
@ -1118,8 +1173,208 @@ to allow connections from the internet to your local network. In all
|
||||
other cases, you use ACCEPT unless you need to hijack connections as
|
||||
they go through your firewall and handle them on the firewall box
|
||||
itself; in that case, you use a REDIRECT rule.<br>
|
||||
<h4><a name="faq31"></a>31. Does Shorewall provide protection
|
||||
against....</h4>
|
||||
<ol>
|
||||
<li>IP Spoofing: Sending packets over the WAN interface using an
|
||||
internal LAP IP address as the source address? <span
|
||||
style="font-weight: bold;">Answer: </span>Yes.</li>
|
||||
<li>Tear Drop: Sending packets that contain overlapping fragments? <span
|
||||
style="font-weight: bold;">Answer: </span>This is the responsibility
|
||||
of the IP stack, not the Netfilter-based firewall since fragment
|
||||
reassembly occurs before the stateful packet filter ever touches each
|
||||
packet.</li>
|
||||
<li>Smurf and Fraggle: Sending packets that use the WAN or LAN
|
||||
broadcast address as the source address? <span
|
||||
style="font-weight: bold;">Answer: </span>Shorewall can be configured
|
||||
to do that using the <a href="blacklisting_support.htm">blacklisting</a>
|
||||
facility.</li>
|
||||
<li>Land Attack: Sending packets that use the same address as the
|
||||
source and destination address? <span style="font-weight: bold;">Answer:
|
||||
</span>Yes, if the <a href="Documentation.htm#Interfaces">routefilter
|
||||
interface option</a> is selected.</li>
|
||||
<li>DOS:<br>
|
||||
- SYN Dos<br>
|
||||
- ICMP Dos<br>
|
||||
- Per-host Dos protection<br>
|
||||
<span style="font-weight: bold;">Answer: </span>Shorewall has
|
||||
facilities for limiting SYN and ICMP packets. Netfilter as included in
|
||||
standard Linux kernels doesn't support per-remote-host limiting except
|
||||
by explicit rule that specifies the host IP address; that form of
|
||||
limiting is supported by Shorewall.</li>
|
||||
</ol>
|
||||
<h4><a name="faq32"></a><span style="font-weight: bold;">32. </span>My
|
||||
firewall has two connections to the internet from two different ISPs.
|
||||
How do I set this up in Shorewall?</h4>
|
||||
Setting this up in Shorewall is easy; setting up the routing is a bit
|
||||
harder.<br>
|
||||
<br>
|
||||
<font size="2">Last updated 10/04/2003 - <a href="support.htm">Tom
|
||||
Assuming that eth0 and eth1 are the interfaces to the two ISPs then:<br>
|
||||
<br>
|
||||
/etc/shorewall/interfaces:<br>
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ZONE</b></u></td>
|
||||
<td><u><b>INTERFACE</b></u></td>
|
||||
<td><u><b>BROADCAST</b></u></td>
|
||||
<td><u><b>OPTIONS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net<br>
|
||||
</td>
|
||||
<td>eth0</td>
|
||||
<td>detect<br>
|
||||
</td>
|
||||
<td>...<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">net<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">eth1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">detect<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">...<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
/etc/shorewall/policy:<br>
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>SOURCE </b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>POLICY</b></u></td>
|
||||
<td><u><b>LIMIT:BURST</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net<br>
|
||||
</td>
|
||||
<td>net<br>
|
||||
</td>
|
||||
<td>DROP<br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<hr style="width: 100%; height: 2px;">The following information
|
||||
regarding setting up routing for this
|
||||
configuration is reproduced from the <a href="http://www.lartc.org">LARTC
|
||||
HOWTO</a> and has not been verified by the author. If you have
|
||||
questions or problems with the instructions given below, please post to
|
||||
the <a href="http://www.lartc.org/#mailinglist">LARTC mailing list</a>.<br>
|
||||
<hr style="width: 100%; height: 2px;">A common configuration is the
|
||||
following, in which there are two providers
|
||||
that connect a local network (or even a single machine) to the big
|
||||
Internet.
|
||||
<pre class="SCREEN"> ________<br> +------------+ /<br> | | |<br> +-------------+ Provider 1 +-------<br> __ | | | /<br> ___/ \_ +------+-------+ +------------+ |<br> _/ \__ | if1 | /<br> / \ | | |<br>| Local network -----+ Linux router | | Internet<br> \_ __/ | | |<br> \__ __/ | if2 | \<br> \___/ +------+-------+ +------------+ |<br> | | | \<br> +-------------+ Provider 2 +-------<br> | | |<br> +------------+ \________</pre>
|
||||
<p>There are usually two questions given this setup.</p>
|
||||
<div class="SECT2">
|
||||
<h2 class="SECT2">Split access</h2>
|
||||
<p> The first is how to route answers to packets coming in over a
|
||||
particular provider, say Provider 1, back out again over that same
|
||||
provider. </p>
|
||||
<p> Let us first set some symbolical names. Let <b class="COMMAND">$IF1</b>
|
||||
be the name of the first interface (if1 in the picture above) and <b
|
||||
class="COMMAND">$IF2</b> the name of the second interface. Then let <b
|
||||
class="COMMAND">$IP1</b> be the IP address associated with <b
|
||||
class="COMMAND">$IF1</b> and <b class="COMMAND">$IP2</b> the IP
|
||||
address associated with <b class="COMMAND">$IF2</b>. Next, let <b
|
||||
class="COMMAND">$P1</b> be the IP address of the gateway at Provider
|
||||
1, and <b class="COMMAND">$P2</b> the IP address of the gateway at
|
||||
provider 2. Finally, let <b class="COMMAND">$P1_NET</b> be the IP
|
||||
network <b class="COMMAND">$P1</b> is in, and <b class="COMMAND">$P2_NET</b>
|
||||
the IP network <b class="COMMAND">$P2</b> is in. </p>
|
||||
<p> One creates two additional routing tables, say <b class="COMMAND">T1</b>
|
||||
and <b class="COMMAND">T2</b>. These are added in
|
||||
/etc/iproute2/rt_tables. Then you set up routing in these tables as
|
||||
follows: </p>
|
||||
<p> </p>
|
||||
<pre class="SCREEN"> ip route add $P1_NET dev $IF1 src $IP1 table T1<br> ip route add default via $P1 table T1<br> ip route add $P2_NET dev $IF2 src $IP2 table T2<br> ip route add default via $P2 table T2<br> </pre>
|
||||
Nothing spectacular, just build a route to the gateway and build a
|
||||
default route via that gateway, as you would do in the case of a single
|
||||
upstream provider, but put the routes in a separate table per provider.
|
||||
Note that the network route suffices, as it tells you how to find any
|
||||
host in that network, which includes the gateway, as specified above.
|
||||
<p> Next you set up the main routing table. It is a good idea to route
|
||||
things to the direct neighbour through the interface connected to that
|
||||
neighbour. Note the `src' arguments, they make sure the right outgoing
|
||||
IP address is chosen. </p>
|
||||
<pre class="SCREEN"> ip route add $P1_NET dev $IF1 src $IP1<br> ip route add $P2_NET dev $IF2 src $IP2<br> </pre>
|
||||
Then, your preference for default route:
|
||||
<pre class="SCREEN"> ip route add default via $P1<br> </pre>
|
||||
Next, you set up the routing rules. These actually choose what routing
|
||||
table to route with. You want to make sure that you route out a given
|
||||
interface if you already have the corresponding source address:
|
||||
<pre class="SCREEN"> ip rule add from $IP1 table T1<br> ip rule add from $IP2 table T2<br> </pre>
|
||||
This set of commands makes sure all answers to traffic coming in on a
|
||||
particular interface get answered from that interface.
|
||||
<p> </p>
|
||||
<div class="WARNING">
|
||||
<table class="WARNING" width="100%" border="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="25" align="center" valign="top"><img
|
||||
src="images/BD21298_.gif" hspace="5" alt="Warning" title=""
|
||||
style="width: 13px; height: 13px;"></td>
|
||||
<td align="left" valign="top">
|
||||
<p>Reader Rod Roark notes: 'If $P0_NET is the local network and
|
||||
$IF0 is its interface,
|
||||
the following additional entries are desirable: </p>
|
||||
<pre class="SCREEN">ip route add $P0_NET dev $IF0 table T1<br>ip route add $P2_NET dev $IF2 table T1<br>ip route add 127.0.0.0/8 dev lo table T1<br>ip route add $P0_NET dev $IF0 table T2<br>ip route add $P1_NET dev $IF1 table T2<br>ip route add 127.0.0.0/8 dev lo table T2 </pre>
|
||||
'</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<p> Now, this is just the very basic setup. It will work for all
|
||||
processes running on the router itself, and for the local network, if
|
||||
it is masqueraded. If it is not, then you either have IP space from
|
||||
both providers or you are going to want to masquerade to one of the two
|
||||
providers. In both cases you will want to add rules selecting which
|
||||
provider to route out from based on the IP address of the machine in
|
||||
the local network. </p>
|
||||
</div>
|
||||
<div class="SECT2">
|
||||
<h2 class="SECT2">Load balancing</h2>
|
||||
<p> The second question is how to balance traffic going out over the
|
||||
two providers. This is actually not hard if you already have set up
|
||||
split access as above. </p>
|
||||
<p> Instead of choosing one of the two providers as your default route,
|
||||
you now set up the default route to be a multipath route. In the
|
||||
default kernel this will balance routes over the two providers. It is
|
||||
done as follows (once more building on the example in the section on
|
||||
split-access): </p>
|
||||
<pre class="SCREEN"> ip route add default scope global nexthop via $P1 dev $IF1 weight 1 \<br> nexthop via $P2 dev $IF2 weight 1<br> </pre>
|
||||
This will balance the routes over both providers. The <b
|
||||
class="COMMAND">weight</b> parameters can be tweaked to favor one
|
||||
provider over the other.
|
||||
<p> Note that balancing will not be perfect, as it is route based, and
|
||||
routes are cached. This means that routes to often-used sites will
|
||||
always be over the same provider. </p>
|
||||
<p> Furthermore, if you really want to do this, you probably also want
|
||||
to look at Julian Anastasov's patches at <a
|
||||
href="http://www.ssi.bg/%7Eja/#routes" target="_top">http://www.ssi.bg/~ja/#routes
|
||||
</a>, Julian's route patch page. They will make things nicer to work
|
||||
with. </p>
|
||||
</div>
|
||||
<hr style="width: 100%; height: 2px;">End of information reproduced
|
||||
from the LARTC HOWTO. If you have
|
||||
questions or problems with the instructions given above, please post to
|
||||
the <a href="http://www.lartc.org/#mailinglist">LARTC mailing list</a>.
|
||||
<hr style="width: 100%; height: 2px;"><font size="2">Last updated
|
||||
11/20/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
|
@ -8,19 +8,37 @@
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h2></h2>
|
||||
<blockquote> </blockquote>
|
||||
<h1 style="text-align: center;">Shorewall and FTP<br>
|
||||
</h1>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<p><span style="font-weight: bold;">NOTICE: </span>If you are running
|
||||
Mandrake 9.1 or 9.2 and are having problems with FTP, you have three
|
||||
choices:</p>
|
||||
<ol>
|
||||
<li>Edit /usr/share/shorewall/firewall and replace this line:<br>
|
||||
<br>
|
||||
<tt>for suffix in o gz ko ; do<br>
|
||||
</tt><br>
|
||||
with<br>
|
||||
<br>
|
||||
<tt>for suffix in o gz ko <span
|
||||
style="font-weight: bold;">o.gz </span>; do<br>
|
||||
<br>
|
||||
</tt>and at a root shell prompt:<br>
|
||||
<br>
|
||||
<tt> <span style="font-weight: bold; color: rgb(0, 153, 0);">shorewall
|
||||
restart</span><br style="font-weight: bold; color: rgb(0, 153, 0);">
|
||||
<br>
|
||||
</tt></li>
|
||||
<li>Install the Mandrake "cooker" version of Shorewall.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Upgrade to Shorewall 1.4.7 or later.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<hr style="width: 100%; height: 2px;">
|
||||
<p>FTP transfers involve two TCP connections. The first <u>control</u>
|
||||
connection goes from the FTP client to port 21 on the FTP server. This
|
||||
connection is used for logon and to send commands and responses between
|
||||
@ -30,7 +48,8 @@ connection is dependent on the <u>mode</u>
|
||||
that the client is operating in:<br>
|
||||
</p>
|
||||
<ul>
|
||||
<li>Passive Mode (default for web browsers) -- The client issues a
|
||||
<li>Passive Mode (often the default for web browsers) -- The client
|
||||
issues a
|
||||
PASV command. Upon receipt of this command, the server listens on a
|
||||
dynamically-allocated port then sends a PASV reply to the client. The
|
||||
PASV reply gives the IP address
|
||||
@ -91,13 +110,17 @@ that the
|
||||
modules "ip_conntrack_ftp" and "ip_nat_ftp" need to be loaded.
|
||||
Shorewall automatically
|
||||
loads these "helper" modules from /lib/modules/<<i>kernel-version></i>/kernel/net/ipv4/netfilter/
|
||||
and you can determine if they are loaded using the 'lsmod' command:<br>
|
||||
and you can determine if they are loaded using the 'lsmod' command. The
|
||||
<<span style="font-style: italic;">kernel-version</span>> may be
|
||||
obtained by typing<br>
|
||||
</p>
|
||||
<pre> <span style="color: rgb(0, 153, 0);"><span
|
||||
style="font-weight: bold;">uname -r</span></span>
|
||||
|
||||
Example:<br></pre>
|
||||
<blockquote>
|
||||
<p>Example:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state ipt_multiport ipt_conntrack iptable_filter iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
|
||||
<pre>[root@lists etc]# lsmod<br>Module Size Used by Not tainted<br>autofs 12148 0 (autoclean) (unused)<br>ipt_TOS 1560 12 (autoclean)<br>ipt_LOG 4120 5 (autoclean)<br>ipt_REDIRECT 1304 1 (autoclean)<br>ipt_REJECT 3736 4 (autoclean)<br>ipt_state 1048 13 (autoclean)<br>ip_nat_irc 3152 0 (unused)<br><b>ip_nat_ftp 3888 0 (unused)</b><br>ip_conntrack_irc 3984 1<br><b>ip_conntrack_ftp 5008 1</b><br>ipt_multiport 1144 2 (autoclean)<br>ipt_conntrack 1592 0 (autoclean)<br>iptable_filter 2316 1 (autoclean)<br>iptable_mangle 2680 1 (autoclean)<br>iptable_nat 20568 3 (autoclean) [ipt_REDIRECT ip_nat_irc ip_nat_ftp]<br>ip_conntrack 26088 5 (autoclean) [ipt_REDIRECT ipt_state ip_nat_irc<br> ip_nat_ftp ip_conntrack_irc ip_conntrack_ftp<br> ipt_conntrack iptable_nat]<br>ip_tables 14488 12 [ipt_TOS ipt_LOG ipt_REDIRECT ipt_REJECT ipt_state<br> ipt_multiport ipt_conntrack iptable_filter<br> iptable_mangle iptable_nat]<br>tulip 42464 0 (unused)<br>e100 50596 1<br>keybdev 2752 0 (unused)<br>mousedev 5236 0 (unused)<br>hid 20868 0 (unused)<br>input 5632 0 [keybdev mousedev hid]<br>usb-uhci 24684 0 (unused)<br>usbcore 73280 1 [hid usb-uhci]<br>ext3 64704 2<br>jbd 47860 2 [ext3]<br>[root@lists etc]#<br></pre>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
@ -105,6 +128,12 @@ and you can determine if they are loaded using the 'lsmod' command:<br>
|
||||
directory, you need to set the MODULESDIR variable in
|
||||
/etc/shorewall/shorewall.conf to point to that directory.<br>
|
||||
</p>
|
||||
<p>If your FTP helper modules are compressed and have the names <span
|
||||
style="font-style: italic;">ip_nat_ftp.o.gz </span>and <span
|
||||
style="font-style: italic;">ip_conntrack_ftp.o.gz</span> then you will
|
||||
need Shorewall 1.4.7 or later if you want Shorewall to load them for
|
||||
you.<br>
|
||||
</p>
|
||||
<p>Server configuration is covered in <a href="Documentation.htm#Rules">the
|
||||
/etc/shorewall/rules documentation</a>,<br>
|
||||
</p>
|
||||
@ -203,7 +232,7 @@ to the net.<br>
|
||||
<p> </p>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<p><font size="2">Last updated 9/17/2003 - </font><font size="2"> <a
|
||||
<p><font size="2">Last updated 12/01/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
|
@ -8,17 +8,8 @@
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Generic Tunnels</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Generic Tunnels<br>
|
||||
</h1>
|
||||
Shorewall includes built-in support for a wide range of VPN solutions.
|
||||
If you have need for a tunnel type that does not have explicit support,
|
||||
you can generally describe the tunneling software using "generic
|
||||
|
@ -1,341 +1,420 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Copyright</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h2 align="center"><font color="#ffffff">GNU Free Documentation License</font></h2>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">GNU Free Documentation License<br>
|
||||
</h1>
|
||||
<p>Version 1.1, March 2000 </p>
|
||||
|
||||
<pre>Copyright (C) 2000 Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
|
||||
|
||||
<p><strong>0. PREAMBLE</strong> </p>
|
||||
|
||||
<p>The purpose of this License is to make a manual, textbook, or other written
|
||||
document "free" in the sense of freedom: to assure everyone the effective
|
||||
freedom to copy and redistribute it, with or without modifying it, either
|
||||
commercially or noncommercially. Secondarily, this License preserves for
|
||||
the author and publisher a way to get credit for their work, while not being
|
||||
considered responsible for modifications made by others. </p>
|
||||
|
||||
<p>This License is a kind of "copyleft", which means that derivative works
|
||||
of the document must themselves be free in the same sense. It complements
|
||||
the GNU General Public License, which is a copyleft license designed for
|
||||
<p>The purpose of this License is to make a manual, textbook, or other
|
||||
written document "free" in the sense of freedom: to assure everyone the
|
||||
effective freedom to copy and redistribute it, with or without
|
||||
modifying it, either commercially or noncommercially. Secondarily, this
|
||||
License preserves for
|
||||
the author and publisher a way to get credit for their work, while not
|
||||
being considered responsible for modifications made by others. </p>
|
||||
<p>This License is a kind of "copyleft", which means that derivative
|
||||
works
|
||||
of the document must themselves be free in the same sense. It
|
||||
complements
|
||||
the GNU General Public License, which is a copyleft license designed
|
||||
for
|
||||
free software. </p>
|
||||
|
||||
<p>We have designed this License in order to use it for manuals for free software,
|
||||
because free software needs free documentation: a free program should come
|
||||
with manuals providing the same freedoms that the software does. But this
|
||||
License is not limited to software manuals; it can be used for any textual
|
||||
work, regardless of subject matter or whether it is published as a printed
|
||||
book. We recommend this License principally for works whose purpose is instruction
|
||||
<p>We have designed this License in order to use it for manuals for
|
||||
free software,
|
||||
because free software needs free documentation: a free program should
|
||||
come
|
||||
with manuals providing the same freedoms that the software does. But
|
||||
this License is not limited to software manuals; it can be used for any
|
||||
textual
|
||||
work, regardless of subject matter or whether it is published as a
|
||||
printed
|
||||
book. We recommend this License principally for works whose purpose is
|
||||
instruction
|
||||
or reference. </p>
|
||||
|
||||
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
|
||||
|
||||
<p>This License applies to any manual or other work that contains a notice
|
||||
placed by the copyright holder saying it can be distributed under the terms
|
||||
of this License. The "Document", below, refers to any such manual or work.
|
||||
<p>This License applies to any manual or other work that contains a
|
||||
notice placed by the copyright holder saying it can be distributed
|
||||
under the terms
|
||||
of this License. The "Document", below, refers to any such manual or
|
||||
work.
|
||||
Any member of the public is a licensee, and is addressed as "you". </p>
|
||||
|
||||
<p>A "Modified Version" of the Document means any work containing the Document
|
||||
or a portion of it, either copied verbatim, or with modifications and/or translated
|
||||
<p>A "Modified Version" of the Document means any work containing the
|
||||
Document or a portion of it, either copied verbatim, or with
|
||||
modifications and/or translated
|
||||
into another language. </p>
|
||||
|
||||
<p>A "Secondary Section" is a named appendix or a front-matter section of
|
||||
the Document that deals exclusively with the relationship of the publishers
|
||||
or authors of the Document to the Document's overall subject (or to related
|
||||
matters) and contains nothing that could fall directly within that overall
|
||||
subject. (For example, if the Document is in part a textbook of mathematics,
|
||||
a Secondary Section may not explain any mathematics.) The relationship could
|
||||
be a matter of historical connection with the subject or with related matters,
|
||||
or of legal, commercial, philosophical, ethical or political position regarding
|
||||
<p>A "Secondary Section" is a named appendix or a front-matter section
|
||||
of
|
||||
the Document that deals exclusively with the relationship of the
|
||||
publishers
|
||||
or authors of the Document to the Document's overall subject (or to
|
||||
related matters) and contains nothing that could fall directly within
|
||||
that overall subject. (For example, if the Document is in part a
|
||||
textbook of mathematics,
|
||||
a Secondary Section may not explain any mathematics.) The relationship
|
||||
could
|
||||
be a matter of historical connection with the subject or with related
|
||||
matters,
|
||||
or of legal, commercial, philosophical, ethical or political position
|
||||
regarding
|
||||
them. </p>
|
||||
|
||||
<p>The "Invariant Sections" are certain Secondary Sections whose titles are
|
||||
designated, as being those of Invariant Sections, in the notice that says
|
||||
<p>The "Invariant Sections" are certain Secondary Sections whose titles
|
||||
are designated, as being those of Invariant Sections, in the notice
|
||||
that says
|
||||
that the Document is released under this License. </p>
|
||||
|
||||
<p>The "Cover Texts" are certain short passages of text that are listed,
|
||||
as Front-Cover Texts or Back-Cover Texts, in the notice that says that the
|
||||
<p>The "Cover Texts" are certain short passages of text that are
|
||||
listed,
|
||||
as Front-Cover Texts or Back-Cover Texts, in the notice that says that
|
||||
the
|
||||
Document is released under this License. </p>
|
||||
|
||||
<p>A "Transparent" copy of the Document means a machine-readable copy, represented
|
||||
in a format whose specification is available to the general public, whose
|
||||
contents can be viewed and edited directly and straightforwardly with generic
|
||||
text editors or (for images composed of pixels) generic paint programs or
|
||||
(for drawings) some widely available drawing editor, and that is suitable
|
||||
for input to text formatters or for automatic translation to a variety of
|
||||
formats suitable for input to text formatters. A copy made in an otherwise
|
||||
Transparent file format whose markup has been designed to thwart or discourage
|
||||
subsequent modification by readers is not Transparent. A copy that is not
|
||||
<p>A "Transparent" copy of the Document means a machine-readable copy,
|
||||
represented
|
||||
in a format whose specification is available to the general public,
|
||||
whose
|
||||
contents can be viewed and edited directly and straightforwardly with
|
||||
generic
|
||||
text editors or (for images composed of pixels) generic paint programs
|
||||
or
|
||||
(for drawings) some widely available drawing editor, and that is
|
||||
suitable
|
||||
for input to text formatters or for automatic translation to a variety
|
||||
of
|
||||
formats suitable for input to text formatters. A copy made in an
|
||||
otherwise
|
||||
Transparent file format whose markup has been designed to thwart or
|
||||
discourage
|
||||
subsequent modification by readers is not Transparent. A copy that is
|
||||
not
|
||||
"Transparent" is called "Opaque". </p>
|
||||
|
||||
<p>Examples of suitable formats for Transparent copies include plain ASCII
|
||||
without markup, Texinfo input format, LaTeX input format, SGML or XML using
|
||||
a publicly available DTD, and standard-conforming simple HTML designed for
|
||||
human modification. Opaque formats include PostScript, PDF, proprietary formats
|
||||
that can be read and edited only by proprietary word processors, SGML or
|
||||
XML for which the DTD and/or processing tools are not generally available,
|
||||
and the machine-generated HTML produced by some word processors for output
|
||||
<p>Examples of suitable formats for Transparent copies include plain
|
||||
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
|
||||
XML using
|
||||
a publicly available DTD, and standard-conforming simple HTML designed
|
||||
for
|
||||
human modification. Opaque formats include PostScript, PDF, proprietary
|
||||
formats
|
||||
that can be read and edited only by proprietary word processors, SGML
|
||||
or
|
||||
XML for which the DTD and/or processing tools are not generally
|
||||
available,
|
||||
and the machine-generated HTML produced by some word processors for
|
||||
output
|
||||
purposes only. </p>
|
||||
|
||||
<p>The "Title Page" means, for a printed book, the title page itself, plus
|
||||
such following pages as are needed to hold, legibly, the material this License
|
||||
requires to appear in the title page. For works in formats which do not have
|
||||
any title page as such, "Title Page" means the text near the most prominent
|
||||
appearance of the work's title, preceding the beginning of the body of the
|
||||
<p>The "Title Page" means, for a printed book, the title page itself,
|
||||
plus
|
||||
such following pages as are needed to hold, legibly, the material this
|
||||
License requires to appear in the title page. For works in formats
|
||||
which do not have
|
||||
any title page as such, "Title Page" means the text near the most
|
||||
prominent appearance of the work's title, preceding the beginning of
|
||||
the body of the
|
||||
text. </p>
|
||||
|
||||
<p><strong>2. VERBATIM COPYING</strong> </p>
|
||||
|
||||
<p>You may copy and distribute the Document in any medium, either commercially
|
||||
or noncommercially, provided that this License, the copyright notices, and
|
||||
the license notice saying this License applies to the Document are reproduced
|
||||
in all copies, and that you add no other conditions whatsoever to those of
|
||||
this License. You may not use technical measures to obstruct or control the
|
||||
reading or further copying of the copies you make or distribute. However,
|
||||
you may accept compensation in exchange for copies. If you distribute a large
|
||||
enough number of copies you must also follow the conditions in section 3.
|
||||
<p>You may copy and distribute the Document in any medium, either
|
||||
commercially or noncommercially, provided that this License, the
|
||||
copyright notices, and
|
||||
the license notice saying this License applies to the Document are
|
||||
reproduced
|
||||
in all copies, and that you add no other conditions whatsoever to those
|
||||
of
|
||||
this License. You may not use technical measures to obstruct or control
|
||||
the
|
||||
reading or further copying of the copies you make or distribute.
|
||||
However,
|
||||
you may accept compensation in exchange for copies. If you distribute a
|
||||
large
|
||||
enough number of copies you must also follow the conditions in section
|
||||
3.
|
||||
</p>
|
||||
|
||||
<p>You may also lend copies, under the same conditions stated above, and
|
||||
<p>You may also lend copies, under the same conditions stated above,
|
||||
and
|
||||
you may publicly display copies. </p>
|
||||
|
||||
<p><strong>3. COPYING IN QUANTITY</strong> </p>
|
||||
|
||||
<p>If you publish printed copies of the Document numbering more than 100,
|
||||
and the Document's license notice requires Cover Texts, you must enclose
|
||||
the copies in covers that carry, clearly and legibly, all these Cover Texts:
|
||||
Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover.
|
||||
Both covers must also clearly and legibly identify you as the publisher of
|
||||
these copies. The front cover must present the full title with all words
|
||||
of the title equally prominent and visible. You may add other material on
|
||||
the covers in addition. Copying with changes limited to the covers, as long
|
||||
as they preserve the title of the Document and satisfy these conditions,
|
||||
<p>If you publish printed copies of the Document numbering more than
|
||||
100,
|
||||
and the Document's license notice requires Cover Texts, you must
|
||||
enclose
|
||||
the copies in covers that carry, clearly and legibly, all these Cover
|
||||
Texts:
|
||||
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
|
||||
cover.
|
||||
Both covers must also clearly and legibly identify you as the publisher
|
||||
of
|
||||
these copies. The front cover must present the full title with all
|
||||
words
|
||||
of the title equally prominent and visible. You may add other material
|
||||
on
|
||||
the covers in addition. Copying with changes limited to the covers, as
|
||||
long
|
||||
as they preserve the title of the Document and satisfy these
|
||||
conditions,
|
||||
can be treated as verbatim copying in other respects. </p>
|
||||
|
||||
<p>If the required texts for either cover are too voluminous to fit legibly,
|
||||
you should put the first ones listed (as many as fit reasonably) on the actual
|
||||
cover, and continue the rest onto adjacent pages. </p>
|
||||
|
||||
<p>If you publish or distribute Opaque copies of the Document numbering more
|
||||
than 100, you must either include a machine-readable Transparent copy along
|
||||
with each Opaque copy, or state in or with each Opaque copy a publicly-accessible
|
||||
computer-network location containing a complete Transparent copy of the Document,
|
||||
free of added material, which the general network-using public has access
|
||||
to download anonymously at no charge using public-standard network protocols.
|
||||
If you use the latter option, you must take reasonably prudent steps, when
|
||||
you begin distribution of Opaque copies in quantity, to ensure that this Transparent
|
||||
copy will remain thus accessible at the stated location until at least one
|
||||
year after the last time you distribute an Opaque copy (directly or through
|
||||
<p>If the required texts for either cover are too voluminous to fit
|
||||
legibly,
|
||||
you should put the first ones listed (as many as fit reasonably) on the
|
||||
actual cover, and continue the rest onto adjacent pages. </p>
|
||||
<p>If you publish or distribute Opaque copies of the Document numbering
|
||||
more than 100, you must either include a machine-readable Transparent
|
||||
copy along
|
||||
with each Opaque copy, or state in or with each Opaque copy a
|
||||
publicly-accessible computer-network location containing a complete
|
||||
Transparent copy of the Document,
|
||||
free of added material, which the general network-using public has
|
||||
access
|
||||
to download anonymously at no charge using public-standard network
|
||||
protocols.
|
||||
If you use the latter option, you must take reasonably prudent steps,
|
||||
when
|
||||
you begin distribution of Opaque copies in quantity, to ensure that
|
||||
this Transparent
|
||||
copy will remain thus accessible at the stated location until at least
|
||||
one
|
||||
year after the last time you distribute an Opaque copy (directly or
|
||||
through
|
||||
your agents or retailers) of that edition to the public. </p>
|
||||
|
||||
<p>It is requested, but not required, that you contact the authors of the
|
||||
Document well before redistributing any large number of copies, to give them
|
||||
<p>It is requested, but not required, that you contact the authors of
|
||||
the Document well before redistributing any large number of copies, to
|
||||
give them
|
||||
a chance to provide you with an updated version of the Document. </p>
|
||||
|
||||
<p><strong>4. MODIFICATIONS</strong> </p>
|
||||
|
||||
<p>You may copy and distribute a Modified Version of the Document under the
|
||||
conditions of sections 2 and 3 above, provided that you release the Modified
|
||||
Version under precisely this License, with the Modified Version filling the
|
||||
role of the Document, thus licensing distribution and modification of the
|
||||
Modified Version to whoever possesses a copy of it. In addition, you must
|
||||
<p>You may copy and distribute a Modified Version of the Document under
|
||||
the conditions of sections 2 and 3 above, provided that you release the
|
||||
Modified Version under precisely this License, with the Modified
|
||||
Version filling the
|
||||
role of the Document, thus licensing distribution and modification of
|
||||
the
|
||||
Modified Version to whoever possesses a copy of it. In addition, you
|
||||
must
|
||||
do these things in the Modified Version: </p>
|
||||
|
||||
<p> </p>
|
||||
|
||||
<p> </p>
|
||||
<ul>
|
||||
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any)
|
||||
a title distinct from that of the Document, and from those of previous
|
||||
versions (which should, if there were any, be listed in the History section
|
||||
of the Document). You may use the same title as a previous version if the
|
||||
original publisher of that version gives permission. </li>
|
||||
<li><strong>B.</strong> List on the Title Page, as authors, one or more
|
||||
persons or entities responsible for authorship of the modifications in
|
||||
the Modified Version, together with at least five of the principal authors
|
||||
of the Document (all of its principal authors, if it has less than five).
|
||||
</li>
|
||||
<li><strong>C.</strong> State on the Title page the name of the publisher
|
||||
of the Modified Version, as the publisher. </li>
|
||||
<li><strong>D.</strong> Preserve all the copyright notices of the Document.
|
||||
</li>
|
||||
<li><strong>E.</strong> Add an appropriate copyright notice for your
|
||||
modifications adjacent to the other copyright notices. </li>
|
||||
<li><strong>F.</strong> Include, immediately after the copyright notices,
|
||||
a license notice giving the public permission to use the Modified Version
|
||||
under the terms of this License, in the form shown in the Addendum below.
|
||||
</li>
|
||||
<li><strong>G.</strong> Preserve in that license notice the full lists
|
||||
of Invariant Sections and required Cover Texts given in the Document's
|
||||
license notice. </li>
|
||||
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
|
||||
<li><strong>I.</strong> Preserve the section entitled "History", and its
|
||||
title, and add to it an item stating at least the title, year, new authors,
|
||||
and publisher of the Modified Version as given on the Title Page. If there
|
||||
is no section entitled "History" in the Document, create one stating the
|
||||
title, year, authors, and publisher of the Document as given on its Title
|
||||
Page, then add an item describing the Modified Version as stated in the
|
||||
previous sentence. </li>
|
||||
<li><strong>J.</strong> Preserve the network location, if any, given in
|
||||
the Document for public access to a Transparent copy of the Document, and
|
||||
likewise the network locations given in the Document for previous versions
|
||||
it was based on. These may be placed in the "History" section. You may
|
||||
omit a network location for a work that was published at least four years
|
||||
before the Document itself, or if the original publisher of the version
|
||||
it refers to gives permission. </li>
|
||||
<li><strong>K.</strong> In any section entitled "Acknowledgements" or
|
||||
"Dedications", preserve the section's title, and preserve in the section
|
||||
all the substance and tone of each of the contributor acknowledgements
|
||||
and/or dedications given therein. </li>
|
||||
<li><strong>L.</strong> Preserve all the Invariant Sections of the Document,
|
||||
unaltered in their text and in their titles. Section numbers or the equivalent
|
||||
are not considered part of the section titles. </li>
|
||||
<li><strong>M.</strong> Delete any section entitled "Endorsements". Such
|
||||
a section may not be included in the Modified Version. </li>
|
||||
<li><strong>N.</strong> Do not retitle any existing section as "Endorsements"
|
||||
or to conflict in title with any Invariant Section. </li>
|
||||
|
||||
<li><strong>A.</strong> Use in the Title Page (and on the covers, if
|
||||
any)
|
||||
a title distinct from that of the Document, and from those of previous
|
||||
versions (which should, if there were any, be listed in the History
|
||||
section
|
||||
of the Document). You may use the same title as a previous version if
|
||||
the
|
||||
original publisher of that version gives permission. </li>
|
||||
<li><strong>B.</strong> List on the Title Page, as authors, one or
|
||||
more persons or entities responsible for authorship of the
|
||||
modifications in
|
||||
the Modified Version, together with at least five of the principal
|
||||
authors
|
||||
of the Document (all of its principal authors, if it has less than
|
||||
five). </li>
|
||||
<li><strong>C.</strong> State on the Title page the name of the
|
||||
publisher
|
||||
of the Modified Version, as the publisher. </li>
|
||||
<li><strong>D.</strong> Preserve all the copyright notices of the
|
||||
Document. </li>
|
||||
<li><strong>E.</strong> Add an appropriate copyright notice for your
|
||||
modifications adjacent to the other copyright notices. </li>
|
||||
<li><strong>F.</strong> Include, immediately after the copyright
|
||||
notices,
|
||||
a license notice giving the public permission to use the Modified
|
||||
Version
|
||||
under the terms of this License, in the form shown in the Addendum
|
||||
below. </li>
|
||||
<li><strong>G.</strong> Preserve in that license notice the full
|
||||
lists
|
||||
of Invariant Sections and required Cover Texts given in the Document's
|
||||
license notice. </li>
|
||||
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
|
||||
<li><strong>I.</strong> Preserve the section entitled "History", and
|
||||
its title, and add to it an item stating at least the title, year, new
|
||||
authors, and publisher of the Modified Version as given on the Title
|
||||
Page. If there
|
||||
is no section entitled "History" in the Document, create one stating
|
||||
the
|
||||
title, year, authors, and publisher of the Document as given on its
|
||||
Title
|
||||
Page, then add an item describing the Modified Version as stated in the
|
||||
previous sentence. </li>
|
||||
<li><strong>J.</strong> Preserve the network location, if any, given
|
||||
in
|
||||
the Document for public access to a Transparent copy of the Document,
|
||||
and
|
||||
likewise the network locations given in the Document for previous
|
||||
versions
|
||||
it was based on. These may be placed in the "History" section. You may
|
||||
omit a network location for a work that was published at least four
|
||||
years
|
||||
before the Document itself, or if the original publisher of the version
|
||||
it refers to gives permission. </li>
|
||||
<li><strong>K.</strong> In any section entitled "Acknowledgements" or
|
||||
"Dedications", preserve the section's title, and preserve in the
|
||||
section
|
||||
all the substance and tone of each of the contributor acknowledgements
|
||||
and/or dedications given therein. </li>
|
||||
<li><strong>L.</strong> Preserve all the Invariant Sections of the
|
||||
Document, unaltered in their text and in their titles. Section numbers
|
||||
or the equivalent are not considered part of the section titles. </li>
|
||||
<li><strong>M.</strong> Delete any section entitled "Endorsements".
|
||||
Such
|
||||
a section may not be included in the Modified Version. </li>
|
||||
<li><strong>N.</strong> Do not retitle any existing section as
|
||||
"Endorsements" or to conflict in title with any Invariant Section. </li>
|
||||
</ul>
|
||||
|
||||
<p>If the Modified Version includes new front-matter sections or appendices
|
||||
that qualify as Secondary Sections and contain no material copied from the
|
||||
Document, you may at your option designate some or all of these sections
|
||||
as invariant. To do this, add their titles to the list of Invariant Sections
|
||||
in the Modified Version's license notice. These titles must be distinct from
|
||||
<p>If the Modified Version includes new front-matter sections or
|
||||
appendices
|
||||
that qualify as Secondary Sections and contain no material copied from
|
||||
the
|
||||
Document, you may at your option designate some or all of these
|
||||
sections
|
||||
as invariant. To do this, add their titles to the list of Invariant
|
||||
Sections
|
||||
in the Modified Version's license notice. These titles must be distinct
|
||||
from
|
||||
any other section titles. </p>
|
||||
|
||||
<p>You may add a section entitled "Endorsements", provided it contains nothing
|
||||
but endorsements of your Modified Version by various parties--for example,
|
||||
statements of peer review or that the text has been approved by an organization
|
||||
as the authoritative definition of a standard. </p>
|
||||
|
||||
<p>You may add a passage of up to five words as a Front-Cover Text, and a
|
||||
passage of up to 25 words as a Back-Cover Text, to the end of the list of
|
||||
Cover Texts in the Modified Version. Only one passage of Front-Cover Text
|
||||
and one of Back-Cover Text may be added by (or through arrangements made
|
||||
by) any one entity. If the Document already includes a cover text for the
|
||||
same cover, previously added by you or by arrangement made by the same entity
|
||||
you are acting on behalf of, you may not add another; but you may replace
|
||||
the old one, on explicit permission from the previous publisher that added
|
||||
<p>You may add a section entitled "Endorsements", provided it contains
|
||||
nothing but endorsements of your Modified Version by various
|
||||
parties--for example, statements of peer review or that the text has
|
||||
been approved by an organization as the authoritative definition of a
|
||||
standard. </p>
|
||||
<p>You may add a passage of up to five words as a Front-Cover Text, and
|
||||
a passage of up to 25 words as a Back-Cover Text, to the end of the
|
||||
list of
|
||||
Cover Texts in the Modified Version. Only one passage of Front-Cover
|
||||
Text
|
||||
and one of Back-Cover Text may be added by (or through arrangements
|
||||
made
|
||||
by) any one entity. If the Document already includes a cover text for
|
||||
the
|
||||
same cover, previously added by you or by arrangement made by the same
|
||||
entity
|
||||
you are acting on behalf of, you may not add another; but you may
|
||||
replace
|
||||
the old one, on explicit permission from the previous publisher that
|
||||
added
|
||||
the old one. </p>
|
||||
|
||||
<p>The author(s) and publisher(s) of the Document do not by this License
|
||||
give permission to use their names for publicity for or to assert or imply
|
||||
endorsement of any Modified Version. </p>
|
||||
|
||||
<p>The author(s) and publisher(s) of the Document do not by this
|
||||
License
|
||||
give permission to use their names for publicity for or to assert or
|
||||
imply endorsement of any Modified Version. </p>
|
||||
<p><strong>5. COMBINING DOCUMENTS</strong> </p>
|
||||
|
||||
<p>You may combine the Document with other documents released under this License,
|
||||
under the terms defined in section 4 above for modified versions, provided
|
||||
that you include in the combination all of the Invariant Sections of all
|
||||
of the original documents, unmodified, and list them all as Invariant Sections
|
||||
<p>You may combine the Document with other documents released under
|
||||
this License,
|
||||
under the terms defined in section 4 above for modified versions,
|
||||
provided
|
||||
that you include in the combination all of the Invariant Sections of
|
||||
all
|
||||
of the original documents, unmodified, and list them all as Invariant
|
||||
Sections
|
||||
of your combined work in its license notice. </p>
|
||||
|
||||
<p>The combined work need only contain one copy of this License, and multiple
|
||||
identical Invariant Sections may be replaced with a single copy. If there
|
||||
are multiple Invariant Sections with the same name but different contents,
|
||||
make the title of each such section unique by adding at the end of it, in
|
||||
parentheses, the name of the original author or publisher of that section
|
||||
if known, or else a unique number. Make the same adjustment to the section
|
||||
titles in the list of Invariant Sections in the license notice of the combined
|
||||
<p>The combined work need only contain one copy of this License, and
|
||||
multiple identical Invariant Sections may be replaced with a single
|
||||
copy. If there
|
||||
are multiple Invariant Sections with the same name but different
|
||||
contents,
|
||||
make the title of each such section unique by adding at the end of it,
|
||||
in
|
||||
parentheses, the name of the original author or publisher of that
|
||||
section
|
||||
if known, or else a unique number. Make the same adjustment to the
|
||||
section
|
||||
titles in the list of Invariant Sections in the license notice of the
|
||||
combined
|
||||
work. </p>
|
||||
|
||||
<p>In the combination, you must combine any sections entitled "History" in
|
||||
the various original documents, forming one section entitled "History"; likewise
|
||||
combine any sections entitled "Acknowledgements", and any sections entitled
|
||||
"Dedications". You must delete all sections entitled "Endorsements." </p>
|
||||
|
||||
<p>In the combination, you must combine any sections entitled "History"
|
||||
in
|
||||
the various original documents, forming one section entitled "History";
|
||||
likewise combine any sections entitled "Acknowledgements", and any
|
||||
sections entitled "Dedications". You must delete all sections entitled
|
||||
"Endorsements." </p>
|
||||
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
|
||||
|
||||
<p>You may make a collection consisting of the Document and other documents
|
||||
released under this License, and replace the individual copies of this License
|
||||
in the various documents with a single copy that is included in the collection,
|
||||
provided that you follow the rules of this License for verbatim copying of
|
||||
<p>You may make a collection consisting of the Document and other
|
||||
documents released under this License, and replace the individual
|
||||
copies of this License in the various documents with a single copy that
|
||||
is included in the collection, provided that you follow the rules of
|
||||
this License for verbatim copying of
|
||||
each of the documents in all other respects. </p>
|
||||
|
||||
<p>You may extract a single document from such a collection, and distribute
|
||||
it individually under this License, provided you insert a copy of this License
|
||||
into the extracted document, and follow this License in all other respects
|
||||
<p>You may extract a single document from such a collection, and
|
||||
distribute
|
||||
it individually under this License, provided you insert a copy of this
|
||||
License
|
||||
into the extracted document, and follow this License in all other
|
||||
respects
|
||||
regarding verbatim copying of that document. </p>
|
||||
|
||||
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
|
||||
|
||||
<p>A compilation of the Document or its derivatives with other separate and
|
||||
independent documents or works, in or on a volume of a storage or distribution
|
||||
medium, does not as a whole count as a Modified Version of the Document, provided
|
||||
no compilation copyright is claimed for the compilation. Such a compilation
|
||||
is called an "aggregate", and this License does not apply to the other self-contained
|
||||
works thus compiled with the Document, on account of their being thus compiled,
|
||||
<p>A compilation of the Document or its derivatives with other separate
|
||||
and independent documents or works, in or on a volume of a storage or
|
||||
distribution medium, does not as a whole count as a Modified Version of
|
||||
the Document, provided
|
||||
no compilation copyright is claimed for the compilation. Such a
|
||||
compilation
|
||||
is called an "aggregate", and this License does not apply to the other
|
||||
self-contained
|
||||
works thus compiled with the Document, on account of their being thus
|
||||
compiled,
|
||||
if they are not themselves derivative works of the Document. </p>
|
||||
|
||||
<p>If the Cover Text requirement of section 3 is applicable to these copies
|
||||
of the Document, then if the Document is less than one quarter of the entire
|
||||
aggregate, the Document's Cover Texts may be placed on covers that surround
|
||||
only the Document within the aggregate. Otherwise they must appear on covers
|
||||
<p>If the Cover Text requirement of section 3 is applicable to these
|
||||
copies
|
||||
of the Document, then if the Document is less than one quarter of the
|
||||
entire aggregate, the Document's Cover Texts may be placed on covers
|
||||
that surround
|
||||
only the Document within the aggregate. Otherwise they must appear on
|
||||
covers
|
||||
around the whole aggregate. </p>
|
||||
|
||||
<p><strong>8. TRANSLATION</strong> </p>
|
||||
|
||||
<p>Translation is considered a kind of modification, so you may distribute
|
||||
translations of the Document under the terms of section 4. Replacing Invariant
|
||||
Sections with translations requires special permission from their copyright
|
||||
holders, but you may include translations of some or all Invariant Sections
|
||||
in addition to the original versions of these Invariant Sections. You may
|
||||
include a translation of this License provided that you also include the
|
||||
original English version of this License. In case of a disagreement between
|
||||
the translation and the original English version of this License, the original
|
||||
<p>Translation is considered a kind of modification, so you may
|
||||
distribute translations of the Document under the terms of section 4.
|
||||
Replacing Invariant Sections with translations requires special
|
||||
permission from their copyright holders, but you may include
|
||||
translations of some or all Invariant Sections
|
||||
in addition to the original versions of these Invariant Sections. You
|
||||
may
|
||||
include a translation of this License provided that you also include
|
||||
the
|
||||
original English version of this License. In case of a disagreement
|
||||
between
|
||||
the translation and the original English version of this License, the
|
||||
original
|
||||
English version will prevail. </p>
|
||||
|
||||
<p><strong>9. TERMINATION</strong> </p>
|
||||
|
||||
<p>You may not copy, modify, sublicense, or distribute the Document except
|
||||
as expressly provided for under this License. Any other attempt to copy,
|
||||
modify, sublicense or distribute the Document is void, and will automatically
|
||||
terminate your rights under this License. However, parties who have received
|
||||
copies, or rights, from you under this License will not have their licenses
|
||||
<p>You may not copy, modify, sublicense, or distribute the Document
|
||||
except
|
||||
as expressly provided for under this License. Any other attempt to
|
||||
copy,
|
||||
modify, sublicense or distribute the Document is void, and will
|
||||
automatically
|
||||
terminate your rights under this License. However, parties who have
|
||||
received
|
||||
copies, or rights, from you under this License will not have their
|
||||
licenses
|
||||
terminated so long as such parties remain in full compliance. </p>
|
||||
|
||||
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
|
||||
|
||||
<p>The Free Software Foundation may publish new, revised versions of the
|
||||
GNU Free Documentation License from time to time. Such new versions will
|
||||
be similar in spirit to the present version, but may differ in detail to
|
||||
<p>The Free Software Foundation may publish new, revised versions of
|
||||
the
|
||||
GNU Free Documentation License from time to time. Such new versions
|
||||
will
|
||||
be similar in spirit to the present version, but may differ in detail
|
||||
to
|
||||
address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
|
||||
|
||||
<p>Each version of the License is given a distinguishing version number.
|
||||
If the Document specifies that a particular numbered version of this License
|
||||
"or any later version" applies to it, you have the option of following the
|
||||
terms and conditions either of that specified version or of any later version
|
||||
that has been published (not as a draft) by the Free Software Foundation.
|
||||
If the Document does not specify a version number of this License, you may
|
||||
choose any version ever published (not as a draft) by the Free Software Foundation.
|
||||
<p>Each version of the License is given a distinguishing version
|
||||
number.
|
||||
If the Document specifies that a particular numbered version of this
|
||||
License
|
||||
"or any later version" applies to it, you have the option of following
|
||||
the
|
||||
terms and conditions either of that specified version or of any later
|
||||
version
|
||||
that has been published (not as a draft) by the Free Software
|
||||
Foundation.
|
||||
If the Document does not specify a version number of this License, you
|
||||
may
|
||||
choose any version ever published (not as a draft) by the Free Software
|
||||
Foundation.
|
||||
</p>
|
||||
|
||||
<p align="left"> </p>
|
||||
<br>
|
||||
<p align="left"> </p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,98 +1,71 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>GRE/IPIP Tunnels</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">GRE and IPIP Tunnels</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are insecure
|
||||
when used over the internet; use them at your own risk</h3>
|
||||
|
||||
<p>GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded
|
||||
networks.</p>
|
||||
|
||||
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
|
||||
Advanced Routing and Shaping HOWTO</a> work fine with Shorewall. Shorewall
|
||||
also includes a tunnel script for automating tunnel configuration. If you
|
||||
have installed the RPM, the tunnel script may be found in the Shorewall documentation
|
||||
directory (usually /usr/share/doc/shorewall-<version>/).</p>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">GRE and IPIP Tunnels<br>
|
||||
</h1>
|
||||
<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are
|
||||
insecure when used over the internet; use them at your own risk</h3>
|
||||
<p>GRE and IPIP tunneling with Shorewall can be used to bridge two
|
||||
masqueraded networks.</p>
|
||||
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
|
||||
Advanced Routing and Shaping HOWTO</a> work fine with Shorewall.
|
||||
Shorewall also includes a tunnel script for automating tunnel
|
||||
configuration. If you have installed the RPM, the tunnel script may be
|
||||
found in the Shorewall documentation directory (usually
|
||||
/usr/share/doc/shorewall-<version>/).</p>
|
||||
<h2>Bridging two Masqueraded Networks</h2>
|
||||
|
||||
<p>Suppose that we have the following situation:</p>
|
||||
|
||||
<p align="center"> <img border="0" src="images/TwoNets1.png" width="745"
|
||||
height="427">
|
||||
</p>
|
||||
|
||||
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
|
||||
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
|
||||
through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy
|
||||
file and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
|
||||
|
||||
<p align="left">The 'tunnel' script is not installed in /etc/shorewall by
|
||||
default -- If you install using the tarball, the script is included in the
|
||||
tarball; if you install using the RPM, the file is in your Shorewall documentation
|
||||
directory (normally /usr/share/doc/shorewall-<version>).</p>
|
||||
|
||||
<p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type'
|
||||
parameter to the type of tunnel that you want to create.</p>
|
||||
|
||||
<p align="center"> <img border="0" src="images/TwoNets1.png"
|
||||
width="745" height="427"> </p>
|
||||
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
|
||||
able to communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
accomplished through use of the /etc/shorewall/tunnels file, the
|
||||
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
|
||||
included with Shorewall.</p>
|
||||
<p align="left">The 'tunnel' script is not installed in /etc/shorewall
|
||||
by default -- If you install using the tarball, the script is included
|
||||
in the tarball; if you install using the RPM, the file is in your
|
||||
Shorewall documentation directory (normally
|
||||
/usr/share/doc/shorewall-<version>).</p>
|
||||
<p align="left">In the /etc/shorewall/tunnel script, set the
|
||||
'tunnel_type' parameter to the type of tunnel that you want to create.</p>
|
||||
<p align="left">Example:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p align="left">tunnel_type=gre</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">On each firewall, you will need to declare a zone to represent
|
||||
the remote subnet. We'll assume that this zone is called 'vpn' and declare
|
||||
it in /etc/shorewall/zones on both systems as follows.</p>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
<p align="left">On each firewall, you will need to declare a zone to
|
||||
represent the remote subnet. We'll assume that this zone is called
|
||||
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
|
||||
</blockquote>
|
||||
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
|
||||
zone.
|
||||
In /etc/shorewall/interfaces:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
@ -102,19 +75,17 @@ In /etc/shorewall/interfaces:</p>
|
||||
<td>vpn</td>
|
||||
<td>tosysb</td>
|
||||
<td>10.255.255.255</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the
|
||||
following:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
@ -124,34 +95,29 @@ In /etc/shorewall/interfaces:</p>
|
||||
<td>ipip</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP
|
||||
encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
|
||||
|
||||
</blockquote>
|
||||
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
|
||||
IP encapsulation protocol (4) will be accepted to/from the remote
|
||||
gateway.</p>
|
||||
<p>In the tunnel script on system A:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>tunnel=tosysb<br>
|
||||
myrealip=206.161.148.9 (for GRE tunnel only)<br>
|
||||
myip=192.168.1.1<br>
|
||||
hisip=10.0.0.1<br>
|
||||
gateway=134.28.54.2<br>
|
||||
subnet=10.0.0.0/8</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
|
||||
myrealip=206.161.148.9 (for GRE tunnel only)<br>
|
||||
myip=192.168.1.1<br>
|
||||
hisip=10.0.0.1<br>
|
||||
gateway=134.28.54.2<br>
|
||||
subnet=10.0.0.0/8</p>
|
||||
</blockquote>
|
||||
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
|
||||
zone. In /etc/shorewall/interfaces:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
@ -161,19 +127,16 @@ zone. In /etc/shorewall/interfaces:</p>
|
||||
<td>vpn</td>
|
||||
<td>tosysa</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<p>In /etc/shorewall/tunnels on system B, we have:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
@ -183,67 +146,59 @@ zone. In /etc/shorewall/interfaces:</p>
|
||||
<td>ipip</td>
|
||||
<td>net</td>
|
||||
<td>206.191.148.9</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<p>And in the tunnel script on system B:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>tunnel=tosysa<br>
|
||||
myrealip=134.28.54.2 (for GRE tunnel only)<br>
|
||||
myip=10.0.0.1<br>
|
||||
hisip=192.168.1.1<br>
|
||||
gateway=206.191.148.9<br>
|
||||
subnet=192.168.1.0/24</p>
|
||||
</blockquote>
|
||||
|
||||
<p>You can rename the modified tunnel scripts if you like; be sure that they
|
||||
are secured so that root can execute them. </p>
|
||||
|
||||
<p align="left"> You will need to allow traffic between the "vpn" zone and
|
||||
the "loc" zone on both systems -- if you simply want to admit all traffic
|
||||
in both directions, you can use the policy file:</p>
|
||||
|
||||
<blockquote>
|
||||
myrealip=134.28.54.2 (for GRE tunnel only)<br>
|
||||
myip=10.0.0.1<br>
|
||||
hisip=192.168.1.1<br>
|
||||
gateway=206.191.148.9<br>
|
||||
subnet=192.168.1.0/24</p>
|
||||
</blockquote>
|
||||
<p>You can rename the modified tunnel scripts if you like; be sure that
|
||||
they are secured so that root can execute them. </p>
|
||||
<p align="left"> You will need to allow traffic between the "vpn" zone
|
||||
and the "loc" zone on both systems -- if you simply want to admit all
|
||||
traffic in both directions, you can use the policy file:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>On both systems, restart Shorewall and run the modified tunnel script with
|
||||
the "start" argument on each system. The systems in the two masqueraded subnetworks
|
||||
</blockquote>
|
||||
<p>On both systems, restart Shorewall and run the modified tunnel
|
||||
script with
|
||||
the "start" argument on each system. The systems in the two masqueraded
|
||||
subnetworks
|
||||
can now talk to each other</p>
|
||||
|
||||
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -8,17 +8,8 @@
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">IPSEC Tunnels<br>
|
||||
</h1>
|
||||
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
|
||||
There is an excellent guide to configuring IPSEC tunnels at<a
|
||||
href="http://www.geocities.com/jixen66/">
|
||||
@ -34,10 +25,40 @@ to debug this problem so I can't say if it is a bug in the Kernel or in
|
||||
FreeS/Wan. </p>
|
||||
<p>You <b>might</b> be able to work around this problem using the
|
||||
following (I haven't tried it):</p>
|
||||
<p>In /etc/shorewall/init, include:</p>
|
||||
<p> qt service ipsec stop</p>
|
||||
<p>In /etc/shorewall/start, include:</p>
|
||||
<p> qt service ipsec start</p>
|
||||
<p style="margin-left: 40px;">In /etc/shorewall/init, include:</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p style="margin-left: 40px;"> qt service ipsec
|
||||
stop</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p style="margin-left: 40px;">In /etc/shorewall/start, include:</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p style="margin-left: 40px;"> qt service ipsec start<br>
|
||||
</p>
|
||||
<p>Also, the documentation below assumes that you have disabled
|
||||
opportunistic encryption feature in FreeS/Wan 2.0 using the following
|
||||
additional entries in ipsec.conf:<br>
|
||||
</p>
|
||||
<p style="margin-left: 40px;"><tt>conn block<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn private<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn private-or-clear<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn clear-or-private<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn clear<br>
|
||||
auto=ignore<br>
|
||||
<br>
|
||||
conn packetdefault<br>
|
||||
auto=ignore<br>
|
||||
</tt></p>
|
||||
For further information see <a
|
||||
href="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</a>.<tt><br>
|
||||
</tt>
|
||||
<h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
|
||||
<p>Suppose that we have the following sutuation:</p>
|
||||
<font color="#660066">
|
||||
@ -631,7 +652,7 @@ issue the command":<br>
|
||||
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
|
||||
</blockquote>
|
||||
and the 'down' part will:<br>
|
||||
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
|
||||
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2<br>
|
||||
<br>
|
||||
</blockquote>
|
||||
<h3>Limitations of Dynamic Zones</h3>
|
||||
@ -664,7 +685,7 @@ DESTINATION<br>
|
||||
<tr>
|
||||
<td valign="top">DNAT<br>
|
||||
</td>
|
||||
<td valign="top">z:dyn<br>
|
||||
<td valign="top">z!dyn<br>
|
||||
</td>
|
||||
<td valign="top">loc:192.168.1.3<br>
|
||||
</td>
|
||||
@ -682,7 +703,7 @@ DESTINATION<br>
|
||||
</blockquote>
|
||||
Dynamic changes to the zone <b>dyn</b> will have no effect on the
|
||||
above rule.
|
||||
<p><font size="2">Last updated 8/12//2003 - </font><font size="2"> <a
|
||||
<p><font size="2">Last updated 10/292003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
|
@ -1,221 +1,189 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Installation</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Installation and
|
||||
Upgrade</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall Installation and Upgrade<br>
|
||||
</h1>
|
||||
<p align="center"><b>Before upgrading, be sure to review the <a
|
||||
href="upgrade_issues.htm">Upgrade Issues<br>
|
||||
</a></b></p>
|
||||
|
||||
<div align="left"><b>Before attempting installation, I strongly urge you
|
||||
to read and print a copy of the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.</b><br>
|
||||
</div>
|
||||
|
||||
</a></b></p>
|
||||
<div align="left"><b>Before attempting installation, I strongly urge
|
||||
you
|
||||
to read and print a copy of the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.</b><br>
|
||||
</div>
|
||||
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
|
||||
<a href="#Install_Tarball">Install using tarball<br>
|
||||
</a><a href="#LRP">Install the .lrp</a><br>
|
||||
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
|
||||
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
|
||||
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
|
||||
<a href="#Config_Files">Configuring Shorewall</a><br>
|
||||
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
|
||||
|
||||
<a href="#Install_Tarball">Install using tarball<br>
|
||||
</a><a href="#LRP">Install the .lrp</a><br>
|
||||
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
|
||||
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
|
||||
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
|
||||
<a href="#Config_Files">Configuring Shorewall</a><br>
|
||||
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
|
||||
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
|
||||
|
||||
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
|
||||
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
|
||||
1.2.4 either from the <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
|
||||
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
|
||||
attempting to start Shorewall.</b></p>
|
||||
|
||||
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at
|
||||
a shell prompt, type "/sbin/iptables --version"), you must upgrade to
|
||||
version 1.2.4 either from the <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat
|
||||
update site</a> or from the <a href="errata.htm">Shorewall Errata page</a>
|
||||
before attempting to start Shorewall.</b></p>
|
||||
<ul>
|
||||
<li>Install the RPM (rpm -ivh <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note1: </b>Some SuSE users have encountered a problem whereby
|
||||
rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel
|
||||
is installed. If this happens, simply use the --nodeps option to rpm
|
||||
(rpm -ivh --nodeps <shorewall rpm>.<br>
|
||||
<br>
|
||||
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
|
||||
on the iproute package. Unfortunately, some distributions call this package
|
||||
iproute2 which will cause the installation of Shorewall to fail with the
|
||||
diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by shorewall-1.4.x-1
|
||||
<br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm -ivh
|
||||
--nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a>
|
||||
to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
|
||||
<u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
|
||||
COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
|
||||
IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
|
||||
SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE
|
||||
A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
|
||||
<li>Install the RPM (rpm -ivh <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note1: </b>Some SuSE users have encountered a problem
|
||||
whereby rpm reports a conflict with kernel <= 2.2 even though a 2.4
|
||||
kernel is installed. If this happens, simply use the --nodeps option to
|
||||
rpm (rpm -ivh --nodeps <shorewall rpm>.<br>
|
||||
<br>
|
||||
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is
|
||||
dependent on the iproute package. Unfortunately, some distributions
|
||||
call this package iproute2 which will cause the installation of
|
||||
Shorewall to fail with the diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by
|
||||
shorewall-1.4.x-1 <br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm -ivh
|
||||
--nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to
|
||||
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
|
||||
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
|
||||
COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
|
||||
IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
|
||||
SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
|
||||
ISSUE
|
||||
A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
</ul>
|
||||
|
||||
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
|
||||
and install script: </p>
|
||||
|
||||
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
|
||||
and install script: </p>
|
||||
<ul>
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in
|
||||
the directory name as in "shorewall-1.1.10").</li>
|
||||
<li>If you are using <a
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-1.1.10").</li>
|
||||
<li>If you are using <a
|
||||
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.linux-mandrake.com">Mandrake</a>, <a
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using <a href="http://www.suse.com">SuSe</a>
|
||||
then type "./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d
|
||||
or /etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your
|
||||
distribution installs init scripts and type "./install.sh
|
||||
<init script directory></li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a>
|
||||
to match your configuration.</li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
<li>If the install script was unable to configure Shorewall
|
||||
to be started automatically at boot, see <a
|
||||
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
|
||||
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using <a href="http://www.suse.com">SuSe</a>
|
||||
then type "./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d or
|
||||
/etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script
|
||||
directory></li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to
|
||||
match your configuration.</li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
<li>If the install script was unable to configure Shorewall
|
||||
to be started automatically at boot, see <a
|
||||
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
|
||||
</ul>
|
||||
|
||||
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
|
||||
disk, simply replace the "shorwall.lrp" file on the image with the file
|
||||
that you downloaded. See the <a href="two-interface.htm">two-interface
|
||||
QuickStart Guide</a> for information about further steps required.</p>
|
||||
|
||||
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
|
||||
and are upgrading to a new version:</p>
|
||||
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an entry
|
||||
for each interface mentioned in the hosts file. Also, there are certain
|
||||
1.2 rule forms that are no longer supported under 1.4 (you must use the
|
||||
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
|
||||
details.</p>
|
||||
|
||||
<p><a name="LRP"></a>To install my version of Shorewall on a fresh
|
||||
Bering disk, simply replace the "shorwall.lrp" file on the image with
|
||||
the file that you downloaded. See the <a href="two-interface.htm">two-interface
|
||||
QuickStart Guide</a> for information about further steps required.</p>
|
||||
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM
|
||||
installed and are upgrading to a new version:</p>
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
|
||||
version or
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an
|
||||
entry for each interface mentioned in the hosts file. Also, there are
|
||||
certain 1.2 rule forms that are no longer supported under 1.4 (you must
|
||||
use the new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade
|
||||
issues </a>for details.</p>
|
||||
<ul>
|
||||
<li>Upgrade the RPM (rpm -Uvh <shorewall rpm file>) <b>Note:
|
||||
</b>If you are installing version 1.2.0 and have one of the 1.2.0
|
||||
Beta RPMs installed, you must use the "--oldpackage" option to rpm
|
||||
(e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
|
||||
|
||||
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
|
||||
rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel
|
||||
is installed. If this happens, simply use the --nodeps option to rpm
|
||||
(rpm -Uvh --nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
|
||||
on the iproute package. Unfortunately, some distributions call this package
|
||||
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by shorewall-1.4.0-1
|
||||
<br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm
|
||||
-Uvh --nodeps <shorewall rpm>). </p>
|
||||
</li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall (shorewall restart).</li>
|
||||
|
||||
<li>Upgrade the RPM (rpm -Uvh <shorewall rpm file>) <b>Note: </b>If
|
||||
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
|
||||
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
|
||||
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
|
||||
<p> <b>Note1: </b>Some SuSE users have encountered a problem
|
||||
whereby rpm reports a conflict with kernel <= 2.2 even though a 2.4
|
||||
kernel is installed. If this happens, simply use the --nodeps option to
|
||||
rpm (rpm -Uvh --nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is
|
||||
dependent on the iproute package. Unfortunately, some distributions
|
||||
call this package iproute2 which will cause the upgrade of Shorewall to
|
||||
fail with the diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by
|
||||
shorewall-1.4.0-1 <br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm
|
||||
-Uvh --nodeps <shorewall rpm>). </p>
|
||||
</li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall (shorewall restart).</li>
|
||||
</ul>
|
||||
|
||||
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
|
||||
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall
|
||||
installed
|
||||
and are upgrading to a new version using the tarball:</p>
|
||||
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an entry
|
||||
for each interface mentioned in the hosts file. Also, there are certain
|
||||
1.2 rule forms that are no longer supported under 1.4 (you must use the
|
||||
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
|
||||
version
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an
|
||||
entry
|
||||
for each interface mentioned in the hosts file. Also, there are
|
||||
certain
|
||||
1.2 rule forms that are no longer supported under 1.4 (you must use the
|
||||
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
|
||||
for details. </p>
|
||||
|
||||
<ul>
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in
|
||||
the directory name as in "shorewall-3.0.1").</li>
|
||||
<li>If you are using <a
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-3.0.1").</li>
|
||||
<li>If you are using <a
|
||||
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.linux-mandrake.com">Mandrake</a>, <a
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using<a href="http://www.suse.com"> SuSe</a>
|
||||
then type "./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d
|
||||
or /etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your
|
||||
distribution installs init scripts and type "./install.sh
|
||||
<init script directory></li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall by typing "shorewall restart"</li>
|
||||
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using<a href="http://www.suse.com"> SuSe</a>
|
||||
then type "./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d or
|
||||
/etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script
|
||||
directory></li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall by typing "shorewall restart"</li>
|
||||
</ul>
|
||||
<a name="LRP_Upgrade"></a>If you already have a running
|
||||
Bering installation and wish to upgrade to a later version of Shorewall:<br>
|
||||
<br>
|
||||
<b>UNDER CONSTRUCTION...</b><br>
|
||||
|
||||
<a name="LRP_Upgrade"></a>If you already have a running
|
||||
Bering installation and wish to upgrade to a later version of Shorewall:<br>
|
||||
<br>
|
||||
<b>UNDER CONSTRUCTION...</b><br>
|
||||
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
|
||||
|
||||
<p>You will need to edit some or all of the configuration files to match your
|
||||
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
|
||||
QuickStart Guides</a> contain all of the information you need.</p>
|
||||
|
||||
<p>You will need to edit some or all of the configuration files to
|
||||
match your setup. In most cases, the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
|
||||
contain all of the information you need.</p>
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,123 +2,103 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>MAC Verification</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">MAC Verification</font><br>
|
||||
</h1>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
All traffic from an interface or from a subnet on an interface
|
||||
can be verified to originate from a defined set of MAC addresses. Furthermore,
|
||||
each MAC address may be optionally associated with one or more IP addresses.
|
||||
<br>
|
||||
<br>
|
||||
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
|
||||
- module name ipt_mac.o).</b><br>
|
||||
<br>
|
||||
There are four components to this facility.<br>
|
||||
|
||||
<body>
|
||||
<br>
|
||||
<h1 style="text-align: center;">MAC Verification<br>
|
||||
</h1>
|
||||
All traffic from an interface or from a subnet on an interface can be
|
||||
verified to originate from a defined set of MAC addresses. Furthermore,
|
||||
each MAC address may be optionally associated with one or more IP
|
||||
addresses. <br>
|
||||
<br>
|
||||
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
|
||||
module name ipt_mac.o).</b><br>
|
||||
<br>
|
||||
There are four components to this facility.<br>
|
||||
<ol>
|
||||
<li>The <b>maclist</b> interface option in <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
|
||||
this option is specified, all traffic arriving on the interface is subjet
|
||||
<li>The <b>maclist</b> interface option in <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
When
|
||||
this option is specified, all traffic arriving on the interface is
|
||||
subjet
|
||||
to MAC verification.</li>
|
||||
<li>The <b>maclist </b>option in <a
|
||||
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
|
||||
is specified for a subnet, all traffic from that subnet is subject to
|
||||
MAC verification.</li>
|
||||
<li>The /etc/shorewall/maclist file. This file is used to associate
|
||||
MAC addresses with interfaces and to optionally associate IP addresses
|
||||
with MAC addresses.</li>
|
||||
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL
|
||||
</b>variables in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
|
||||
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
|
||||
and determines the disposition of connection requests that fail MAC verification.
|
||||
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
|
||||
requests that fail verification are to be logged. If set the the empty
|
||||
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
|
||||
not logged.<br>
|
||||
</li>
|
||||
|
||||
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
|
||||
When this option is specified for a subnet, all traffic from that
|
||||
subnet is subject to
|
||||
MAC verification.</li>
|
||||
<li>The /etc/shorewall/maclist file. This file is used to associate
|
||||
MAC addresses with interfaces and to optionally associate IP addresses
|
||||
with MAC addresses.</li>
|
||||
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
|
||||
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
|
||||
and determines the disposition of connection requests that fail MAC
|
||||
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
|
||||
which connection requests that fail verification are to be logged. If
|
||||
set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
|
||||
connection requests are not logged.<br>
|
||||
</li>
|
||||
</ol>
|
||||
The columns in /etc/shorewall/maclist are:<br>
|
||||
|
||||
The columns in /etc/shorewall/maclist are:<br>
|
||||
<ul>
|
||||
<li>INTERFACE - The name of an ethernet interface on the Shorewall
|
||||
system.</li>
|
||||
<li>MAC - The MAC address of a device on the ethernet segment
|
||||
connected by INTERFACE. It is not necessary to use the Shorewall MAC
|
||||
format in this column although you may use that format if you so choose.</li>
|
||||
<li>IP Address - An optional comma-separated list of IP addresses
|
||||
for the device whose MAC is listed in the MAC column.</li>
|
||||
|
||||
<li>INTERFACE - The name of an ethernet interface on the Shorewall
|
||||
system.</li>
|
||||
<li>MAC - The MAC address of a device on the ethernet segment
|
||||
connected by INTERFACE. It is not necessary to use the Shorewall MAC
|
||||
format in this column although you may use that format if you so choose.</li>
|
||||
<li>IP Address - An optional comma-separated list of IP addresses for
|
||||
the device whose MAC is listed in the MAC column.</li>
|
||||
</ul>
|
||||
|
||||
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for
|
||||
details about my setup):</h3>
|
||||
<b>/etc/shorewall/shorewall.conf:<br>
|
||||
</b>
|
||||
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
|
||||
for details about my setup):</h3>
|
||||
<b>/etc/shorewall/shorewall.conf:<br>
|
||||
</b>
|
||||
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
|
||||
<b>/etc/shorewall/interfaces:</b><br>
|
||||
|
||||
<blockquote>
|
||||
<b>/etc/shorewall/interfaces:</b><br>
|
||||
<blockquote>
|
||||
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>WiFi eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
|
||||
</blockquote>
|
||||
<b>/etc/shorewall/maclist:</b><br>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
<b>/etc/shorewall/maclist:</b><br>
|
||||
<blockquote>
|
||||
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
|
||||
</blockquote>
|
||||
As shown above, I use MAC Verification on my wireless zone.<br>
|
||||
<br>
|
||||
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like
|
||||
a wireless router with DHCP relay. When forwarding DHCP traffic, it uses the
|
||||
MAC address of the host (TIPPER) but for other forwarded traffic it uses it's
|
||||
own MAC address. Consequently, I list the IP addresses of both devices in
|
||||
</blockquote>
|
||||
As shown above, I use MAC Verification on my wireless zone.<br>
|
||||
<br>
|
||||
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
|
||||
like a wireless router with DHCP relay. When forwarding DHCP traffic,
|
||||
it uses the
|
||||
MAC address of the host (TIPPER) but for other forwarded traffic it
|
||||
uses it's
|
||||
own MAC address. Consequently, I list the IP addresses of both devices
|
||||
in
|
||||
/etc/shorewall/maclist.<br>
|
||||
|
||||
<h3>Example 2: Router in Wireless Zone</h3>
|
||||
Suppose now that I add a second wireless segment to my wireless
|
||||
zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
|
||||
and IP address 192.168.3.253. Hosts in the second segment have IP addresses
|
||||
in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
|
||||
file:<br>
|
||||
|
||||
Suppose now that I add a second wireless segment to my wireless zone
|
||||
and gateway that segment via a router with MAC address
|
||||
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
|
||||
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
|
||||
following entry to my /etc/shorewall/maclist file:<br>
|
||||
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
|
||||
This entry accomodates traffic from the router itself (192.168.3.253)
|
||||
and from the second wireless segment (192.168.4.0/24). Remember that
|
||||
all traffic being sent to my firewall from the 192.168.4.0/24 segment
|
||||
will be forwarded by the router so that traffic's MAC address will be
|
||||
that of the router (00:06:43:45:C6:15) and not that of the host sending
|
||||
the traffic.
|
||||
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> ©
|
||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
This entry accomodates traffic from the router itself (192.168.3.253)
|
||||
and from the second wireless segment (192.168.4.0/24). Remember that
|
||||
all traffic being sent to my firewall from the 192.168.4.0/24 segment
|
||||
will be forwarded by the router so that traffic's MAC address will be
|
||||
that of the router (00:06:43:45:C6:15) and not that of the host sending
|
||||
the traffic.
|
||||
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
551
Shorewall-docs/Multiple_Zones.html
Executable file
551
Shorewall-docs/Multiple_Zones.html
Executable file
@ -0,0 +1,551 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Multiple Zones per Interface</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<h2></h2>
|
||||
<blockquote> </blockquote>
|
||||
<h1 style="text-align: center;">Multiple Zones per Interface<br>
|
||||
</h1>
|
||||
While most configurations can be handled with each of the firewall's
|
||||
network interfaces assigned to a single zone, there are cases where you
|
||||
will want to divide the hosts accessed through an interface between two
|
||||
or more zones.<br>
|
||||
<ol>
|
||||
<li>The interface has multiple addresses on multiple subnetworks.
|
||||
This case is covered in the <a
|
||||
href="Shorewall_and_Aliased_Interfaces.html">Aliased Interface
|
||||
documentation</a>.</li>
|
||||
<li>You are using some form of NAT and want to access a server by its
|
||||
external IP address from the same LAN segment. This is covered in <a
|
||||
href="FAQ.htm#faq2">FAQs 2 and 2a</a>.<br>
|
||||
</li>
|
||||
<li>There are routers accessible through the interface and you want
|
||||
to treat the networks accessed through that router as a separate zone.</li>
|
||||
<li>Some of the hosts accessed through an interface have
|
||||
significantly different firewalling requirements from the others so you
|
||||
want to assign them to a different zone.</li>
|
||||
</ol>
|
||||
The key points to keep in mind when setting up multiple zones per
|
||||
interface are:<br>
|
||||
<ul>
|
||||
<li>Shorewall generates rules for zones in the order that the zone
|
||||
declarations appear in /etc/shorewall/zones.</li>
|
||||
<li>The order of entries in /etc/shorewall/hosts is immaterial as far
|
||||
as the generated ruleset is concerned.</li>
|
||||
</ul>
|
||||
<span style="font-weight: bold;">These examples use the local zone but
|
||||
the same technique works for any zone. </span>Remember that Shorewall
|
||||
doesn't have any conceptual knowledge of "Internet", "Local", or "DMZ"
|
||||
so all zones except the firewall itself ($FW) are the same as far as
|
||||
Shorewall is concerned. Also, the examples use private (RFC 1918)
|
||||
addresses but public IP addresses can be used in exactly the same way.<br>
|
||||
<h2>Router in the Local Zone<br>
|
||||
</h2>
|
||||
Here is an example of a router in the local zone. Note that <span
|
||||
style="font-weight: bold;">the box called "Router" could be a VPN
|
||||
server</span> or other such device; from the point of view of this
|
||||
discussion, it makes no difference.<br>
|
||||
<br>
|
||||
<div style="text-align: center;"><img src="images/MultiZone1.png"
|
||||
title="" alt="(Firewall connected to Internal Router)"
|
||||
style="width: 556px; height: 335px;"><br>
|
||||
</div>
|
||||
<blockquote>
|
||||
<p> </p>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<h3>Can You Use the Standard Configuration?<br>
|
||||
</h3>
|
||||
In many cases, the <a href="two-interface.htm">standard two-interface
|
||||
Shorewall setup</a> will work fine in this configuration. It will
|
||||
work if:<br>
|
||||
<ul>
|
||||
<li>The firewall requirements to/from the internet are the same for
|
||||
192.168.1.0/24 and 192.168.2.0/24.</li>
|
||||
<li>The hosts in 192.168.1.0/24 know that the route to 192.168.2.0/24
|
||||
is through the <span style="font-weight: bold;">router.</span></li>
|
||||
</ul>
|
||||
All you have to do on the firewall is add a route to 192.168.2.0/24
|
||||
through the <span style="font-weight: bold;">router</span> and restart
|
||||
Shorewall.<br>
|
||||
<h3>Will One Zone be Enough?</h3>
|
||||
If the firewalling requirements for the two local networks is the same
|
||||
but the hosts in 192.168.1.0/24 don't know how to route to
|
||||
192.168.2.0/24 then you need to configure the firewall slightly
|
||||
differently. This type of configuration is rather stupid from an IP
|
||||
networking point of view but it is sometimes necessary because you
|
||||
simply don't want to have to reconfigure all of the hosts in
|
||||
192.168.1.0/24 to add a persistent route to 192.168.2.0/24. On the
|
||||
firewall:<br>
|
||||
<ul>
|
||||
<li>Add a route to 192.168.2.0/24 through the <span
|
||||
style="font-weight: bold;">Router.</span></li>
|
||||
<li>Set the 'routeback' and 'newnotsyn' options for eth1 (the local
|
||||
firewall interface) in /etc/shorewall/interfaces.</li>
|
||||
<li>Restart Shorewall.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>I Need Separate Zones</h3>
|
||||
If you need to make 192.168.2.0/24 into it's own zone, you can do it
|
||||
one of two ways; Nested Zones or Parallel Zones.<br>
|
||||
<h4>Nested Zones:</h4>
|
||||
You can define one zone (called it 'loc') as being all hosts connectied
|
||||
to eth1 and a second zone 'loc1' (192.168.2.0/24) as a sub-zone.<br>
|
||||
<br>
|
||||
<div style="text-align: center;"><img src="images/MultiZone1A.png"
|
||||
title="" alt="" style="width: 607px; height: 415px;"><br>
|
||||
</div>
|
||||
<br>
|
||||
The advantage of this approach is that the zone 'loc1' can use CONTINUE
|
||||
policies such that if a connection request doesn't match a 'loc1' rule,
|
||||
it will be matched against the 'loc' rules. For example, if your
|
||||
loc1->net policy is CONTINUE then if a connection request from loc1
|
||||
to the internet doesn't match any rules for loc1->net then it will
|
||||
be checked against the loc->net rules.<br>
|
||||
<br>
|
||||
/etc/shorewall/zones:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Local2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Hosts access through internal
|
||||
router<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Local<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">All hosts accessed via eth1<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Note that the sub-zone (loc1) is defined first!<br>
|
||||
<br>
|
||||
</div>
|
||||
/etc/shorewall/interfaces<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellspacing="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">eth1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">192.168.1.255<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">...<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</div>
|
||||
/etc/shorewall/hosts<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">HOSTS<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">eth1:192.168.2.0/24<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<br>
|
||||
If you don't need Shorewall to set up infrastructure to route traffic
|
||||
between 'loc' and 'loc1', add these two policies:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">SOURCE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">DEST<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">POLICY<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">LOG<br>
|
||||
LEVEL<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">loc1</td>
|
||||
<td style="vertical-align: top;">NONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">NONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"> <br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<h4>Parallel Zones:</h4>
|
||||
You define both zones in the /etc/shorewall/hosts file to create two
|
||||
disjoint zones.<br>
|
||||
<br>
|
||||
<div style="text-align: center;"><img src="images/MultiZone1B.png"
|
||||
title="" alt="" style="width: 588px; height: 415px;"><br>
|
||||
</div>
|
||||
<br>
|
||||
/etc/shorewall/zones:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Local1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Hosts accessed Directly from
|
||||
Firewall<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Local2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Hosts accessed via internal
|
||||
Router<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Here it doesn't matter which zone is defined first.<br>
|
||||
<br>
|
||||
</div>
|
||||
/etc/shorewall/interfaces<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellspacing="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">-<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">eth1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">192.168.1.255<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">...<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</div>
|
||||
/etc/shorewall/hosts<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">HOSTS<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">eth1:192.168.1.0/24<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">eth1:192.168.2.0/24<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<br>
|
||||
If you don't need Shorewall to set up infrastructure to route traffic
|
||||
between 'loc' and 'loc1', add these two policies:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">SOURCE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">DEST<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">POLICY<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">LOG<br>
|
||||
LEVEL<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">loc1</td>
|
||||
<td style="vertical-align: top;">NONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">NONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"> <br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<h2>Some Hosts have Special Firewalling Requirements</h2>
|
||||
There are cases where a subset of the addresses associated with an
|
||||
interface need special handling. Here's an example.<br>
|
||||
<br>
|
||||
<div style="text-align: center;"><img src="images/MultiZone2.png"
|
||||
title="" alt="" style="height: 252px; width: 631px;"><br>
|
||||
</div>
|
||||
<br>
|
||||
In this example, addresses 192.168.1.8 - 192.168.1.15 (192.168.1.8/29)
|
||||
are to be treated as their own zone (loc1).<br>
|
||||
<br>
|
||||
/etc/shorewall/zones:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">DISPLAY<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">COMMENTS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Local2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">192.168.1.8 - 192.168.1.15<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Local<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">All hosts accessed via eth1<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Note that the sub-zone (loc1) is defined first!<br>
|
||||
<br>
|
||||
</div>
|
||||
/etc/shorewall/interfaces<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellspacing="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">INTERFACE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">BROADCAST<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">eth1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">192.168.1.255<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">...<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</div>
|
||||
/etc/shorewall/hosts<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">ZONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">HOSTS<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">OPTIONS<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">eth1:192.168.1.8/29<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<br>
|
||||
You probably don't want Shorewall to set up infrastructure to route
|
||||
traffic
|
||||
between 'loc' and 'loc1' so you should add these two policies:<br>
|
||||
<div style="margin-left: 40px;"><br>
|
||||
<table cellpadding="2" border="1" style="text-align: left;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="vertical-align: top; font-weight: bold;">SOURCE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">DEST<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">POLICY<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">LOG<br>
|
||||
LEVEL<br>
|
||||
</td>
|
||||
<td style="vertical-align: top; font-weight: bold;">RATE:BURST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">loc1</td>
|
||||
<td style="vertical-align: top;">NONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">loc1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">loc<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">NONE<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</div>
|
||||
<p><font size="2">Last updated 11/21/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
</body>
|
||||
</html>
|
@ -1,119 +1,107 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall NAT</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Static Nat</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<body>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
|
||||
ports to servers behind your firewall, you do NOT want to use static
|
||||
NAT. Port forwarding can be accomplished with simple entries in the
|
||||
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
|
||||
<blockquote> </blockquote>
|
||||
<p>Static NAT is a way to make systems behind a firewall and configured
|
||||
with private IP addresses (those reserved for private use in RFC1918)
|
||||
appear to have public IP addresses. Before you try to use this technique,
|
||||
I strongly recommend that you read the <a
|
||||
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
|
||||
<blockquote> </blockquote>
|
||||
<p>The following figure represents a static NAT environment.</p>
|
||||
<blockquote>
|
||||
<p align="center"><strong> <img src="images/staticnat.png"
|
||||
width="435" height="397">
|
||||
</strong></p>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
</blockquote>
|
||||
<p align="left">Static NAT can be used to make the systems with the 10.1.1.*
|
||||
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
|
||||
that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
|
||||
file would make the lower left-hand system appear to have IP address
|
||||
130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>INTERNAL</b></td>
|
||||
<td><b>ALL INTERFACES</b></td>
|
||||
<td><b>LOCAL</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.2</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.3</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
|
||||
example) is (are) not included in any specification in /etc/shorewall/masq
|
||||
or /etc/shorewall/proxyarp.</p>
|
||||
|
||||
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
|
||||
to specify whether access to the external IP from all firewall interfaces
|
||||
should undergo NAT (Yes or yes) or if only access from the interface in
|
||||
the INTERFACE column should undergo NAT. If you leave this column empty,
|
||||
"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
|
||||
|
||||
<p>Note 2: Shorewall will automatically add the external address to the
|
||||
specified interface unless you specify <a
|
||||
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
|
||||
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
|
||||
if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
|
||||
<b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
|
||||
external addresses to an interface that is configured with a single subnetwork
|
||||
-- if your external interface has addresses in more than one subnetwork,
|
||||
Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
|
||||
|
||||
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
|
||||
determine whether packets originating on the firewall itself and destined
|
||||
for the EXTERNAL address are redirected to the internal ADDRESS. If
|
||||
this column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN
|
||||
also contains "Yes" or "yes") then such packets are redirected; otherwise,
|
||||
such packets are not redirected. The LOCAL column was added in version
|
||||
1.1.8.</p>
|
||||
|
||||
<h1 style="text-align: center;">One-to-one NAT<br>
|
||||
</h1>
|
||||
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
|
||||
ports to servers behind your firewall, you do NOT want to use
|
||||
one-to-one NAT. Port forwarding can be accomplished with simple entries
|
||||
in the <a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
|
||||
<p>One-to-one NAT is a way to make systems behind a firewall and
|
||||
configured
|
||||
with private IP addresses (those reserved for private use in RFC 1918)
|
||||
appear to have public IP addresses. Before you try to use this
|
||||
technique, I strongly recommend that you read the <a
|
||||
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
|
||||
<blockquote> </blockquote>
|
||||
<p>The following figure represents a one-to-one NAT environment.</p>
|
||||
<blockquote>
|
||||
<p align="center"><strong> <img src="images/staticnat.png"
|
||||
style="width: 456px; height: 397px;" title="" alt=""> </strong></p>
|
||||
<blockquote> </blockquote>
|
||||
</blockquote>
|
||||
<p align="left">One-to-one NAT can be used to make the systems with the
|
||||
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
|
||||
we assume that the interface to the upper subnet is eth0, then the
|
||||
following /etc/shorewall/NAT file would make the lower left-hand system
|
||||
appear to have IP address 130.252.100.18 and the right-hand one to have
|
||||
IP address 130.252.100.19.</p>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>INTERNAL</b></td>
|
||||
<td><b>ALL INTERFACES</b></td>
|
||||
<td><b>LOCAL</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.2</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.3</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
|
||||
above example) is (are) not included in any specification in
|
||||
/etc/shorewall/masq or /etc/shorewall/proxyarp.</p>
|
||||
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is
|
||||
used to specify whether access to the external IP from all firewall
|
||||
interfaces should undergo NAT (Yes or yes) or if only access from the
|
||||
interface in the INTERFACE column should undergo NAT. If you leave this
|
||||
column empty, "Yes" is assumed. The ALL INTERFACES column was
|
||||
added in version 1.1.6. <span style="font-weight: bold;">Specifying
|
||||
"Yes" in this column will </span><span
|
||||
style="text-decoration: underline; font-weight: bold;">not</span><span
|
||||
style="font-weight: bold;"> allow systems on the lower LAN to access
|
||||
each other using their public IP addresses.</span> For example, the
|
||||
lower left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and
|
||||
expect to be connected to the lower right-hand system. <a
|
||||
href="FAQ.htm#faq2a">See FAQ 2a</a>.<br>
|
||||
</p>
|
||||
<p>Note 2: Shorewall will automatically add the external address to the
|
||||
specified interface unless you specify <a
|
||||
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
|
||||
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
|
||||
if you set it to "Yes" or "yes" then you must NOT configure your own
|
||||
alias(es). <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6
|
||||
can only add external addresses to an interface that is configured with
|
||||
a single subnetwork -- if your external interface has addresses in more
|
||||
than one subnetwork,
|
||||
Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
|
||||
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"
|
||||
column determine whether packets originating on the firewall itself and
|
||||
destined for the EXTERNAL address are redirected to the internal
|
||||
ADDRESS. If this column contains "yes" or "Yes" (and the ALL INTERFACES
|
||||
COLUMN
|
||||
also contains "Yes" or "yes") then such packets are redirected;
|
||||
otherwise,
|
||||
such packets are not redirected. The LOCAL column was added in version
|
||||
1.1.8.</p>
|
||||
<blockquote> </blockquote>
|
||||
<p><font size="2">Last updated 11/222003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
104
Shorewall-docs/NetfilterOverview.html
Executable file
104
Shorewall-docs/NetfilterOverview.html
Executable file
@ -0,0 +1,104 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Netfilter Overview</title>
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<p align="left"><font size="2"><big></big></font></p>
|
||||
<h1 style="text-align: center;">Netfilter Overview<br>
|
||||
</h1>
|
||||
Netfilter consists of three <span style="font-style: italic;">tables: </span><span
|
||||
style="font-weight: bold;">Filter, Nat </span>and <span
|
||||
style="font-weight: bold;">Mangle</span>. Each table has a number of
|
||||
build-in <span style="font-style: italic;">chains: </span><span
|
||||
style="font-weight: bold;"><span style="font-weight: bold;">PREROUTING,
|
||||
INPUT, FORWARD, OUTPUT </span></span>and <span
|
||||
style="font-weight: bold;">POSTROUTING.<br>
|
||||
<br>
|
||||
</span>Rules in the various tables are used as follows:<br>
|
||||
<ul>
|
||||
<li><span style="font-weight: bold;">Filter: </span>Packet filtering
|
||||
(rejecting, dropping or accepting packets)</li>
|
||||
<li><span style="font-weight: bold;">Nat: </span>Network Address
|
||||
Translation including DNAT, SNAT and Masquerading</li>
|
||||
<li><span style="font-weight: bold;">Mangle:</span> General packet
|
||||
header modification such as setting the TOS value or marking packets
|
||||
for policy routing and traffic shaping.<br>
|
||||
</li>
|
||||
</ul>
|
||||
The following diagram shows how packets traverse the various builtin
|
||||
chains within Netfilter. Note that not all table/chain combinations are
|
||||
used.<br>
|
||||
<br>
|
||||
<div style="text-align: center;"><img src="images/Netfilter.png"
|
||||
title="" alt="(Netfilter Flow Diagram)"
|
||||
style="width: 541px; height: 826px;"><br>
|
||||
<br>
|
||||
<div style="text-align: left;"><br>
|
||||
"Local Process" means a process running on the Shorewall system itself.<br>
|
||||
<br>
|
||||
In the above diagram are boxes similar to this:<br>
|
||||
<br>
|
||||
<img src="images/Legend.png" title="" alt="(Diagram Legend)"
|
||||
style="width: 145px; height: 97px;"><br>
|
||||
<br>
|
||||
The above box gives the name of the built-in <span
|
||||
style="font-style: italic;">chain </span>(<span
|
||||
style="font-weight: bold;">INPUT</span>) along with the names of the <span
|
||||
style="font-style: italic;">tables </span>(<span
|
||||
style="font-weight: bold;">Mangle </span>and <span
|
||||
style="font-weight: bold;">Filter</span>) that the chain exists in and
|
||||
in the order that the chains are traversed. The above sample indicates
|
||||
that packets go first through the <span style="font-weight: bold;">INPUT</span>
|
||||
chain of the <span style="font-weight: bold;">Mangle </span>table
|
||||
then
|
||||
through the <span style="font-weight: bold;">INPUT</span> chain of the
|
||||
<span style="font-weight: bold;">Filter </span>table. When a chain is
|
||||
enclosed in parentheses, Shorewall does not use the named chain (<span
|
||||
style="font-weight: bold;">INPUT)</span> in that table <span
|
||||
style="font-weight: bold;">(Mangle)</span>.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">IMPORTANT: </span>Keep in mind that
|
||||
chains in the <span style="font-weight: bold;">Nat</span> table are <span
|
||||
style="text-decoration: underline;">only traversed for new connection
|
||||
requests</span> (including those related to existing connections) while
|
||||
the chains in the other tables are traversed on every packet.<br>
|
||||
<br>
|
||||
The above diagram should help you understand the output of "shorewall
|
||||
status".<br>
|
||||
<br>
|
||||
Here are some excerpts from "shorewall status" on a server with one
|
||||
interface (eth0):<br>
|
||||
<br>
|
||||
<pre style="margin-left: 40px;">[root@lists html]# shorewall status<br> <br>Shorewall-1.4.7 Status at lists.shorewall.net - Mon Oct 13 12:51:13 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br><br></pre>
|
||||
The first table shown is the <span style="font-weight: bold;">Filter </span>table.<br>
|
||||
<pre style="margin-left: 40px;"> <br>Chain INPUT (policy DROP 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> 679K 182M ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0<br> 785K 93M accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br></pre>
|
||||
The following rule indicates that all traffic destined for the firewall
|
||||
that comes into the firewall on eth0 is passed to a chain called
|
||||
"eth0_in". That chain will be shown further down.<br>
|
||||
<pre style="margin-left: 40px;"> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:INPUT:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain FORWARD (policy DROP 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> 0 0 accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br> 0 0 eth0_fwd all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:FORWARD:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain OUTPUT (policy DROP 1 packets, 60 bytes)<br> pkts bytes target prot opt in out source destination<br> 679K 182M ACCEPT all -- * lo 0.0.0.0/0 0.0.0.0/0<br> 922K 618M accounting all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 DROP !icmp -- * * 0.0.0.0/0 0.0.0.0/0 state INVALID<br> 922K 618M fw2net all -- * eth0 0.0.0.0/0 0.0.0.0/0<br> 0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0<br> 0 0 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 LOG flags 0 level 6 prefix `Shorewall:OUTPUT:REJECT:'<br> 0 0 reject all -- * * 0.0.0.0/0 0.0.0.0/0<br></pre>
|
||||
Here is the eth0_in chain:<br>
|
||||
<pre style="margin-left: 40px;">Chain eth0_in (1 references)<br> pkts bytes target prot opt in out source destination<br> 785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0<br> 785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0<br></pre>
|
||||
The "dynamic" chain above is where dynamic blacklisting is done.<br>
|
||||
<br>
|
||||
Next comes the <span style="font-weight: bold;">Nat </span>table:<br>
|
||||
<pre style="margin-left: 40px;">NAT Table<br> <br>Chain PREROUTING (policy ACCEPT 182K packets, 12M bytes)<br> pkts bytes target prot opt in out source destination<br>20005 1314K net_dnat all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain OUTPUT (policy ACCEPT 678K packets, 44M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain net_dnat (1 references)<br> pkts bytes target prot opt in out source destination<br> 638 32968 REDIRECT tcp -- * * 0.0.0.0/0 !206.124.146.177 tcp dpt:80 redir ports 3128<br></pre>
|
||||
And finally, the <span style="font-weight: bold;">Mangle </span>table: <br>
|
||||
<pre style="margin-left: 40px;">Mangle Table<br> <br>Chain PREROUTING (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target prot opt in out source destination<br>1464K 275M pretos all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain INPUT (policy ACCEPT 14M packets, 2403M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain OUTPUT (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target prot opt in out source destination<br>1601K 800M outtos all -- * * 0.0.0.0/0 0.0.0.0/0<br> <br>Chain POSTROUTING (policy ACCEPT 15M packets, 7188M bytes)<br> pkts bytes target prot opt in out source destination<br> <br>Chain outtos (1 references)<br> pkts bytes target prot opt in out source destination<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10<br> 315K 311M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10<br> 683 59143 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10<br> 3667 5357K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08<br> <br>Chain pretos (1 references)<br> pkts bytes target prot opt in out source destination<br> 271K 15M TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:22 TOS set 0x10<br> 730 41538 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:21 TOS set 0x10<br> 0 0 TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp spt:20 TOS set 0x08<br> 2065 111K TOS tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:20 TOS set 0x08<br></pre>
|
||||
<pre style="margin-left: 40px;"></pre>
|
||||
</div>
|
||||
</div>
|
||||
<p align="left"><font size="2">Last updated 10/14/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -8,17 +8,287 @@
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall News Archive</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Shorewall News Archive<br>
|
||||
</h1>
|
||||
<p><b>11/07/2003 - Shorewall 1.4.8<br>
|
||||
<br>
|
||||
</b>Problems Corrected since version 1.4.7:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying to use
|
||||
the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued, Shorewall
|
||||
was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
|
||||
corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F" or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
||||
<li>An incorrect comment concerning Debian's use of the SUBSYSLOCK
|
||||
option has been removed from shorewall.conf.</li>
|
||||
<li>Previously, neither the 'routefilter' interface option nor the
|
||||
ROUTE_FILTER parameter were working properly. This has been corrected
|
||||
(thanks to Eric Bowles for his analysis and patch). The definition of
|
||||
the ROUTE_FILTER option has changed however. Previously,
|
||||
ROUTE_FILTER=Yes was documented as enabling route filtering on all
|
||||
interfaces (which didn't work). Beginning with this release, setting
|
||||
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
|
||||
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
|
||||
coexist with the use of the 'routefilter' option in the interfaces file.</li>
|
||||
<li>If MAC verification was enabled on an interface with a /32
|
||||
address and a broadcast address then an error would occur during
|
||||
startup.</li>
|
||||
<li>The NONE policy's intended use is to suppress the generating of
|
||||
rules that can't possibly be traversed. This means that a policy of
|
||||
NONE is inappropriate where the source or destination zone is $FW or
|
||||
"all". Shorewall now generates an error message if such a policy is
|
||||
given in /etc/shorewall/policy. Previously such a policy caused
|
||||
"shorewall start" to fail.</li>
|
||||
<li>The 'routeback' option was broken for wildcard interfaces (e.g.,
|
||||
"tun+"). This has been corrected so that 'routeback' now works as
|
||||
expected in this case.<br>
|
||||
</li>
|
||||
</ol>
|
||||
Migration Issues:<br>
|
||||
<ol>
|
||||
<li>The definition of the ROUTE_FILTER option in shorewall.conf has
|
||||
changed as described in item 8) above.<br>
|
||||
</li>
|
||||
</ol>
|
||||
New Features:<br>
|
||||
<ol>
|
||||
<li>A new QUEUE action has been introduced for rules. QUEUE allows
|
||||
you to pass connection requests to a user-space filter such as ftwall
|
||||
(http://p2pwall.sourceforge.net). The ftwall program allows for
|
||||
effective filtering of p2p applications such as Kazaa. For example, to
|
||||
use ftwall to filter P2P clients in the 'loc' zone, you would add the
|
||||
following rules:<br>
|
||||
<br>
|
||||
QUEUE loc
|
||||
net tcp<br>
|
||||
QUEUE loc
|
||||
net udp<br>
|
||||
QUEUE loc
|
||||
fw udp<br>
|
||||
<br>
|
||||
You would normally want to place those three rules BEFORE any ACCEPT
|
||||
rules for loc->net udp or tcp.<br>
|
||||
<br>
|
||||
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
||||
Shorewall will only pass connection requests (SYN packets) to user
|
||||
space. This is for compatibility with ftwall.</li>
|
||||
<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
|
||||
this option is set to "Yes", the blacklists (dynamic and static) are
|
||||
only consulted for new connection requests. When set to "No" (the
|
||||
default if the variable is not set), the blacklists are consulted on
|
||||
every packet.<br>
|
||||
<br>
|
||||
Setting this option to "No" allows blacklisting to stop existing
|
||||
connections from a newly blacklisted host but is more expensive in
|
||||
terms of packet processing time. This is especially true if the
|
||||
blacklists contain a large number of entries.</li>
|
||||
<li>Chain names used in the /etc/shorewall/accounting file may now
|
||||
begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
|
||||
</ol>
|
||||
<p><b>10/30/2003 - Shorewall 1.4.8 RC1<br>
|
||||
</b></p>
|
||||
Given the small number of new features and the relatively few lines of
|
||||
code that were changed, there will be no Beta for 1.4.8.<br>
|
||||
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<br>
|
||||
</b>Problems Corrected since version 1.4.7:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying to use
|
||||
the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued, Shorewall
|
||||
was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
|
||||
corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F" or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
||||
<li>An incorrect comment concerning Debian's use of the SYBSYSLOCK
|
||||
option has been removed from shorewall.conf.</li>
|
||||
<li>Previously, neither the 'routefilter' interface option nor the
|
||||
ROUTE_FILTER parameter were working properly. This has been corrected
|
||||
(thanks to Eric Bowles for his analysis and patch). The definition of
|
||||
the ROUTE_FILTER option has changed however. Previously,
|
||||
ROUTE_FILTER=Yes was documented as enabling route filtering on all
|
||||
interfaces (which didn't work). Beginning with this release, setting
|
||||
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
|
||||
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
|
||||
coexist with the use of the 'routefilter' option in the interfaces file.</li>
|
||||
</ol>
|
||||
Migration Issues:<br>
|
||||
<ol>
|
||||
<li>The definition of the ROUTE_FILTER option in shorewall.conf has
|
||||
changed as described in item 8) above.<br>
|
||||
</li>
|
||||
</ol>
|
||||
New Features:<br>
|
||||
<ol>
|
||||
<li>A new QUEUE action has been introduced for rules. QUEUE allows
|
||||
you to pass connection requests to a user-space filter such as ftwall
|
||||
(http://p2pwall.sourceforge.net). The ftwall program allows for
|
||||
effective filtering of p2p applications such as Kazaa. For example, to
|
||||
use ftwall to filter P2P clients in the 'loc' zone, you would add the
|
||||
following rules:<br>
|
||||
<br>
|
||||
QUEUE loc
|
||||
net tcp<br>
|
||||
QUEUE loc
|
||||
net udp<br>
|
||||
QUEUE loc
|
||||
fw udp<br>
|
||||
<br>
|
||||
You would normally want to place those three rules BEFORE any ACCEPT
|
||||
rules for loc->net udp or tcp.<br>
|
||||
<br>
|
||||
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
||||
Shorewall will only pass connection requests (SYN packets) to user
|
||||
space. This is for compatibility with ftwall.</li>
|
||||
<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
|
||||
this option is set to "Yes", the blacklists (dynamic and static) are
|
||||
only consulted for new connection requests. When set to "No" (the
|
||||
default if the variable is not set), the blacklists are consulted on
|
||||
every packet.<br>
|
||||
<br>
|
||||
Setting this option to "No" allows blacklisting to stop existing
|
||||
connections from a newly blacklisted host but is more expensive in
|
||||
terms of packet processing time. This is especially true if the
|
||||
blacklists contain a large number of entries.</li>
|
||||
<li>Chain names used in the /etc/shorewall/accounting file may now
|
||||
begin with a digit ([0-9]) and may contain embedded dashes ("-").<br>
|
||||
</li>
|
||||
</ol>
|
||||
<b></b>
|
||||
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag
|
||||
awards </b><b><img
|
||||
style="border: 0px solid ; width: 50px; height: 80px;"
|
||||
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
|
||||
1.4.7c released.</b></p>
|
||||
<ol>
|
||||
<li>The saga with "<zone>_frwd" chains continues. The 1.4.7c
|
||||
script produces a ruleset that should work for everyone even if it is
|
||||
not quite optimal. My apologies for this ongoing mess.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
|
||||
This is a bugfx rollup of the 1.4.7a fixes plus:<br>
|
||||
<ol>
|
||||
<li>The fix for problem 5 in 1.4.7a was wrong with the result that
|
||||
"<zone>_frwd" chains might contain too few rules. That wrong code
|
||||
is corrected in this release.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>10/21/2003 - Shorewall 1.4.7a<br>
|
||||
</b></p>
|
||||
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying to use
|
||||
the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued, Shorewall
|
||||
was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through
|
||||
interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
|
||||
corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F" or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
|
||||
</b></p>
|
||||
<b>Problems Corrected since version 1.4.6 (Those in bold font were
|
||||
@ -290,7 +560,7 @@ where we started.<br>
|
||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
<li>Output rules (those with $FW as the SOURCE) may now be
|
||||
limited to a set of local users and/or groups. See <a
|
||||
href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a>
|
||||
for details.</li>
|
||||
</ol>
|
||||
<p><b>10/02/2003 - Shorewall 1.4.7 RC2</b><b><br>
|
||||
@ -555,7 +825,7 @@ where we started.<br>
|
||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
<li>Output rules (those with $FW as the SOURCE) may now be
|
||||
limited to a set of local users and/or groups. See <a
|
||||
href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a>
|
||||
for details.</li>
|
||||
</ol>
|
||||
<p><b>9/18/2003 - Shorewall 1.4.7 RC 1</b><b><br>
|
||||
@ -997,7 +1267,7 @@ where we started.<br>
|
||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
<li>Output rules (those with $FW as the SOURCE) may now be
|
||||
limited to a set of local users and/or groups. See <a
|
||||
href="file:///vfat/Shorewall-docs/UserSets.html">http://shorewall.net/UserSets.html</a>
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a>
|
||||
for details.</li>
|
||||
</ol>
|
||||
<p><b>8/27/2003 - Shorewall Mirror in Australia</b></p>
|
||||
@ -1554,8 +1824,7 @@ ADDRESS column in /etc/shorewall/masq may now include a comma-separated
|
||||
list of addresses and/or address ranges. Netfilter will use all listed
|
||||
addresses/ranges in round-robin fashion. \</li>
|
||||
<li>An /etc/shorewall/accounting file has been added to allow for
|
||||
traffic accounting. See the <a
|
||||
href="file:///vfat/Shorewall-docs/Accounting.html">accounting
|
||||
traffic accounting. See the <a href="Accounting.html">accounting
|
||||
documentation</a> for a description of this facility.</li>
|
||||
<li>Bridge interfaces (br[0-9]) may now be used in
|
||||
/etc/shorewall/maclist.</li>
|
||||
@ -4550,7 +4819,7 @@ deleted.</li>
|
||||
an additional "gw" (gateway) zone for tunnels and it supports IPSEC
|
||||
tunnels with end-points on the firewall. There is also a .lrp available
|
||||
now.</b></p>
|
||||
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
<p><font size="2">Updated 11/07/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
|
||||
|
@ -1,284 +1,232 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>OpenVPN Tunnels</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">OpenVPN Tunnels</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3><br>
|
||||
</h3>
|
||||
|
||||
<p>OpenVPN is a robust and highly configurable VPN (Virtual Private Network)
|
||||
daemon which can be used to securely link two or more private networks using
|
||||
an encrypted tunnel over the internet. OpenVPN is an Open Source project
|
||||
and is <a href="http://openvpn.sourceforge.net/license.html">licensed under
|
||||
the GPL</a>. OpenVPN can be downloaded from <a
|
||||
<body>
|
||||
<h1 style="text-align: center;">OpenVPN Tunnels<br>
|
||||
</h1>
|
||||
<p>OpenVPN is a robust and highly configurable VPN (Virtual Private
|
||||
Network) daemon which can be used to securely link two or more private
|
||||
networks using an encrypted tunnel over the internet. OpenVPN is an
|
||||
Open Source project and is <a
|
||||
href="http://openvpn.sourceforge.net/license.html">licensed under the
|
||||
GPL</a>. OpenVPN can be downloaded from <a
|
||||
href="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</a>.<br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
<p>OpenVPN support was added to Shorewall in version 1.3.14.<br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
<h2>Bridging two Masqueraded Networks</h2>
|
||||
|
||||
<p>Suppose that we have the following situation:</p>
|
||||
|
||||
<p align="center"><img border="0" src="images/TwoNets1.png" width="745"
|
||||
height="427">
|
||||
</p>
|
||||
|
||||
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
|
||||
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
|
||||
through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy
|
||||
file and OpenVPN.</p>
|
||||
|
||||
<p align="left">While it was possible to use the Shorewall start and stop
|
||||
script to start and stop OpenVPN, I decided to use the init script of OpenVPN
|
||||
to start and stop it.</p>
|
||||
|
||||
<p align="left">On each firewall, you will need to declare a zone to represent
|
||||
the remote subnet. We'll assume that this zone is called 'vpn' and declare
|
||||
it in /etc/shorewall/zones on both systems as follows.</p>
|
||||
|
||||
<blockquote>
|
||||
height="427"> </p>
|
||||
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
|
||||
able to communicate with the systems in the 10.0.0.0/8 network. This is
|
||||
accomplished through use of the /etc/shorewall/tunnels file and the
|
||||
/etc/shorewall/policy file and OpenVPN.</p>
|
||||
<p align="left">While it was possible to use the Shorewall start and
|
||||
stop script to start and stop OpenVPN, I decided to use the init script
|
||||
of OpenVPN to start and stop it.</p>
|
||||
<p align="left">On each firewall, you will need to declare a zone to
|
||||
represent the remote subnet. We'll assume that this zone is called
|
||||
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>ZONE</strong></td>
|
||||
<td><strong>DISPLAY</strong></td>
|
||||
<td><strong>COMMENTS</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>VPN</td>
|
||||
<td>Remote Subnet</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
|
||||
</blockquote>
|
||||
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
|
||||
zone.
|
||||
In /etc/shorewall/interfaces:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tun0</td>
|
||||
<td><br>
|
||||
</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tun0</td>
|
||||
<td><br>
|
||||
</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
<p align="left">In /etc/shorewall/tunnels on system A, we need the
|
||||
following:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>openvpn</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>openvpn</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN
|
||||
traffic on the default port 5000/udp will be accepted to/from the remote
|
||||
gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels
|
||||
like this:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
<p>This entry in /etc/shorewall/tunnels opens the firewall so that
|
||||
OpenVPN traffic on the default port 5000/udp will be accepted to/from
|
||||
the remote gateway. If you change the port used by OpenVPN to 7777, you
|
||||
can define /etc/shorewall/tunnels like this:<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>openvpn:7777</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>openvpn:7777</td>
|
||||
<td>net</td>
|
||||
<td>134.28.54.2</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<p>This is the OpenVPN config on system A:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p></p>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<p>dev tun<br>
|
||||
local 206.162.148.9<br>
|
||||
remote 134.28.54.2<br>
|
||||
ifconfig 192.168.99.1 192.168.99.2<br>
|
||||
up ./route-a.up<br>
|
||||
tls-server<br>
|
||||
dh dh1024.pem<br>
|
||||
ca ca.crt<br>
|
||||
cert my-a.crt<br>
|
||||
key my-a.key<br>
|
||||
comp-lzo<br>
|
||||
verb 5<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
|
||||
zone. In /etc/shorewall/interfaces:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tun0</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>In /etc/shorewall/tunnels on system B, we have:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>openvpn</td>
|
||||
<td>net</td>
|
||||
<td>206.191.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>And in the OpenVPN config on system B:</p>
|
||||
|
||||
<blockquote>
|
||||
<p>dev tun<br>
|
||||
local 134.28.54.2<br>
|
||||
remote 206.162.148.9<br>
|
||||
ifconfig 192.168.99.2 192.168.99.1<br>
|
||||
up ./route-b.up<br>
|
||||
tls-client<br>
|
||||
ca ca.crt<br>
|
||||
cert my-b.crt<br>
|
||||
key my-b.key<br>
|
||||
comp-lzo<br>
|
||||
verb 5<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">You will need to allow traffic between the "vpn" zone and
|
||||
the "loc" zone on both systems -- if you simply want to admit all traffic
|
||||
in both directions, you can use the policy file:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>On both systems, restart Shorewall and start OpenVPN. The systems in the
|
||||
two masqueraded subnetworks can now talk to each other.</p>
|
||||
|
||||
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<small>and Simon Mater</small><br>
|
||||
local 206.162.148.9<br>
|
||||
remote 134.28.54.2<br>
|
||||
ifconfig 192.168.99.1 192.168.99.2<br>
|
||||
up ./route-a.up<br>
|
||||
tls-server<br>
|
||||
dh dh1024.pem<br>
|
||||
ca ca.crt<br>
|
||||
cert my-a.crt<br>
|
||||
key my-a.key<br>
|
||||
comp-lzo<br>
|
||||
verb 5<br>
|
||||
</p>
|
||||
|
||||
</blockquote>
|
||||
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
|
||||
zone. In /etc/shorewall/interfaces:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>tun0</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>In /etc/shorewall/tunnels on system B, we have:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>TYPE</b></td>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>GATEWAY</b></td>
|
||||
<td><b>GATEWAY ZONE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>openvpn</td>
|
||||
<td>net</td>
|
||||
<td>206.191.148.9</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>And in the OpenVPN config on system B:</p>
|
||||
<blockquote>
|
||||
<p>dev tun<br>
|
||||
local 134.28.54.2<br>
|
||||
remote 206.162.148.9<br>
|
||||
ifconfig 192.168.99.2 192.168.99.1<br>
|
||||
up ./route-b.up<br>
|
||||
tls-client<br>
|
||||
ca ca.crt<br>
|
||||
cert my-b.crt<br>
|
||||
key my-b.key<br>
|
||||
comp-lzo<br>
|
||||
verb 5<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p align="left">You will need to allow traffic between the "vpn" zone
|
||||
and the "loc" zone on both systems -- if you simply want to admit all
|
||||
traffic in both directions, you can use the policy file:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong>SOURCE</strong></td>
|
||||
<td><strong>DEST</strong></td>
|
||||
<td><strong>POLICY</strong></td>
|
||||
<td><strong>LOG LEVEL</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>vpn</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p>On both systems, restart Shorewall and start OpenVPN. The systems in
|
||||
the two masqueraded subnetworks can now talk to each other.</p>
|
||||
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<small>and Simon Mater</small><br>
|
||||
</p>
|
||||
<p><font size="2"> </font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
|
||||
</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
|
||||
</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -9,17 +9,8 @@
|
||||
<title>Shorewall PPTP</title>
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">PPTP</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">PPTP<br>
|
||||
</h1>
|
||||
<h4>NOTE: I am no longer attempting to maintain MPPE patches for
|
||||
current
|
||||
Linux kernel's and pppd. I recommend that you refer to the following
|
||||
@ -263,9 +254,191 @@ status)<br>
|
||||
esac</font></p>
|
||||
</blockquote>
|
||||
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
|
||||
<p>I consider hosts connected to my PPTP server to be just like local
|
||||
systems.
|
||||
My key Shorewall entries are:</p>
|
||||
<h4><span style="text-decoration: underline;">Basic Setup</span><br>
|
||||
</h4>
|
||||
<p>Here' a basic setup that treats your remote users as if they were
|
||||
part of your <span style="font-weight: bold;">loc</span> zone. Note
|
||||
that if your primary internet connection uses ppp0, then be sure that <span
|
||||
style="font-weight: bold;">loc</span> follows <span
|
||||
style="font-weight: bold;">net</span> in /etc/shorewall/zones.<br>
|
||||
</p>
|
||||
<p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> TYPE</strong></td>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> GATEWAY</strong></td>
|
||||
<td><strong> GATEWAY ZONE</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>pptpserver<br>
|
||||
</td>
|
||||
<td>net</td>
|
||||
<td>0.0.0.0/0<br>
|
||||
</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p><span style="font-weight: bold;">/etc/shorewall/interfaces:</span><br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc<br>
|
||||
</td>
|
||||
<td>ppp+</td>
|
||||
<td> -</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<h4 style="text-decoration: underline;">Remote Users in a Separate Zone</h4>
|
||||
If you want to place your remote users in their own zone so that you
|
||||
can control connections between these users and the local network,
|
||||
follow this example. Note that if your primary internet connection uses
|
||||
ppp0 then be sure that <span style="font-weight: bold;">vpn</span>
|
||||
follows <span style="font-weight: bold;">net</span> in
|
||||
/etc/shorewall/zones as shown below.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">/etc/shorewall/tunnels:<br>
|
||||
</span>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> TYPE</strong></td>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> GATEWAY</strong></td>
|
||||
<td><strong> GATEWAY ZONE</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>pptpserver<br>
|
||||
</td>
|
||||
<td>net</td>
|
||||
<td>0.0.0.0/0<br>
|
||||
</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<span style="font-weight: bold;">/etc/shorewall/zones:<br>
|
||||
</span>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>DISPLAY</b></td>
|
||||
<td><b>COMMENTS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>Internet</td>
|
||||
<td>The Internet</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>Local</td>
|
||||
<td>Local Network <br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">vpn</td>
|
||||
<td style="vertical-align: top;">VPN<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote Users<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<h4>/etc/shorewall/interfaces:</h4>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>eth0</td>
|
||||
<td>206.124.146.255</td>
|
||||
<td>norfc1918</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>eth2</td>
|
||||
<td>192.168.10.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>vpn<br>
|
||||
</td>
|
||||
<td>ppp+</td>
|
||||
<td> -</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
Your policies and rules may now be configured for traffic to/from the <span
|
||||
style="font-weight: bold;">vpn</span> zone.<br>
|
||||
<h4><span style="text-decoration: underline;">Multiple Remote Networks</span><br>
|
||||
</h4>
|
||||
<p>Often there will be situations where you want multiple connections
|
||||
from remote networks with these networks having different firewalling
|
||||
requirements.<br>
|
||||
</p>
|
||||
<div style="text-align: center;"><img src="images/MultiPPTP.png"
|
||||
title="" alt="" style="width: 846px; height: 544px;"><br>
|
||||
</div>
|
||||
<p>Here's how you configure this in Shorewall. Note that if your
|
||||
primary internet connection uses ppp0 then be sure that the <span
|
||||
style="font-weight: bold;">vpn{1-3}</span> zones follows <span
|
||||
style="font-weight: bold;">net</span> in /etc/shorewall/zones as shown
|
||||
below.<br>
|
||||
</p>
|
||||
<p><span style="font-weight: bold;">/etc/shorewall/tunnels:</span><br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><strong> TYPE</strong></td>
|
||||
<td><strong> ZONE</strong></td>
|
||||
<td><strong> GATEWAY</strong></td>
|
||||
<td><strong> GATEWAY ZONE</strong></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>pptpserver<br>
|
||||
</td>
|
||||
<td>net</td>
|
||||
<td>0.0.0.0/0<br>
|
||||
</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<h4>/etc/shorewall/zones:</h4>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
@ -283,7 +456,31 @@ My key Shorewall entries are:</p>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>Local</td>
|
||||
<td>My Local Network including remote PPTP clients</td>
|
||||
<td>Local Network <br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">vpn1</td>
|
||||
<td style="vertical-align: top;">Remote1<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote Network 1<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">vpn2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote2<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote Network 2<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">vpn3<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote3<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">Remote Network 3<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
@ -307,13 +504,13 @@ My key Shorewall entries are:</p>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>eth2</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td>192.168.10.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>-</td>
|
||||
<td>ppp+</td>
|
||||
<td> </td>
|
||||
<td> -</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
@ -329,151 +526,32 @@ My key Shorewall entries are:</p>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>eth2:192.168.1.0/24</td>
|
||||
<td><br>
|
||||
<td>vpn1<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>ppp+:192.168.1.0/24</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<h4>/etc/shorewall/policy:</h4>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>POLICY</b></td>
|
||||
<td><b>LOG LEVEL</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>loc</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<h4>/etc/shorewall/rules (For Shorewall versions up to and including
|
||||
1.3.9b):</h4>
|
||||
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>1723</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>47</td>
|
||||
<td>-</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>47</td>
|
||||
<td>-</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions
|
||||
1.3.10 and
|
||||
later)<br>
|
||||
</b></p>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>TYPE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>ZONE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>GATEWAY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>GATEWAY ZONE<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">pptpserver<br>
|
||||
<td style="vertical-align: top;">vpn2<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
<td style="vertical-align: top;">ppp+:192.168.2.0/24<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">vpn3<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;">ppp+:192.168.3.0/24<br>
|
||||
</td>
|
||||
<td style="vertical-align: top;"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left"><br>
|
||||
Note: I have multiple ppp interfaces on my firewall. If you have a
|
||||
single
|
||||
ppp interface, you probably want:</p>
|
||||
<h4>/etc/shorewall/interfaces:</h4>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ZONE</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>BROADCAST</b></td>
|
||||
<td><b>OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>eth0</td>
|
||||
<td>206.124.146.255</td>
|
||||
<td>norfc1918</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>eth2</td>
|
||||
<td>192.168.1.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>ppp0</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
|
||||
Your policies and rules can now be configured using separate zones
|
||||
(vpn1, vpn2, and vpn3) for the three remote network.<br>
|
||||
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running
|
||||
Behind
|
||||
your Firewall</h2>
|
||||
@ -968,7 +1046,7 @@ as described in the QuickStart Guide corresponding to your setup.<br>
|
||||
That entry allows a PPTP tunnel to be established between your
|
||||
Shorewall system and the PPTP server in the modem.<br>
|
||||
</div>
|
||||
<p><font size="2">Last modified 8/11/2003 - <a href="support.htm">Tom
|
||||
<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><a href="copyright.htm"> <font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
||||
|
@ -1,192 +1,165 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Proxy ARP</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
|
||||
without changing their IP addresses and without having to re-subnet.
|
||||
Before you try to use this technique, I strongly recommend that you read
|
||||
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
|
||||
|
||||
<p>The following figure represents a Proxy ARP environment.</p>
|
||||
|
||||
<blockquote>
|
||||
<p align="center"><strong> <img src="images/proxyarp.png"
|
||||
width="519" height="397">
|
||||
</strong></p>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">Proxy ARP can be used to make the systems with addresses
|
||||
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
|
||||
subnet. Assuming that the upper firewall interface is eth0 and the
|
||||
lower interface is eth1, this is accomplished using the following entries
|
||||
in /etc/shorewall/proxyarp:</p>
|
||||
|
||||
<blockquote>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Proxy ARP<br>
|
||||
</h1>
|
||||
<p>Proxy ARP allows you to insert a firewall in front of a set of
|
||||
servers without changing their IP addresses and without having to
|
||||
re-subnet. Before you try to use this technique, I strongly recommend
|
||||
that you read the <a href="shorewall_setup_guide.htm">Shorewall Setup
|
||||
Guide.</a></p>
|
||||
<p>The following figure represents a Proxy ARP environment.</p>
|
||||
<blockquote>
|
||||
<p align="center"><strong> <img src="images/proxyarp.png" width="519"
|
||||
height="397"> </strong></p>
|
||||
<blockquote> </blockquote>
|
||||
</blockquote>
|
||||
<p align="left">Proxy ARP can be used to make the systems with
|
||||
addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper
|
||||
(130.252.100.*) subnet. Assuming that the upper firewall
|
||||
interface is eth0 and the lower interface is eth1, this is accomplished
|
||||
using the following entries in /etc/shorewall/proxyarp:</p>
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ADDRESS</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>HAVEROUTE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ADDRESS</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>HAVEROUTE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19
|
||||
in the above example) are not included in any specification in /etc/shorewall/masq
|
||||
or /etc/shorewall/nat.</p>
|
||||
|
||||
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
|
||||
irrelevant. </p>
|
||||
|
||||
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
|
||||
subnet mask and default gateway configured exactly the same way that
|
||||
the Firewall system's eth0 is configured. In other words, they should
|
||||
be configured just like they would be if they were parallel to the firewall
|
||||
rather than behind it.<br>
|
||||
</p>
|
||||
|
||||
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
|
||||
(130.252.100.18 and 130.252.100.19 in the above example) to the external
|
||||
interface (eth0 in this example) of the firewall.</b></font><br>
|
||||
</p>
|
||||
|
||||
<div align="left"> </div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">A word of warning is in order here. ISPs typically configure
|
||||
their routers with a long ARP cache timeout. If you move a system from
|
||||
parallel to your firewall to behind your firewall with Proxy ARP, it
|
||||
will probably be HOURS before that system can communicate with the internet.
|
||||
There are a couple of things that you can try:<br>
|
||||
</p>
|
||||
|
||||
</blockquote>
|
||||
<p>Be sure that the internal systems (130.242.100.18 and
|
||||
130.252.100.19 in the above example) are not included in any
|
||||
specification in /etc/shorewall/masq or /etc/shorewall/nat.</p>
|
||||
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address
|
||||
is irrelevant. </p>
|
||||
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have
|
||||
their subnet mask and default gateway configured exactly the same way
|
||||
that the Firewall system's eth0 is configured. In other words, they
|
||||
should be configured just like they would be if they were parallel to
|
||||
the firewall rather than behind it.<br>
|
||||
</p>
|
||||
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed
|
||||
address(es) (130.252.100.18 and 130.252.100.19 in the above
|
||||
example) to the external interface (eth0 in this example) of the
|
||||
firewall.</b></font><br>
|
||||
</p>
|
||||
<div align="left"> </div>
|
||||
<div align="left">
|
||||
<p align="left">A word of warning is in order here. ISPs typically
|
||||
configure their routers with a long ARP cache timeout. If you move a
|
||||
system from parallel to your firewall to behind your firewall with
|
||||
Proxy ARP, it
|
||||
will probably be HOURS before that system can communicate with the
|
||||
internet. There are a couple of things that you can try:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
|
||||
Illustrated, Vol 1</i> reveals that a <br>
|
||||
<br>
|
||||
"gratuitous" ARP packet should cause the ISP's router to refresh their
|
||||
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
|
||||
MAC address for its own IP; in addition to ensuring that the IP address
|
||||
isn't a duplicate...<br>
|
||||
<br>
|
||||
"if the host sending the gratuitous ARP has just changed its hardware
|
||||
address..., this packet causes any other host...that has an entry in its
|
||||
cache for the old hardware address to update its ARP cache entry accordingly."<br>
|
||||
<br>
|
||||
Which is, of course, exactly what you want to do when you switch a host
|
||||
from being exposed to the Internet to behind Shorewall using proxy ARP (or
|
||||
static NAT for that matter). Happily enough, recent versions of Redhat's
|
||||
iputils package include "arping", whose "-U" flag does just that:<br>
|
||||
<br>
|
||||
<font color="#009900"><b>arping -U -I <i><net if> <newly
|
||||
proxied IP></i></b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
|
||||
<br>
|
||||
Stevens goes on to mention that not all systems respond correctly to
|
||||
gratuitous ARPs, but googling for "arping -U" seems to support the idea
|
||||
that it works most of the time.<br>
|
||||
<br>
|
||||
To use arping with Proxy ARP in the above example, you would have to:<br>
|
||||
<br>
|
||||
<font color="#009900"><b> shorewall clear<br>
|
||||
</b></font> <font color="#009900"><b>ip addr add 130.252.100.18
|
||||
dev eth0<br>
|
||||
ip addr add 130.252.100.19 dev eth0</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
|
||||
<b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
|
||||
ip addr del 130.252.100.19 dev eth0<br>
|
||||
shorewall start</font></b><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>You can call your ISP and ask them to purge the stale ARP cache
|
||||
entry but many either can't or won't purge individual entries.</li>
|
||||
|
||||
</ol>
|
||||
You can determine if your ISP's gateway ARP cache is stale using ping
|
||||
and tcpdump. Suppose that we suspect that the gateway router has a stale
|
||||
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
|
||||
will assume is 130.252.100.254):</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">We can now observe the tcpdump output:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Notice that the source MAC address in the echo request is
|
||||
different from the destination MAC address in the echo reply!! In this
|
||||
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
|
||||
was the MAC address of the system on the lower left. In other words,
|
||||
the gateway's ARP cache still associates 130.252.100.19 with the NIC
|
||||
in that system rather than with the firewall's eth0.</p>
|
||||
</div>
|
||||
|
||||
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
|
||||
Illustrated, Vol 1</i> reveals that a <br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
"gratuitous" ARP packet should cause the ISP's router to refresh their
|
||||
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
|
||||
the MAC address for its own IP; in addition to ensuring that the IP
|
||||
address
|
||||
isn't a duplicate...<br>
|
||||
<br>
|
||||
"if the host sending the gratuitous ARP has just changed its hardware
|
||||
address..., this packet causes any other host...that has an entry in
|
||||
its cache for the old hardware address to update its ARP cache entry
|
||||
accordingly."<br>
|
||||
<br>
|
||||
Which is, of course, exactly what you want to do when you switch a host
|
||||
from being exposed to the Internet to behind Shorewall using proxy ARP
|
||||
(or one-to-one NAT for that matter). Happily enough, recent versions of
|
||||
Redhat's iputils package include "arping", whose "-U" flag does just
|
||||
that:<br>
|
||||
<br>
|
||||
<font color="#009900"><b>arping -U -I <i><net
|
||||
if> <newly proxied IP></i></b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0
|
||||
66.58.99.83 # for example</b></font><br>
|
||||
<br>
|
||||
Stevens goes on to mention that not all systems respond correctly to
|
||||
gratuitous ARPs, but googling for "arping -U" seems to support the idea
|
||||
that it works most of the time.<br>
|
||||
<br>
|
||||
To use arping with Proxy ARP in the above example, you would have to:<br>
|
||||
<br>
|
||||
<font color="#009900"><b> shorewall clear<br>
|
||||
</b></font> <font color="#009900"><b>ip addr add
|
||||
130.252.100.18 dev eth0<br>
|
||||
ip addr add 130.252.100.19 dev eth0</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0
|
||||
130.252.100.18</b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
|
||||
<b><font color="#009900">ip addr del 130.252.100.18 dev
|
||||
eth0<br>
|
||||
ip addr del 130.252.100.19 dev eth0<br>
|
||||
shorewall start</font></b><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>You can call your ISP and ask them to purge the stale ARP cache
|
||||
entry but many either can't or won't purge individual entries.</li>
|
||||
</ol>
|
||||
You can determine if your ISP's gateway ARP cache is stale using ping
|
||||
and tcpdump. Suppose that we suspect that the gateway router has a
|
||||
stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump
|
||||
as follows:</div>
|
||||
<div align="left">
|
||||
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which
|
||||
we will assume is 130.252.100.254):</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">We can now observe the tcpdump output:</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply</pre>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Notice that the source MAC address in the echo request
|
||||
is different from the destination MAC address in the echo reply!! In
|
||||
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
|
||||
0:c0:a8:50:b2:57 was the MAC address of the system on the lower left.
|
||||
In other words,
|
||||
the gateway's ARP cache still associates 130.252.100.19 with the NIC
|
||||
in that system rather than with the firewall's eth0.</p>
|
||||
</div>
|
||||
<p><font size="2">Last updated 11/13/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,53 +1,34 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Springtime in Seattle!!!</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Visit Seattle in the Springtime!!!!</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<body>
|
||||
-+
|
||||
<h3><font color="#ff6633"></font></h3>
|
||||
<img src="images/P1000048.jpg" alt="" width="640" height="480">
|
||||
<br>
|
||||
<br>
|
||||
<b>March 6, 2003 - Nice day for a walk....</b><br>
|
||||
<br>
|
||||
<img src="images/P1000050.jpg" alt="" width="640" height="480">
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<img src="images/P1000049.jpg" alt="" width="480" height="640">
|
||||
|
||||
<p><b>The view from my office window -- think I'll go out and enjoy the deck
|
||||
(Yes -- that is snow on the deck...)</b>.<br>
|
||||
</p>
|
||||
|
||||
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
<h1 style="text-align: center;">Visit Seattle in the Springtime!!!<br>
|
||||
</h1>
|
||||
<img src="images/P1000048.jpg" alt="" width="640" height="480"> <br>
|
||||
<br>
|
||||
<b>March 6, 2003 - Nice day for a walk....</b><br>
|
||||
<br>
|
||||
<img src="images/P1000050.jpg" alt="" width="640" height="480"> <br>
|
||||
<br>
|
||||
<br>
|
||||
<img src="images/P1000049.jpg" alt="" width="480" height="640">
|
||||
<p><b>The view from my office window -- think I'll go out and enjoy the
|
||||
deck (Yes -- that is snow on the deck...)</b>.<br>
|
||||
</p>
|
||||
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,93 +2,79 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall Certificate Authority</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
|
||||
(CA) Certificate</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Given that I develop and support Shorewall without asking for any renumeration,
|
||||
I can hardly justify paying $200US+ a year to a Certificate Authority such
|
||||
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
|
||||
I am who I am. I have therefore established my own Certificate Authority
|
||||
(CA) and sign my own X.509 certificates. I use these certificates on my list
|
||||
server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall Certificate Authority (CA)
|
||||
Certificate<br>
|
||||
</h1>
|
||||
Given that I develop and support Shorewall without asking for any
|
||||
renumeration, I can hardly justify paying $200US+ a year to a
|
||||
Certificate Authority such as Thawte (A Division of VeriSign) for an
|
||||
X.509 certificate to prove that I am who I am. I have therefore
|
||||
established my own Certificate Authority (CA) and sign my own X.509
|
||||
certificates. I use these certificates on my list server (<a
|
||||
href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
|
||||
which hosts parts of this web site.<br>
|
||||
<br>
|
||||
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
|
||||
part of establishing an SSL session (URL https://...), your browser verifies
|
||||
the X.509 certificate supplied by the HTTPS server against the set of Certificate
|
||||
Authority Certificates that were shipped with your browser. It is expected
|
||||
that the server's certificate was issued by one of the authorities whose
|
||||
identities are known to your browser. <br>
|
||||
<br>
|
||||
This mechanism, while supposedly guaranteeing that when you connect to
|
||||
https://www.foo.bar you are REALLY connecting to www.foo.bar, means that
|
||||
the CAs literally have a license to print money -- they are selling a string
|
||||
of bits (an X.509 certificate) for $200US+ per year!!!I <br>
|
||||
<br>
|
||||
I wish that I had decided to become a CA rather that designing and writing
|
||||
Shorewall.<br>
|
||||
<br>
|
||||
What does this mean to you? It means that the X.509 certificate that my
|
||||
server will present to your browser will not have been signed by one of the
|
||||
authorities known to your browser. If you try to connect to my server using
|
||||
SSL, your browser will frown and give you a dialog box asking if you want
|
||||
to accept the sleezy X.509 certificate being presented by my server. <br>
|
||||
<br>
|
||||
There are two things that you can do:<br>
|
||||
|
||||
<br>
|
||||
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
|
||||
part of establishing an SSL session (URL https://...), your browser
|
||||
verifies the X.509 certificate supplied by the HTTPS server against the
|
||||
set of Certificate Authority Certificates that were shipped with your
|
||||
browser. It is expected that the server's certificate was issued by one
|
||||
of the authorities whose identities are known to your browser. <br>
|
||||
<br>
|
||||
This mechanism, while supposedly guaranteeing that when you connect to
|
||||
https://www.foo.bar you are REALLY connecting to www.foo.bar, means
|
||||
that the CAs literally have a license to print money -- they are
|
||||
selling a string of bits (an X.509 certificate) for $200US+ per
|
||||
year!!!I <br>
|
||||
<br>
|
||||
I wish that I had decided to become a CA rather that designing and
|
||||
writing Shorewall.<br>
|
||||
<br>
|
||||
What does this mean to you? It means that the X.509 certificate that my
|
||||
server will present to your browser will not have been signed by one of
|
||||
the authorities known to your browser. If you try to connect to my
|
||||
server using SSL, your browser will frown and give you a dialog box
|
||||
asking if you want to accept the sleezy X.509 certificate being
|
||||
presented by my server. <br>
|
||||
<br>
|
||||
There are two things that you can do:<br>
|
||||
<ol>
|
||||
<li>You can accept the mail.shorewall.net certificate when your browser
|
||||
asks -- your acceptence of the certificate can be temporary (for that access
|
||||
only) or perminent.</li>
|
||||
<li>You can download and install <a href="ca.crt">my (self-signed) CA
|
||||
certificate.</a> This will make my Certificate Authority known to your browser
|
||||
so that it will accept any certificate signed by me. <br>
|
||||
</li>
|
||||
|
||||
<li>You can accept the mail.shorewall.net certificate when your
|
||||
browser asks -- your acceptence of the certificate can be temporary
|
||||
(for that access only) or perminent.</li>
|
||||
<li>You can download and install <a href="ca.crt">my (self-signed)
|
||||
CA certificate.</a> This will make my Certificate Authority known to
|
||||
your browser so that it will accept any certificate signed by me. <br>
|
||||
</li>
|
||||
</ol>
|
||||
What are the risks?<br>
|
||||
|
||||
What are the risks?<br>
|
||||
<ol>
|
||||
<li>If you install my CA certificate then you assume that I am trustworthy
|
||||
and that Shorewall running on your firewall won't redirect HTTPS requests
|
||||
intented to go to your bank's server to one of my systems that will present
|
||||
your browser with a bogus certificate claiming that my server is that of
|
||||
<li>If you install my CA certificate then you assume that I am
|
||||
trustworthy and that Shorewall running on your firewall won't redirect
|
||||
HTTPS requests intented to go to your bank's server to one of my
|
||||
systems that will present your browser with a bogus certificate
|
||||
claiming that my server is that of
|
||||
your bank.</li>
|
||||
<li>If you only accept my server's certificate when prompted then the
|
||||
most that you have to loose is that when you connect to https://mail.shorewall.net,
|
||||
the server you are connecting to might not be mine.</li>
|
||||
|
||||
<li>If you only accept my server's certificate when prompted then the
|
||||
most that you have to loose is that when you connect to
|
||||
https://mail.shorewall.net, the server you are connecting to might not
|
||||
be mine.</li>
|
||||
</ol>
|
||||
I have my CA certificate loaded into all of my browsers but I certainly
|
||||
I have my CA certificate loaded into all of my browsers but I certainly
|
||||
won't be offended if you decline to load it into yours... :-)<br>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003
|
||||
Thomas M.
|
||||
Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,56 +2,38 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall CVS Access</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
|
||||
</h1>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Lots of people try to download the entire Shorewall website for off-line
|
||||
browsing, including the CVS portion. In addition to being an enormous volume
|
||||
of data (HTML versions of all versions of all Shorewall files), all of the
|
||||
pages in Shorewall CVS access are cgi-generated which places a tremendous
|
||||
load on my little server. I have therefore resorted to making CVS access
|
||||
password controlled. When you are asked to log in, enter "Shorewall" (NOTE
|
||||
THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
|
||||
<br>
|
||||
|
||||
<div align="center">
|
||||
<body>
|
||||
<br>
|
||||
<h1 style="text-align: center;">Shorewall CVS Access<br>
|
||||
</h1>
|
||||
Lots of people try to download the entire Shorewall website for
|
||||
off-line browsing, including the CVS portion. In addition to being an
|
||||
enormous volume of data (HTML versions of all versions of all Shorewall
|
||||
files), all of the pages in Shorewall CVS access are cgi-generated
|
||||
which places a tremendous load on my little server. I have therefore
|
||||
resorted to making CVS access password controlled. When you are asked
|
||||
to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both
|
||||
the user name and the password.<br>
|
||||
<br>
|
||||
<div align="center">
|
||||
<h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
|
||||
target="_top">CVS Login</a> <br>
|
||||
</h3>
|
||||
</div>
|
||||
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002
|
||||
- <a href="support.htm">Tom Eastep</a> </font>
|
||||
</p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
target="_top">CVS Login</a> <br>
|
||||
</h3>
|
||||
</div>
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
|
||||
1/14/2002 - <a href="support.htm">Tom Eastep</a> </font> </p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -9,20 +9,11 @@
|
||||
<body>
|
||||
<small> </small><small> </small><small> </small><small> </small><small>
|
||||
</small> <small> </small>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%"><small> </small>
|
||||
<h1 align="center"><small><font color="#ffffff">Some things that
|
||||
Shorewall <b>Cannot</b> Do</font></small></h1>
|
||||
<small> </small></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<small><br>
|
||||
</small>Shorewall cannot:<br>
|
||||
</small>
|
||||
<h1 style="text-align: center;">Some things that Shorewall Cannot Do<br>
|
||||
</h1>
|
||||
Shorewall cannot:<br>
|
||||
<ul>
|
||||
<li>Be used to filter traffic through a Layer 2 Bridge</li>
|
||||
<li>Act as a "Personal Firewall" that allows internet access by
|
||||
@ -30,18 +21,28 @@ application.</li>
|
||||
<li>Be used with an Operating System other than Linux (version >=
|
||||
2.4.0)<br>
|
||||
</li>
|
||||
<li>Do content filtering -- better to use <a
|
||||
href="Shorewall_Squid_Usage.html">Squid</a> for that.</li>
|
||||
<li>Do content filtering:</li>
|
||||
<ul>
|
||||
<li>HTTP -- better to use <a href="Shorewall_Squid_Usage.html">Squid</a>
|
||||
for that.</li>
|
||||
<li>Email -- Install something like <a
|
||||
href="http://www.postfix.org">Postfix</a> on your firewall and
|
||||
integrate it with <a href="http://www.spamassassin.org">SpamAssassin</a>
|
||||
and <a href="http://www.ijs.si/software/amavisd/">Amavisd-new</a>.<br>
|
||||
</li>
|
||||
</ul>
|
||||
</ul>
|
||||
In addition:<br>
|
||||
<ul>
|
||||
<li>Shorewall does not contain any support for Netfilter <span
|
||||
style="font-style: italic;">Patch-O-Matic</span> features -- Shorewall
|
||||
<li>Shorewall does not contain any support for Netfilter <a
|
||||
href="http://www.netfilter.org/documentation/pomlist/pom-summary.html"><span
|
||||
style="font-style: italic;">Patch-O-Matic</span></a> features --
|
||||
Shorewall
|
||||
only supports features from released kernels.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<br>
|
||||
<font size="2">Last updated 9/28/2003 - <a href="support.htm">Tom
|
||||
<font size="2">Last updated 10/07/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
|
@ -7,19 +7,22 @@
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table cellpadding="0" cellspacing="0" border="0" width="100%"
|
||||
bgcolor="#3366ff">
|
||||
<table cellpadding="0" cellspacing="0" border="0"
|
||||
style="background-color: rgb(51, 102, 255); height: 84px; width: 100%;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="middle" width="33%" bgcolor="#3366ff"><a
|
||||
<td valign="middle" width="33%" bgcolor="#3366ff"
|
||||
style="background-color: rgb(255, 255, 255);"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
|
||||
alt="" width="88" height="31" hspace="4"> </a><br>
|
||||
</td>
|
||||
<td valign="middle" height="90" align="center" width="34%">
|
||||
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
|
||||
<td valign="middle" height="90" align="center" width="34%"
|
||||
style="background-color: rgb(255, 255, 255);">
|
||||
<h1 style="color: rgb(51, 0, 51);"><b>Using Shorewall with Squid</b></h1>
|
||||
<h1> </h1>
|
||||
</td>
|
||||
<td valign="middle" height="90" width="33%" align="right"><a
|
||||
<td valign="middle" height="90" width="33%" align="right"
|
||||
style="background-color: rgb(255, 255, 255);"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
|
||||
alt="" width="100" height="31" hspace="4"> </a><br>
|
||||
</td>
|
||||
@ -28,10 +31,14 @@
|
||||
</table>
|
||||
<br>
|
||||
This page covers Shorewall configuration to use with <a
|
||||
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
|
||||
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
|
||||
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
|
||||
href="http://www.squid-cache.org/">Squid </a>running as a <a
|
||||
href="#Transparent">Transparent
|
||||
Proxy</a> or as a <a href="#Manual">Manual Proxy</a>.<br>
|
||||
<br>
|
||||
If you are running Shorewall 1.3, please see <a
|
||||
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
|
||||
<h1><a name="Transparent"></a>Squid as a Transparent Proxy<br>
|
||||
</h1>
|
||||
<img border="0" src="images/j0213519.gif" width="60" height="60"
|
||||
alt="Caution" align="middle"> Please observe the
|
||||
following general requirements:<br>
|
||||
@ -71,7 +78,7 @@ running on the Firewall.</a></li>
|
||||
local network</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
|
||||
</ol>
|
||||
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
|
||||
<h2><a name="Firewall"></a>Squid (transparent) Running on the Firewall</h2>
|
||||
You want to redirect all local www connection requests
|
||||
EXCEPT those to your own http server (206.124.146.177) to a Squid
|
||||
transparent proxy running on the firewall
|
||||
@ -123,15 +130,49 @@ DEST</b></td>
|
||||
There may be a requirement to exclude additional destination
|
||||
hosts or networks from being redirected. For example, you might also
|
||||
want
|
||||
requests destined for 130.252.100.0/24 to not be routed to Squid. In
|
||||
that
|
||||
case, you must add a manual rule in /etc/shorewall/start:<br>
|
||||
requests destined for 130.252.100.0/24 to not be routed to Squid.<br>
|
||||
<br>
|
||||
If you are running Shorewall version 1.4.5 or later, you may just add
|
||||
the additional hosts/networks to the ORIGINAL DEST column in your
|
||||
REDIRECT rule:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> -<br>
|
||||
</td>
|
||||
<td>!206.124.146.177,130.252.100.0/24</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<br>
|
||||
If you are running a Shorewall version earlier than 1.4.5, you must add
|
||||
a manual rule in /etc/shorewall/start:<br>
|
||||
<blockquote>
|
||||
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
|
||||
</blockquote>
|
||||
To exclude additional hosts or networks, just add additional
|
||||
similar rules.<br>
|
||||
<h2><a name="Local"></a>Squid Running in the local network</h2>
|
||||
<h2><a name="Local"></a>Squid (transparent) Running in the local network</h2>
|
||||
You want to redirect all local www connection requests to a Squid
|
||||
transparent proxy running in your local zone at 192.168.1.3 and
|
||||
listening
|
||||
@ -273,7 +314,8 @@ command above:<br>
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
|
||||
<h2><a name="DMZ"></a>Squid (transparent) Running in the DMZ (This is
|
||||
what I do)</h2>
|
||||
You have a single Linux system in your DMZ with IP address 192.0.2.177.
|
||||
You want to run both a web server and Squid on that system. Your DMZ
|
||||
interface is eth1 and your local interface is eth2.<br>
|
||||
@ -455,7 +497,133 @@ command above:<br>
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
|
||||
</blockquote>
|
||||
<blockquote> </blockquote>
|
||||
<p><font size="-1"> Updated 8/9/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
<h1><a name="Manual"></a>Squid as a Manual Proxy</h1>
|
||||
Assume that Squid is running in zone SZ and listening on port SP; all
|
||||
web sites that are to be accessed through Squid are in the 'net' zone.
|
||||
Then for each zone Z that needs access to the Squid server:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">Z<br>
|
||||
</td>
|
||||
<td valign="top">SZ<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">SP<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">SZ<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">Squid on the firewall listening on port
|
||||
8080 with access from the 'loc' zone:<br>
|
||||
<br>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">$FW<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">8080<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">$FW<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</div>
|
||||
<p><font size="-1">Updated 1017/2003 - <a href="support.htm">Tom
|
||||
Eastep</a>
|
||||
</font></p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
|
File diff suppressed because it is too large
Load Diff
32
Shorewall-docs/Shorewall_and_Kazaa.html
Normal file
32
Shorewall-docs/Shorewall_and_Kazaa.html
Normal file
@ -0,0 +1,32 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<title>Shorewall and Kazaa</title>
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Kazaa Filtering</h1>
|
||||
<br>
|
||||
Beginning with Shorewall version 1.4.8, Shorewall can interface to <span
|
||||
style="font-weight: bold;">ftwall</span>. ftwall is part of the
|
||||
p2pwall project and is a user-space filter for applications based on
|
||||
the "Fast Track" peer to peer protocol. Applications using this
|
||||
protocol include Kazaa, KazaaLite, iMash and Grokster.<br>
|
||||
<br>
|
||||
To filter traffic from your 'loc' zone with ftwall, you insert the
|
||||
following rules <span style="text-decoration: underline;"><span
|
||||
style="font-weight: bold;">near the top</span></span> of your
|
||||
/etc/shorewall/rules file (before and ACCEPT rules whose source is the
|
||||
'loc' zone).<br>
|
||||
<pre style="margin-left: 40px;">QUEUE loc net tcp<br>QUEUE loc net udp<br>QUEUE loc fw udp<br></pre>
|
||||
Now simply configure ftwall as described in the ftwall documentation
|
||||
and restart Shorewall.<br>
|
||||
<p align="left"><font size="2">Last updated 10/22/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -1,138 +1,66 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
|
||||
<base target="main">
|
||||
|
||||
<base target="main">
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td
|
||||
width="100%" height="90" align="center">
|
||||
<div align="center">
|
||||
|
||||
</div>
|
||||
<a href="http://www.shorewall.net" target="_top"><img
|
||||
border="0" src="images/ProtectedBy.png" width="200" height="42"
|
||||
hspace="4" alt="(Shorewall Logo)" align="middle" vspace="4">
|
||||
|
||||
</a><br>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td
|
||||
width="100%" bgcolor="#ffffff">
|
||||
|
||||
|
||||
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
<ul>
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li>
|
||||
<a href="shorewall_features.htm">Features</a></li>
|
||||
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a
|
||||
href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a
|
||||
href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
|
||||
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a
|
||||
href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
|
||||
<li> <a
|
||||
href="errata.htm">Errata</a></li>
|
||||
<li> <a
|
||||
href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a
|
||||
href="support.htm">Getting help or Answers to Questions</a></li>
|
||||
<li><a href="http://lists.shorewall.net">Mailing
|
||||
Lists</a><a href="http://lists.shorewall.net"> </a><br>
|
||||
</li>
|
||||
|
||||
<li><a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
|
||||
|
||||
|
||||
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a href="shorewall_features.htm">Features</a></li>
|
||||
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Things to try if it doesn't
|
||||
work</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
|
||||
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
|
||||
href="http://lists.shorewall.net"> </a><br>
|
||||
</li>
|
||||
<li><a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a
|
||||
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a
|
||||
href="quotes.htm">Quotes from Users</a></li>
|
||||
|
||||
</li>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<ul>
|
||||
|
||||
|
||||
</ul>
|
||||
<li> <a
|
||||
href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,120 +1,68 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
<base
|
||||
target="main">
|
||||
<base target="main">
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td
|
||||
width="100%" height="90">
|
||||
|
||||
|
||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td
|
||||
width="100%" bgcolor="#ffffff">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
<ul>
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li>
|
||||
<a href="shorewall_features.htm">Features</a></li>
|
||||
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a
|
||||
href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a
|
||||
href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
|
||||
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a
|
||||
href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
|
||||
<li> <a
|
||||
href="errata.htm">Errata</a></li>
|
||||
<li> <a
|
||||
href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a
|
||||
href="support.htm">Getting help or Answers to Questions</a>
|
||||
</li>
|
||||
<li><a
|
||||
href="http://lists.shorewall.net">Mailing Lists</a></li>
|
||||
|
||||
|
||||
<li><a
|
||||
href="shorewall_mirrors.htm">Mirrors</a></li>
|
||||
|
||||
|
||||
|
||||
<li><a
|
||||
href="News.htm">News Archive</a></li>
|
||||
<li> <a
|
||||
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a href="shorewall_features.htm">Features</a></li>
|
||||
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Things to try if it doesn't
|
||||
work</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
|
||||
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
|
||||
href="http://lists.shorewall.net"> </a><br>
|
||||
</li>
|
||||
<li><a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<ul>
|
||||
</ul>
|
||||
</li>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<ul>
|
||||
|
||||
|
||||
</ul>
|
||||
<li> <a
|
||||
href="quotes.htm">Quotes from Users</a></li>
|
||||
<li> <a
|
||||
href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
45
Shorewall-docs/SourceforgeBanner.html
Executable file
45
Shorewall-docs/SourceforgeBanner.html
Executable file
@ -0,0 +1,45 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
<title>Banner</title>
|
||||
<meta name="author" content="Tom Eastep">
|
||||
<base target="main">
|
||||
</head>
|
||||
<body style="color: rgb(0, 0, 0); background-color: rgb(51, 102, 255);"
|
||||
link="#000099" vlink="#990099" alink="#000099">
|
||||
<table cellpadding="0"
|
||||
style="border-collapse: collapse; background-color: rgb(51, 102, 255); width: 1020px; height: 102px;"
|
||||
id="AutoNumber3">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td style="text-align: center; width: 34%; vertical-align: top;">
|
||||
<div align="center"> <img src="images/Logo1.png"
|
||||
alt="(Shorewall Logo)" style="width: 430px; height: 90px;"
|
||||
align="middle" title=""> </div>
|
||||
</td>
|
||||
<td style="vertical-align: top;">
|
||||
<form method="post"
|
||||
action="http://lists.shorewall.net/cgi-bin/htsearch"
|
||||
style="background-color: rgb(51, 102, 255);"> <strong><font
|
||||
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff">Search
|
||||
is unavailable Daily 0200-0330 GMT.</font><br>
|
||||
<strong></strong>
|
||||
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
|
||||
<font face="Arial" size="-1"> <input type="text" name="words"
|
||||
size="15"></font><font size="-1"> </font> <font color="#ffffff"> <input
|
||||
type="hidden" name="format" value="long"> <input type="hidden"
|
||||
name="method" value="and"> <input type="hidden" name="config"
|
||||
value="htdig"> <input type="submit" value="Search"><b><font
|
||||
color="#ffffff"> <a
|
||||
href="http://lists.shorewall.net/htdig/search.html"
|
||||
style="color: rgb(255, 255, 255);">Extended Search</a></font></b></font></p>
|
||||
<font face="Arial"> <input type="hidden" name="exclude"
|
||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</body>
|
||||
</html>
|
141
Shorewall-docs/UserSets.html
Executable file
141
Shorewall-docs/UserSets.html
Executable file
@ -0,0 +1,141 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Controlling Traffic by UID/GID</title>
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Controlling Output
|
||||
Traffic by UID/GID<br>
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
This capability was added in Shorewall release
|
||||
1.4.7.<br>
|
||||
<br>
|
||||
Netfilter provides the capability to filter packets generated on the
|
||||
firewall system by User Id and/or Group Id. Shorewall provides two
|
||||
separate but related ways to use this Netfilter capability:<br>
|
||||
<ol>
|
||||
<li>Shorewall allows you to
|
||||
define collections of users called "<a href="#UserSet">User Sets</a>"
|
||||
and then to restrict
|
||||
certain rules in /etc/shorewall/rules to a given User Set.</li>
|
||||
<li>Shorewall also allows you to restrict a given <a href="#Rule">rule
|
||||
</a>to a particular user and/or group.<br>
|
||||
</li>
|
||||
</ol>
|
||||
Since only packets created by programs running on the Shorewall box
|
||||
itself, only rules whose SOURCE is the firewall ($FW) may be restricted
|
||||
using either of the facilities.<br>
|
||||
<h2><a name="UserSet"></a>User Sets<br>
|
||||
</h2>
|
||||
Given the way that this facility is implemented in Shorewall, it is not
|
||||
possible to control logging of individual rules using a User Set and
|
||||
logging is rather specified on the User Set itself.<br>
|
||||
<br>
|
||||
User Sets are defined in the /etc/shorewall/usersets file. Columns in
|
||||
that file include:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">USERSET
|
||||
The name of a User Set. Must be a legal
|
||||
shell
|
||||
identifier of no more than six (6) characters in length.<br>
|
||||
REJECT
|
||||
Log level for connections rejected for this User Set.<br>
|
||||
ACCEPT Log
|
||||
level for connections accepted for this User Set.<br>
|
||||
DROP
|
||||
Log level for connections dropped for this User Set.<br>
|
||||
</div>
|
||||
<br>
|
||||
In the REJECT and ACCEPT columns, if you don't want to specify a value
|
||||
in the column but you want to specify a value in a following column,
|
||||
you may enter "-".<br>
|
||||
<br>
|
||||
Users and/or groups are added to User Sets using the
|
||||
/etc/shorewall/users file. Columns in that file are:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">USERSET
|
||||
The name of a User Set defined in
|
||||
/etc/shorewall/usersets.<br>
|
||||
USER
|
||||
The name of a user defined on the system or a user number.<br>
|
||||
GROUP
|
||||
The name of a group defined on the system or a number.<br>
|
||||
</div>
|
||||
<p align="left">Only one of the USER and GROUP
|
||||
column needs to be non-empty. If you wish to specify a GROUP but not a
|
||||
USER, enter "-" in the user column.<br>
|
||||
</p>
|
||||
<p align="left">If both USER and GROUP are
|
||||
specified then only programs running under that USER:GROUP pair will
|
||||
match rules specifying the User Set named in the USERSET column.<br>
|
||||
</p>
|
||||
<p align="left">Once a user set has been defined, its name may be
|
||||
placed in the USER SET column of the /etc/shorewall/rules file. <span
|
||||
style="color: rgb(255, 0, 0);"><span style="font-weight: bold;">IMPORTANT:
|
||||
</span></span>When
|
||||
the name of a user set is given in the USER SET column, you may not
|
||||
include a log level in the ACTION column; logging of such rules is
|
||||
governed solely by the user set's definition in the
|
||||
/etc/shorewall/userset file.
|
||||
</p>
|
||||
<p align="left">Example: You want members of the
|
||||
'admin' group and 'root' to be able to use ssh on the firewall to
|
||||
connect to local systems. You want to log all connections accepted for
|
||||
these users using syslog at the 'info' level.<br>
|
||||
</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p align="left" style="margin-left: 40px;">/etc/shorewall/usersets</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<pre style="margin-left: 80px;">#USERSET REJECT ACCEPT DROP<br>admins - info<br></pre>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<p align="left" style="margin-left: 40px;">/etc/shorewall/users<br>
|
||||
</p>
|
||||
<div style="margin-left: 40px;"></div>
|
||||
<pre style="margin-left: 80px;">#USERSET USER GROUP<br>admins - admin<br>admins root<br></pre>
|
||||
<div style="margin-left: 40px;">/etc/shorewall/rules<br>
|
||||
</div>
|
||||
<pre style="margin-left: 80px;">#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 22 - - - admins<br></pre>
|
||||
<h2><a name="Rule"></a>Restricting a rule to a particular user and/or
|
||||
group<br>
|
||||
</h2>
|
||||
In cases where you may want to restrict a rule to a particular user
|
||||
and/or group, the USER SET column in the rules file may be specified as:<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">[ <<span style="font-style: italic;">user
|
||||
name or number</span>> ] : [ <<span style="font-style: italic;">group
|
||||
name or number</span>> ]<br>
|
||||
<div style="text-align: left;"><br>
|
||||
</div>
|
||||
</div>
|
||||
When a user and/or group name is given in the USER SET column, it is OK
|
||||
to specify a log level in the ACTION column. <br>
|
||||
<br>
|
||||
Example: You want user <span style="font-style: italic;">mail </span>to
|
||||
be able to send email from the firewall to the local net zone<br>
|
||||
<br>
|
||||
<div style="margin-left: 40px;">/etc/shorewall/rules (be sure to note
|
||||
the ":" in the USER SET column entry).<br>
|
||||
<pre>#ACTION SOURCE DESTINATION PROTO PORT SOURCE ORIGINAL RATE USER<br># PORT(S) DESTINATION SET<br><br>ACCEPT $FW loc tcp 25 - - - mail:</pre>
|
||||
</div>
|
||||
<p align="left"><font size="2">Last updated 9/19/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
|
||||
</body>
|
||||
</html>
|
@ -1,78 +1,59 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>VPN</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">VPN</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>It is often the case that a system behind the firewall needs to be able
|
||||
to access a remote network through Virtual Private Networking (VPN). The
|
||||
two most common means for doing this are IPSEC and PPTP. The basic setup
|
||||
is shown in the following diagram:</p>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">VPN<br>
|
||||
</h1>
|
||||
<p>It is often the case that a system behind the firewall needs to be
|
||||
able to access a remote network through Virtual Private Networking
|
||||
(VPN). The two most common means for doing this are IPSEC and PPTP. The
|
||||
basic setup is shown in the following diagram:</p>
|
||||
<p align="center"><img border="0" src="images/VPN.png" width="568"
|
||||
height="796">
|
||||
</p>
|
||||
|
||||
<p align="left">A system with an RFC 1918 address needs to access a remote
|
||||
network through a remote gateway. For this example, we will assume that the
|
||||
local system has IP address 192.168.1.12 and that the remote gateway has
|
||||
IP address 192.0.2.224.</p>
|
||||
|
||||
<p align="left">If PPTP is being used, there are no firewall requirements
|
||||
beyond the default loc->net ACCEPT policy. There is one restriction however:
|
||||
Only one local system at a time can be connected to a single remote gateway
|
||||
unless you patch your kernel from the 'Patch-o-matic' patches available at
|
||||
height="796"> </p>
|
||||
<p align="left">A system with an RFC 1918 address needs to access a
|
||||
remote network through a remote gateway. For this example, we will
|
||||
assume that the local system has IP address 192.168.1.12 and that the
|
||||
remote gateway has
|
||||
IP address 192.0.2.224.</p>
|
||||
<p align="left">If PPTP is being used, there are no firewall
|
||||
requirements beyond the default loc->net ACCEPT policy. There is one
|
||||
restriction however: Only one local system at a time can be connected
|
||||
to a single remote gateway unless you patch your kernel from the
|
||||
'Patch-o-matic' patches available at
|
||||
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
|
||||
|
||||
<p align="left">If IPSEC is being used then only one system may connect to
|
||||
the remote gateway and there are firewall configuration requirements as follows:</p>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">If IPSEC is being used then only one system may connect
|
||||
to the remote gateway and there are firewall configuration requirements
|
||||
as follows:</p>
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
bordercolor="#111111" id="AutoNumber2" height="98">
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td height="38"><u><b>ACTION</b></u></td>
|
||||
<td height="38"><u><b>SOURCE</b></u></td>
|
||||
<td height="38"><u><b>DESTINATION</b></u></td>
|
||||
<td height="38"><u><b>PROTOCOL</b></u></td>
|
||||
<td height="38"><u><b>PORT</b></u></td>
|
||||
<td height="38"><u><b>CLIENT<br>
|
||||
PORT</b></u></td>
|
||||
PORT</b></u></td>
|
||||
<td height="38"><u><b>ORIGINAL<br>
|
||||
DEST</b></u></td>
|
||||
DEST</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td height="19">DNAT</td>
|
||||
<td height="19">net:192.0.2.224</td>
|
||||
<td height="19">loc:192.168.1.12</td>
|
||||
<td height="19">50</td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td height="19">DNAT</td>
|
||||
@ -80,27 +61,24 @@ the remote gateway and there are firewall configuration requirements as follows
|
||||
<td height="19">loc:192.168.1.12</td>
|
||||
<td height="19">udp</td>
|
||||
<td height="19">500</td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
<td height="19"> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>If you want to be able to give access to all of your local systems to the
|
||||
remote network, you should consider running a VPN client on your firewall.
|
||||
As starting points, see <a
|
||||
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
|
||||
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
|
||||
|
||||
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
</blockquote>
|
||||
<p>If you want to be able to give access to all of your local systems
|
||||
to the remote network, you should consider running a VPN client on your
|
||||
firewall. As starting points, see <a
|
||||
href="Documentation.htm#Tunnels">
|
||||
http://www.shorewall.net/Documentation.htm#Tunnels</a> or <a
|
||||
href="PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
|
||||
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
<p> </p>
|
||||
<br>
|
||||
<br>
|
||||
<p> </p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,102 +1,91 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Blacklisting Support</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall Blacklisting Support<br>
|
||||
</h1>
|
||||
<p>Shorewall supports two different forms of blacklisting; static and
|
||||
dynamic. Beginning with Shorewall version 1.4.8, the BLACKLISTNEWONLY
|
||||
option in /etc/shorewall/shorewall.conf controls the degree of
|
||||
blacklist filtering:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>BLACKLISTNEWONLY=No -- All incoming packets are checked
|
||||
against the blacklist. New blacklist entries can be used to terminate
|
||||
existing connections. Versions of Shorewall prior to 1.4.8 behave in
|
||||
this manner.<br>
|
||||
</li>
|
||||
<li>BLACKLISTNEWONLY=Yes -- The blacklists are only consulted for new
|
||||
connection requests. Blacklists may not be used to terminate existing
|
||||
connections.</li>
|
||||
</ol>
|
||||
Only the source address is checked against the blacklists.<br>
|
||||
<h2>Static Blacklisting</h2>
|
||||
|
||||
<p>Shorewall static blacklisting support has the following configuration
|
||||
<p>Shorewall static blacklisting support has the following
|
||||
configuration
|
||||
parameters:</p>
|
||||
|
||||
<ul>
|
||||
<li>You specify whether you want packets from blacklisted hosts dropped
|
||||
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
|
||||
setting in /etc/shorewall/shorewall.conf</li>
|
||||
<li>You specify whether you want packets from blacklisted hosts logged
|
||||
and at what syslog level using the <a
|
||||
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
|
||||
/etc/shorewall/shorewall.conf</li>
|
||||
<li>You list the IP addresses/subnets that you wish to blacklist in
|
||||
<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
|
||||
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and
|
||||
Port numbers/Service names in the blacklist file.<br>
|
||||
</li>
|
||||
<li>You specify the interfaces whose incoming packets you want checked
|
||||
against the blacklist using the "<a
|
||||
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
|
||||
<li>The black list is refreshed from /etc/shorewall/blacklist by the
|
||||
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
|
||||
|
||||
<li>You specify whether you want packets from blacklisted hosts
|
||||
dropped or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
|
||||
setting in /etc/shorewall/shorewall.conf</li>
|
||||
<li>You specify whether you want packets from blacklisted hosts
|
||||
logged and at what syslog level using the <a
|
||||
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
|
||||
/etc/shorewall/shorewall.conf</li>
|
||||
<li>You list the IP addresses/subnets that you wish to blacklist in <a
|
||||
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
|
||||
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
|
||||
and
|
||||
Port numbers/Service names in the blacklist file.<br>
|
||||
</li>
|
||||
<li>You specify the interfaces whose incoming packets you want
|
||||
checked against the blacklist using the "<a
|
||||
href="Documentation.htm#Interfaces">blacklist</a>" option in
|
||||
/etc/shorewall/interfaces.</li>
|
||||
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
|
||||
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
|
||||
</ul>
|
||||
|
||||
<h2>Dynamic Blacklisting</h2>
|
||||
|
||||
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
|
||||
doesn't use any configuration parameters but is rather controlled using
|
||||
/sbin/shorewall commands:</p>
|
||||
|
||||
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic
|
||||
blacklisting doesn't use any configuration parameters but is rather
|
||||
controlled using /sbin/shorewall commands:</p>
|
||||
<ul>
|
||||
<li>drop <i><ip address list> </i>- causes packets from the
|
||||
listed IP addresses to be silently dropped by the firewall.</li>
|
||||
<li>reject <i><ip address list> </i>- causes packets from the
|
||||
listed IP addresses to be rejected by the firewall.</li>
|
||||
<li>allow <i><ip address list> </i>- re-enables receipt of packets
|
||||
from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
|
||||
<li>drop <i><ip address list> </i>- causes packets from the
|
||||
listed IP addresses to be silently dropped by the firewall.</li>
|
||||
<li>reject <i><ip address list> </i>- causes packets from the
|
||||
listed IP addresses to be rejected by the firewall.</li>
|
||||
<li>allow <i><ip address list> </i>- re-enables receipt of
|
||||
packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
|
||||
command.</li>
|
||||
<li>save - save the dynamic blacklisting configuration so that it
|
||||
will be automatically restored the next time that the firewall is restarted.</li>
|
||||
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
|
||||
|
||||
<li>save - save the dynamic blacklisting configuration so that it
|
||||
will be automatically restored the next time that the firewall is
|
||||
restarted.</li>
|
||||
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
|
||||
</ul>
|
||||
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
|
||||
in /etc/shorewall/interfaces.<br>
|
||||
|
||||
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
|
||||
in /etc/shorewall/interfaces.<br>
|
||||
<p>Example 1:</p>
|
||||
|
||||
<pre> <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
|
||||
|
||||
<p> Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
|
||||
|
||||
<p> Drops packets from hosts 192.0.2.124 and
|
||||
192.0.2.125</p>
|
||||
<p>Example 2:</p>
|
||||
|
||||
<pre> <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
|
||||
|
||||
<p> Reenables access from 192.0.2.125.</p>
|
||||
|
||||
<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p> Reenables access from 192.0.2.125.</p>
|
||||
<p><font size="2">Last updated 11/14/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -9,17 +9,8 @@
|
||||
<title>Configuration File Basics</title>
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Configuration Files<br>
|
||||
</h1>
|
||||
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
|
||||
configuration files on a system running Microsoft Windows, you <u>must</u>
|
||||
run them through <a
|
||||
@ -46,7 +37,7 @@ and Source Network Address Translation (SNAT).</li>
|
||||
modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are exceptions to the
|
||||
overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT
|
||||
<li>/etc/shorewall/nat - defines one-to-one NAT
|
||||
rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
|
||||
@ -254,18 +245,21 @@ that you can then use in some of the other configuration files.</p>
|
||||
<p>It is suggested that variable names begin with an upper case letter<font
|
||||
size="1"> </font>to distinguish them from variables used internally
|
||||
within the Shorewall programs</p>
|
||||
<p>Example:</p>
|
||||
<p>Example:<br>
|
||||
</p>
|
||||
<p> /etc/shorewall/params<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
|
||||
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918<br></pre>
|
||||
</blockquote>
|
||||
<p><br>
|
||||
Example (/etc/shorewall/interfaces record):</p>
|
||||
<p> /etc/shorewall/interfaces record:</p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
<blockquote>
|
||||
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
<p>The result will be the same as if the record had been written</p>
|
||||
<p> The result will be the same as if the record had
|
||||
been written</p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
<blockquote>
|
||||
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
|
||||
@ -331,7 +325,8 @@ The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
|
||||
allows you to attempt to restart using an alternate configuration and
|
||||
if an
|
||||
error occurs to automatically restart the standard configuration.<br>
|
||||
<p><font size="2"> Updated 8/22/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
<p><font size="2"> Updated 11/20/2003 - <a href="support.htm">Tom
|
||||
Eastep</a>
|
||||
</font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
|
@ -1,46 +1,30 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Copyright</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Copyright</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Copyright <font face="Trebuchet MS">©</font> 2000, 2001,
|
||||
2003 Thomas M Eastep<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">Permission is granted to copy, distribute and/or modify
|
||||
this document under the terms of the GNU Free Documentation License, Version
|
||||
1.1 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
|
||||
A copy of the license is included in the section entitled "<a
|
||||
href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<br>
|
||||
<br>
|
||||
<body>
|
||||
<h1 style="text-align: center;">Copyright<br>
|
||||
</h1>
|
||||
<p align="left">Copyright <font face="Trebuchet MS">©</font>
|
||||
2000, 2001, 2003 Thomas M Eastep<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p align="left">Permission is granted to copy, distribute and/or
|
||||
modify this document under the terms of the GNU Free Documentation
|
||||
License, Version 1.1 or any later version published by the Free
|
||||
Software Foundation; with no Invariant Sections, with no Front-Cover,
|
||||
and with no Back-Cover Texts. A copy of the license is included in the
|
||||
section entitled "<a href="GnuCopyright.htm">GNU Free Documentation
|
||||
License</a>".<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,85 +1,65 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>DHCP</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">DHCP</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">DHCP<br>
|
||||
</h1>
|
||||
<h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">Specify the "dhcp" option on each interface to be served
|
||||
by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file. This will generate rules that will allow DHCP to and from your firewall
|
||||
system. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">When starting "dhcpd", you need to list those interfaces
|
||||
on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
|
||||
</p>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<p align="left">Specify the "dhcp" option on each interface to be
|
||||
served
|
||||
by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file. This will generate rules that will allow DHCP to and from your
|
||||
firewall
|
||||
system. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">When starting "dhcpd", you need to list those
|
||||
interfaces on the run line. On a RedHat system, this is done by
|
||||
modifying /etc/sysconfig/dhcpd. </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">Specify the "dhcp" option for this interface in the
|
||||
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file. This will generate rules that will allow DHCP to and from your firewall
|
||||
system. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If you know that the dynamic address is always going to
|
||||
be in the same subnet, you can specify the subnet address in the interface's
|
||||
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If you don't know the subnet address in advance, you should
|
||||
specify "detect" for the interface's subnet address in the <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
|
||||
and start Shorewall after the interface has started. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">In the event that the subnet address might change while
|
||||
Shorewall is started, you need to arrange for a "shorewall refresh"
|
||||
command to be executed when a new dynamic IP address gets assigned to
|
||||
the interface. Check your DHCP client's documentation. </p>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<p align="left">Specify the "dhcp" option for this interface in the
|
||||
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file. This will generate rules that will allow DHCP to and from
|
||||
your firewall system. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If you know that the dynamic address is always
|
||||
going to
|
||||
be in the same subnet, you can specify the subnet address in the
|
||||
interface's entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
file. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If you don't know the subnet address in advance,
|
||||
you should specify "detect" for the interface's subnet address in the <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
|
||||
and start Shorewall after the interface has started. </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">In the event that the subnet address might change
|
||||
while Shorewall is started, you need to arrange for a "shorewall
|
||||
refresh" command to be executed when a new dynamic IP address gets
|
||||
assigned to the interface. Check your DHCP client's documentation. </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<p align="left"><font size="2">Last updated 11/03/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -9,17 +9,8 @@
|
||||
<title>Download</title>
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Shorewall Download<br>
|
||||
</h1>
|
||||
<p><b>I strongly urge you to read and print a copy of the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.<br>
|
||||
@ -86,20 +77,20 @@ removing the file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>SourceForge<br>
|
||||
</td>
|
||||
<td>sf.net</td>
|
||||
<td><a
|
||||
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
|
||||
<td>N/A</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td style="vertical-align: top;">Washington State, USA</td>
|
||||
<td style="vertical-align: top;">Shorewall.net</td>
|
||||
<td style="vertical-align: top;"><a
|
||||
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td style="vertical-align: top;"><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
@ -144,7 +135,8 @@ Unavailable)</a></td>
|
||||
<td valign="top"><a
|
||||
href="http://argentina.shorewall.net/pub/shorewall/shorewall">Browse</a><br>
|
||||
</td>
|
||||
<td valign="top">N/A<br>
|
||||
<td valign="top"><a href="ftp://ftp.syachile.cl/pub/shorewall"
|
||||
target="_top">Browse</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
@ -159,11 +151,14 @@ Unavailable)</a></td>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
|
||||
target="_blank">Browse</a></td>
|
||||
<td>Sourceforge - California, USA (Incomplete)<br>
|
||||
</td>
|
||||
<td>Sourceforge.net<br>
|
||||
</td>
|
||||
<td><a href="http://sourceforge.net/projects/shorewall">Browse<br>
|
||||
</a></td>
|
||||
<td>N/A<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
@ -187,7 +182,7 @@ These snapshots have undergone initial testing and will have been
|
||||
installed and run at shorewall.net.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p align="left"><font size="2">Last Updated 9/25/2003 - <a
|
||||
<p align="left"><font size="2">Last Updated 11/14/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
|
@ -10,43 +10,36 @@
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
|
||||
Issues</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p align="center"> <b><u>IMPORTANT</u></b></p>
|
||||
<p align="center"> </p>
|
||||
<h1 style="text-align: center;">Shorewall Errata<br>
|
||||
</h1>
|
||||
<p align="center"><b><u>IMPORTANT</u></b></p>
|
||||
<ol>
|
||||
<li>
|
||||
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
||||
a corrected script, be sure to run the script through <u> <a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||
style="text-decoration: none;"> dos2unix</a></u> after you have moved
|
||||
it to your Linux system.</b></p>
|
||||
it
|
||||
to your Linux system.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> <b>If you are installing Shorewall for the first
|
||||
time and plan to use the .tgz and install.sh script, you can untar
|
||||
the archive, replace the 'firewall' script in the untarred directory
|
||||
with the one you downloaded below, and then run install.sh.</b></p>
|
||||
time and plan to use the .tgz and install.sh script, you can untar the
|
||||
archive, replace the 'firewall' script in the untarred directory with
|
||||
the one you downloaded below, and then run install.sh.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> <b>When the instructions say to install a
|
||||
corrected firewall script in /usr/share/shorewall/firewall,
|
||||
you may rename the existing file before copying in the new file.</b></p>
|
||||
corrected firewall script in /usr/share/shorewall/firewall, you may
|
||||
rename the existing file before copying in the new file.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
|
||||
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
|
||||
BELOW. For example, do NOT install the 1.3.9a firewall script
|
||||
if you are running 1.3.7c.</font></b><br>
|
||||
BELOW. For example, do NOT install the 1.3.9a firewall script if you
|
||||
are
|
||||
running 1.3.7c.</font></b><br>
|
||||
</p>
|
||||
</li>
|
||||
</ol>
|
||||
@ -61,8 +54,7 @@ Version 1.1</a></font></b></li>
|
||||
<li> <b><font color="#660066"><a href="#iptables"> Problem with
|
||||
iptables version 1.2.3 on RH7.2</a></font></b></li>
|
||||
<li> <b><a href="#Debug">Problems with kernels >= 2.4.18 and
|
||||
RedHat
|
||||
iptables</a></b></li>
|
||||
RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
|
||||
MULTIPORT=Yes</a></b></li>
|
||||
@ -75,12 +67,38 @@ REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
|
||||
<hr>
|
||||
<h2 align="left"><a name="V1.4"></a>Problems in Version 1.4</h2>
|
||||
<h3></h3>
|
||||
<h3>1.4.7</h3>
|
||||
<ul>
|
||||
<li>Using some versions of 'ash' (such as from RH8) as the
|
||||
SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so: <br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.</li>
|
||||
<li>When more than one ICMP type is listed in a rule and your kernel
|
||||
includes multiport match support, the firewall fails to
|
||||
start. </li>
|
||||
<li>Regardless of the setting of LOGUNCLEAN, the value
|
||||
LOGUNCLEAN=info was used.</li>
|
||||
<li>After the following error message, Shorewall was left in an
|
||||
inconsistent state:<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through interface xxx<br>
|
||||
</li>
|
||||
</ul>
|
||||
These problems have been corrected in this <a
|
||||
href="http://shorewall.net/pub/shorewall/errata/1.4.7/firewall">firewall
|
||||
script</a> which may be installed in /var/share/shorewall/firewall as
|
||||
described above.<br>
|
||||
<h3>1.4.6</h3>
|
||||
<ul>
|
||||
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
|
||||
would fail to start with the error "ERROR: Traffic Control
|
||||
requires Mangle";
|
||||
that problem has been corrected in <a
|
||||
requires
|
||||
Mangle"; that problem has been corrected in <a
|
||||
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
||||
firewall script</a> which may be installed in
|
||||
/var/share/shorewall/firewall as described above. This problem is also
|
||||
@ -95,13 +113,10 @@ follows:<br>
|
||||
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
|
||||
in <a href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
|
||||
firewall script</a> which may be installed in
|
||||
/var/share/shorewall/firewall
|
||||
as described above. For all other versions, you will have to edit your
|
||||
'firewall'
|
||||
script (in versions 1.4.*, it is located in
|
||||
/usr/share/shorewall/firewall).
|
||||
Locate the function add_tcrule_() and in that function, replace this
|
||||
line:<br>
|
||||
/var/share/shorewall/firewall as described above. For all other
|
||||
versions, you will have to edit your 'firewall' script (in versions
|
||||
1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
|
||||
function add_tcrule_() and in that function, replace this line:<br>
|
||||
<br>
|
||||
<span style="font-family: monospace;">r=`mac_match
|
||||
$source` </span><br>
|
||||
@ -116,13 +131,13 @@ Note that there must be a space before the ending quote!<br>
|
||||
</ul>
|
||||
<h3>1.4.4b</h3>
|
||||
<ul>
|
||||
<li>Shorewall is ignoring records in /etc/shorewall/routestopped
|
||||
that have an empty second column (HOSTS). This problem may be corrected
|
||||
by installing <a
|
||||
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
|
||||
have an empty second column (HOSTS). This problem may be corrected by
|
||||
installing <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
|
||||
target="_top">this firewall script</a> in
|
||||
/usr/share/shorewall/firewall as
|
||||
described above.</li>
|
||||
/usr/share/shorewall/firewall
|
||||
as described above.</li>
|
||||
<li>The INCLUDE directive doesn't work when placed in the
|
||||
/etc/shorewall/zones file. This problem may be corrected by installing <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
|
||||
@ -138,8 +153,8 @@ though the log level for the console is set properly according to <a
|
||||
installing <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
|
||||
target="_top">this firewall script</a> in
|
||||
/usr/share/shorewall/firewall as
|
||||
described above.<br>
|
||||
/usr/share/shorewall/firewall
|
||||
as described above.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.4<br>
|
||||
@ -158,7 +173,8 @@ to allow integration of Shorewall with Fireparse
|
||||
of the integration problem. I have implimented a new LOGFORMAT variable
|
||||
which will replace LOGMARKER which has completely solved this problem
|
||||
and is currently in production with fireparse here at shorewall.net.
|
||||
The updated files may be found at <a
|
||||
The
|
||||
updated files may be found at <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
|
||||
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
|
||||
See the 0README.txt file for details.<br>
|
||||
@ -171,8 +187,8 @@ directory created in /tmp is not being removed. This problem may be
|
||||
corrected by installing <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
|
||||
target="_top">this firewall script</a> in
|
||||
/usr/share/shorewall/firewall as
|
||||
described above. <br>
|
||||
/usr/share/shorewall/firewall
|
||||
as described above. <br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
|
||||
@ -191,7 +207,8 @@ in /etc/shorewall/common.def.<br>
|
||||
produces the harmless additional message:<br>
|
||||
<br>
|
||||
/usr/share/shorewall/firewall: line 2174: [: =:
|
||||
unary operator expected<br>
|
||||
unary operator
|
||||
expected<br>
|
||||
<br>
|
||||
You may correct the problem by installing <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1/firewall"
|
||||
@ -202,8 +219,8 @@ You may correct the problem by installing <a
|
||||
<h3>1.4.0</h3>
|
||||
<ul>
|
||||
<li>When running under certain shells Shorewall will attempt to
|
||||
create ECN rules even when /etc/shorewall/ecn is empty. You may
|
||||
either just remove /etc/shorewall/ecn or you can install <a
|
||||
create ECN rules even when /etc/shorewall/ecn is empty. You may either
|
||||
just remove /etc/shorewall/ecn or you can install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
|
||||
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
|
||||
</li>
|
||||
@ -222,17 +239,19 @@ released this buggy iptables in RedHat 7.2. </p>
|
||||
<p align="left"> I have built a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have
|
||||
also built an <a
|
||||
also
|
||||
built an <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are
|
||||
currently running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
|
||||
</b>you upgrade to RedHat 7.2.</p>
|
||||
currently
|
||||
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
|
||||
</b>you
|
||||
upgrade to RedHat 7.2.</p>
|
||||
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
||||
has released an iptables-1.2.4 RPM of their own which
|
||||
you can download from<font color="#ff6633"> <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
|
||||
</font>I have installed this RPM on my firewall and
|
||||
it works fine.</p>
|
||||
has released an iptables-1.2.4 RPM of their own which you can download
|
||||
from<font color="#ff6633"> <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.</font>I
|
||||
have installed this RPM on my firewall and it works fine.</p>
|
||||
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
||||
the patches are available for download. This <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
||||
@ -246,8 +265,8 @@ corrects a problem in handling the TOS target.</p>
|
||||
<li>patch -p0 < <i>the-patch-file</i></li>
|
||||
</ul>
|
||||
</blockquote>
|
||||
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18 and
|
||||
RedHat iptables</h3>
|
||||
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18 and RedHat
|
||||
iptables</h3>
|
||||
<blockquote>
|
||||
<p>Users who use RedHat iptables RPMs and who upgrade to kernel
|
||||
2.4.18/19 may experience the following:</p>
|
||||
@ -259,10 +278,9 @@ user-space debugging code was not updated to reflect recent changes in
|
||||
the Netfilter 'mangle' table. You can correct the problem by installing
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
||||
this iptables RPM</a>. If you are already running a
|
||||
1.2.5 version of iptables, you will need to specify the
|
||||
--oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage
|
||||
iptables-1.2.5-1.i386.rpm").</p>
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version of
|
||||
iptables, you will need to specify the --oldpackage option to rpm
|
||||
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
</blockquote>
|
||||
<h3><a name="SuSE"></a>Problems installing/upgrading RPM on SuSE</h3>
|
||||
<p>If you find that rpm complains about a conflict with kernel <=
|
||||
@ -275,7 +293,8 @@ MULTIPORT=Yes</b></h3>
|
||||
<p>The iptables 1.2.7 release of iptables has made an incompatible
|
||||
change to the syntax used to specify multiport match rules; as a
|
||||
consequence, if you install iptables 1.2.7 you must be running
|
||||
Shorewall 1.3.7a or later or:</p>
|
||||
Shorewall
|
||||
1.3.7a or later or:</p>
|
||||
<ul>
|
||||
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
|
||||
<li>if you are running Shorewall 1.3.6 you may install <a
|
||||
@ -293,23 +312,22 @@ Error message is:<br>
|
||||
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
|
||||
The solution is to put "no" in the LOCAL column. Kernel support for
|
||||
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
|
||||
2.4.19 kernel contains corrected support
|
||||
under a new kernel configuraiton option; see <a
|
||||
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
2.4.19 kernel contains corrected support under a new kernel
|
||||
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
<br>
|
||||
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
|
||||
and REJECT
|
||||
(also applies to 2.4.21-RC1)</b></h3>
|
||||
and
|
||||
REJECT (also applies to 2.4.21-RC1)</b></h3>
|
||||
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
|
||||
tcp-reset" is broken. The symptom most commonly seen is that REJECT
|
||||
rules act just like DROP rules when dealing with TCP. A kernel patch
|
||||
and precompiled modules to fix this problem are available at <a
|
||||
and
|
||||
precompiled modules to fix this problem are available at <a
|
||||
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
|
||||
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
|
||||
<hr>
|
||||
<p><font size="2"> Last updated 7/23/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
</p>
|
||||
<p><font size="2"> Last updated 10/11/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font> </p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
|
@ -1,77 +1,61 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Fallback and Uninstall</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Fallback and Uninstall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<body>
|
||||
<div style="text-align: left;">
|
||||
<h1 style="text-align: center;">Fallback and Uninstall<br>
|
||||
</h1>
|
||||
<h1><strong></strong></h1>
|
||||
<h1><strong></strong></h1>
|
||||
</div>
|
||||
<p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
|
||||
script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
|
||||
script</strong></a><strong>.</strong></p>
|
||||
|
||||
<h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall
|
||||
using the Fallback Script</h2>
|
||||
|
||||
<p>If you install Shorewall and discover that it doesn't work for you, you
|
||||
<h2><a name="fallback"></a>Falling Back to the Previous Version of
|
||||
Shorewall using the Fallback Script</h2>
|
||||
<p>If you install Shorewall and discover that it doesn't work for you,
|
||||
you
|
||||
can fall back to your previously installed version. To do that:</p>
|
||||
|
||||
<ul>
|
||||
<li>cd to the distribution directory for the version of Seattle
|
||||
Firewall <u>that you are currently running </u>(NOT the version
|
||||
that you want to fall back to).</li>
|
||||
<li>Type "./fallback.sh"</li>
|
||||
|
||||
<li>cd to the distribution directory for the version of Seattle
|
||||
Firewall <u>that you are currently running </u>(NOT the version that
|
||||
you want to fall back to).</li>
|
||||
<li>Type "./fallback.sh"</li>
|
||||
</ul>
|
||||
|
||||
<h3><strong><u>Warning:</u> The fallback script will replace /etc/shorewall/policy,
|
||||
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat, /etc/shorewall/proxyarp
|
||||
and /etc/shorewall/masq with the version of these files from before the current
|
||||
<h3><strong><u>Warning:</u> The fallback script will replace
|
||||
/etc/shorewall/policy,
|
||||
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat,
|
||||
/etc/shorewall/proxyarp
|
||||
and /etc/shorewall/masq with the version of these files from before the
|
||||
current
|
||||
version was installed. Any changes to any of these files will be lost.</strong></h3>
|
||||
|
||||
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using
|
||||
rpm</h2>
|
||||
|
||||
<p>If your previous version of Shorewall was installed using RPM, you may
|
||||
fall back to that version by typing "rpm -Uvh --force <old rpm>" at
|
||||
a root shell prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm"
|
||||
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall
|
||||
using rpm</h2>
|
||||
<p>If your previous version of Shorewall was installed using RPM, you
|
||||
may
|
||||
fall back to that version by typing "rpm -Uvh --force <old rpm>"
|
||||
at
|
||||
a root shell prompt (Example: "rpm -Uvh --force
|
||||
/downloads/shorewall-3.1=0noarch.rpm"
|
||||
would fall back to the 3.1-0 version of Shorewall).</p>
|
||||
|
||||
<h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
|
||||
|
||||
<p>If you no longer wish to use Shorewall, you may remove it by:</p>
|
||||
|
||||
<ul>
|
||||
<li>cd to the distribution directory for the version of Shorewall
|
||||
<li>cd to the distribution directory for the version of Shorewall
|
||||
that you have installed.</li>
|
||||
<li>type "./uninstall.sh"</li>
|
||||
|
||||
<li>type "./uninstall.sh"</li>
|
||||
</ul>
|
||||
|
||||
<p>If you installed using an rpm, at a root shell prompt type "rpm -e shorewall".</p>
|
||||
|
||||
<p>If you installed using an rpm, at a root shell prompt type "rpm -e
|
||||
shorewall".</p>
|
||||
<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,80 +1,57 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>GNU Mailman</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy
|
||||
Way</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h1 align="center"> </h1>
|
||||
|
||||
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
|
||||
Tokarev as a suggested addition to the Postfix FAQ.</h4>
|
||||
|
||||
<body>
|
||||
<h1 align="center">GNU Mailman/Postfix the Easy Way </h1>
|
||||
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by
|
||||
Michael Tokarev as a suggested addition to the Postfix FAQ.</h4>
|
||||
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
|
||||
<br>
|
||||
A: Mailman uses a setgid wrapper that is designed to be used in system-wide
|
||||
aliases file so that rest of mailman's mail handling processes will run
|
||||
with proper uid/gid. Postfix has an ability to run a command specified in
|
||||
an alias as owner of that alias, thus mailman's wrapper is not needed here.
|
||||
The best method to invoke mailman's mail handling via aliases is to use
|
||||
separate alias file especially for mailman, and made it owned by mailman
|
||||
and group mailman. Like:<br>
|
||||
<br>
|
||||
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
|
||||
<br>
|
||||
Make sure that /var/mailman/aliases.db is owned by mailman user (this
|
||||
may be done by executing postalias as mailman userid).<br>
|
||||
<br>
|
||||
Next, instead of using mailman-suggested aliases entries with wrapper,
|
||||
use the following:<br>
|
||||
<br>
|
||||
instead of<br>
|
||||
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
|
||||
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
|
||||
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
|
||||
...<br>
|
||||
<br>
|
||||
use<br>
|
||||
mailinglist: /var/mailman/scripts/post mailinglist<br>
|
||||
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
|
||||
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
|
||||
...</p>
|
||||
|
||||
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something
|
||||
very similar so that no workaround is necessary. See the README.POSTFIX file
|
||||
included with Mailman-2.1. </h4>
|
||||
|
||||
<br>
|
||||
A: Mailman uses a setgid wrapper that is designed to be used in
|
||||
system-wide aliases file so that rest of mailman's mail handling
|
||||
processes will run with proper uid/gid. Postfix has an ability to run a
|
||||
command specified in an alias as owner of that alias, thus mailman's
|
||||
wrapper is not needed here. The best method to invoke mailman's mail
|
||||
handling via aliases is to use separate alias file especially for
|
||||
mailman, and made it owned by mailman and group mailman. Like:<br>
|
||||
<br>
|
||||
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
|
||||
<br>
|
||||
Make sure that /var/mailman/aliases.db is owned by mailman user (this
|
||||
may be done by executing postalias as mailman userid).<br>
|
||||
<br>
|
||||
Next, instead of using mailman-suggested aliases entries with wrapper,
|
||||
use the following:<br>
|
||||
<br>
|
||||
instead of<br>
|
||||
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
|
||||
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
|
||||
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
|
||||
...<br>
|
||||
<br>
|
||||
use<br>
|
||||
mailinglist: /var/mailman/scripts/post mailinglist<br>
|
||||
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
|
||||
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
|
||||
...</p>
|
||||
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted
|
||||
something very similar so that no workaround is necessary. See the
|
||||
README.POSTFIX file included with Mailman-2.1. </h4>
|
||||
<p align="left"><font size="2">Last updated 12/29/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M.
|
||||
Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
Binary file not shown.
BIN
Shorewall-docs/images/Logo.png
Executable file
BIN
Shorewall-docs/images/Logo.png
Executable file
Binary file not shown.
BIN
Shorewall-docs/images/Logo1.gif
Normal file
BIN
Shorewall-docs/images/Logo1.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 10 KiB |
BIN
Shorewall-docs/images/Logo2.gif
Normal file
BIN
Shorewall-docs/images/Logo2.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 10 KiB |
BIN
Shorewall-docs/images/Logo3.png
Executable file
BIN
Shorewall-docs/images/Logo3.png
Executable file
Binary file not shown.
BIN
Shorewall-docs/images/MultiPPTP.png
Executable file
BIN
Shorewall-docs/images/MultiPPTP.png
Executable file
Binary file not shown.
BIN
Shorewall-docs/images/MultiZone1.png
Executable file
BIN
Shorewall-docs/images/MultiZone1.png
Executable file
Binary file not shown.
BIN
Shorewall-docs/images/MultiZone1A.png
Executable file
BIN
Shorewall-docs/images/MultiZone1A.png
Executable file
Binary file not shown.
BIN
Shorewall-docs/images/MultiZone1B.png
Executable file
BIN
Shorewall-docs/images/MultiZone1B.png
Executable file
Binary file not shown.
BIN
Shorewall-docs/images/MultiZone2.png
Executable file
BIN
Shorewall-docs/images/MultiZone2.png
Executable file
Binary file not shown.
Binary file not shown.
BIN
Shorewall-docs/images/ProtectedBy.png
Executable file
BIN
Shorewall-docs/images/ProtectedBy.png
Executable file
Binary file not shown.
BIN
Shorewall-docs/images/netfilterconf.png
Normal file
BIN
Shorewall-docs/images/netfilterconf.png
Normal file
Binary file not shown.
Binary file not shown.
Binary file not shown.
@ -1,22 +1,19 @@
|
||||
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
|
||||
Frameset//EN""http://www.w3.org/TR/html4/frameset.dtd">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>Shoreline Firewall</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
|
||||
<frameset cols="242,*">
|
||||
<frame name="contents" target="main" src="Shorewall_index_frame.htm">
|
||||
<frame name="main" src="seattlefirewall_index.htm" target="_self" scrolling="auto">
|
||||
<noframes>
|
||||
<body>
|
||||
|
||||
<p>This page uses frames, but your browser doesn't support them.</p>
|
||||
|
||||
</body>
|
||||
</noframes>
|
||||
<meta http-equiv="Content-Type" content="text/html;
|
||||
charset=iso-8859-1"></head>
|
||||
<frameset rows="110,*" cols="*" frameborder="yes"
|
||||
border="1"framespacing="0"> <frame
|
||||
src="Banner.html" name="topFrame"scrolling="NO"
|
||||
noresize >
|
||||
<frameset cols="242,*" frameborder="yes" border="1" framespacing="0">
|
||||
<frame src="Shorewall_index_frame.htm" name="contents"> <frame src="seattlefirewall_index.htm"
|
||||
name="main">
|
||||
</frameset>
|
||||
|
||||
</html>
|
||||
</frameset>
|
||||
<noframes><body><p>This page uses frames, but your browser doesn't
|
||||
support them.</p></body></noframes>
|
||||
</html>
|
||||
|
@ -1,46 +1,28 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Kernel Configuration</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>For information regarding configuring and building GNU/Linux kernels, see
|
||||
<body>
|
||||
<h1 style="text-align: center;">Kernel Configuration<br>
|
||||
</h1>
|
||||
<p>For information regarding configuring and building GNU/Linux
|
||||
kernels, see
|
||||
<a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
|
||||
|
||||
<p>Here's a screen shot of my Network Options Configuration:</p>
|
||||
|
||||
<blockquote>
|
||||
<p> <img border="0" src="images/netopts.jpg" width="609" height="842">
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p>While not all of the options that I've selected are required, they should
|
||||
be sufficient for most applications. Here's an excerpt from the corresponding
|
||||
.config file (Note: If you are running a kernel older than 2.4.17, be sure
|
||||
to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
|
||||
|
||||
<blockquote> <font size="2">
|
||||
<blockquote>
|
||||
<p> <img border="0" src="images/netopts.jpg" width="609"
|
||||
height="842"> </p>
|
||||
</blockquote>
|
||||
<p>While not all of the options that I've selected are required, they
|
||||
should be sufficient for most applications. Here's an excerpt from the
|
||||
corresponding .config file (Note: If you are running a kernel older
|
||||
than 2.4.17, be sure to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
|
||||
<blockquote> <font size="2">
|
||||
<p>#<br>
|
||||
# Networking options<br>
|
||||
#<br>
|
||||
@ -70,33 +52,30 @@ CONFIG_NET_IPGRE=y<br>
|
||||
CONFIG_INET_ECN=y<br>
|
||||
CONFIG_SYN_COOKIES=y<br>
|
||||
</p>
|
||||
</font> </blockquote>
|
||||
|
||||
</font> </blockquote>
|
||||
<p>Here's a screen shot of my Netfilter configuration:</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p><img src="images/menuconfig1.jpg" alt="(Netfilter Options)"
|
||||
width="589" height="849">
|
||||
<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Note that I have built everything I need as modules. You can also build
|
||||
everything into your kernel but if you want to be able to deal with FTP running
|
||||
on a non-standard port then I recommend that you modularize FTP Protocol
|
||||
width="589" height="849"> <br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p>Note that I have built everything I need as modules. You can also
|
||||
build
|
||||
everything into your kernel but if you want to be able to deal with FTP
|
||||
running
|
||||
on a non-standard port then I recommend that you modularize FTP
|
||||
Protocol
|
||||
support.<br>
|
||||
</p>
|
||||
<p>Here's the corresponding part of my .config file:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>#<br># IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<pre>#<br># IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
|
||||
</blockquote>
|
||||
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001-2003, Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001-2003, Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -15,7 +15,8 @@
|
||||
border="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="33%" valign="middle" align="left">
|
||||
<td width="33%" valign="middle" align="left"
|
||||
style="background-color: rgb(255, 255, 255);">
|
||||
<h1 align="center"><a
|
||||
href="http://www.centralcommand.com/linux_products.html"><img
|
||||
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
|
||||
@ -23,15 +24,18 @@
|
||||
<a href="http://www.gnu.org/software/mailman/mailman.html"> <img
|
||||
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
|
||||
height="35" alt=""> </a>
|
||||
<p align="right"><font color="#ffffff"><b> </b></font><a
|
||||
<p align="right" style="background-color: rgb(255, 255, 255);"><font
|
||||
color="#ffffff"><b> </b></font><a
|
||||
href="http://razor.sourceforge.net/"><img src="images/razor.gif"
|
||||
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
|
||||
</p>
|
||||
</td>
|
||||
<td valign="middle" width="34%" align="center">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
|
||||
<td valign="middle" width="34%" align="center"
|
||||
style="color: rgb(51, 0, 51); background-color: rgb(255, 255, 255);">
|
||||
<h1 align="center">Shorewall Mailing Lists</h1>
|
||||
</td>
|
||||
<td valign="middle" width="33%"> <a
|
||||
<td valign="middle" width="33%"
|
||||
style="background-color: rgb(255, 255, 255);"> <a
|
||||
href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
|
||||
align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
|
||||
</a><br>
|
||||
@ -50,7 +54,7 @@
|
||||
<big><span style="color: rgb(255, 0, 0);"><span
|
||||
style="font-weight: bold;">If you are reporting a problem or asking a
|
||||
question, you are at the wrong place -- please see the <a
|
||||
href="http://www.shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
|
||||
href="http://shorewall.net/support.htm">Shorewall Support Guide</a>.</span></span></big><br>
|
||||
<br>
|
||||
If you experience problems with any of these lists,
|
||||
please let <a href="mailto:postmaster@shorewall.net">me</a>
|
||||
@ -148,7 +152,7 @@ of general interest to the Shorewall user community is also posted to
|
||||
this list.</p>
|
||||
<p align="left" style="color: rgb(255, 0, 0);"><big><b>Before posting
|
||||
to this list, please see the <a
|
||||
href="http://www.shorewall.net/support.htm">problem
|
||||
href="http://shorewall.net/support.htm">problem
|
||||
reporting guidelines</a>.<br>
|
||||
</b></big></p>
|
||||
<p align="left">To subscribe: <a
|
||||
@ -158,7 +162,9 @@ reporting guidelines</a>.<br>
|
||||
</ul>
|
||||
<p align="left"> To post to the list, post to <a
|
||||
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
|
||||
<br>
|
||||
<span style="font-weight: bold;">IMPORTANT: </span>If you are not
|
||||
subscribed to the list, please say so -- otherwise, you will not be
|
||||
included in any replies.<br>
|
||||
</p>
|
||||
<p align="left">The list archives are at <a
|
||||
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
|
||||
@ -230,8 +236,8 @@ to be emailed to you.</p>
|
||||
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with
|
||||
Postfix?</h2>
|
||||
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
|
||||
<p align="left"><font size="2">Last updated 9/17/2003 - <a
|
||||
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
|
||||
<p align="left"><font size="2">Last updated 10/27/2003 - <a
|
||||
href="http://shorewall.net/support.htm">Tom Eastep</a></font></p>
|
||||
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
©
|
||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
|
@ -9,18 +9,9 @@
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<blockquote> </blockquote>
|
||||
<h1 style="text-align: center;">About My Network<br>
|
||||
</h1>
|
||||
<a href="http://www.redhat.com"><img
|
||||
style="border: 0px solid ; width: 88px; height: 31px;"
|
||||
src="images/poweredby.png" title="" alt="(RedHat Logo)"> </a><a
|
||||
@ -51,7 +42,7 @@
|
||||
<h1> </h1>
|
||||
<blockquote>
|
||||
<p><big><font color="#ff0000"><b>Warning 1: </b></font><b><small>I</small></b></big><big><b><small>
|
||||
use a combination of Static NAT and Proxy ARP, neither of which are
|
||||
use a combination of One-to-one NAT and Proxy ARP, neither of which are
|
||||
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
|
||||
If you have just a single public IP address, most of what you see here
|
||||
won't apply to your setup so beware of copying parts of this
|
||||
@ -70,9 +61,10 @@ and a Wireless network connected to eth3 (192.168.3.0/24).</p>
|
||||
<p> I use:<br>
|
||||
</p>
|
||||
<ul>
|
||||
<li>Static NAT for Ursa (my XP System) - Internal address
|
||||
<li>One-to-one NAT for Ursa (my XP System) - Internal address
|
||||
192.168.1.5 and external address 206.124.146.178.</li>
|
||||
<li>Static NAT for EastepLaptop (My work system). Internal address
|
||||
<li>One-to-one NAT for EastepLaptop (My work system). Internal
|
||||
address
|
||||
192.168.1.7 and external address 206.124.146.180.<br>
|
||||
</li>
|
||||
<li>SNAT through the primary gateway address
|
||||
@ -181,7 +173,8 @@ my Ethernet interfaces. </p>
|
||||
</blockquote>
|
||||
<h3>Masq File: </h3>
|
||||
<blockquote>
|
||||
<p> Although most of our internal systems use static NAT, my wife's
|
||||
<p> Although most of our internal systems use one-to-one NAT, my
|
||||
wife's
|
||||
system (192.168.1.4) uses IP Masquerading (actually SNAT) as does my
|
||||
personal system (192.168.1.3), our laptop (192.168.3.8) and
|
||||
visitors with laptops.<br>
|
||||
@ -244,7 +237,7 @@ file.<br>
|
||||
</div>
|
||||
<pre style="margin-left: 40px;">#!/bin/sh<br><br>case $1 in<br> eth1)<br> ip route add 206.124.146.177 dev eth1<br> ;;<br>esac<br></pre>
|
||||
<pre style="margin-left: 40px;"><span style="font-family: sans-serif;"></span></pre>
|
||||
<p><font size="2">Last updated 10/03/2003 - <a href="support.htm">Tom
|
||||
<p><font size="2">Last updated 11/13/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
|
@ -7,18 +7,9 @@
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
<h1 style="text-align: center;">ICMP Echo-request (Ping)<br>
|
||||
</h1>
|
||||
Shorewall 'Ping' management has evolved over time with the latest
|
||||
change coming in Shorewall version 1.4.0. To find out which version of
|
||||
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
|
||||
|
@ -1,201 +1,147 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Port Information</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Ports required for Various
|
||||
Services/Applications</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Ports Required for Various
|
||||
Services/Applications<br>
|
||||
</h1>
|
||||
<p>In addition to those applications described in <a
|
||||
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
|
||||
are some other services/applications that you may need to configure
|
||||
your firewall to accommodate.</p>
|
||||
|
||||
href="Documentation.htm">the /etc/shorewall/rules documentation</a>,
|
||||
here are some other services/applications that you may need to
|
||||
configure
|
||||
your firewall to accommodate.</p>
|
||||
<p>NTP (Network Time Protocol)</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>UDP Port 123</p>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<p>rdate</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>TCP Port 37</p>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<p>UseNet (NNTP)</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>TCP Port 119</p>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<p>DNS</p>
|
||||
|
||||
<blockquote>
|
||||
<p>UDP Port 53. If you are configuring a DNS client, you will probably
|
||||
want to open TCP Port 53 as well.<br>
|
||||
If you are configuring a server, only open TCP Port 53 if
|
||||
you will return long replies to queries or if you need to enable ZONE
|
||||
transfers. In the latter case, be sure that your server is properly
|
||||
<blockquote>
|
||||
<p>UDP Port 53. If you are configuring a DNS client, you will
|
||||
probably
|
||||
want to open TCP Port 53 as well.<br>
|
||||
If you are configuring a server, only open TCP Port 53 if
|
||||
you will return long replies to queries or if you need to enable ZONE
|
||||
transfers. In the latter case, be sure that your server is
|
||||
properly
|
||||
configured.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>ICQ </p>
|
||||
|
||||
<blockquote>
|
||||
<p>UDP Port 4000. You will also need to open a range of TCP ports which
|
||||
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<p>ICQ </p>
|
||||
<blockquote>
|
||||
<p>UDP Port 4000. You will also need to open a range of TCP ports
|
||||
which you can specify to your ICQ client. By default, clients use
|
||||
4000-4100.</p>
|
||||
</blockquote>
|
||||
<p>PPTP</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
|
||||
href="PPTP.htm">Lots more information here</a>).</p>
|
||||
</blockquote>
|
||||
|
||||
href="PPTP.htm">Lots more information here</a>).</p>
|
||||
</blockquote>
|
||||
<p>IPSEC</p>
|
||||
|
||||
<blockquote>
|
||||
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
|
||||
500. These should be opened in both directions (Lots more information
|
||||
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP
|
||||
Port 500. These should be opened in both directions (Lots more
|
||||
information <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
|
||||
</blockquote>
|
||||
<p>SMTP (Email)</p>
|
||||
|
||||
<blockquote>
|
||||
<p> TCP Port 25.</p>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p> TCP Port 25.</p>
|
||||
</blockquote>
|
||||
<p>RealPlayer<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>UDP Port 6790 inbound<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p>POP3</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 110 (Secure = TCP Port 995)<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p>IMAP<br>
|
||||
</p>
|
||||
|
||||
<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
|
||||
</blockquote>
|
||||
|
||||
<p>TELNET</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 23.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>SSH</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 22.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Auth (identd)</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 113</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Web Access</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Ports 80 and 443.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>FTP<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP port 21 plus <a href="FTP.html">look here for much more information</a>.<br>
|
||||
</blockquote>
|
||||
<p>POP3</p>
|
||||
<blockquote>
|
||||
<p>TCP Port 110 (Secure = TCP Port 995)<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p>IMAP<br>
|
||||
</p>
|
||||
<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
|
||||
</blockquote>
|
||||
<p>TELNET</p>
|
||||
<blockquote>
|
||||
<p>TCP Port 23.</p>
|
||||
</blockquote>
|
||||
<p>SSH</p>
|
||||
<blockquote>
|
||||
<p>TCP Port 22.</p>
|
||||
</blockquote>
|
||||
<p>Auth (identd)</p>
|
||||
<blockquote>
|
||||
<p>TCP Port 113</p>
|
||||
</blockquote>
|
||||
<p>Web Access</p>
|
||||
<blockquote>
|
||||
<p>TCP Ports 80 and 443.</p>
|
||||
</blockquote>
|
||||
<p>FTP<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>TCP port 21 plus <a href="FTP.html">look here for much more
|
||||
information</a>.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>TCP Ports 137, 139 and 445.<br>
|
||||
UDP Ports 137-139.<br>
|
||||
<br>
|
||||
Also, <a href="samba.htm">see this page</a>.</p>
|
||||
</blockquote>
|
||||
|
||||
UDP Ports 137-139.<br>
|
||||
<br>
|
||||
Also, <a href="samba.htm">see this page</a>.</p>
|
||||
</blockquote>
|
||||
<p>Traceroute</p>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<p>UDP ports 33434 through 33434+<i><max number of hops></i>-1<br>
|
||||
ICMP type 8 ('ping')<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
ICMP type 8 ('ping')<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<p>NFS<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p>I personally use the following rules for opening access from zone z1
|
||||
to a server with IP address a.b.c.d in zone z2:<br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>I personally use the following rules for opening access from zone
|
||||
z1 to a server with IP address a.b.c.d in zone z2:<br>
|
||||
</p>
|
||||
<pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d tcp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p>Note that my rules only cover NFS using UDP (the normal case). There
|
||||
is lots of additional information at <a
|
||||
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<p>Note that my rules only cover NFS using UDP (the normal case).
|
||||
There is lots of additional information at <a
|
||||
href="http://nfs.sourceforge.net/nfs-howto/security.html">
|
||||
http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
|
||||
</blockquote>
|
||||
<p>VNC<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>TCP port 5900 + <display number></p>
|
||||
</blockquote>
|
||||
|
||||
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
|
||||
file? </p>
|
||||
|
||||
<p>Still looking? Try <a
|
||||
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
|
||||
|
||||
</blockquote>
|
||||
<p>Didn't find what you are looking for -- have you looked in your own
|
||||
/etc/services file? </p>
|
||||
<p>Still looking? Try <a
|
||||
href="http://www.networkice.com/advice/Exploits/Ports">
|
||||
http://www.networkice.com/advice/Exploits/Ports</a></p>
|
||||
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> ©
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> ©
|
||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,153 +1,134 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Quotes from Shorewall Users</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Quotes from Shorewall Users<br>
|
||||
</h1>
|
||||
<ul>
|
||||
<li><font size="3">"I have fought with IPtables for untold hours. First
|
||||
I tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
|
||||
which also worked for 80%. Then I set out to write my own IPtables parser
|
||||
in shell and awk, which was a lot of fun but never got me past the "hey, cool"
|
||||
stage. Then I discovered Shorewall. After about an hour, everything just
|
||||
<li><font size="3">"I have fought with IPtables for untold hours.
|
||||
First
|
||||
I tried the SuSE firewall, which worked for 80% of what I needed. Then
|
||||
gShield, which also worked for 80%. Then I set out to write my own
|
||||
IPtables parser in shell and awk, which was a lot of fun but never got
|
||||
me past the "hey, cool"
|
||||
stage. Then I discovered Shorewall. After about an hour, everything
|
||||
just
|
||||
worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>"The configuration is intuitive and flexible, and much easier than
|
||||
any of the other iptables-based firewall programs out there. After sifting
|
||||
through many other scripts, it is obvious that yours is the most well thought-out
|
||||
and complete one available." -- BC, USA<br>
|
||||
<li>"The configuration is intuitive and flexible, and much easier
|
||||
than
|
||||
any of the other iptables-based firewall programs out there. After
|
||||
sifting
|
||||
through many other scripts, it is obvious that yours is the most well
|
||||
thought-out and complete one available." -- BC, USA<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>"I just installed Shorewall after weeks of messing with ipchains/iptables
|
||||
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
|
||||
<li>"I just installed Shorewall after weeks of messing with
|
||||
ipchains/iptables and I had it up and running in under 20 minutes!" --
|
||||
JL, Ohio<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>"My case was almost like [the one above]. Well. instead of 'weeks'
|
||||
it was 'months' for me, and I think I needed two minutes more:<br>
|
||||
<li>"My case was almost like [the one above]. Well. instead of
|
||||
'weeks'
|
||||
it was 'months' for me, and I think I needed two minutes more:<br>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
<ul>
|
||||
<li>One to see that I had no Internet access from the firewall itself.</li>
|
||||
<li>One to see that I had no Internet access from the firewall
|
||||
itself.</li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>Other to see that this was the default configuration, and it was
|
||||
enough to uncomment a line in /etc/shorewall/policy.<br>
|
||||
</li>
|
||||
<li>Other to see that this was the default configuration, and it
|
||||
was enough to uncomment a line in /etc/shorewall/policy.<br>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
</ul>
|
||||
<ul>
|
||||
<li> Minutes instead of months! Congratulations and thanks for such
|
||||
a simple and well documented thing for something as huge as iptables." --
|
||||
JV, Spain. </li>
|
||||
<li> Minutes instead of months! Congratulations and thanks for such
|
||||
a simple and well documented thing for something as huge as iptables."
|
||||
--
|
||||
JV, Spain. </li>
|
||||
</ul>
|
||||
<ul>
|
||||
<li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
|
||||
without any problems. Your documentation is great and I really appreciate
|
||||
your network configuration info. That really helped me out alot. THANKS!!!"
|
||||
-- MM. </li>
|
||||
<li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
|
||||
without any problems. Your documentation is great and I really
|
||||
appreciate
|
||||
your network configuration info. That really helped me out alot.
|
||||
THANKS!!!" -- MM. </li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>"[Shorewall is a] great, great project. I've used/tested may
|
||||
firewall scripts but this one is till now the best." -- B.R, Netherlands
|
||||
</li>
|
||||
<li>"[Shorewall is a] great, great project. I've used/tested may
|
||||
firewall scripts but this one is till now the best." -- B.R,
|
||||
Netherlands </li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>"Never in my +12 year career as a sys admin have I witnessed
|
||||
someone so relentless in developing a secure, state of the art, safe and
|
||||
useful product as the Shorewall firewall package for no cost or obligation
|
||||
involved." -- Mario Kerecki, Toronto </li>
|
||||
<li>"Never in my +12 year career as a sys admin have I witnessed
|
||||
someone so relentless in developing a secure, state of the art, safe
|
||||
and useful product as the Shorewall firewall package for no cost or
|
||||
obligation involved." -- Mario Kerecki, Toronto </li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>"one time more to report, that your great shorewall in the latest
|
||||
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
|
||||
have 7 machines up and running with shorewall on several versions
|
||||
- starting with 1.2.2 up to the new 1.2.9 and I never have encountered
|
||||
<li>"one time more to report, that your great shorewall in the latest
|
||||
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
|
||||
have 7 machines up and running with shorewall on several versions
|
||||
- starting with 1.2.2 up to the new 1.2.9 and I never have encountered
|
||||
any problems!" -- SM, Germany</li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>"You have the best support of any other package I've ever used."
|
||||
-- SE, US </li>
|
||||
<li>"You have the best support of any other package I've ever used."
|
||||
-- SE, US </li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>"Because our company has information which has been classified by the
|
||||
national government as secret, our security doesn't stop by putting a fence
|
||||
around our company. Information security is a hot issue. We also make use
|
||||
of checkpoint firewalls, but not all of the internet servers are guarded
|
||||
by checkpoint, some of them are running....Shorewall." -- Name withheld
|
||||
by request, Europe</li>
|
||||
<li>"Because our company has information which has been classified by
|
||||
the national government as secret, our security doesn't stop by putting
|
||||
a fence around our company. Information security is a hot issue. We
|
||||
also make use of checkpoint firewalls, but not all of the internet
|
||||
servers are guarded by checkpoint, some of them are
|
||||
running....Shorewall." -- Name withheld by request, Europe</li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>"thanx for all your efforts you put into shorewall - this product stands
|
||||
out against a lot of commercial stuff i´ve been working with in terms of
|
||||
flexibillity, quality & support" -- RM, Austria</li>
|
||||
<li>"thanx for all your efforts you put into shorewall - this product
|
||||
stands out against a lot of commercial stuff i´ve been working with in
|
||||
terms of flexibillity, quality & support" -- RM, Austria</li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>"I have never seen such a complete firewall package that is so easy
|
||||
to configure. I searched the Debian package system for firewall scripts
|
||||
and Shorewall won hands down." -- RG, Toronto</li>
|
||||
<li>"I have never seen such a complete firewall package that is so
|
||||
easy
|
||||
to configure. I searched the Debian package system for firewall scripts
|
||||
and Shorewall won hands down." -- RG, Toronto</li>
|
||||
</ul>
|
||||
|
||||
<p></p>
|
||||
<ul>
|
||||
<li>"My respects... I've just found and installed Shorewall 1.3.3-1 and
|
||||
it is a wonderful piece of software. I've just sent out an email to about
|
||||
30 people recommending it. :-)<br>
|
||||
<li>"My respects... I've just found and installed Shorewall 1.3.3-1
|
||||
and
|
||||
it is a wonderful piece of software. I've just sent out an email to
|
||||
about 30 people recommending it. :-)<br>
|
||||
<br>
|
||||
While I had previously taken the time (maybe 40 hours) to really understand
|
||||
ipchains, then spent at least an hour per server customizing and carefully
|
||||
scrutinizing firewall rules, I've got shorewall running on my home firewall,
|
||||
with rulesets and policies that I know make sense, in under 20 minutes."
|
||||
-- RP, Guatamala<br>
|
||||
While I had previously taken the time (maybe 40 hours) to really
|
||||
understand ipchains, then spent at least an hour per server customizing
|
||||
and carefully scrutinizing firewall rules, I've got shorewall running
|
||||
on my home firewall, with rulesets and policies that I know make sense,
|
||||
in under 20 minutes." -- RP, Guatamala<br>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003
|
||||
- <a href="support.htm">Tom Eastep</a> </font>
|
||||
</p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
|
||||
7/1/2003 - <a href="support.htm">Tom Eastep</a> </font> </p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -9,17 +9,8 @@
|
||||
<title>Samba</title>
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Samba</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Samba/SMB<br>
|
||||
</h1>
|
||||
<p>If you wish to run Samba on your firewall and access shares between
|
||||
the firewall and local hosts, you need the following rules:</p>
|
||||
<h4>/etc/shorewall/rules:</h4>
|
||||
@ -95,7 +86,98 @@ DEST</b></td>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
|
||||
<p>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</p>
|
||||
<h4>/etc/shorewall/rules:</h4>
|
||||
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>Z1<br>
|
||||
</td>
|
||||
<td>Z2<br>
|
||||
</td>
|
||||
<td>udp</td>
|
||||
<td>137:139</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>Z1<br>
|
||||
</td>
|
||||
<td>Z2<br>
|
||||
</td>
|
||||
<td>tcp</td>
|
||||
<td>137,139,445</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>Z1<br>
|
||||
</td>
|
||||
<td>Z2<br>
|
||||
</td>
|
||||
<td>udp</td>
|
||||
<td>1024:</td>
|
||||
<td>137</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>Z2<br>
|
||||
</td>
|
||||
<td>Z1<br>
|
||||
</td>
|
||||
<td>udp</td>
|
||||
<td>137:139</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>Z2<br>
|
||||
</td>
|
||||
<td>Z1<br>
|
||||
</td>
|
||||
<td>tcp</td>
|
||||
<td>137,139,445</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>Z2<br>
|
||||
</td>
|
||||
<td>Z1<br>
|
||||
</td>
|
||||
<td>udp</td>
|
||||
<td>1024:</td>
|
||||
<td>137</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
<br>
|
||||
To make network browsing ("Network Neighborhood") work properly between
|
||||
Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I
|
||||
run Samba on my firewall to handle browsing between two zones connected
|
||||
to my firewall. Details are <a href="myfiles.htm">here</a>.<br>
|
||||
<p><font size="2">Last modified 10/22/2002 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
|
||||
|
@ -7,30 +7,38 @@
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
<table cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#3366ff">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="33%" height="90" valign="middle" align="center"><a
|
||||
href="http://www.cityofshoreline.com"> </a>
|
||||
<div align="center"> <img src="images/Logo1.png"
|
||||
alt="(Shorewall Logo)" width="430" height="90" align="middle"> </div>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<div align="center">
|
||||
<div align="center"> </div>
|
||||
<center>
|
||||
<div align="center"> </div>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
style="border-collapse: collapse; width: 100%; height: 100%;"
|
||||
id="AutoNumber4">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="90%">
|
||||
<h2>Introduction<br>
|
||||
<h2>Site Problem</h2>
|
||||
The server that normally hosts www.shorewall.net and ftp.shorewall.net
|
||||
is currently down. Until it is back up, a small server with very
|
||||
limited bandwidth is being used temporarly. You will likely experience
|
||||
better response time from the <a
|
||||
href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
|
||||
or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>.
|
||||
Sorry for the inconvenience.<br>
|
||||
<br>
|
||||
<h2>Introduction to Shorewall<br>
|
||||
</h2>
|
||||
<h3>This is the Shorewall 1.4 Web Site</h3>
|
||||
The information on this site applies only to 1.4.x releases of
|
||||
Shorewall. For older versions:<br>
|
||||
<ul>
|
||||
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
|
||||
target="_top">here.</a></li>
|
||||
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
|
||||
target="_top">here</a>.</li>
|
||||
</ul>
|
||||
<h3>Glossary<br>
|
||||
</h3>
|
||||
<ul>
|
||||
<li><a href="http://www.netfilter.org">Netfilter</a> - the
|
||||
packet filter facility built into the 2.4 and later Linux kernels.</li>
|
||||
@ -40,12 +48,12 @@ and control that facility. Netfilter can be used in ipchains
|
||||
compatibility mode.<br>
|
||||
</li>
|
||||
<li>iptables - the utility program used to configure and
|
||||
control
|
||||
Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in
|
||||
ipchains compatibility mode).<br>
|
||||
</li>
|
||||
control Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in ipchains
|
||||
compatibility mode).</li>
|
||||
</ul>
|
||||
<h3>What is Shorewall?<br>
|
||||
</h3>
|
||||
The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
high-level tool for configuring Netfilter. You describe your
|
||||
firewall/gateway requirements using entries in a set of configuration
|
||||
@ -57,367 +65,237 @@ system. Shorewall does not use Netfilter's ipchains compatibility mode
|
||||
and can thus take advantage of Netfilter's connection state tracking
|
||||
capabilities.<br>
|
||||
<br>
|
||||
Shorewall is <span style="text-decoration: underline;">not</span> a
|
||||
daemon. Once Shorewall has configured Netfilter, it's job is complete
|
||||
although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall
|
||||
program can be used at any time to monitor the Netfilter firewall</a>.<br>
|
||||
<h3>Getting Started with Shorewall</h3>
|
||||
New to Shorewall? Start by selecting the <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||
closely match your environment and follow the step by step instructions.<br>
|
||||
<h3>Looking for Information?</h3>
|
||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||
Index</a> is a good place to start as is the Quick Search in the frame
|
||||
above.
|
||||
<h3>License<br>
|
||||
</h3>
|
||||
This program is free software; you can redistribute it and/or modify it
|
||||
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
|
||||
2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
2 of the GNU General Public License</a> as published by the Free
|
||||
Software Foundation.<br>
|
||||
<p> This program is distributed in the hope that it will be
|
||||
useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
General Public License for more details.<br>
|
||||
General
|
||||
Public License for more details.<br>
|
||||
<br>
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
|
||||
Eastep</a></p>
|
||||
<h2>This is the Shorewall 1.4 Web Site</h2>
|
||||
The information on this site applies only to 1.4.x releases of
|
||||
Shorewall. For older versions:<br>
|
||||
<ul>
|
||||
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
|
||||
target="_top">here.</a></li>
|
||||
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
|
||||
target="_top">here</a>.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h2>Getting Started with Shorewall</h2>
|
||||
New to Shorewall? Start by selecting the <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||
closely match your environment
|
||||
and follow the step by step instructions.<br>
|
||||
<h2>Looking for Information?</h2>
|
||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||
Index</a> is a good place to start as is the Quick Search to your
|
||||
right.
|
||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||
If so, the documentation<b> </b>on
|
||||
this site will not apply directly to your setup. If you want
|
||||
to use the documentation that you find here, you will want to consider
|
||||
uninstalling what you have and installing a setup that matches the
|
||||
documentation on this site. See the <a href="two-interface.htm">Two-interface
|
||||
QuickStart Guide</a> for details.<br>
|
||||
<h2>News</h2>
|
||||
<p><b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""><br>
|
||||
</b></p>
|
||||
<b>Problems Corrected since version 1.4.6 (Those in bold font
|
||||
were corrected since 1.4.7 RC2)</b><br>
|
||||
<ol>
|
||||
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
|
||||
variable was being tested before it was set.</li>
|
||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
||||
the tcrules file. Previously, these addresses resulted in an invalid
|
||||
iptables command.</li>
|
||||
<li>The "shorewall stop" command is now disabled when
|
||||
/etc/shorewall/startup_disabled exists. This prevents people from
|
||||
shooting themselves in the foot prior to having configured Shorewall.</li>
|
||||
<li>A change introduced in version 1.4.6 caused error messages
|
||||
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
|
||||
were being added to a PPP interface; the addresses were successfully
|
||||
added in spite of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages</li>
|
||||
<li>Interface-specific dynamic blacklisting chains are
|
||||
now displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||
(previously named "Dynamic Chain").</li>
|
||||
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
||||
<li>The 'shorewall reject' and
|
||||
'shorewall drop' commands now delete any existing rules for the subject
|
||||
IP address before adding a new DROP or REJECT rule. Previously, there
|
||||
could be many rules for the same IP address in the dynamic chain so
|
||||
that multiple 'allow' commands were required to re-enable traffic
|
||||
to/from the address.</li>
|
||||
<li>When ADD_SNAT_ALIASES=Yes in
|
||||
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
|
||||
a startup error:<br>
|
||||
<br>
|
||||
eth0 eth1
|
||||
206.124.146.20-206.124.146.24<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall previously choked over
|
||||
IPV6 addresses configured on interfaces in contexts where Shorewall
|
||||
needed to detect something about the interface (such as when "detect"
|
||||
appears in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
|
||||
<li>Shorewall will now load
|
||||
module files that are formed from the module name by appending ".o.gz".</li>
|
||||
<li>When Shorewall adds a route to a
|
||||
proxy ARP host and such a route already exists, two routes resulted
|
||||
previously. This has been corrected so that the existing route is
|
||||
replaced if it already exists.</li>
|
||||
<li>The rfc1918 file has been
|
||||
updated to reflect recent allocations.</li>
|
||||
<li>The documentation of the
|
||||
USER SET column in the rules file has been corrected.</li>
|
||||
<li>If there is no policy
|
||||
defined for
|
||||
the zones specified in a rule, the firewall script previously
|
||||
encountered a shell syntax error:<br>
|
||||
|
||||
<br>
|
||||
[: NONE: unexpected operator<br>
|
||||
|
||||
<br>
|
||||
Now, the absence of a policy generates an error message and the
|
||||
firewall is stopped:<br>
|
||||
|
||||
<br>
|
||||
No policy defined from zone
|
||||
<source> to zone <dest><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if neither
|
||||
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
|
||||
would fail to start and would not remove the lock file. Failure to
|
||||
remove the lock file resulted in the following during subsequent
|
||||
attempts to start:<br>
|
||||
|
||||
<br>
|
||||
Loading /usr/share/shorewall/functions...<br>
|
||||
Processing /etc/shorewall/params ...<br>
|
||||
Processing /etc/shorewall/shorewall.conf...<br>
|
||||
Giving up on lock file /var/lib/shorewall/lock<br>
|
||||
Shorewall Not Started<br>
|
||||
<br>
|
||||
Shorewall now reports a fatal error if neither of these two files exist
|
||||
and correctly removes the lock fille.</li>
|
||||
<li>The order of processing
|
||||
the
|
||||
various options has been changed such that blacklist entries now take
|
||||
precedence over the 'dhcp' interface setting.</li>
|
||||
<li>The log message generated
|
||||
from the
|
||||
'logunclean' interface option has been changed to reflect a disposition
|
||||
of LOG rather than DROP.</li>
|
||||
<li><span style="font-weight: bold;">When a user name and/or a
|
||||
group
|
||||
name was specified in the USER SET column and the destination zone was
|
||||
qualified with a IP address, the user and/or group name was not being
|
||||
used to qualify the rule.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
ACCEPT fw net:192.0.2.12 tcp 23 - - - vladimir:<br>
|
||||
<br>
|
||||
</span></li>
|
||||
<li><span style="font-weight: bold;">The /etc/shorewall/masq
|
||||
file has had the spurious "/" character at the front removed.</span></li>
|
||||
</ol>
|
||||
<b>Migration Issues:</b><br>
|
||||
<ol>
|
||||
<li>Shorewall IP Traffic Accounting has changed since snapshot
|
||||
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
|
||||
details.</li>
|
||||
<li>The Uset Set capability introduced in SnapShot 20030821 has
|
||||
changed -- see the <a href="UserSets.html">User Set page</a> for
|
||||
details.</li>
|
||||
<li>The per-interface Dynamic Blacklisting facility introduced
|
||||
in the first post-1.4.6 Snapshot has been removed. The facility had too
|
||||
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<b>New Features:</b><br>
|
||||
<ol>
|
||||
<li>Thanks to Steve Herber, the 'help' command can now give
|
||||
command-specific help (e.g., shorewall help <command>).</li>
|
||||
<li>A new option "ADMINISABSENTMINDED" has been added to
|
||||
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
||||
for existing users which causes Shorewall's 'stopped' state to
|
||||
continue as it has been; namely, in the stopped state only traffic
|
||||
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
|
||||
<br>
|
||||
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
||||
addition to traffic to/from the hosts listed in
|
||||
/etc/shorewall/routestopped, Shorewall will allow:<br>
|
||||
<br>
|
||||
a) All traffic originating from the firewall itself; and<br>
|
||||
b) All traffic that is part of or related to an
|
||||
already-existing connection.<br>
|
||||
<br>
|
||||
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
||||
entered through an ssh session will not kill the session.<br>
|
||||
<br>
|
||||
Note though that even with ADMINISABSENTMINDED=Yes, it is still
|
||||
possible for people to shoot themselves in the foot.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
/etc/shorewall/nat:<br>
|
||||
<br>
|
||||
206.124.146.178
|
||||
eth0:0 192.168.1.5 <br>
|
||||
<br>
|
||||
/etc/shorewall/rules:<br>
|
||||
<br>
|
||||
ACCEPT net
|
||||
loc:192.168.1.5 tcp 22<br>
|
||||
ACCEPT loc
|
||||
fw tcp 22<br>
|
||||
<br>
|
||||
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
||||
connection with local system 192.168.1.5. I then create a second SSH
|
||||
connection
|
||||
from that computer to the firewall and confidently type "shorewall
|
||||
stop".
|
||||
As part of its stop processing, Shorewall removes eth0:0 which kills my
|
||||
SSH
|
||||
connection to 192.168.1.5!!!</li>
|
||||
<li>Given the wide range of VPN software, I can never hope to
|
||||
add specific support for all of it. I have therefore decided to add
|
||||
"generic" tunnel support.<br>
|
||||
<br>
|
||||
Generic tunnels work pretty much like any of the other tunnel types.
|
||||
You usually add a zone to represent the systems at the other end of the
|
||||
tunnel and you add the appropriate rules/policies to<br>
|
||||
implement your security policy regarding traffic to/from those systems.<br>
|
||||
<br>
|
||||
In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
|
||||
<br>
|
||||
generic:<protocol>[:<port>] <zone> <ip
|
||||
address> <gateway zones><br>
|
||||
<br>
|
||||
where:<br>
|
||||
<br>
|
||||
<protocol> is the protocol
|
||||
used by the tunnel<br>
|
||||
<port> if the protocol
|
||||
is 'udp' or 'tcp' then this is the destination port number used by the
|
||||
tunnel.<br>
|
||||
<zone> is the zone of
|
||||
the remote tunnel gateway<br>
|
||||
<ip address> is the IP
|
||||
address of the remote tunnel gateway.<br>
|
||||
<gateway zone>
|
||||
Optional. A comma-separated list of zone names. If specified, the
|
||||
remote gateway is to be considered part of these zones.</li>
|
||||
<li>An 'arp_filter' option has been added to the
|
||||
/etc/shorewall/interfaces file. This option causes
|
||||
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
||||
result that this interface will only answer ARP 'who-has' requests from
|
||||
hosts that are routed out through that interface. Setting this option
|
||||
facilitates testing of your firewall where multiple firewall interfaces
|
||||
are connected to the same HUB/Switch (all interfaces connected to the
|
||||
single HUB/Switch should have this option specified). Note that using
|
||||
such a configuration in a production environment is strongly
|
||||
recommended against.</li>
|
||||
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
||||
comma-separated list of addresses and/or address ranges. Netfilter will
|
||||
use all listed addresses/ranges in round-robin fashion. \</li>
|
||||
<li>An /etc/shorewall/accounting file has been added to allow
|
||||
for traffic accounting. See the <a href="Accounting.html">accounting
|
||||
documentation</a> for a description of this facility.</li>
|
||||
<li>Bridge interfaces (br[0-9]) may now be used in
|
||||
/etc/shorewall/maclist.</li>
|
||||
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
|
||||
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
|
||||
rules, rate limiting occurs in the nat table DNAT rule; the
|
||||
corresponding ACCEPT rule in the filter table is not rate limited. If
|
||||
you want to limit the filter table rule, you will need o create two
|
||||
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
|
||||
separately.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Warning: </span>When rate
|
||||
limiting is specified on a rule with "all" in the SOURCE or DEST
|
||||
fields, the limit will apply to each pair of zones individually rather
|
||||
than as a single limit for all pairs of covered by the rule.<br>
|
||||
<br>
|
||||
To specify a rate limit, <br>
|
||||
<br>
|
||||
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
||||
<br>
|
||||
<
|
||||
<rate>/<interval>[:<burst>] ><br>
|
||||
<br>
|
||||
|
||||
where<br>
|
||||
<br>
|
||||
<rate> is the sustained rate per
|
||||
<interval><br>
|
||||
<interval> is "sec" or "min"<br>
|
||||
<burst> is the largest burst
|
||||
accepted within an <interval>. If not given, the default of 5 is
|
||||
assumed.<br>
|
||||
<br>
|
||||
There may be no white space between the ACTION and "<" nor there may
|
||||
be any white space within the burst specification. If you want to
|
||||
specify logging of a rate-limited rule, the ":" and log level comes
|
||||
after the ">" (e.g., ACCEPT<2/sec:4>:info ).<br>
|
||||
<br>
|
||||
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
|
||||
file. You may specify the rate limit there in the format:<br>
|
||||
<br>
|
||||
|
||||
<rate>/<interval>[:<burst>]<br>
|
||||
<br>
|
||||
Let's take an example:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT<2/sec:4>
|
||||
net dmz
|
||||
tcp 80<br>
|
||||
<br>
|
||||
The first time this rule is reached, the packet will be accepted; in
|
||||
fact, since the burst is 4, the first four packets will be accepted.
|
||||
After this, it will be 500ms (1 second divided by the rate<br>
|
||||
of 2) before a packet will be accepted from this rule, regardless of
|
||||
how many packets reach it. Also, every 500ms which passes without
|
||||
matching a packet, one of the bursts will be regained; if no packets
|
||||
hit the rule for 2 second, the burst will be fully recharged; back
|
||||
where we started.<br>
|
||||
</li>
|
||||
<li>Multiple chains may now be displayed in one "shorewall
|
||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
<li>Output rules (those with $FW as the SOURCE) may now be
|
||||
limited to a set of local users and/or groups. See <a
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a>
|
||||
for details.<br>
|
||||
<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>8/27/2003 - Shorewall Mirror in Australia </b></p>
|
||||
<p>Thanks to Dave Kempe and Solutions First (<a
|
||||
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
|
||||
there is now a Shorewall Mirror in Australia:</p>
|
||||
<p style="margin-left: 40px;"><a
|
||||
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><font
|
||||
size="3"><br>
|
||||
<a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font><br>
|
||||
Eastep</a><br>
|
||||
</p>
|
||||
<p><b>8/26/2003 - French Version of the Shorewall Setup
|
||||
Guide </b></p>
|
||||
Thanks to Fabien <font size="3">Demassieux, there is now a <a
|
||||
href="shorewall_setup_guide_fr.htm">French translation of the
|
||||
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!<br>
|
||||
</font>
|
||||
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <br>
|
||||
</b></p>
|
||||
<b>Problems Corrected since version 1.4.6:</b><br>
|
||||
<ol>
|
||||
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
|
||||
then Shorewall would fail to start with the error "ERROR: Traffic
|
||||
Control requires Mangle"; that problem has been corrected.</li>
|
||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
||||
the
|
||||
tcrules file. Previously, these addresses resulted in an invalid
|
||||
iptables
|
||||
command.</li>
|
||||
<li>The "shorewall stop" command is now disabled when
|
||||
/etc/shorewall/startup_disabled
|
||||
exists. This prevents people from shooting themselves in the foot prior
|
||||
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
|
||||
If so, the documentation<b> </b>on this site will not apply directly
|
||||
to
|
||||
having configured Shorewall.</li>
|
||||
<li>A change introduced in version 1.4.6 caused error messages
|
||||
during
|
||||
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
||||
being
|
||||
added to a PPP interface; the addresses were successfully added in
|
||||
spite
|
||||
of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages.<br>
|
||||
your setup. If you want to use the documentation that you find here,
|
||||
you will want to consider uninstalling what you have and installing a
|
||||
setup that matches the documentation on this site. See the <a
|
||||
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
||||
details.<br>
|
||||
<h2>News</h2>
|
||||
<p><b>11/07/2003 - Shorewall 1.4.8</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""></b><b><br>
|
||||
<br>
|
||||
</b>Problems Corrected since version 1.4.7:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that
|
||||
occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||
to use the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued,
|
||||
Shorewall was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||
been corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||
optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||
or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
||||
<li>An incorrect comment concerning Debian's use of the
|
||||
SUBSYSLOCK option has been removed from shorewall.conf.</li>
|
||||
<li>Previously, neither the 'routefilter' interface option nor
|
||||
the
|
||||
ROUTE_FILTER parameter were working properly. This has been corrected
|
||||
(thanks to Eric Bowles for his analysis and patch). The definition of
|
||||
the ROUTE_FILTER option has changed however. Previously,
|
||||
ROUTE_FILTER=Yes was documented as enabling route filtering on all
|
||||
interfaces (which didn't work). Beginning with this release, setting
|
||||
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
|
||||
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
|
||||
coexist with the use of the 'routefilter' option in the interfaces file.</li>
|
||||
<li>If MAC verification was enabled on an interface with a /32
|
||||
address and
|
||||
a broadcast address then an error would occur during startup.</li>
|
||||
<li>he NONE policy's intended use is to suppress the generating
|
||||
of
|
||||
rules that can't possibly be traversed. This means that a policy of
|
||||
NONE is inappropriate where the source or destination zone is $FW or
|
||||
"all". Shorewall now generates an error message if such a policy is
|
||||
given in /etc/shorewall/policy. Previously such a policy caused
|
||||
"shorewall start" to fail.</li>
|
||||
<li>The 'routeback' option was broken for wildcard interfaces
|
||||
(e.g.,
|
||||
"tun+"). This has been corrected so that 'routeback' now works as
|
||||
expected in this case.<br>
|
||||
</li>
|
||||
</ol>
|
||||
Migration Issues:<br>
|
||||
<ol>
|
||||
<li>The definition of the ROUTE_FILTER option in shorewall.conf
|
||||
has changed as described in item 8) above.<br>
|
||||
</li>
|
||||
</ol>
|
||||
New Features:<br>
|
||||
<ol>
|
||||
<li>A new QUEUE action has been introduced for rules. QUEUE
|
||||
allows
|
||||
you to pass connection requests to a user-space filter such as ftwall
|
||||
(http://p2pwall.sourceforge.net). The ftwall program
|
||||
allows for effective filtering of p2p applications such as Kazaa. For
|
||||
example, to use ftwall to filter P2P clients in the 'loc' zone, you
|
||||
would add the following rules:<br>
|
||||
<br>
|
||||
QUEUE loc
|
||||
net tcp<br>
|
||||
QUEUE loc
|
||||
net udp<br>
|
||||
QUEUE loc
|
||||
fw udp<br>
|
||||
<br>
|
||||
You would normally want to place those three rules BEFORE any ACCEPT
|
||||
rules for loc->net udp or tcp.<br>
|
||||
<br>
|
||||
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
||||
Shorewall will only pass connection requests (SYN packets) to user
|
||||
space. This is for compatibility with ftwall.</li>
|
||||
<li>A BLACKLISTNEWNONLY option has been added to
|
||||
shorewall.conf. When this option is set to "Yes", the blacklists
|
||||
(dynamic and static) are only consulted for new connection requests.
|
||||
When set to "No" (the default if the variable is not set), the
|
||||
blacklists are consulted on every packet.<br>
|
||||
<br>
|
||||
Setting this option to "No" allows blacklisting to stop existing
|
||||
connections from a newly blacklisted host but is more expensive in
|
||||
terms of packet processing time. This is especially true if the
|
||||
blacklists contain a large number of entries.</li>
|
||||
<li>Chain names used in the /etc/shorewall/accounting file may
|
||||
now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
|
||||
</ol>
|
||||
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
|
||||
bag awards </b><b><img
|
||||
style="border: 0px solid ; width: 50px; height: 80px;"
|
||||
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
|
||||
1.4.7c released.</b> </p>
|
||||
<ol>
|
||||
<li>The saga with "<zone>_frwd" chains continues. The
|
||||
1.4.7c
|
||||
script produces a ruleset that should work for everyone even if it is
|
||||
not
|
||||
quite optimal. My apologies for this ongoing mess.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
|
||||
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>The fix for problem 5 in 1.4.7a was wrong with the result
|
||||
that
|
||||
"<zone>_frwd" chains might contain too few rules. That wrong code
|
||||
is corrected in this release.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
|
||||
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that
|
||||
occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||
to use the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued,
|
||||
Shorewall was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through
|
||||
interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||
been corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||
optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||
or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<ol>
|
||||
</ol>
|
||||
<p><b></b></p>
|
||||
<ol>
|
||||
@ -432,56 +310,33 @@ You can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo">
|
||||
http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
<b>Congratulations to Jacques
|
||||
and Eric on the recent release of Bering 1.2!!! </b><br>
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
</td>
|
||||
<td width="88" bgcolor="#3366ff" valign="top" align="center">
|
||||
<form method="post"
|
||||
action="http://lists.shorewall.net/cgi-bin/htsearch"> <strong><br>
|
||||
<font color="#ffffff"><b>Note: </b></font></strong><font
|
||||
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
|
||||
<strong></strong>
|
||||
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
|
||||
<font face="Arial" size="-1"> <input type="text" name="words"
|
||||
size="15"></font><font size="-1"> </font> <font face="Arial"
|
||||
size="-1"> <input type="hidden" name="format" value="long"> <input
|
||||
type="hidden" name="method" value="and"> <input type="hidden"
|
||||
name="config" value="htdig"> <input type="submit" value="Search"></font>
|
||||
</p>
|
||||
<font face="Arial"> <input type="hidden" name="exclude"
|
||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||
<p><font color="#ffffff"><b><a
|
||||
href="http://lists.shorewall.net/htdig/search.html"><font
|
||||
color="#ffffff">Extended Search</font></a></b></font></p>
|
||||
<b>Congratulations to Jacques and Eric on the recent release of
|
||||
Bering 1.2!!! <br>
|
||||
<br>
|
||||
</b>
|
||||
<div style="text-align: center;">
|
||||
<div style="text-align: center;"><a
|
||||
href="http://www.shorewall.net" target="_top"><img
|
||||
src="images/ProtectedBy.png" title="" alt="(Protected by Shorewall)"
|
||||
style="border: 0px solid ; width: 216px; height: 45px;"></a></div>
|
||||
</div>
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
<p style="text-align: left;"><a href="http://www.starlight.org"> <img
|
||||
style="border: 4px solid ; width: 57px; height: 100px;"
|
||||
src="images/newlog.gif" align="left" hspace="10" alt="(Starlight Logo)"
|
||||
title=""></a><br>
|
||||
<big>Shorewall is free but if you try it and find it useful,
|
||||
please consider making a donation to <a href="http://www.starlight.org">Starlight
|
||||
Children's Foundation</a>. Thanks!</big><br>
|
||||
<a href="http://www.starlight.org"> </a></p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</center>
|
||||
</div>
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#3366ff">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" style="margin-top: 1px;" valign="middle">
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10" alt="(Starlight Logo)"> </a></p>
|
||||
<p align="center"><font size="4" color="#ffffff"><br>
|
||||
<font size="+2"> Shorewall is free but if you try it and find it
|
||||
useful, please consider making a donation to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 11/13/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -9,18 +9,10 @@
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p align="center"> <img border="3" src="images/Tom.jpg"
|
||||
<p align="center"> </p>
|
||||
<h1 style="text-align: center;">Tom Eastep<br>
|
||||
</h1>
|
||||
<p align="center"><img border="3" src="images/Tom.jpg"
|
||||
alt="Aging Geek - June 2003" width="320" height="240"> </p>
|
||||
<p align="center">"The Aging Geek" -- June 2003<br>
|
||||
<br>
|
||||
|
@ -1,118 +1,89 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Extension Scripts</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p> Extension scripts are user-provided scripts that are invoked at various
|
||||
points during firewall start, restart, stop and clear. The scripts are
|
||||
placed in /etc/shorewall and are processed using the Bourne shell "source"
|
||||
mechanism.<br>
|
||||
</p>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Extension Scripts<br>
|
||||
</h1>
|
||||
<p>Extension scripts are user-provided scripts that are invoked at
|
||||
various points during firewall start, restart, stop and clear. The
|
||||
scripts are placed in /etc/shorewall and are processed using the Bourne
|
||||
shell "source" mechanism.<br>
|
||||
</p>
|
||||
<p><font color="#ff0000"><b>Caution: <br>
|
||||
</b></font></p>
|
||||
|
||||
</b></font></p>
|
||||
<ol>
|
||||
<li><font color="#ff0000"><b>Be sure that you actually need to use an
|
||||
extension script to do what you want. Shorewall has a wide range of features
|
||||
that cover most requirements.</b></font></li>
|
||||
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
|
||||
THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
|
||||
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
|
||||
<li><font color="#ff0000"><b>Be sure that you actually need to use an
|
||||
extension script to do what you want. Shorewall has a wide range of
|
||||
features
|
||||
that cover most requirements.</b></font></li>
|
||||
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND
|
||||
ON THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT
|
||||
BREAK SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT
|
||||
YOU ARE
|
||||
DOING WITH RESPECT TO iptables/Netfilter</b></font></li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p>The following scripts can be supplied:</p>
|
||||
|
||||
<p>The following scripts can be supplied:</p>
|
||||
<ul>
|
||||
<li>init -- invoked early in "shorewall start" and "shorewall
|
||||
restart"</li>
|
||||
<li>start -- invoked after the firewall has been started or restarted.</li>
|
||||
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
|
||||
<li>stopped -- invoked after the firewall has been stopped.</li>
|
||||
<li>clear -- invoked after the firewall has been cleared.</li>
|
||||
<li>refresh -- invoked while the firewall is being refreshed but
|
||||
before the common and/or blacklst chains have been rebuilt.</li>
|
||||
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
|
||||
chain has been created but before any rules have been added to it.</li>
|
||||
|
||||
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
|
||||
<li>start -- invoked after the firewall has been started or restarted.</li>
|
||||
<li>stop -- invoked as a first step when the firewall is being
|
||||
stopped.</li>
|
||||
<li>stopped -- invoked after the firewall has been stopped.</li>
|
||||
<li>clear -- invoked after the firewall has been cleared.</li>
|
||||
<li>refresh -- invoked while the firewall is being refreshed but
|
||||
before the common and/or blacklst chains have been rebuilt.</li>
|
||||
<li>newnotsyn (added in version 1.3.6) -- invoked after the
|
||||
'newnotsyn' chain has been created but before any rules have been added
|
||||
to it.</li>
|
||||
</ul>
|
||||
|
||||
<p><u><b>If your version of Shorewall doesn't have the file that you want
|
||||
to use from the above list, you can simply create the file yourself.</b></u></p>
|
||||
|
||||
<p> You can also supply a script with the same name as any of the filter
|
||||
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
|
||||
file has been processed but before the /etc/shorewall/policy file has
|
||||
been processed.</p>
|
||||
|
||||
<p>The /etc/shorewall/common file receives special treatment. If this file
|
||||
is present, the rules that it defines will totally replace the default
|
||||
rules in the common chain. These default rules are contained in the
|
||||
file /etc/shorewall/common.def which may be used as a starting point
|
||||
for making your own customized file.</p>
|
||||
|
||||
<p> Rather than running iptables directly, you should run it using the
|
||||
function run_iptables. Similarly, rather than running "ip" directly, you
|
||||
should use run_ip. These functions accept the same arguments as the underlying
|
||||
command but cause the firewall to be stopped if an error occurs during
|
||||
<p><u><b>If your version of Shorewall doesn't have the file that you
|
||||
want to use from the above list, you can simply create the file
|
||||
yourself.</b></u></p>
|
||||
<p> You can also supply a script with the same name as any of the
|
||||
filter chains in the firewall and the script will be invoked after the
|
||||
/etc/shorewall/rules file has been processed but before the
|
||||
/etc/shorewall/policy file has been processed.</p>
|
||||
<p>The /etc/shorewall/common file receives special treatment. If this
|
||||
file is present, the rules that it defines will totally replace the
|
||||
default rules in the common chain. These default rules are contained in
|
||||
the file /etc/shorewall/common.def which may be used as a starting
|
||||
point for making your own customized file.</p>
|
||||
<p> Rather than running iptables directly, you should run it using the
|
||||
function run_iptables. Similarly, rather than running "ip" directly,
|
||||
you should use run_ip. These functions accept the same arguments as the
|
||||
underlying command but cause the firewall to be stopped if an error
|
||||
occurs during
|
||||
processing of the command.</p>
|
||||
|
||||
<p> If you decide to create /etc/shorewall/common it is a good idea to
|
||||
use the following technique</p>
|
||||
|
||||
<p> /etc/shorewall/common:</p>
|
||||
|
||||
<blockquote>
|
||||
<p> If you decide to create /etc/shorewall/common it is a good idea to
|
||||
use the following technique</p>
|
||||
<p> /etc/shorewall/common:</p>
|
||||
<blockquote>
|
||||
<pre>. /etc/shorewall/common.def<br><add your rules here></pre>
|
||||
</blockquote>
|
||||
|
||||
<p>If you need to supercede a rule in the released common.def file, you can
|
||||
add the superceding rule before the '.' command. Using this technique allows
|
||||
you to add new rules while still getting the benefit of the latest common.def
|
||||
file.</p>
|
||||
|
||||
<p>Remember that /etc/shorewall/common defines rules that are only applied
|
||||
if the applicable policy is DROP or REJECT. These rules are NOT applied
|
||||
if the policy is ACCEPT or CONTINUE<br>
|
||||
</p>
|
||||
|
||||
</blockquote>
|
||||
<p>If you need to supercede a rule in the released common.def file, you
|
||||
can add the superceding rule before the '.' command. Using this
|
||||
technique allows you to add new rules while still getting the benefit
|
||||
of the latest common.def file.</p>
|
||||
<p>Remember that /etc/shorewall/common defines rules that are only
|
||||
applied if the applicable policy is DROP or REJECT. These rules are NOT
|
||||
applied if the policy is ACCEPT or CONTINUE<br>
|
||||
</p>
|
||||
<p> </p>
|
||||
|
||||
<p align="left"><font size="2">Last updated 6/30/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
|
||||
Thomas M. Eastep</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
|
||||
2003 Thomas M. Eastep</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,119 +1,98 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Features</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall Features<br>
|
||||
</h1>
|
||||
<ul>
|
||||
<li>Uses Netfilter's connection tracking facilities for stateful packet
|
||||
filtering.</li>
|
||||
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
|
||||
|
||||
<li>Uses Netfilter's connection tracking facilities for stateful
|
||||
packet filtering.</li>
|
||||
<li>Can be used in a <b> wide range of router/firewall/gateway
|
||||
applications</b>.
|
||||
<ul>
|
||||
<li>Completely customizable using configuration files.</li>
|
||||
<li>No limit on the number of network interfaces.</li>
|
||||
<li>Allows you to partitions the network into <i><a
|
||||
href="Documentation.htm#Zones">zones</a></i> and gives you complete
|
||||
control over the connections permitted between each pair of zones.</li>
|
||||
<li>Multiple interfaces per zone and multiple zones per interface
|
||||
permitted.</li>
|
||||
<li>Supports nested and overlapping zones.</li>
|
||||
|
||||
<li>Completely customizable using configuration files.</li>
|
||||
<li>No limit on the number of network interfaces.</li>
|
||||
<li>Allows you to partitions the network into <i><a
|
||||
href="Documentation.htm#Zones">zones</a></i> and gives you complete
|
||||
control over the connections permitted between each pair of
|
||||
zones.</li>
|
||||
<li>Multiple interfaces per zone and multiple zones per interface
|
||||
permitted.</li>
|
||||
<li>Supports nested and overlapping zones.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a>
|
||||
to help get your first firewall up and running quickly</li>
|
||||
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
|
||||
(HOWTOs)</a> to help get your first firewall up and running quickly</li>
|
||||
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
|
||||
href="http://www.webmin.com">http://www.webmin.com</a>)<br>
|
||||
</li>
|
||||
<li>Extensive <b> <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">documentation</a>
|
||||
</b> included in the .tgz and .rpm downloads.</li>
|
||||
<li><b>Flexible address management/routing support</b> (and you can
|
||||
use all types in the same firewall):
|
||||
</li>
|
||||
<li>Extensive <b> <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">documentation</a> </b>
|
||||
included in the .tgz and .rpm downloads.</li>
|
||||
<li><b>Flexible address management/routing support</b> (and you can
|
||||
use all types in the same firewall):
|
||||
<ul>
|
||||
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
|
||||
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
|
||||
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
|
||||
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
|
||||
<li>Simple host/subnet Routing</li>
|
||||
|
||||
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
|
||||
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
|
||||
<li><a href="Documentation.htm#NAT">One-to-one NAT</a>.</li>
|
||||
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
|
||||
<li>Simple host/subnet Routing</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
|
||||
individual IP addresses and subnetworks is supported.</li>
|
||||
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
|
||||
|
||||
</li>
|
||||
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
|
||||
individual IP addresses and subnetworks is supported.</li>
|
||||
<li><b><a href="starting_and_stopping_shorewall.htm">Operational
|
||||
support</a></b>:
|
||||
<ul>
|
||||
<li>Commands to start, stop and clear the firewall</li>
|
||||
<li>Supports status monitoring with an audible
|
||||
alarm when an "interesting" packet is detected.</li>
|
||||
<li>Wide variety of informational commands.</li>
|
||||
|
||||
<li>Commands to start, stop and clear the firewall</li>
|
||||
<li>Supports status monitoring with an audible
|
||||
alarm when an "interesting" packet is detected.</li>
|
||||
<li>Wide variety of informational commands.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><b>VPN Support</b>
|
||||
</li>
|
||||
<li><b>VPN Support</b>
|
||||
<ul>
|
||||
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE, IPIP and
|
||||
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE, IPIP
|
||||
and
|
||||
OpenVPN Tunnels</a>.</li>
|
||||
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
|
||||
|
||||
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
|
||||
integration.</li>
|
||||
<li>Wide support for different <b>GNU/Linux Distributions</b>.
|
||||
|
||||
</li>
|
||||
<li>Support for <a href="traffic_shaping.htm"><b>Traffic
|
||||
Control/Shaping</b></a> integration.</li>
|
||||
<li>Wide support for different <b>GNU/Linux Distributions</b>.
|
||||
<ul>
|
||||
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
|
||||
packages available.</li>
|
||||
<li>Includes <a href="Install.htm"><b>automated install, upgrade,
|
||||
fallback and uninstall facilities</b></a> for users who can't use
|
||||
or choose not to use the RPM or Debian packages.</li>
|
||||
<li>Included as a standard part of<b> <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
|
||||
on a floppy, CD or compact flash).</li>
|
||||
|
||||
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
|
||||
href="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian"><b>Debian</b></a>
|
||||
packages available.</li>
|
||||
<li>Includes <a href="Install.htm"><b>automated install,
|
||||
upgrade, fallback and uninstall facilities</b></a> for users
|
||||
who can't use or choose not to use the RPM or Debian packages.</li>
|
||||
<li>Included as a standard part of<b> <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
|
||||
on a floppy, CD or compact flash).</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
|
||||
Address <b>Verification</b><br>
|
||||
</a><br>
|
||||
</li>
|
||||
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
|
||||
Address <b>Verification</b></a></li>
|
||||
<li><a href="Accounting.html">Traffic Accounting<br>
|
||||
</a><br>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font size="2">Last updated 11/13/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,332 +0,0 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Firewall Structure</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Firewall Structure (Under
|
||||
Construction)</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p> Shorewall views the network in which it is running as a set of
|
||||
<i> zones. </i>Shorewall itself defines exactly one zone called "fw" which
|
||||
refers to the firewall system itself . The /etc/shorewall/zones file
|
||||
is used to define additional zones and the example file provided with
|
||||
Shorewall defines the zones:</p>
|
||||
|
||||
<ol>
|
||||
<li> net -- the (untrusted) internet.</li>
|
||||
<li> dmz - systems that must be accessible from the internet
|
||||
and from the local network. These systems cannot be trusted completely
|
||||
since their servers may have been compromised through a security exploit.</li>
|
||||
<li> loc - systems in your local network(s). These systems
|
||||
must be protected from the internet and from the DMZ and in some
|
||||
cases, from each other.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><b>Note: </b><a href="#Conf">You can specify the name of the firewall
|
||||
zone</a>. For ease of description in this documentation, it is assumed
|
||||
that the firewall zone is named "fw".</p>
|
||||
|
||||
<p>It can't be stressed enough that with the exception of the firewall zone,
|
||||
Shorewall itself attaches no meaning to zone names. Zone names are simply
|
||||
labels used to refer to a collection of network hosts.</p>
|
||||
|
||||
<p>While zones are normally disjoint (no two zones have a host in common),
|
||||
there are cases where nested or overlapping zone definitions are appropriate.</p>
|
||||
|
||||
<p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the purpose
|
||||
of this document, we will consider Netfilter to have three tables:</p>
|
||||
|
||||
<ol>
|
||||
<li>Filter table -- this is the main table for packet filtering and
|
||||
can be displayed with the command "shorewall show".</li>
|
||||
<li>Nat table -- used for all forms of Network Address Translation (NAT);
|
||||
SNAT, DNAT and MASQUERADE.</li>
|
||||
<li>Mangle table -- used to modify fields in the packet header.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p>Netfilter defines a number of inbuilt chains: PREROUTING, INPUT, OUTPUT,
|
||||
FORWARD and POSTROUTING. Not all inbuilt chains are present in all tables
|
||||
as shown in this table.<br>
|
||||
</p>
|
||||
|
||||
<div align="center">
|
||||
<table cellpadding="2" cellspacing="2" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">CHAIN<br>
|
||||
</td>
|
||||
<td valign="top">Filter<br>
|
||||
</td>
|
||||
<td valign="top">Nat<br>
|
||||
</td>
|
||||
<td valign="top">Mangle<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">PREROUTING<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">INPUT<br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">OUTPUT<br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">FORWARD<br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">POSTROUTING<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
<td valign="top">X<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</div>
|
||||
|
||||
<p>Shorewall doesn't create rules in all of the builtin chains. In the large
|
||||
diagram below are boxes such as shown below. This box represents in INPUT
|
||||
chain and shows that packets first flow through the INPUT chain in the Mangle
|
||||
table followed by the INPUT chain in the Filter table. The parentheses around
|
||||
"Mangle" indicate that while the packets will flow through the INPUT chain
|
||||
in the Mangle table, Shorewall does not create any rules in that chain.<br>
|
||||
</p>
|
||||
|
||||
<div align="center"><img src="images/Legend.png" alt="(Box Legend)"
|
||||
width="145" height="97" align="middle">
|
||||
<br>
|
||||
</div>
|
||||
|
||||
<p></p>
|
||||
|
||||
<p>Here is a picture of how packets traverse the various chains and tables
|
||||
in Netfilter. In that diagram, "Local Process" refers to a process running
|
||||
on the Firewall itself (in the 'fw' zone).</p>
|
||||
|
||||
<div align="center"><img src="images/Netfilter.png"
|
||||
alt="Netfilter Flow Diagram" width="541" height="767">
|
||||
</div>
|
||||
|
||||
<p><br>
|
||||
<br>
|
||||
In the text that follows, the paragraph numbers correspond to the box
|
||||
number in the diagram above.<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>Packets entering the firewall first pass through the <i>mangle </i>table's
|
||||
PREROUTING chain (you can see the mangle table by typing "shorewall show
|
||||
mangle"). If the packet entered through an interface that has the <b>norfc1918</b>
|
||||
option and if iptables/netfilter doesn't support the connection tracking
|
||||
match extension, then the packet is sent down the <b>man1918</b> chain which
|
||||
will drop the packet if its destination IP address is reserved (as specified
|
||||
in the /etc/shorewall/rfc1918 file). Next the packet passes through the<b>
|
||||
pretos</b> chain to set its TOS field as specified in the /etc/shorewall/tos
|
||||
file. Finally, if traffic control/shaping is being used, the packet is
|
||||
sent through the<b> tcpre</b> chain to be marked for later use in policy
|
||||
routing or traffic control.<br>
|
||||
<br>
|
||||
Next, if the packet isn't part of an established connection, it passes
|
||||
through the<i> nat</i> table's PREROUTING chain (you can see the nat table
|
||||
by typing "shorewall show nat"). If you are doing both static nat and
|
||||
port forwarding, the order in which chains are traversed is dependent on
|
||||
the setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is
|
||||
on then packets will ender a chain called<b> <i>interface_</i>in</b> where
|
||||
<i>interface</i> is the name of the interface on which the packet entered.
|
||||
Here it's destination IP is compared to each of the <i>EXTERNAL</i> IP
|
||||
addresses from /etc/shorewall/nat that correspond to this interface; if
|
||||
there is a match, DNAT is applied and the packet header is modified to
|
||||
the IP in the <i>INTERNAL</i> column of the nat file record. If the destination
|
||||
address doesn't match any of the rules in the <b><i>interface_</i>in</b>
|
||||
chain then the packet enters a chain called <b><i>sourcezone</i>_dnat</b>
|
||||
where <i>sourcezone</i> is the source zone of the packet. There it is compared
|
||||
for a match against each of the DNAT records in the rules file that specify
|
||||
<i> sourcezone </i>as the source zone. If a match is found, the
|
||||
destination IP address (and possibly the destination port) is modified based
|
||||
on the rule matched. If NAT_BEFORE_RULES is off, then the order of traversal
|
||||
of the <b><i> interface_</i>in</b> and <b><i>sourcezone</i>_dnat</b> is
|
||||
reversed.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Depending on whether the packet is destined for the firewall itself
|
||||
or for another system, it follows either the left or the right path. Traffic
|
||||
going to the firewall goes through chain called INPUT in the mangle table.
|
||||
Shorewall doesn't add any rules to that chain.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Traffic that is to be forwarded to another host goes through the chains
|
||||
called FORWARD in the mangle table. If MARK_IN_FORWARD=Yes in shorewall.conf,
|
||||
all rules in /etc/shorewall/tcrules that do not specify Prerouting (:P) are
|
||||
processed in a chain called <br>
|
||||
<br>
|
||||
</li>
|
||||
|
||||
<ol>
|
||||
|
||||
</ol>
|
||||
<li>Traffic is next sent to an<i> interface </i>chain in the main Netfilter
|
||||
table (called 'filter'). If the traffic is destined for the firewall
|
||||
itself, the name of the interface chain is formed by appending "_in" to
|
||||
the interface name. So traffic on eth0 destined for the firewall will
|
||||
enter a chain called <i>eth0_in</i>. The interface chain for traffic
|
||||
that will be routed to another system is formed by appending "_fwd" to
|
||||
the interface name. So traffic from eth1 that is going to be forwarded
|
||||
enters a chain called<i> eth1_fwd</i>. Interfaces described with the wild-card
|
||||
character ("+") in /etc/shorewall/interfaces, share input chains. if <i>ppp+
|
||||
</i>appears in /etc/shorewall/interfaces then all PPP interfaces (ppp0,
|
||||
ppp1, ...) will share the interface chains <i>ppp_in</i> and <i>ppp_fwd</i>.
|
||||
In other words, "+" is deleted from the name before forming the input chain
|
||||
names.<br>
|
||||
<br>
|
||||
While the use of interfacechains may seem wasteful in simple environments,
|
||||
in complex setups it substantially reduces the number of rules that each
|
||||
packet must traverse. </li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p> Traffic directed from a zone to the firewall itself is sent through
|
||||
a chain named <<i>zone name></i>2fw. For example, traffic inbound from
|
||||
the internet and addressed to the firewall is sent through a chain named
|
||||
net2fw. Similarly, traffic originating in the firewall and being sent
|
||||
to a host in a given zone is sent through a chain named fw2<i><zone
|
||||
name>. </i>For example, traffic originating in the firewall and
|
||||
destined for a host in the local network is sent through a chain named
|
||||
<i>fw2loc.</i> <font face="Century Gothic, Arial, Helvetica"> </font></p>
|
||||
|
||||
<p> Traffic being forwarded between two zones (or from one interface to
|
||||
a zone to another interface to that zone) is sent through a chain named <i>
|
||||
<source zone></i>2<i> <destination zone></i>. So for example,
|
||||
traffic originating in a local system and destined for a remote web server
|
||||
is sent through chain <i>loc2net. </i>This chain is referred to
|
||||
as the <i>canonical</i> chain from <source zone> to <destination
|
||||
zone>. Any destination NAT will have occurred <u>before</u> the packet
|
||||
traverses one of these chains so rules in /etc/shorewall/rules should
|
||||
be expressed in terms of the destination system's real IP address as opposed
|
||||
to its apparent external address. Similarly, source NAT will occur <u>after</u>
|
||||
the packet has traversed the appropriate forwarding chain so the rules
|
||||
again will be expressed using the source system's real IP address.</p>
|
||||
|
||||
<p> For each record in the /etc/shorewall/policy file, a chain is created.
|
||||
Policies in that file are expressed in terms of a source zone and destination
|
||||
zone where these zones may be a zone defined in /etc/shorewall/zones,
|
||||
"fw" or "all". Policies specifying the pseudo-zone "all" matches all defined
|
||||
zones and "fw". These chains are referred to as <i>Policy Chains.</i> Notice
|
||||
that for an ordered pair of zones (za,zb), the canonical chain (za2zb)
|
||||
may also be the policy chain for the pair or the policy chain may be
|
||||
a different chain (za2all, for example). Packets from one zone to another
|
||||
will traverse chains as follows:</p>
|
||||
|
||||
<ol>
|
||||
<li> If the canonical chain exists, packets first traverse
|
||||
that chain.</li>
|
||||
<li> If the canonical chain and policy chain are different
|
||||
and the packet does not match a rule in the canonical chain, it then
|
||||
is sent to the policy chain.</li>
|
||||
<li> If the canonical chain does not exist, packets are sent
|
||||
immediately to the policy chain.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p> The canonical chain from zone za to zone zb will be created only if
|
||||
there are exception rules defined in /etc/shorewall/rules for packets going
|
||||
from za to zb.</p>
|
||||
|
||||
<p> Shorewall is built on top of the Netfilter kernel facility. Netfilter
|
||||
implements connection tracking function that allow what is often referred
|
||||
to as "statefull inspection" of packets. This statefull property allows
|
||||
firewall rules to be defined in terms of "connections" rather than in
|
||||
terms of "packets". With Shorewall, you:</p>
|
||||
|
||||
<ol>
|
||||
<li> Identify the client's zone.</li>
|
||||
<li> Identify the server's zone.</li>
|
||||
<li> If the POLICY from the client's zone to the server's zone
|
||||
is what you want for this client/server pair, you need do nothing further.</li>
|
||||
<li> If the POLICY is not what you want, then you must add
|
||||
a rule. That rule is expressed in terms of the client's zone and
|
||||
the server's zone.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p> Just because connections of a particular type are allowed between zone
|
||||
A and the firewall and are also allowed between the firewall and zone
|
||||
B <font color="#ff6633"><b><u> DOES NOT mean that these connections
|
||||
are allowed between zone A and zone B</u></b></font>. It rather means
|
||||
that you can have a proxy running on the firewall that accepts a connection
|
||||
from zone A and then establishes its own separate connection from the
|
||||
firewall to zone B.</p>
|
||||
|
||||
<p> If you adopt the default policy of ACCEPT from the local zone to the
|
||||
internet zone and you are having problems connecting from a local client
|
||||
to an internet server, <font color="#ff6633"><b><u> adding a rule won't
|
||||
help</u></b></font> (see point 3 above).</p>
|
||||
|
||||
<p><font size="2">Last modified 5/22/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -7,18 +7,37 @@
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Logging</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
<h1 style="text-align: center;">Logging</h1>
|
||||
<h2>How to Log Traffic through a Shorewall Firewall</h2>
|
||||
The disposition of packets entering a Shorewall firewall is
|
||||
determined by one of a number of Shorewall facilities. Only some of
|
||||
these facilities permit logging.<br>
|
||||
<ol>
|
||||
<li>The packet is part of an established connection. The packet is
|
||||
accepted and cannot be logged.</li>
|
||||
<li>The packet represents a connection request that is related to an
|
||||
established connection (such as a <a href="FTP.html">data connection
|
||||
associated with an FTP control connection</a>). These packets
|
||||
also cannot be logged.</li>
|
||||
<li>The packet is rejected because of an option in <a
|
||||
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> or <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
These packets can be logged by setting the appropriate logging-related
|
||||
option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
|
||||
<li>The packet matches a rule in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.
|
||||
By including a syslog level (see below) in the ACTION column of a rule
|
||||
(e.g., "ACCEPT<span
|
||||
style="font-weight: bold; text-decoration: underline;">:info</span>
|
||||
net fw tcp 22"), the connection attempt will be logged at that level.</li>
|
||||
<li>The packet doesn't match a rule so is handled by a policy defined
|
||||
in <a href="Documentation.htm#Policy">/etc/shorewall/policy</a>. These
|
||||
may be logged by specifying a syslog level in the LOG LEVEL column of
|
||||
the policy entry (e.g., "loc net ACCEPT <span
|
||||
style="font-weight: bold; text-decoration: underline;">info</span>"<br>
|
||||
</li>
|
||||
</ol>
|
||||
<h2>Where the Traffic is logged and how to Change the Destination<br>
|
||||
</h2>
|
||||
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
|
||||
classifies log messages by a <i>facility</i> and a <i>priority</i>
|
||||
(using the notation <i>facility.priority</i>). <br>
|
||||
@ -149,7 +168,8 @@ and
|
||||
<a
|
||||
href="http://marc.theaimsgroup.com/?l=gentoo-security&m=106040714910563&w=2">Here</a>
|
||||
is a post describing configuring syslog-ng to work with Shorewall.<br>
|
||||
<p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
<p><font size="2"> Updated 10/30/2003 - <a href="support.htm">Tom
|
||||
Eastep</a>
|
||||
</font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
|
||||
|
@ -9,20 +9,12 @@
|
||||
<title>Shorewall Mirrors</title>
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Shorewall Mirrors<br>
|
||||
</h1>
|
||||
<p align="left"><b>Remember that updates to the mirrors are often
|
||||
delayed for 6-12 hours after an update to the primary rsync site. For
|
||||
HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
|
||||
HTML content, the main web site (<a href="http://shorewall.sf.net"
|
||||
target="_top">http://shorewall.sf.net</a>)
|
||||
is updated at the same time as the rsync site.</b></p>
|
||||
<p align="left">The main Shorewall Web Site is <a
|
||||
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>
|
||||
@ -67,6 +59,9 @@ AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shore
|
||||
<li> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall">ftp://france.shorewall.net/pub/mirrors/shorewall</a>
|
||||
(Paris, France)</li>
|
||||
<li><a href="ftp://ftp.syachile.cl/pub/shorewall" target="_top">ftp://ftp.syachile.cl/pub/shorewall
|
||||
</a>(Santiago Chile)<br>
|
||||
</li>
|
||||
<li><a href="ftp://shorewall.greshko.com/pub/shorewall" target="_top">ftp://shorewall.greshko.com</a>
|
||||
(Taipei, Taiwan)</li>
|
||||
<li><a href="ftp://ftp.shorewall.com.au" target="_top">ftp://ftp.shorewall.com.au</a>
|
||||
@ -78,7 +73,7 @@ AKA <a href="ftp://www.shorewall.de/pub/shorewall" target="_top">ftp://www.shore
|
||||
</ul>
|
||||
Search results and the mailing list archives are always fetched from
|
||||
the site in Washington State.<br>
|
||||
<p align="left"><font size="2">Last Updated 8/27/2003 - <a
|
||||
<p align="left"><font size="2">Last Updated 11/14/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
|
||||
|
@ -1,86 +1,57 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Prerequisites</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Shorewall Requires:<br>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Shorewall Requirements</h1>
|
||||
Shorewall Requires:<br>
|
||||
<ul>
|
||||
<li>A kernel that supports netfilter. I've tested with 2.4.2 -
|
||||
2.4.20. With current releases of Shorewall, Traffic Shaping/Control requires
|
||||
at least 2.4.18. <a href="kernel.htm"> Check here for kernel configuration
|
||||
information.</a> If you are looking for a firewall for use with
|
||||
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle
|
||||
Firewall site</a> .</li>
|
||||
<li>iptables 1.2 or later but beware version 1.2.3 -- see the
|
||||
<a href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING:
|
||||
</b></font>The buggy iptables version 1.2.3 is included in RedHat
|
||||
7.2 and you should upgrade to iptables 1.2.4 prior to installing Shorewall.
|
||||
Version 1.2.4 is available <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
|
||||
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
|
||||
<li>Iproute ("ip" utility). The iproute package is included
|
||||
with most distributions but may not be installed by default. The official
|
||||
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
|
||||
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
|
||||
</li>
|
||||
<li>A Bourne shell or derivative such as bash or ash. This shell
|
||||
must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
|
||||
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
|
||||
} and ${<i>variable</i>##<i>pattern</i>}.</li>
|
||||
<li>Your shell must produce a sensible result when a number n (128 <=
|
||||
n <= 255) is left shifted by 24 bits. You can check this at a shell prompt
|
||||
by:</li>
|
||||
|
||||
<li>A kernel that supports netfilter. I've tested with 2.4.2 -
|
||||
2.4.23-rc2. With current releases of Shorewall, Traffic
|
||||
Shaping/Control
|
||||
requires at least 2.4.18. <a href="kernel.htm"> Check here for
|
||||
kernel configuration information.</a> If you are looking for a firewall
|
||||
for use with 2.2 kernels, <a href="http://seawall.sf.net"> see the
|
||||
Seattle
|
||||
Firewall site</a> .</li>
|
||||
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
|
||||
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
|
||||
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
|
||||
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
|
||||
is available <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from
|
||||
RedHat</a> and in the <a href="errata.htm">Shorewall Errata</a>. </li>
|
||||
<li>Iproute ("ip" utility). The iproute package is included with most
|
||||
distributions but may not be installed by default. The official
|
||||
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
|
||||
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
|
||||
</li>
|
||||
<li>A Bourne shell or derivative such as bash or ash. This shell must
|
||||
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
|
||||
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
|
||||
} and ${<i>variable</i>##<i>pattern</i>}.</li>
|
||||
<li>Your shell must produce a sensible result when a number n (128
|
||||
<= n <= 255) is left shifted by 24 bits. You can check this at a
|
||||
shell prompt by:</li>
|
||||
<ul>
|
||||
<li>echo $((128 << 24))<br>
|
||||
</li>
|
||||
<li>The result must be either 2147483648 or -2147483648.<br>
|
||||
</li>
|
||||
|
||||
<li>echo $((128 << 24))<br>
|
||||
</li>
|
||||
<li>The result must be either 2147483648 or -2147483648.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<li>The firewall monitoring display is greatly improved if you
|
||||
have awk (gawk) installed.</li>
|
||||
|
||||
<li>The firewall monitoring display is greatly improved if you have
|
||||
awk (gawk) installed.</li>
|
||||
</ul>
|
||||
|
||||
<p align="left"><font size="2">Last updated 7/8/2003 - <a
|
||||
<p align="left"><font size="2">Last updated 11/20/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
|
||||
Eastep.</font></a></font></p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -10,22 +10,10 @@
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall QuickStart
|
||||
Guides (HOWTO's)<br>
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Shorewall QuickStart Guides (HOWTOs)<br>
|
||||
</h1>
|
||||
<p align="center">With thanks to Richard who reminded me once again
|
||||
that we
|
||||
must all first walk before we can run.<br>
|
||||
that we must all first walk before we can run.<br>
|
||||
The French Translations of the single-IP guides are courtesy of Patrice
|
||||
Vetsel<br>
|
||||
The French Translation of the Shorewall Setup Guide is courtesy of
|
||||
@ -51,15 +39,16 @@ acting as a firewall/router for a small local network and a DMZ. (<a
|
||||
running quickly in the three most common Shorewall configurations. If
|
||||
you want to learn more about Shorewall than is explained in the above
|
||||
simple guides, the <a href="shorewall_setup_guide.htm">Shorewall
|
||||
Setup Guide</a> (See Index Below) is for you.</p>
|
||||
Setup
|
||||
Guide</a> (See Index Below) is for you.</p>
|
||||
</blockquote>
|
||||
<p>If you have <font color="#ff0000"><big><big><b>more than one public
|
||||
IP address</b></big></big></font>:<br>
|
||||
</p>
|
||||
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
|
||||
Guide</a> (See Index Below) outlines the steps necessary to set up a
|
||||
firewall where there are multiple public IP
|
||||
addresses involved or if you
|
||||
firewall where there are multiple public IP addresses involved or if
|
||||
you
|
||||
want to learn more about Shorewall than is explained in the
|
||||
single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
|
||||
Française</a>).</blockquote>
|
||||
@ -79,13 +68,11 @@ Interfaces (e.g., eth0:0)</a><br>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
<ul>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using
|
||||
/sbin/shorewall</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="starting_and_stopping_shorewall.htm">Commands</a>
|
||||
(Description of
|
||||
all /sbin/shorewall commands)</li>
|
||||
(Description of all /sbin/shorewall commands)</li>
|
||||
<li><a href="configuration_file_basics.htm">Common configuration file
|
||||
features</a> </li>
|
||||
<ul>
|
||||
@ -143,13 +130,16 @@ in Shorewall</a> </li>
|
||||
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
|
||||
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
|
||||
code through the use of files in /etc/shorewall --
|
||||
/etc/shorewall/start, /etc/shorewall/stopped, etc.)</li>
|
||||
/etc/shorewall/start,
|
||||
/etc/shorewall/stopped, etc.)</li>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="FAQ.htm">FAQs</a><br>
|
||||
</li>
|
||||
<li><a href="shorewall_features.htm">Features</a><br>
|
||||
</li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
|
||||
<li><a href="Multiple_Zones.html">Forwarding Traffic on the Same
|
||||
Interface</a><br>
|
||||
</li>
|
||||
<li><a href="FTP.html">FTP and Shorewall</a><br>
|
||||
</li>
|
||||
<li><a href="support.htm">Getting help or answers to questions</a></li>
|
||||
@ -158,16 +148,25 @@ code through the use of files in /etc/shorewall --
|
||||
<li><a href="GSLUG.htm">HTML</a></li>
|
||||
<li><a href="GSLUG.ppt">PowerPoint</a></li>
|
||||
</ul>
|
||||
<li><a href="Install.htm">Installation/Upgrade</a><br>
|
||||
<li><a href="Install.htm">Installation/Upgrade</a></li>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="Shorewall_and_Kazaa.html">Kazaa Filtering</a><br>
|
||||
</li>
|
||||
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
|
||||
<li><a href="shorewall_logging.html">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">MAC Verification</a></li>
|
||||
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
|
||||
<li><a href="http://lists.shorewall.net">Mailing Lists</a></li>
|
||||
<li><a href="Multiple_Zones.html">Multiple Zones Through One Interface</a><br>
|
||||
</li>
|
||||
<li><a href="NetfilterOverview.html">Netfilter Overview</a><br>
|
||||
</li>
|
||||
<li><a href="myfiles.htm">My Shorewall Configuration (How I
|
||||
personally use Shorewall)</a></li>
|
||||
<li><font color="#000099"><a href="NAT.htm">One-to-one NAT (Formerly
|
||||
referred to as <span style="font-style: italic;">Static NAT</span>)<br>
|
||||
</a></font></li>
|
||||
<li><a href="OPENVPN.html">OpenVPN</a></li>
|
||||
<li><a href="starting_and_stopping_shorewall.htm">Operating Shorewall</a><br>
|
||||
</li>
|
||||
<li><a href="ping.html">'Ping' Management</a><br>
|
||||
@ -178,8 +177,8 @@ personally use Shorewall)</a></li>
|
||||
<li>Ports used by Trojans</li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy
|
||||
ARP</a></li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
|
||||
</li>
|
||||
<li><a href="samba.htm">Samba</a></li>
|
||||
@ -197,8 +196,7 @@ Subnets and Routing</a>
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
|
||||
Addresses</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Subnets">4.2
|
||||
Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||
Resolution Protocol (ARP)</a></li>
|
||||
@ -219,7 +217,8 @@ Network</a>
|
||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
|
||||
Proxy ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
|
||||
One-to-one NAT</a></li>
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
|
||||
@ -235,14 +234,11 @@ Starting and Stopping the Firewall</a></li>
|
||||
href="starting_and_stopping_shorewall.htm">Starting/stopping the
|
||||
Firewall</a></font></li>
|
||||
<ul>
|
||||
<li>Description of all /sbin/shorewall
|
||||
commands</li>
|
||||
<li>Description of all /sbin/shorewall commands</li>
|
||||
<li>How to safely test a Shorewall configuration change<br>
|
||||
</li>
|
||||
</ul>
|
||||
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
|
||||
with Shorewall</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html">Squid with Shorewall</a></li>
|
||||
<li><a href="Accounting.html">Traffic Accounting</a><br>
|
||||
</li>
|
||||
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
|
||||
@ -255,14 +251,14 @@ doesn't work)</a></li>
|
||||
<li>VPN
|
||||
<ul>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and
|
||||
IPIP</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="OPENVPN.html">OpenVPN</a><br>
|
||||
</li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="6to4.htm">6t04</a><br>
|
||||
</li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind your
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> passthrough from a system
|
||||
behind your
|
||||
firewall to a remote network.</li>
|
||||
<li><a href="GenericTunnels.html">Other VPN types</a>.<br>
|
||||
</li>
|
||||
@ -272,7 +268,7 @@ firewall to a remote network.</li>
|
||||
</ul>
|
||||
<p>If you use one of these guides and have a suggestion for improvement
|
||||
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||
<p><font size="2">Last modified 9/23/2003 - <a href="support.htm">Tom
|
||||
<p><font size="2">Last modified 11/22/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
|
||||
M. Eastep</font></a><br>
|
||||
|
@ -10,18 +10,8 @@
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Setup Guide</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
<h1 style="text-align: center;">Shorewall Setup Guide<br>
|
||||
</h1>
|
||||
<p><a href="#Introduction">1.0 Introduction</a><br>
|
||||
<a href="#Concepts">2.0 Shorewall Concepts</a><br>
|
||||
<a href="#Interfaces">3.0 Network Interfaces</a><br>
|
||||
@ -41,7 +31,7 @@
|
||||
<p><a href="#SNAT">5.2.1 SNAT</a><br>
|
||||
<a href="#DNAT">5.2.2 DNAT</a><br>
|
||||
<a href="#ProxyARP">5.2.3 Proxy ARP</a><br>
|
||||
<a href="#NAT">5.2.4 Static NAT</a></p>
|
||||
<a href="#NAT">5.2.4 One-to-one NAT</a></p>
|
||||
</blockquote>
|
||||
<p><a href="#Rules">5.3 Rules</a><br>
|
||||
<a href="#OddsAndEnds">5.4 Odds and Ends</a></p>
|
||||
@ -929,7 +919,15 @@ a VPN relationship. </p>
|
||||
<div align="left">
|
||||
<p align="left">So it's a good idea to check with your ISP to see if
|
||||
they are using (or are planning to use) private addresses before you
|
||||
decide the addresses that you are going to use.</p>
|
||||
decide the addresses that you are going to use.<br>
|
||||
</p>
|
||||
<p align="left"><span style="font-weight: bold;">NOTE: In this
|
||||
document, external "real" IP addresses are of the form 192.0.2.x.
|
||||
192.0.2.0/24 is reserved by RFC 3330 for use as public IP addresses in
|
||||
printed examples. These addresses are not to be confused with addresses
|
||||
in 192.168.0.0/16; as described above, these addresses are reserved by
|
||||
RFC 1918 for private use.</span><br>
|
||||
</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<h2 align="left"><a name="Options"></a>5.0 Setting up your Network</h2>
|
||||
@ -1077,7 +1075,7 @@ also known as <i>Port Forwarding.</i> </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><i>Network Address Translation</i> (NAT) also
|
||||
referred to as <i>Static NAT</i>. </p>
|
||||
referred to as <i>One-to-one NAT</i>. </p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
@ -1230,12 +1228,13 @@ your public IP addresses (<b>A)</b> and is assigned the same netmask <b>(M)
|
||||
<p align="left">When <b>H</b> issues an ARP "who has" request for
|
||||
an address in the subnetwork defined by <b>A</b> and <b>M</b>, the
|
||||
firewall will
|
||||
respond (with the MAC if the firewall interface to <b>H</b>). </p>
|
||||
respond (with the MAC if the firewall interface) to <b>H</b>. </p>
|
||||
</li>
|
||||
</ul>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Let suppose that we decide to use Proxy ARP on the DMZ
|
||||
<p align="left">Let us suppose that we decide to use Proxy ARP on the
|
||||
DMZ
|
||||
in our example network.</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
@ -1323,7 +1322,7 @@ accordingly."<br>
|
||||
<br>
|
||||
Which is, of course, exactly what you want to do when you switch a host
|
||||
from being exposed to the Internet to behind Shorewall using proxy ARP
|
||||
(or static NAT for that matter). Happily enough, recent versions
|
||||
(or one-to-one NAT for that matter). Happily enough, recent versions
|
||||
of Redhat's iputils package include "arping", whose "-U" flag does just
|
||||
that:<br>
|
||||
<br>
|
||||
@ -1371,10 +1370,10 @@ words, the gateway's ARP cache still associates 192.0.2.177 with
|
||||
the NIC in DMZ 1 rather than with the firewall's eth0.</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<h4 align="left"><a name="NAT"></a>5.2.4 Static NAT</h4>
|
||||
<h4 align="left"><a name="NAT"></a>5.2.4 One-to-one NAT</h4>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">With static NAT, you assign local systems RFC 1918
|
||||
<p align="left">With one-to-one NAT, you assign local systems RFC 1918
|
||||
addresses then establish a one-to-one mapping between those addresses
|
||||
and
|
||||
public IP addresses. For outgoing connections SNAT (Source Network
|
||||
@ -1486,7 +1485,7 @@ daughter's web server -- you would rather just use an ACCEPT rule:</p>
|
||||
<p align="left">A word of warning is in order here. ISPs typically
|
||||
configure their routers with a long ARP cache timeout. If you move a
|
||||
system from parallel to your firewall to behind your firewall with
|
||||
static NAT, it will probably be HOURS before that system can
|
||||
one-to-one NAT, it will probably be HOURS before that system can
|
||||
communicate
|
||||
with the internet. There are a couple of things that you can try:<br>
|
||||
</p>
|
||||
@ -1506,7 +1505,7 @@ accordingly."<br>
|
||||
<br>
|
||||
Which is, of course, exactly what you want to do when you switch a host
|
||||
from being exposed to the Internet to behind Shorewall using proxy ARP
|
||||
(or static NAT for that matter). Happily enough, recent versions
|
||||
(or one-to-one NAT for that matter). Happily enough, recent versions
|
||||
of Redhat's iputils package include "arping", whose "-U" flag does just
|
||||
that:<br>
|
||||
<br>
|
||||
@ -2367,7 +2366,7 @@ create an <i><a href="Documentation.htm#Configs">alternate
|
||||
configuration</a></i> and test it using the <a
|
||||
href="Documentation.htm#Starting">"shorewall try" command</a>.</p>
|
||||
</div>
|
||||
<p align="left"><font size="2">Last updated 7/6/2003 - <a
|
||||
<p align="left"><font size="2">Last updated 11/18/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
|
||||
2003 Thomas M. Eastep</font></a><br>
|
||||
|
2515
Shorewall-docs/shorewall_setup_guide_fr.htm
Executable file
2515
Shorewall-docs/shorewall_setup_guide_fr.htm
Executable file
File diff suppressed because it is too large
Load Diff
@ -7,18 +7,6 @@
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#3366ff">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="33%" height="90" valign="middle" align="center"><a
|
||||
href="http://www.cityofshoreline.com"> </a><img src="images/Logo1.png"
|
||||
alt="(Shorewall Logo)" width="430" height="90"> <br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<div align="center">
|
||||
<center>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
@ -26,6 +14,15 @@
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="90%">
|
||||
<h2>Site Problem</h2>
|
||||
The server that normally hosts www.shorewall.net and ftp.shorewall.net
|
||||
is currently down. Until it is back up, a small server with very
|
||||
limited bandwidth is being used temporarly. You will likely experience
|
||||
better response time from the <a
|
||||
href="http://shorewall.sourceforge.net" target="_top">Sourceforge site</a>
|
||||
or from one of the other <a href="shorewall_mirrors.htm">mirrors</a>.
|
||||
Sorry for the inconvenience.<br>
|
||||
<br>
|
||||
<h2>Introduction<br>
|
||||
</h2>
|
||||
<ul>
|
||||
@ -37,14 +34,12 @@ and control that facility. Netfilter can be used in ipchains
|
||||
compatibility mode.<br>
|
||||
</li>
|
||||
<li>iptables - the utility program used to configure and
|
||||
control
|
||||
Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in
|
||||
ipchains compatibility mode).<br>
|
||||
control Netfilter. The term 'iptables' is often used to refer to the
|
||||
combination of iptables+Netfilter (with Netfilter not in ipchains
|
||||
compatibility mode).<br>
|
||||
</li>
|
||||
</ul>
|
||||
The
|
||||
Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
high-level tool for configuring Netfilter. You describe your
|
||||
firewall/gateway requirements using entries in a set of configuration
|
||||
files. Shorewall reads those configuration files and with the help of
|
||||
@ -56,14 +51,14 @@ and can thus take advantage of Netfilter's connection state tracking
|
||||
capabilities.
|
||||
<p>This program is free software; you can redistribute it and/or
|
||||
modify it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
|
||||
GNU General Public License</a> as published by the Free Software
|
||||
Foundation.<br>
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
<br>
|
||||
This program is distributed in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
General Public License for more details.<br>
|
||||
General
|
||||
Public License for more details.<br>
|
||||
<br>
|
||||
You should have received a copy of the GNU General Public License along
|
||||
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||
@ -81,356 +76,205 @@ Shorewall. For older versions:<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h2>Getting Started with Shorewall</h2>
|
||||
New to Shorewall? Start by
|
||||
selecting the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
|
||||
that most closely match your environment and
|
||||
follow the step by step instructions.<br>
|
||||
New to Shorewall? Start by selecting the <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
|
||||
closely match your environment and follow the step by step instructions.<br>
|
||||
<h2>Looking for Information?</h2>
|
||||
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||
Index</a> is a good place to start as is the Quick Search to your
|
||||
right.
|
||||
Index</a> is a good place to start as is the Quick Search in the frame
|
||||
above.
|
||||
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
|
||||
If so, the documentation<b> </b>on this site will not apply directly
|
||||
to your setup. If you want to
|
||||
use the documentation that you find here, you will want to consider
|
||||
uninstalling what you have and installing a setup that matches the
|
||||
documentation on this site. See the <a href="two-interface.htm">Two-interface
|
||||
QuickStart Guide</a> for
|
||||
to
|
||||
your setup. If you want to use the documentation that you find here,
|
||||
you will want to consider uninstalling what you have and installing a
|
||||
setup that matches the documentation on this site. See the <a
|
||||
href="two-interface.htm">Two-interface QuickStart Guide</a> for
|
||||
details.
|
||||
<h2></h2>
|
||||
<h2><b>News</b></h2>
|
||||
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
|
||||
<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""></b><br>
|
||||
<b><br>
|
||||
Problems Corrected since version 1.4.6 (Those in bold font
|
||||
were corrected since 1.4.7 RC2).</b><br>
|
||||
<ol>
|
||||
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
|
||||
variable was being tested before it was set.</li>
|
||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
||||
the tcrules file. Previously, these addresses resulted in an invalid
|
||||
iptables command.</li>
|
||||
<li>The "shorewall stop" command is now disabled when
|
||||
/etc/shorewall/startup_disabled exists. This prevents people from
|
||||
shooting themselves in the foot prior to having configured Shorewall.</li>
|
||||
<li>A change introduced in version 1.4.6 caused error messages
|
||||
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
|
||||
were being added to a PPP interface; the addresses were successfully
|
||||
added in spite of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages</li>
|
||||
<li>Interface-specific dynamic blacklisting chains are
|
||||
now displayed by "shorewall monitor" on the "Dynamic Chains" page
|
||||
(previously named "Dynamic Chain").</li>
|
||||
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
|
||||
<li value="7">The 'shorewall reject'
|
||||
and
|
||||
'shorewall drop' commands now delete any existing rules for the subject
|
||||
IP address before adding a new DROP or REJECT rule. Previously, there
|
||||
could be many rules for the same IP address in the dynamic chain so
|
||||
that multiple 'allow' commands were required to re-enable traffic
|
||||
to/from the address.</li>
|
||||
<li>When ADD_SNAT_ALIASES=Yes in
|
||||
shorewall.conf, the following entry in /etc/shorewall/masq resulted in
|
||||
a startup error:<br>
|
||||
<br>
|
||||
eth0 eth1
|
||||
206.124.146.20-206.124.146.24<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Shorewall previously choked over
|
||||
IPV6
|
||||
addresses configured on interfaces in contexts where Shorewall needed
|
||||
to detect something about the interface (such as when "detect" appears
|
||||
in the BROADCAST column of the /etc/shorewall/interfaces file).</li>
|
||||
<li>Shorewall will now load
|
||||
module files that are formed from the module name by appending ".o.gz".</li>
|
||||
<li>When Shorewall adds a route to a
|
||||
proxy
|
||||
ARP host and such a route already exists, two routes resulted
|
||||
previously. This has been corrected so that the existing route is
|
||||
replaced if it already exists.</li>
|
||||
<li>The rfc1918 file has been
|
||||
updated to reflect recent allocations.</li>
|
||||
<li>The documentation of the
|
||||
USER SET column in the rules file has been corrected.</li>
|
||||
<li>If there is no policy
|
||||
defined for
|
||||
the zones specified in a rule, the firewall script previously
|
||||
encountered a shell syntax error:<br>
|
||||
|
||||
<br>
|
||||
[: NONE: unexpected operator<br>
|
||||
|
||||
<br>
|
||||
Now, the absence of a policy generates an error message and the
|
||||
firewall is stopped:<br>
|
||||
|
||||
<br>
|
||||
No policy defined from zone
|
||||
<source> to zone <dest><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if neither
|
||||
/etc/shorewall/common nor /etc/shorewall/common.def existed, Shorewall
|
||||
would fail to start and would not remove the lock file. Failure to
|
||||
remove the lock file resulted in the following during subsequent
|
||||
attempts to start:<br>
|
||||
|
||||
<br>
|
||||
Loading /usr/share/shorewall/functions...<br>
|
||||
Processing /etc/shorewall/params ...<br>
|
||||
Processing /etc/shorewall/shorewall.conf...<br>
|
||||
Giving up on lock file /var/lib/shorewall/lock<br>
|
||||
Shorewall Not Started<br>
|
||||
<br>
|
||||
Shorewall now reports a fatal error if neither of these two files exist
|
||||
and correctly removes the lock fille.</li>
|
||||
<li>The order of processing
|
||||
the
|
||||
various options has been changed such that blacklist entries now take
|
||||
precedence over the 'dhcp' interface setting.</li>
|
||||
<li>The log message generated
|
||||
from the
|
||||
'logunclean' interface option has been changed to reflect a disposition
|
||||
of LOG rather than DROP.</li>
|
||||
<li><span style="font-weight: bold;">When a user name and/or a
|
||||
group
|
||||
name was specified in the USER SET column and the destination zone was
|
||||
qualified with a IP address, the user and/or group name was not being
|
||||
used to qualify the rule.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
ACCEPT fw net:192.0.2.12 tcp 23 - - - vladimir:<br>
|
||||
<br>
|
||||
</span></li>
|
||||
<li><span style="font-weight: bold;">The /etc/shorewall/masq
|
||||
file has had the spurious "/" character at the front removed.</span></li>
|
||||
</ol>
|
||||
<b>Migration Issues:</b><br>
|
||||
<ol>
|
||||
<li>Shorewall IP Traffic Accounting has changed since snapshot
|
||||
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
|
||||
details.</li>
|
||||
<li>The Uset Set capability introduced in SnapShot 20030821 has
|
||||
changed -- see the <a href="UserSets.html">User Set page</a> for
|
||||
details.</li>
|
||||
<li>The
|
||||
per-interface Dynamic Blacklisting facility introduced in the first
|
||||
post-1.4.6 Snapshot has been removed. The facility had too many
|
||||
idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<b></b><b>New Features:</b><br>
|
||||
<ol>
|
||||
<li>Shorewall now creates a dynamic blacklisting chain for each
|
||||
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
|
||||
commands use the routing table to determine which of these chains is to
|
||||
be used for blacklisting the specified IP address(es).<br>
|
||||
<br>
|
||||
Two new commands ('dropall' and 'rejectall') have been introduced that
|
||||
do what 'drop' and 'reject' used to do; namely, when an address is
|
||||
blacklisted using these new commands, it will be blacklisted on all of
|
||||
your firewall's interfaces.</li>
|
||||
<li>Thanks to Steve Herber, the 'help' command can now give
|
||||
command-specific help (e.g., shorewall help <command>).</li>
|
||||
<li>A new option "ADMINISABSENTMINDED" has been added to
|
||||
/etc/shorewall/shorewall.conf. This option has a default value of "No"
|
||||
for existing users which causes Shorewall's 'stopped' state to
|
||||
continue as it has been; namely, in the stopped state only traffic
|
||||
to/from hosts listed in /etc/shorewall/routestopped is accepted.<br>
|
||||
<br>
|
||||
With ADMINISABSENTMINDED=Yes (the default for new installs), in
|
||||
addition to traffic to/from the hosts listed in
|
||||
/etc/shorewall/routestopped, Shorewall will allow:<br>
|
||||
<br>
|
||||
a) All traffic originating from the firewall itself; and<br>
|
||||
b) All traffic that is part of or related to an
|
||||
already-existing connection.<br>
|
||||
<br>
|
||||
In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
|
||||
entered through an ssh session will not kill the session.<br>
|
||||
<br>
|
||||
Note though that even with ADMINISABSENTMINDED=Yes, it is still
|
||||
possible for people to shoot themselves in the foot.<br>
|
||||
<br>
|
||||
Example:<br>
|
||||
<br>
|
||||
/etc/shorewall/nat:<br>
|
||||
<br>
|
||||
206.124.146.178
|
||||
eth0:0 192.168.1.5 <br>
|
||||
<br>
|
||||
/etc/shorewall/rules:<br>
|
||||
<br>
|
||||
ACCEPT net
|
||||
loc:192.168.1.5 tcp 22<br>
|
||||
ACCEPT loc
|
||||
fw tcp 22<br>
|
||||
<br>
|
||||
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
|
||||
connection with local system 192.168.1.5. I then create a second SSH
|
||||
connection
|
||||
from that computer to the firewall and confidently type "shorewall
|
||||
stop".
|
||||
As part of its stop processing, Shorewall removes eth0:0 which kills my
|
||||
SSH
|
||||
connection to 192.168.1.5!!!</li>
|
||||
<li>Given the wide range of VPN software, I can never hope to
|
||||
add specific support for all of it. I have therefore decided to add
|
||||
"generic" tunnel support.<br>
|
||||
<br>
|
||||
Generic tunnels work pretty much like any of the other tunnel types.
|
||||
You usually add a zone to represent the systems at the other end of the
|
||||
tunnel and you add the appropriate rules/policies to<br>
|
||||
implement your security policy regarding traffic to/from those systems.<br>
|
||||
<br>
|
||||
In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
|
||||
<br>
|
||||
generic:<protocol>[:<port>] <zone> <ip
|
||||
address> <gateway zones><br>
|
||||
<br>
|
||||
where:<br>
|
||||
<br>
|
||||
<protocol> is the protocol
|
||||
used by the tunnel<br>
|
||||
<port> if the protocol
|
||||
is 'udp' or 'tcp' then this is the destination port number used by the
|
||||
tunnel.<br>
|
||||
<zone> is the zone of
|
||||
the remote tunnel gateway<br>
|
||||
<ip address> is the IP
|
||||
address of the remote tunnel gateway.<br>
|
||||
<gateway zone>
|
||||
Optional. A comma-separated list of zone names. If specified, the
|
||||
remote gateway is to be considered part of these zones.</li>
|
||||
<li>An 'arp_filter' option has been added to the
|
||||
/etc/shorewall/interfaces file. This option causes
|
||||
/proc/sys/net/ipv4/conf/<interface>/arp_filter to be set with the
|
||||
result that this interface will only answer ARP 'who-has' requests from
|
||||
hosts that are routed out through that interface. Setting this option
|
||||
facilitates testing of your firewall where multiple firewall interfaces
|
||||
are connected to the same HUB/Switch (all interfaces connected to the
|
||||
single HUB/Switch should have this option specified). Note that using
|
||||
such a configuration in a production environment is strongly
|
||||
recommended against.</li>
|
||||
<li>The ADDRESS column in /etc/shorewall/masq may now include a
|
||||
comma-separated list of addresses and/or address ranges. Netfilter will
|
||||
use all listed addresses/ranges in round-robin fashion. \</li>
|
||||
<li>An /etc/shorewall/accounting file has been added to allow
|
||||
for traffic accounting. See the <a href="Accounting.html">accounting
|
||||
documentation</a> for a description of this facility.</li>
|
||||
<li>Bridge interfaces (br[0-9]) may now be used in
|
||||
/etc/shorewall/maclist.</li>
|
||||
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
|
||||
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
|
||||
rules, rate limiting occurs in the nat table DNAT rule; the
|
||||
corresponding ACCEPT rule in the filter table is not rate limited. If
|
||||
you want to limit the filter table rule, you will need o create two
|
||||
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
|
||||
separately.<br>
|
||||
<br>
|
||||
<span style="font-weight: bold;">Warning: </span>When rate
|
||||
limiting is specified on a rule with "all" in the SOURCE or DEST
|
||||
fields, the limit will apply to each pair of zones individually rather
|
||||
than as a single limit for all pairs of covered by the rule.<br>
|
||||
<br>
|
||||
To specify a rate limit, <br>
|
||||
<br>
|
||||
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
|
||||
<br>
|
||||
<
|
||||
<rate>/<interval>[:<burst>] ><br>
|
||||
<br>
|
||||
|
||||
where<br>
|
||||
<br>
|
||||
<rate> is the sustained rate per
|
||||
<interval><br>
|
||||
<interval> is "sec" or "min"<br>
|
||||
<burst> is the largest burst
|
||||
accepted within an <interval>. If not given, the default of 5 is
|
||||
assumed.<br>
|
||||
<br>
|
||||
There may be no white space between the ACTION and "<" nor there may
|
||||
be any white space within the burst specification. If you want to
|
||||
specify logging of a rate-limited rule, the ":" and log level comes
|
||||
after the ">" (e.g., ACCEPT<2/sec:4>:info ).<br>
|
||||
<br>
|
||||
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
|
||||
file. You may specify the rate limit there in the format:<br>
|
||||
<br>
|
||||
|
||||
<rate>/<interval>[:<burst>]<br>
|
||||
<br>
|
||||
Let's take an example:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT<2/sec:4>
|
||||
net dmz
|
||||
tcp 80<br>
|
||||
<br>
|
||||
The first time this rule is reached, the packet will be accepted; in
|
||||
fact, since the burst is 4, the first four packets will be accepted.
|
||||
After this, it will be 500ms (1 second divided by the rate<br>
|
||||
of 2) before a packet will be accepted from this rule, regardless of
|
||||
how many packets reach it. Also, every 500ms which passes without
|
||||
matching a packet, one of the bursts will be regained; if no packets
|
||||
hit the rule for 2 second, the burst will be fully recharged; back
|
||||
where we started.<br>
|
||||
</li>
|
||||
<li>Multiple chains may now be displayed in one "shorewall
|
||||
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
|
||||
<li>Output rules (those with $FW as the SOURCE) may now be
|
||||
limited to a set of local users and/or groups. See <a
|
||||
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
|
||||
details.</li>
|
||||
</ol>
|
||||
<p><b>8/27/2003 - Shorewall Mirror in Australia </b></p>
|
||||
<p>Thanks to Dave Kempe and Solutions First (<a
|
||||
href="http://www.solutionsfirst.com.au"><font size="3">http://www.solutionsfirst.com.au</font></a>),
|
||||
there is now a Shorewall Mirror in Australia:</p>
|
||||
<div style="margin-left: 40px;"><a
|
||||
href="http://www.shorewall.com.au" target="_top"><font size="3">http://www.shorewall.com.au</font></a><br>
|
||||
<font size="3"><a href="ftp://ftp.shorewall.com.au">ftp://ftp.shorewall.com.au</a></font></div>
|
||||
<p><b>8/26/2003 - French Version of the Shorewall Setup
|
||||
Guide </b></p>
|
||||
Thanks to Fabien <font size="3">Demassieux, there is now a <a
|
||||
href="shorewall_setup_guide_fr.htm">French translation of the
|
||||
Shorewall Setup Guide</a>. Merci Beacoup, Fabien!</font> <b>9/15/2003
|
||||
- Shorewall 1.4.7 Beta 2</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b>
|
||||
<p><b>8/5/2003 - Shorewall-1.4.6b</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""> <br>
|
||||
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b><b>
|
||||
</b></p>
|
||||
<b>Problems Corrected since version 1.4.6:</b><br>
|
||||
Given the small number of new features and the relatively few lines of
|
||||
code that were changed, there will be no Beta for 1.4.8.<br>
|
||||
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<br>
|
||||
</b>Problems Corrected since version 1.4.7:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Previously, if TC_ENABLED is set to yes in shorewall.conf
|
||||
then Shorewall would fail to start with the error "ERROR: Traffic
|
||||
Control requires Mangle"; that problem has been corrected.</li>
|
||||
<li>Corrected handling of MAC addresses in the SOURCE column of
|
||||
<li>Tuomo Soini has supplied a correction to a problem that
|
||||
occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||
to use the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued,
|
||||
Shorewall was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||
been corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||
optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||
or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
||||
<li>An incorrect comment concerning Debian's use of the
|
||||
SUBSYSLOCK option has been removed from shorewall.conf.</li>
|
||||
<li>Previously, neither the 'routefilter' interface option nor
|
||||
the
|
||||
tcrules file. Previously, these addresses resulted in an invalid
|
||||
iptables
|
||||
command.</li>
|
||||
<li>The "shorewall stop" command is now disabled when
|
||||
/etc/shorewall/startup_disabled
|
||||
exists. This prevents people from shooting themselves in the foot prior
|
||||
to
|
||||
having configured Shorewall.</li>
|
||||
<li>A change introduced in version 1.4.6 caused error messages
|
||||
during
|
||||
"shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses were
|
||||
being
|
||||
added to a PPP interface; the addresses were successfully added in
|
||||
spite
|
||||
of the messages.<br>
|
||||
<br>
|
||||
The firewall script has been modified to eliminate the error messages.</li>
|
||||
ROUTE_FILTER parameter were working properly. This has been corrected
|
||||
(thanks to Eric Bowles for his analysis and patch). The definition of
|
||||
the ROUTE_FILTER option has changed however. Previously,
|
||||
ROUTE_FILTER=Yes was documented as enabling route filtering on all
|
||||
interfaces (which didn't work). Beginning with this release, setting
|
||||
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
|
||||
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
|
||||
coexist with the use of the 'routefilter' option in the interfaces file.</li>
|
||||
<li>If MAC verification was enabled on an interface with a /32
|
||||
address and
|
||||
a broadcast address then an error would occur during startup.</li>
|
||||
</ol>
|
||||
Migration Issues:<br>
|
||||
<ol>
|
||||
<li>The definition of the ROUTE_FILTER option in shorewall.conf
|
||||
has changed as described in item 8) above.<br>
|
||||
</li>
|
||||
</ol>
|
||||
New Features:<br>
|
||||
<ol>
|
||||
<li>A new QUEUE action has been introduced for rules. QUEUE
|
||||
allows
|
||||
you to pass connection requests to a user-space filter such as ftwall
|
||||
(http://p2pwall.sourceforge.net). The ftwall program
|
||||
allows for effective filtering of p2p applications such as Kazaa. For
|
||||
example, to use ftwall to filter P2P clients in the 'loc' zone, you
|
||||
would add the following rules:<br>
|
||||
<br>
|
||||
QUEUE loc
|
||||
net tcp<br>
|
||||
QUEUE loc
|
||||
net udp<br>
|
||||
QUEUE loc
|
||||
fw udp<br>
|
||||
<br>
|
||||
You would normally want to place those three rules BEFORE any ACCEPT
|
||||
rules for loc->net udp or tcp.<br>
|
||||
<br>
|
||||
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
|
||||
Shorewall will only pass connection requests (SYN packets) to user
|
||||
space. This is for compatibility with ftwall.</li>
|
||||
<li>A
|
||||
BLACKLISTNEWNONLY option has been added to shorewall.conf. When this
|
||||
option is set to "Yes", the blacklists (dynamic and static) are only
|
||||
consulted for new connection requests. When set to "No" (the default if
|
||||
the variable is not set), the blacklists are consulted on every packet.<br>
|
||||
<br>
|
||||
Setting this option to "No" allows blacklisting to stop existing
|
||||
connections from a newly blacklisted host but is more expensive in
|
||||
terms of packet processing time. This is especially true if the
|
||||
blacklists contain a large number of entries.</li>
|
||||
<li>Chain names used in the /etc/shorewall/accounting file may
|
||||
now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
|
||||
</ol>
|
||||
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
|
||||
bag awards </b><b><img
|
||||
style="border: 0px solid ; width: 50px; height: 80px;"
|
||||
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
|
||||
1.4.7c released.</b> </p>
|
||||
<ol>
|
||||
<li>The saga with "<zone>_frwd" chains continues. The
|
||||
1.4.7c script
|
||||
produces a ruleset that should work for everyone even if it is not
|
||||
quite optimal. My apologies for this ongoing mess.</li>
|
||||
</ol>
|
||||
<p><b>10/24/2003 - Shorewall 1.4.7b</b><b> <img
|
||||
style="border: 0px solid ; width: 28px; height: 12px;"
|
||||
src="images/new10.gif" alt="(New)" title=""></b></p>
|
||||
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>The fix for problem 5 in 1.4.7a was wrong with the result
|
||||
that
|
||||
"<zone>_frwd" chains might contain too few rules. That wrong code
|
||||
is corrected in this release.<br>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
|
||||
<p>This is a bugfix rollup of the following problem corrections:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>Tuomo Soini has supplied a correction to a problem that
|
||||
occurs
|
||||
using some versions of 'ash'. The symptom is that "shorewall start"
|
||||
fails with:<br>
|
||||
<br>
|
||||
local: --limit: bad variable name<br>
|
||||
iptables v1.2.8: Couldn't load match
|
||||
`-j':/lib/iptables/libipt_-j.so:<br>
|
||||
cannot open shared object file: No such file or directory<br>
|
||||
Try `iptables -h' or 'iptables --help' for more
|
||||
information.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Andres Zhoglo has supplied a correction that avoids trying
|
||||
to use the multiport match iptables facility on ICMP rules.<br>
|
||||
<br>
|
||||
Example of rule that previously caused "shorewall start"
|
||||
to fail:<br>
|
||||
<br>
|
||||
|
||||
ACCEPT loc $FW
|
||||
icmp 0,8,11,12<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Previously, if the following error message was issued,
|
||||
Shorewall was left in an inconsistent state.<br>
|
||||
<br>
|
||||
Error: Unable to determine the routes through
|
||||
interface xxx<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
|
||||
been corrected.</li>
|
||||
<li>In Shorewall 1.4.2, an optimization was added. This
|
||||
optimization
|
||||
involved creating a chain named "<zone>_frwd" for most zones
|
||||
defined using the /etc/shorewall/hosts file. It has since been
|
||||
discovered that in many cases these new chains contain redundant rules
|
||||
and that the "optimization" turns out to be less than optimal. The
|
||||
implementation has now been corrected.</li>
|
||||
<li>When the MARK value in a tcrules entry is followed by ":F"
|
||||
or
|
||||
":P", the ":F" or ":P" was previously only applied to the first
|
||||
Netfilter rule generated by the entry. It is now applied to all entries.</li>
|
||||
</ol>
|
||||
<p><b><a href="News.htm">More News</a></b></p>
|
||||
<b> </b>
|
||||
@ -453,44 +297,22 @@ Bering 1.2!!! </b><br>
|
||||
<h4><b> </b></h4>
|
||||
<b> </b>
|
||||
<h2><b>This site is hosted by the generous folks at <a
|
||||
href="http://www.sf.net">SourceForge.net</a> </b></h2>
|
||||
<b> </b>
|
||||
href="http://www.sf.net">SourceForge.net</a></b></h2>
|
||||
<br>
|
||||
<br>
|
||||
<h2><b><a name="Donations"></a>Donations</b></h2>
|
||||
<b> </b></td>
|
||||
<td width="88" bgcolor="#3366ff" valign="top" align="center">
|
||||
<form method="post"
|
||||
action="http://lists.shorewall.net/cgi-bin/htsearch">
|
||||
<p><strong><br>
|
||||
<font color="#ffffff"><b>Note: </b></font></strong> <font
|
||||
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
|
||||
</p>
|
||||
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
|
||||
<font face="Arial" size="-1"> <input type="text" name="words"
|
||||
size="15"></font><font size="-1"> </font><font face="Arial" size="-1">
|
||||
<input type="hidden" name="format" value="long"> <input
|
||||
type="hidden" name="method" value="and"> <input type="hidden"
|
||||
name="config" value="htdig"> <input type="submit" value="Search"></font>
|
||||
</p>
|
||||
<font face="Arial"> <input type="hidden" name="exclude"
|
||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||
<p><font color="#ffffff"><b> <a
|
||||
href="http://lists.shorewall.net/htdig/search.html"> <font
|
||||
color="#ffffff">Extended Search</font></a></b></font></p>
|
||||
<a target="_top" href="1.3/index.html"><font color="#ffffff"> </font></a><a
|
||||
target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
|
||||
color="#ffffff"><small><small><small></small></small></small></font></a><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</center>
|
||||
</div>
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#3366ff">
|
||||
style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
|
||||
id="AutoNumber2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
<td style="width: 100%; margin-top: 1px;">
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10"> </a></p>
|
||||
@ -503,7 +325,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<p><font size="2">Updated 11/17/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
|
@ -9,17 +9,8 @@
|
||||
<title>Standalone Firewall</title>
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber6" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Standalone Firewall<br>
|
||||
</h1>
|
||||
<p align="left">Setting up Shorewall on a standalone Linux system is
|
||||
very easy if you understand the basics and follow the documentation.</p>
|
||||
<p>This guide doesn't attempt to acquaint you with all of the features
|
||||
@ -113,7 +104,9 @@ first checked against the /etc/shorewall/rules file. If no rule in that
|
||||
file matches the connection request then the first policy in
|
||||
/etc/shorewall/policy that matches the request is applied. If that
|
||||
policy is REJECT or DROP the request is first checked against the
|
||||
rules in /etc/shorewall/common (the samples provide that file for you).</p>
|
||||
rules in /etc/shorewall/common if that file exists; otherwise the rules
|
||||
in /etc/shorewall/common.def are checked.<br>
|
||||
</p>
|
||||
<p>The /etc/shorewall/policy file included with the one-interface
|
||||
sample
|
||||
has the following policies:</p>
|
||||
@ -365,9 +358,15 @@ to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Also, I don't recommend using "shorewall restart"; it is better to
|
||||
create an <i><a href="configuration_file_basics.htm#Configs">alternate
|
||||
configuration</a></i> and test it using the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
|
||||
</p>
|
||||
<h2>Additional Recommended Reading</h2>
|
||||
I highly recommend that you review the <a
|
||||
href="configuration_file_basics.htm">Common Configuration File
|
||||
Features page</a> -- it contains helpful tips about Shorewall features
|
||||
than make administering your firewall easier.<br>
|
||||
</div>
|
||||
<p align="left"><font size="2">Last updated 2/08/2003 - <a
|
||||
<p align="left"><font size="2">Last updated 11/15/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
|
||||
2003 Thomas M. Eastep</font></a></p>
|
||||
|
@ -1,471 +1,426 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Standalone Firewall</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber6" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h2 align="center">Version 2.0.1 Française</h2>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Standalone Firewall</h1>
|
||||
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
|
||||
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
|
||||
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
|
||||
traduction exacte du texte, mais plutôt à en faire une version française intelligible
|
||||
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
|
||||
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
|
||||
dans le reste des documentations ainsi que dans les fichiers de configuration.
|
||||
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
|
||||
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à
|
||||
une traduction exacte du texte, mais plutôt à en faire une version
|
||||
française intelligible
|
||||
par tous (et par moi). Les termes techniques sont la plupart du temps
|
||||
conservés
|
||||
sous leur forme originale et mis entre parenthèses car vous pouvez les
|
||||
retrouver
|
||||
dans le reste des documentations ainsi que dans les fichiers de
|
||||
configuration.
|
||||
N?hésitez pas à me contacter afin d?améliorer ce document <a
|
||||
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
|
||||
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
|
||||
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à
|
||||
JMM
|
||||
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP
|
||||
pour
|
||||
son formidable outil et sa disponibilité)</i><i>.</i></small></p>
|
||||
|
||||
<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
|
||||
pour un petit réseau est une chose assez simple, si vous comprenez les bases
|
||||
et suivez la documentation.</p>
|
||||
|
||||
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
|
||||
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
|
||||
<p align="left">Mettre en place un système Linux en tant que firewall
|
||||
(écluse) pour un petit réseau est une chose assez simple, si vous
|
||||
comprenez les bases et suivez la documentation.</p>
|
||||
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
|
||||
Il
|
||||
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
|
||||
son
|
||||
utilisation la plus courante :</p>
|
||||
|
||||
<ul>
|
||||
<li>Un système Linux</li>
|
||||
<li>Une seule adresse IP externe</li>
|
||||
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
|
||||
rtc...</li>
|
||||
|
||||
<li>Un système Linux</li>
|
||||
<li>Une seule adresse IP externe</li>
|
||||
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame
|
||||
Relay, rtc...</li>
|
||||
</ul>
|
||||
|
||||
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
|
||||
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
|
||||
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
|
||||
pour rechercher le programme :</p>
|
||||
|
||||
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
|
||||
d'installé.
|
||||
Vous pouvez voir si le paquet est installé en vérifiant la présence du
|
||||
programme ip sur votre système de firewall. Sous root, utilisez la
|
||||
commande 'which' pour rechercher le programme :</p>
|
||||
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
|
||||
|
||||
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
|
||||
vous familiariser avec ce qu'il va se passer, et de revenir au début en
|
||||
effectuant le changements dans votre configuration. Les points, où les changements
|
||||
dans la configuration sont recommandées, sont signalés par une <img
|
||||
border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
.</p>
|
||||
|
||||
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
|
||||
Si vous éditez vos fichiers de configuration sur un système Windows, vous
|
||||
devez les sauver comme des fichiers Unix si votre éditeur supporte cette
|
||||
option sinon vous devez les faire passer par dos2unix avant d'essayer de les
|
||||
utiliser. De la même manière, si vous copiez un fichier de configuration depuis
|
||||
votre disque dur Windows vers une disquette, vous devez lancer dos2unix sur
|
||||
<p>Je vous recommande dans un premier temps de parcourir tout le guide
|
||||
pour vous familiariser avec ce qu'il va se passer, et de revenir au
|
||||
début en
|
||||
effectuant le changements dans votre configuration. Les points, où les
|
||||
changements
|
||||
dans la configuration sont recommandées, sont signalés par une <img
|
||||
border="0" src="images/BD21298_.gif" width="13" height="13"> .</p>
|
||||
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si
|
||||
vous éditez vos fichiers de configuration sur un système Windows, vous
|
||||
devez les sauver comme des fichiers Unix si votre éditeur supporte
|
||||
cette option sinon vous devez les faire passer par dos2unix avant
|
||||
d'essayer de les
|
||||
utiliser. De la même manière, si vous copiez un fichier de
|
||||
configuration depuis
|
||||
votre disque dur Windows vers une disquette, vous devez lancer dos2unix
|
||||
sur
|
||||
la copie avant de l'utiliser avec Shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
of dos2unix</a></li>
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
Version of dos2unix</a></li>
|
||||
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
of dos2unix</a></li>
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
Version of dos2unix</a></li>
|
||||
</ul>
|
||||
|
||||
<h2 align="left">Les Concepts de Shorewall</h2>
|
||||
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
|
||||
alt="">
|
||||
Les fichiers de configuration pour Shorewall sont situés dans le répertoire
|
||||
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
|
||||
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
|
||||
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
|
||||
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
|
||||
un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall
|
||||
(Ils remplaceront les fichiers de même nom déjà existant dans /etc/shorewall
|
||||
installés lors de l'installation de Shorewall)</b>.</p>
|
||||
|
||||
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
|
||||
physiquement présents sur votre système -- chacun des fichiers contient
|
||||
des instructions de configuration détaillées et des entrées par défaut.</p>
|
||||
|
||||
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
|
||||
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique
|
||||
alt=""> Les fichiers de configuration pour Shorewall sont situés dans
|
||||
le répertoire /etc/shorewall -- pour de simples paramétrages, vous
|
||||
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce
|
||||
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez
|
||||
le <a href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
|
||||
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les
|
||||
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
|
||||
déjà existant dans /etc/shorewall installés lors de l'installation de
|
||||
Shorewall)</b>.</p>
|
||||
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
|
||||
ceux physiquement présents sur votre système -- chacun des fichiers
|
||||
contient
|
||||
des instructions de configuration détaillées et des entrées par défaut.</p>
|
||||
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
|
||||
de <i>zones.</i> Dans les fichiers de configuration fournis pour une
|
||||
unique
|
||||
interface, une seule zone est définie :</p>
|
||||
|
||||
<table border="0" style="border-collapse: collapse;" cellpadding="3"
|
||||
cellspacing="0" id="AutoNumber2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>Name</b></u></td>
|
||||
<td><u><b>Description</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><b>net</b></td>
|
||||
<td><b>The Internet</b></td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>Name</b></u></td>
|
||||
<td><u><b>Description</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><b>net</b></td>
|
||||
<td><b>The Internet</b></td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>Les zones de Shorewall sont définies dans <a
|
||||
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
|
||||
|
||||
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
|
||||
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
|
||||
|
||||
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
|
||||
en utilisant les termes de zones.</p>
|
||||
|
||||
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
|
||||
zone
|
||||
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
|
||||
<p>Les règles concernant le trafic à autoriser ou à interdire sont
|
||||
exprimées en utilisant les termes de zones.</p>
|
||||
<ul>
|
||||
<li>Vous exprimez les politiques par défaut pour les connexions d'une
|
||||
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
</a>.</li>
|
||||
<li>Vous définissez les exceptions à ces règles de politiques par défaut
|
||||
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
||||
|
||||
<li>Vous exprimez les politiques par défaut pour les connexions d'une
|
||||
zone à une autre dans le fichier<a href="Documentation.htm#Policy">
|
||||
/etc/shorewall/policy </a>.</li>
|
||||
<li>Vous définissez les exceptions à ces règles de politiques par
|
||||
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
||||
</ul>
|
||||
|
||||
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
|
||||
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
|
||||
Si aucune des règles dans ce fichier ne correspondent, alors la première
|
||||
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
|
||||
politique est REJECT ou DROP la requête est alors comparée par rapport aux
|
||||
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
|
||||
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
|
||||
les demandes sont en premier lieu comparées par rapport au fichier
|
||||
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne
|
||||
correspondent, alors la première
|
||||
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
|
||||
cette
|
||||
politique est REJECT ou DROP la requête est alors comparée par rapport
|
||||
aux
|
||||
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
|
||||
fournit
|
||||
ce fichier).</p>
|
||||
|
||||
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
|
||||
a les politiques suivantes :</p>
|
||||
|
||||
<blockquote>
|
||||
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive
|
||||
one-interface a les politiques suivantes :</p>
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>SOURCE ZONE</b></u></td>
|
||||
<td><u><b>DESTINATION ZONE</b></u></td>
|
||||
<td><u><b>POLICY</b></u></td>
|
||||
<td><u><b>LOG LEVEL</b></u></td>
|
||||
<td><u><b>LIMIT:BURST</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>all<br>
|
||||
</td>
|
||||
<td>DROP</td>
|
||||
<td>info</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>all</td>
|
||||
<td>all</td>
|
||||
<td>REJECT</td>
|
||||
<td>info</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>SOURCE ZONE</b></u></td>
|
||||
<td><u><b>DESTINATION ZONE</b></u></td>
|
||||
<td><u><b>POLICY</b></u></td>
|
||||
<td><u><b>LOG LEVEL</b></u></td>
|
||||
<td><u><b>LIMIT:BURST</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>all<br>
|
||||
</td>
|
||||
<td>DROP</td>
|
||||
<td>info</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>all</td>
|
||||
<td>all</td>
|
||||
<td>REJECT</td>
|
||||
<td>info</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<pre> </pre>
|
||||
Ces politiques vont :
|
||||
Ces politiques vont :
|
||||
<ol>
|
||||
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
|
||||
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
|
||||
vers votre firewall</li>
|
||||
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
|
||||
de cette politique).</li>
|
||||
|
||||
<li>permettre toutes demandes de connexion depuis le firewall vers
|
||||
l'Internet</li>
|
||||
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
|
||||
vers votre firewall</li>
|
||||
<li>rejeter toutes les autres requêtes de connexion (Shorewall à
|
||||
besoin de cette politique).</li>
|
||||
</ol>
|
||||
|
||||
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
|
||||
que vous désirez.</p>
|
||||
|
||||
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
|
||||
changements que vous désirez.</p>
|
||||
<h2 align="left">Interface Externe</h2>
|
||||
|
||||
<p align="left">Le firewall possède une seule interface réseau. Lorsque la
|
||||
connexion Internet passe par un modem câble ou par un routeur ADSL (pas
|
||||
un simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
|
||||
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
|
||||
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
|
||||
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
|
||||
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
|
||||
par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
|
||||
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
|
||||
sera<b> ippp0.</b></p>
|
||||
|
||||
<p align="left">Le firewall possède une seule interface réseau. Lorsque
|
||||
la connexion Internet passe par un modem câble ou par un routeur ADSL
|
||||
(pas
|
||||
un simple modem), l'<i>External Interface</i> (interface externe) sera
|
||||
l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u>
|
||||
vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
|
||||
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
|
||||
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous
|
||||
connectez par un simple modem (RTC), votre interface externe sera aussi
|
||||
<b>ppp0</b>. Si vous vous connectez en utilisant l'ISDN (numéris),
|
||||
votre interface externe sera<b> ippp0.</b></p>
|
||||
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
|
||||
height="13">
|
||||
L'exemple de configuration de Shorewall pour une interface suppose que
|
||||
votre interface externe est <b>eth0</b>. Si votre configuration est différente,
|
||||
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
|
||||
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
|
||||
spécifiées pour l'interface. Quelques astuces :</p>
|
||||
|
||||
height="13"> L'exemple de configuration de Shorewall pour une
|
||||
interface suppose que votre interface externe est <b>eth0</b>. Si
|
||||
votre configuration est différente, vous devrez modifier le fichier
|
||||
d'exemple /etc/shorewall/interfaces en conséquence. Puisque vous y
|
||||
êtes, vous pourriez parcourir la liste d'options qui sont spécifiées
|
||||
pour l'interface. Quelques astuces :</p>
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
|
||||
vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
|
||||
</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
|
||||
ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
|
||||
de la liste d'option. </p>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
|
||||
vous pouvez remplacer le "detect" dans la seconde colonne par un "-". </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
|
||||
ou bien si vous avez une adresse IP statique, vous pouvez enlever le
|
||||
"dhcp" de la liste d'option. </p>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<div align="left">
|
||||
<div align="left">
|
||||
<h2 align="left">Adresse IP</h2>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP
|
||||
privée
|
||||
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
|
||||
|
||||
<div align="left">
|
||||
<div align="left">
|
||||
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
|
||||
</div>
|
||||
|
||||
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
|
||||
car les routeurs sur les backbones Internet ne font pas passer les paquets
|
||||
dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
|
||||
cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
|
||||
le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
|
||||
lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
|
||||
|
||||
</div>
|
||||
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
|
||||
car les routeurs sur les backbones Internet ne font pas passer les
|
||||
paquets dont les adresses de destinations sont définies dans la RFC
|
||||
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent
|
||||
ces adresses et utilisent le <i>Network Address Translation </i>afin
|
||||
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis
|
||||
ou vers l'Internet.</p>
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
|
||||
width="13" height="13">
|
||||
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
|
||||
externe et si elle est comprise dans une des plages précédentes, vous devriez
|
||||
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
width="13" height="13"> Avant de lancer Shorewall, vous devriez
|
||||
regarder l'adresse de votre interface externe et si elle est comprise
|
||||
dans une des plages précédentes, vous devriez enlever l'option
|
||||
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<h2 align="left">Permettre d'autres connexions</h2>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
|
||||
vers votre firewall, le format général est :</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Si vous désirez autoriser d'autres connexions depuis
|
||||
l'Internet vers votre firewall, le format général est :</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber4">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td><i><protocol></i></td>
|
||||
<td><i><port></i></td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td><i><protocol></i></td>
|
||||
<td><i><port></i></td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
|
||||
</blockquote>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et
|
||||
un
|
||||
serveur POP3 sur votre système de firewall :</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
</div>
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber5">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>80</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>110</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>80</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>110</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Si vous ne savez pas quel port ou protocole une application
|
||||
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
|
||||
telnet depuis ou vers l'Internet car il utilise du texte en clair (même
|
||||
pour le login et le mot de passe !). Si vous voulez avoir un accès au shell
|
||||
de votre firewall depuis Internet, utilisez SSH :</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Si vous ne savez pas quel port ou protocole une
|
||||
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left"><b>Important: </b>Je ne vous recommande pas
|
||||
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte
|
||||
en clair (même
|
||||
pour le login et le mot de passe !). Si vous voulez avoir un accès au
|
||||
shell
|
||||
de votre firewall depuis Internet, utilisez SSH :</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber4">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</blockquote>
|
||||
</div>
|
||||
<div align="left">
|
||||
<pre> ACCEPT net fw tcp 22</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
|
||||
height="13">
|
||||
A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
|
||||
désirées.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter les
|
||||
autres connexions désirées.</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<h2 align="left">Lancer et Arrêter son Firewall</h2>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
|
||||
height="13" alt="Arrow">
|
||||
La <a href="Install.htm">procédure d'installation </a> configure votre
|
||||
système pour lancer Shorewall au boot du système, mais au début avec la version
|
||||
1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
|
||||
avec que la configuration soit finie. Une fois que vous en aurez fini avec
|
||||
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
|
||||
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
|
||||
</p>
|
||||
|
||||
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
|
||||
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Le firewall est activé en utilisant la commande "shorewall
|
||||
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
|
||||
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
|
||||
firewall qui tourne peut être relancé en utilisant la commande "shorewall
|
||||
restart". Si vous voulez enlever toutes traces de Shorewall sur votre
|
||||
configuration de Netfilter, utilisez "shorewall clear".</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
|
||||
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
|
||||
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
|
||||
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
|
||||
il est plus intéressant de créer une <i><a
|
||||
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
|
||||
et de la tester en utilisant la commande <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
|
||||
</div>
|
||||
|
||||
height="13" alt="Arrow"> La <a href="Install.htm">procédure
|
||||
d'installation </a> configure votre système pour lancer Shorewall au
|
||||
boot du système, mais au début avec la version 1.3.9 de Shorewall le
|
||||
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la
|
||||
configuration soit finie. Une fois que vous en aurez fini avec la
|
||||
configuration du firewall, vous pouvez permettre le lancement de
|
||||
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
|
||||
</p>
|
||||
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
|
||||
utilisateurs
|
||||
des paquets .deb doivent éditer /etc/default/shorewall et mettre
|
||||
'startup=1'.</font><br>
|
||||
</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Le firewall est activé en utilisant la commande
|
||||
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall
|
||||
est stoppé,
|
||||
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Un firewall qui tourne peut être relancé en utilisant la commande
|
||||
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall
|
||||
sur votre
|
||||
configuration de Netfilter, utilisez "shorewall clear".</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre
|
||||
firewall
|
||||
depuis Internet, n'essayez pas une commande "shorewall stop" tant que
|
||||
vous
|
||||
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de
|
||||
laquelle
|
||||
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
De la même manière, je ne vous recommande pas d'utiliser "shorewall
|
||||
restart"; il est plus intéressant de créer une <i><a
|
||||
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
|
||||
et de la tester en utilisant la commande <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
|
||||
</div>
|
||||
<p align="left"><font size="2">Last updated 12/9/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
M. Eastep</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
|
||||
Thomas M. Eastep</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -9,19 +9,12 @@
|
||||
<title>Starting and Stopping Shorewall</title>
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Starting/Stopping and
|
||||
Monitoring the Firewall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p> If you have a permanent internet connection such as DSL or Cable, I
|
||||
<div style="text-align: center;">
|
||||
<h1>Starting/Stopping and Monitoring the Firewall<br>
|
||||
</h1>
|
||||
</div>
|
||||
<p><br>
|
||||
If you have a permanent internet connection such as DSL or Cable, I
|
||||
recommend that you start the firewall automatically at boot. Once you
|
||||
have installed "firewall" in your init.d directory, simply type
|
||||
"chkconfig --add firewall". This will start the firewall in run levels
|
||||
@ -44,7 +37,7 @@ restart" in that script.</li>
|
||||
<p> </p>
|
||||
<p> You can manually start and stop Shoreline Firewall using the
|
||||
"shorewall" shell program. Please refer to the <a
|
||||
href="file:///vfat/Shorewall-docs/starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
|
||||
href="starting_and_stopping_shorewall.htm#StateDiagram">Shorewall
|
||||
State Diagram</a> is shown at the bottom of this page. </p>
|
||||
<ul>
|
||||
<li>shorewall start - starts the firewall</li>
|
||||
|
@ -7,19 +7,11 @@
|
||||
<title>Shorewall Support Guide</title>
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
|
||||
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
|
||||
Support Guide <font><font color="#ffffff"><img
|
||||
src="images/obrasinf.gif" alt=""
|
||||
style="width: 90px; height: 90px; color: rgb(51, 0, 51);"
|
||||
align="middle" title=""></font></font></h1>
|
||||
<h2>Before Reporting a Problem or Asking a Question<br>
|
||||
</h2>
|
||||
There are a number of sources of Shorewall information. Please try
|
||||
@ -29,15 +21,15 @@ these before you post.
|
||||
</li>
|
||||
<li>More than half of the questions posted on the support list have
|
||||
answers directly accessible from the <a
|
||||
href="http://www.shorewall.net/shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation
|
||||
Index</a><br>
|
||||
</li>
|
||||
<li> The <a href="http://www.shorewall.net/FAQ.htm">FAQ</a> has
|
||||
<li> The <a href="FAQ.htm">FAQ</a> has
|
||||
solutions to more than 20 common problems. </li>
|
||||
<li> The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
|
||||
<li> The <a href="troubleshoot.htm">Troubleshooting</a>
|
||||
Information contains a number of tips
|
||||
to help you solve common problems. </li>
|
||||
<li> The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
|
||||
<li> The <a href="errata.htm"> Errata</a>
|
||||
has links to download updated components. </li>
|
||||
<li> The Site and Mailing List Archives search facility can locate
|
||||
documents and posts about similar problems: </li>
|
||||
@ -98,6 +90,13 @@ error messages, log entries, command output, and other output is
|
||||
better than a paraphrase or summary.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please don't describe your problem as "Computer A can't see
|
||||
Computer B". Of course it can't -- it hasn't any eyes! If ping from A
|
||||
to B fails, say so (and see below for information about reporting
|
||||
'ping' problems). If Computer B doesn't show up in "Network
|
||||
Neighborhood" then say so. <br>
|
||||
<br>
|
||||
</li>
|
||||
<li> Please don't describe your environment and then ask us to send
|
||||
you custom configuration files. We're here to answer your questions but
|
||||
we can't do your job for you.<br>
|
||||
@ -143,7 +142,11 @@ problem is that some type of connection to/from or through your
|
||||
firewall
|
||||
isn't working then please perform the following four steps:<br>
|
||||
<br>
|
||||
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
|
||||
1. <b><font color="#009900"><span style="color: rgb(0, 0, 0);">If
|
||||
shorewall isn't running then </span></font></b><font color="#009900"
|
||||
style="font-weight: bold; color: rgb(0, 153, 0);">/sbin/shorewall/start</font><b><font
|
||||
color="#009900"><span style="color: rgb(0, 0, 0);">. Otherwise</span>
|
||||
/sbin/shorewall reset<span style="color: rgb(0, 0, 0);">.</span></font></b><br>
|
||||
<br>
|
||||
2. Try making the connection that is failing.<br>
|
||||
<br>
|
||||
@ -189,7 +192,7 @@ unless one also knows the policies).<br>
|
||||
</li>
|
||||
<li>If an error occurs when you try to "<font color="#009900"><b>shorewall
|
||||
start</b></font>", include a trace (See the <a
|
||||
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
|
||||
href="troubleshoot.htm">Troubleshooting</a>
|
||||
section for instructions).<br>
|
||||
<br>
|
||||
</li>
|
||||
@ -232,7 +235,10 @@ you can post non MNF-specific Shorewall questions to the </b><a
|
||||
mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
|
||||
mailing list.</a> </p>
|
||||
mailing list.</a><span style="font-weight: bold;"> IMPORTANT: </span>If
|
||||
you are not subscribed to the list, please say so -- otherwise, you
|
||||
will not be included in any replies.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<h2>Subscribing to the Users Mailing List<br>
|
||||
</h2>
|
||||
@ -245,7 +251,7 @@ mailing list.</a> </p>
|
||||
<p>For information on other Shorewall mailing lists, go to <a
|
||||
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
|
||||
</p>
|
||||
<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
|
||||
<p align="left"><font size="2">Last Updated 11/12/2003 - Tom Eastep</font></p>
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
|
||||
Eastep.</font></a></font><br>
|
||||
|
@ -9,17 +9,8 @@
|
||||
<title>Three-Interface Firewall</title>
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber5" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Three-Interface Firewall<br>
|
||||
</h1>
|
||||
<p align="left">Setting up a Linux system as a firewall for a small
|
||||
network with DMZ is a fairly straight-forward task if you understand
|
||||
the basics and follow the documentation.</p>
|
||||
@ -28,7 +19,11 @@ of Shorewall. It rather focuses on what is required to configure
|
||||
Shorewall in one of its more popular configurations:</p>
|
||||
<ul>
|
||||
<li>Linux system used as a firewall/router for a small local network.</li>
|
||||
<li>Single public IP address.</li>
|
||||
<li style="font-weight: bold;">Single public IP address. If you have
|
||||
more than one public IP address, this is not the guide you want -- see
|
||||
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
|
||||
instead.<br>
|
||||
</li>
|
||||
<li>DMZ connected to a separate ethernet interface.</li>
|
||||
<li>Connection through DSL, Cable Modem, ISDN, Frame Relay, dial-up,
|
||||
...</li>
|
||||
@ -128,7 +123,9 @@ file matches the connection request then the first policy in
|
||||
/etc/shorewall/policy that matches the request is applied. If that
|
||||
policy is REJECT
|
||||
or DROP the request is first checked against the rules in
|
||||
/etc/shorewall/common (the samples provide that file for you).</p>
|
||||
/etc/shorewall/common if that file exists; otherwise the file
|
||||
/etc/shorewall/common.def is checked<br>
|
||||
</p>
|
||||
<p>The /etc/shorewall/policy file included with the three-interface
|
||||
sample has the following policies:</p>
|
||||
<blockquote>
|
||||
@ -1064,9 +1061,15 @@ from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>
|
||||
Also, I don't recommend using "shorewall restart"; it is better to
|
||||
create an <i><a href="configuration_file_basics.htm#Configs">alternate
|
||||
configuration</a></i> and test it using the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
|
||||
</p>
|
||||
<h2>Additional Recommended Reading</h2>
|
||||
I highly recommend that you review the <a
|
||||
href="configuration_file_basics.htm">Common Configuration File
|
||||
Features page</a> -- it contains helpful tips about Shorewall features
|
||||
than make administering your firewall easier.
|
||||
</div>
|
||||
<p align="left"><font size="2">Last updated 8/8/2003 - <a
|
||||
<p align="left"><font size="2">Last updated 11/15/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
|
||||
2003 Thomas M. Eastep</font></a><br>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,341 +1,306 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Traffic Shaping</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Shorewall has limited support for traffic shaping/control.
|
||||
In order to use traffic shaping under Shorewall, it is essential that
|
||||
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
|
||||
and Shaping HOWTO</a>, version 0.3.0 or later. It is also necessary
|
||||
to be running Linux Kernel 2.4.18 or later.</p>
|
||||
|
||||
<p align="left">Shorewall traffic shaping support consists of the following:</p>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Traffic Shaping/Control<br>
|
||||
</h1>
|
||||
<p align="left">Shorewall has limited support for traffic
|
||||
shaping/control. In order to use traffic shaping under Shorewall, it is
|
||||
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux
|
||||
Advanced Routing and Shaping HOWTO</a>, version 0.3.0 or later. It is
|
||||
also necessary to be running Linux Kernel 2.4.18 or later.</p>
|
||||
<p align="left">Shorewall traffic shaping support consists of the
|
||||
following:</p>
|
||||
<ul>
|
||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
|
||||
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
|
||||
the setting of this variable determines whether Shorewall clears the traffic
|
||||
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcrules</b> - A file where you
|
||||
can specify firewall marking of packets. The firewall mark value
|
||||
may be used to classify packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
|
||||
that is sourced by Shorewall during "shorewall start" and which
|
||||
you can use to define your traffic shaping disciplines and classes.
|
||||
I have provided a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections
|
||||
of the HOWTO mentioned above, you can probably code your own faster
|
||||
than you can learn how to use my sample. I personally use
|
||||
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
|
||||
HTB support may eventually become an integral part of Shorewall
|
||||
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
|
||||
HTB is a standard part of the kernel but iproute2 must be patched in
|
||||
order to use it.<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility,
|
||||
use the run_tc function supplied by shorewall if you want tc errors
|
||||
to stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by
|
||||
simply copying them to /etc/shorewall/tcstart. I use <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
|
||||
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
||||
you use use Masquerading or SNAT (i.e., you only have one external IP address)
|
||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
|
||||
script won't work. Traffic shaping occurs after SNAT has already been
|
||||
applied so when traffic shaping happens, all outbound traffic will have
|
||||
as a source address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
|
||||
that is sourced by Shorewall when it is clearing traffic shaping.
|
||||
This file is normally not required as Shorewall's method of clearing
|
||||
qdisc and filter definitions is pretty general.</li>
|
||||
|
||||
</ul>
|
||||
Shorewall allows you to start traffic shaping when Shorewall itself
|
||||
starts or it allows you to bring up traffic shaping when you bring up your
|
||||
interfaces.<br>
|
||||
<br>
|
||||
To start traffic shaping when Shorewall starts:<br>
|
||||
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
||||
shaping rules.</li>
|
||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop
|
||||
traffic shaping. That is usually unnecessary.</li>
|
||||
<li>If your tcstart script uses the 'fwmark' classifier, you can
|
||||
mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
|
||||
</ol>
|
||||
To start traffic shaping when you bring up your network interfaces,
|
||||
you will have to arrange for your traffic shaping configuration script
|
||||
to be run at that time. How you do that is distribution dependent and will
|
||||
not be covered here. You then should:<br>
|
||||
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
||||
scripts.</li>
|
||||
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
||||
you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h3 align="left">Kernel Configuration</h3>
|
||||
|
||||
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
|
||||
|
||||
<p align="center"><img border="0" src="images/QoS.png" width="590"
|
||||
height="764">
|
||||
</p>
|
||||
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
|
||||
<p align="left">The fwmark classifier provides a convenient way to classify
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
||||
a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
|
||||
any address rewriting takes place. This makes it impossible to mark inbound
|
||||
packets based on their destination address when SNAT or Masquerading
|
||||
are being used. Beginning with Shorewall 1.3.12, you can cause packet
|
||||
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
|
||||
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Columns in the file are as follows:</p>
|
||||
|
||||
<ul>
|
||||
<li>MARK - Specifies the mark value is to be assigned
|
||||
in case of a match. This is an integer in the range 1-255. Beginning
|
||||
with Shorewall version 1.3.14, this value may be optionally followed by
|
||||
":" and either 'F' or 'P' to designate that the marking will occur in the
|
||||
FORWARD or PREROUTING chains respectively. If this additional specification
|
||||
is omitted, the chain used to mark packets will be determined by the setting
|
||||
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet
|
||||
originates on the firewall, place "fw" in this column. Otherwise,
|
||||
this is a comma-separated list of interface names, IP addresses, MAC
|
||||
addresses in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or
|
||||
Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated
|
||||
list of IP addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol
|
||||
from /etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list
|
||||
of Port names (from /etc/services), port numbers or port ranges (e.g.,
|
||||
21:22); if the protocol is "icmp", this column is interpreted as
|
||||
the destination icmp type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
|
||||
If omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">Example 1 - All packets arriving on eth1 should be marked
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with
|
||||
2. All packets originating on the firewall itself should be marked with
|
||||
3.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
|
||||
on the firewall and destined for 155.186.235.151 should be marked
|
||||
with 12.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<h3>My Setup<br>
|
||||
</h3>
|
||||
|
||||
<p>While I am currently using the HTB version of <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
|
||||
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
|
||||
in the Wondershaper README), I have also run with the following set of
|
||||
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
|
||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1</pre>
|
||||
|
||||
<pre>echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
|
||||
|
||||
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
|
||||
|
||||
<pre>echo " Enabled PFIFO on Second Level Classes"</pre>
|
||||
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
|
||||
<pre>echo " Defined fwmark filters"<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<p>My tcrules file that went with this tcstart file is shown in Example 1
|
||||
above. You can look at <a href="myfiles.htm">my configuration</a> to
|
||||
see why I wanted shaping of this type.<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound
|
||||
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
|
||||
traffic can use all available bandwidth if there is no traffic from the
|
||||
local systems or from my laptop or firewall).</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.</li>
|
||||
|
||||
</ol>
|
||||
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
|
||||
to see how this fit in. <br>
|
||||
|
||||
<p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
|
||||
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
|
||||
the setting of this variable determines whether Shorewall clears the
|
||||
traffic shaping configuration during Shorewall [re]start and Shorewall
|
||||
stop. <br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcrules</b> - A file where you
|
||||
can specify firewall marking of packets. The firewall mark value
|
||||
may be used to classify packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file that is
|
||||
sourced by Shorewall during "shorewall start" and which you can use to
|
||||
define your traffic shaping disciplines and classes. I have provided a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections
|
||||
of the HOWTO mentioned above, you can probably code your own faster
|
||||
than you can learn how to use my sample. I personally use <a
|
||||
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
|
||||
support may eventually become an integral part of Shorewall since HTB
|
||||
is a lot simpler and better-documented than CBQ. As of 2.4.20, HTB is a
|
||||
standard part of the kernel but iproute2 must be patched in order to
|
||||
use it.<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility,
|
||||
use the run_tc function supplied by shorewall if you want tc errors to
|
||||
stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by simply
|
||||
copying them to /etc/shorewall/tcstart. I use <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB
|
||||
version) that way (i.e., I just copied wshaper.htb to
|
||||
/etc/shorewall/tcstart
|
||||
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
|
||||
you use use Masquerading or SNAT (i.e., you only have one external IP
|
||||
address) then listing internal hosts in the NOPRIOHOSTSRC variable in
|
||||
the wshaper[.htb] script won't work. Traffic shaping occurs after SNAT
|
||||
has already been
|
||||
applied so when traffic shaping happens, all outbound traffic will have
|
||||
as a source address the IP addresss of your firewall's external
|
||||
interface.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file that is
|
||||
sourced by Shorewall when it is clearing traffic shaping. This file is
|
||||
normally not required as Shorewall's method of clearing qdisc and
|
||||
filter definitions is pretty general.</li>
|
||||
</ul>
|
||||
Shorewall allows you to start traffic shaping when Shorewall itself
|
||||
starts or it allows you to bring up traffic shaping when you bring up
|
||||
your interfaces.<br>
|
||||
<br>
|
||||
To start traffic shaping when Shorewall starts:<br>
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
|
||||
shaping rules.</li>
|
||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop
|
||||
traffic shaping. That is usually unnecessary.</li>
|
||||
<li>If your tcstart script uses the 'fwmark' classifier, you can mark
|
||||
packets using entries in /etc/shorewall/tcrules.</li>
|
||||
</ol>
|
||||
To start traffic shaping when you bring up your network interfaces, you
|
||||
will have to arrange for your traffic shaping configuration script to
|
||||
be run at that time. How you do that is distribution dependent and will
|
||||
not be covered here. You then should:<br>
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
|
||||
scripts.</li>
|
||||
<li value="4">If your tcstart script uses the 'fwmark' classifier,
|
||||
you can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
</ol>
|
||||
<h3 align="left">Kernel Configuration</h3>
|
||||
<p align="left">This screen shot show how I've configured QoS in my
|
||||
Kernel:</p>
|
||||
<p align="center"><img border="0" src="images/QoS.png" width="590"
|
||||
height="764"> </p>
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
<p align="left">The fwmark classifier provides a convenient way to
|
||||
classify packets for traffic shaping. The /etc/shorewall/tcrules file
|
||||
provides a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain
|
||||
before any address rewriting takes place. This makes it impossible to
|
||||
mark inbound packets based on their destination address when SNAT or
|
||||
Masquerading
|
||||
are being used. Beginning with Shorewall 1.3.12, you can cause packet
|
||||
marking to occur in the FORWARD chain by using the
|
||||
MARK_IN_FORWARD_CHAIN
|
||||
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
<p align="left">Columns in the file are as follows:</p>
|
||||
<ul>
|
||||
<li>MARK - Specifies the mark value is to be assigned in case of a
|
||||
match. This is an integer in the range 1-255. Beginning with Shorewall
|
||||
version 1.3.14, this value may be optionally followed by
|
||||
":" and either 'F' or 'P' to designate that the marking will occur in
|
||||
the
|
||||
FORWARD or PREROUTING chains respectively. If this additional
|
||||
specification
|
||||
is omitted, the chain used to mark packets will be determined by the
|
||||
setting
|
||||
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet
|
||||
originates on the firewall, place "fw" in this column. Otherwise,
|
||||
this is a comma-separated list of interface names, IP addresses, MAC
|
||||
addresses in <a href="Documentation.htm#MAC">Shorewall Format</a>
|
||||
and/or
|
||||
Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated list of IP
|
||||
addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||
/etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list of Port names
|
||||
(from /etc/services), port numbers or port ranges (e.g., 21:22); if the
|
||||
protocol is "icmp", this column is interpreted as the destination icmp
|
||||
type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
|
||||
omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
</ul>
|
||||
<p align="left">Example 1 - All packets arriving on eth1 should be
|
||||
marked with 1. All packets arriving on eth2 and eth3 should be marked
|
||||
with 2. All packets originating on the firewall itself should be marked
|
||||
with 3.</p>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p align="left">Example 2 - All GRE (protocol 47) packets not
|
||||
originating on the firewall and destined for 155.186.235.151 should be
|
||||
marked with 12.</p>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<p align="left">Example 3 - All SSH packets originating in
|
||||
192.168.1.0/24 and destined for 155.186.235.151 should be marked with
|
||||
22.</p>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h3>My Current Setup<br>
|
||||
</h3>
|
||||
<p>I am currently using the HTB version of <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just
|
||||
copied wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as
|
||||
shown in the Wondershaper README).<span style="font-weight: bold;"> </span>WonderShaper
|
||||
DOES NOT USE THE
|
||||
/etc/shorewall/tcrules file. While I currently have entries in
|
||||
/etc/shorewall/tcrules, I do so for <a
|
||||
href="Shorewall_Squid_Usage.html">policy routing for Squid</a> and not
|
||||
for Traffic Shaping.</p>
|
||||
<h3>My Old Setup<br>
|
||||
</h3>
|
||||
<p>I have also run with the following set of hand-crafted rules in my <b>/etc/shorewall/tcstart</b>
|
||||
file.<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1</pre>
|
||||
<pre>echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
|
||||
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
|
||||
<pre>echo " Enabled PFIFO on Second Level Classes"</pre>
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
<pre>echo " Defined fwmark filters"<br></pre>
|
||||
</blockquote>
|
||||
<p>My tcrules file that went with this tcstart file is shown in Example
|
||||
1 above. When I was using these rules:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound from
|
||||
my DMZ (eth1 -- note that the ceiling is set to 384kbit so outbound DMZ
|
||||
traffic can use all available bandwidth if there is no traffic from the
|
||||
local systems or from my laptop or firewall).</li>
|
||||
<li>My laptop (which at that time connected via eth3) and local
|
||||
systems (eth2) could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.</li>
|
||||
</ol>
|
||||
Once www.shorewall.net was moved off-site, I no longer needed these
|
||||
shaping rules and The Wonder Shaper does all that I now require.<br>
|
||||
<p><font size="2">Last Updated 10/21/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -8,19 +8,10 @@
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
|
||||
src="images/obrasinf.gif" alt="Beating head on table" width="90"
|
||||
height="90" align="middle"> </font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
|
||||
Troubleshooting <img src="images/obrasinf.gif"
|
||||
alt="Beating head on table" style="width: 90px; height: 90px;"
|
||||
align="middle" title=""></h1>
|
||||
<h3 style="text-align: center;"><span style="font-style: italic;">"If
|
||||
you think you can you can; if you think you can't you're right.<br>
|
||||
If you don't believe that you can, why should someone else?" -- Gunnar
|
||||
@ -145,8 +136,8 @@ sending the packets or the destination host isn't in any zone (using an
|
||||
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
|
||||
are you?); or</li>
|
||||
<li>the source and destination hosts are both connected to the
|
||||
same interface and you don't have a policy or rule for the
|
||||
source zone to or from the destination zone.</li>
|
||||
same interface and you haven't specified the 'routeback' option on that
|
||||
interface.</li>
|
||||
</ol>
|
||||
</li>
|
||||
<li>Remember that Shorewall doesn't automatically allow ICMP type 8
|
||||
@ -199,7 +190,7 @@ in /etc/shorewall/shorewall.conf.</li>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
<blockquote> </blockquote>
|
||||
</font>
|
||||
<p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
|
||||
<p><font size="2">Last updated 11/1/2003 - Tom Eastep</font> </p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
|
@ -10,18 +10,8 @@
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber5"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Basic Two-Interface
|
||||
Firewall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<h1 style="text-align: center;">Basic Two-Interface Firewall<br>
|
||||
</h1>
|
||||
<p align="left">Setting up a Linux system as a firewall for a small
|
||||
network is a fairly straight-forward task if you understand the basics
|
||||
and follow the documentation.</p>
|
||||
@ -30,7 +20,10 @@ of Shorewall. It rather focuses on what is required to configure
|
||||
Shorewall in its most common configuration:</p>
|
||||
<ul>
|
||||
<li>Linux system used as a firewall/router for a small local network.</li>
|
||||
<li>Single public IP address.</li>
|
||||
<li style="font-weight: bold;">Single public IP address. If you have
|
||||
more than one public IP address, this is not the guide you want -- see
|
||||
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
|
||||
instead.</li>
|
||||
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay,
|
||||
dial-up ...</li>
|
||||
</ul>
|
||||
@ -140,8 +133,8 @@ that file matches the connection request then the first policy
|
||||
in /etc/shorewall/policy that matches the request is applied.
|
||||
If that policy is REJECT or DROP the request is first checked
|
||||
against
|
||||
the rules in /etc/shorewall/common (the samples provide that file
|
||||
for you).</p>
|
||||
the rules in /etc/shorewall/common if that file exists; otherwise the
|
||||
rules in /etc/shorewall/common.def are checked.</p>
|
||||
<p>The /etc/shorewall/policy file included with the two-interface
|
||||
sample
|
||||
has the following policies:</p>
|
||||
@ -946,9 +939,15 @@ have added an entry for the IP address that you are connected from to <a
|
||||
Also, I don't recommend using "shorewall restart"; it is better
|
||||
to create an <i><a href="configuration_file_basics.htm#Configs">alternate
|
||||
configuration</a></i> and test it using the <a
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
|
||||
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
|
||||
</p>
|
||||
<h2>Additional Recommended Reading</h2>
|
||||
I highly recommend that you review the <a
|
||||
href="configuration_file_basics.htm">Common Configuration File
|
||||
Features page</a> -- it contains helpful tips about Shorewall features
|
||||
than make administering your firewall easier.
|
||||
</div>
|
||||
<p align="left"><font size="2">Last updated 8/8/2003 - <a
|
||||
<p align="left"><font size="2">Last updated 11/15/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
|
||||
2003 Thomas M. Eastep</font></a><br>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,471 +1,378 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Upgrade Issues</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>For upgrade instructions see the <a
|
||||
href="Install.htm">Install/Upgrade page</a>.<br>
|
||||
</p>
|
||||
|
||||
<p>It is important that you read all of the sections on this page where the
|
||||
version number mentioned in the section title is later than what you
|
||||
are currently running.<br>
|
||||
</p>
|
||||
|
||||
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
|
||||
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
|
||||
be a host address) accessed through a particular interface.<br>
|
||||
</p>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Upgrade Issues<br>
|
||||
</h1>
|
||||
<p>For upgrade instructions see the <a href="Install.htm">Install/Upgrade
|
||||
page</a>.<br>
|
||||
</p>
|
||||
<p>It is important that you read all of the sections on this page where
|
||||
the version number mentioned in the section title is later than what
|
||||
you are currently running.<br>
|
||||
</p>
|
||||
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
|
||||
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
|
||||
be a host address) accessed through a particular interface.<br>
|
||||
</p>
|
||||
<p>Examples:<br>
|
||||
<br>
|
||||
eth0:0.0.0.0/0<br>
|
||||
eth2:192.168.1.0/24<br>
|
||||
eth3:192.0.2.123<br>
|
||||
</p>
|
||||
|
||||
<p> You can use the "shorewall check" command to see the groups associated
|
||||
with each of your zones.<br>
|
||||
</p>
|
||||
|
||||
<br>
|
||||
eth0:0.0.0.0/0<br>
|
||||
eth2:192.168.1.0/24<br>
|
||||
eth3:192.0.2.123<br>
|
||||
</p>
|
||||
<p> You can use the "shorewall check" command to see the groups
|
||||
associated with each of your zones.<br>
|
||||
</p>
|
||||
<h3> </h3>
|
||||
|
||||
<h3>Version >= 1.4.8</h3>
|
||||
<ul>
|
||||
<li>The meaning of ROUTE_FILTER=Yes has changed. Previously this
|
||||
setting was documented as causing route filtering to occur on all
|
||||
network interfaces; this didn't work. Beginning with this release,
|
||||
ROUTE_FILTER=Yes causes route filtering to occur on all interfaces
|
||||
brought up while Shorewall is running. This means that it may be
|
||||
appropriate to set ROUTE_FILTER=Yes <span
|
||||
style="text-decoration: underline;">and</span> use the routefilter
|
||||
option in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
|
||||
entries.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>Version >= 1.4.6</h3>
|
||||
|
||||
<ul>
|
||||
<li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed
|
||||
from shorewall.conf. These capabilities are now automatically detected by
|
||||
Shorewall.</li>
|
||||
<li>An undocumented <i>feature</i> previously allowed entries in the host
|
||||
file as follows:<br>
|
||||
<br>
|
||||
<i>zone</i> eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
|
||||
<br>
|
||||
This capability was never documented and has been removed in 1.4.6 to allow
|
||||
entries of the following format:<br>
|
||||
<br>
|
||||
<i>zone</i> eth1:192.168.1.0/24,192.168.2.0/24<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version >= 1.4.4</h3>
|
||||
If you are upgrading from 1.4.3 and have set the LOGMARKER variable
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
|
||||
you must set the new LOGFORMAT variable appropriately and remove your setting
|
||||
of LOGMARKER<br>
|
||||
<li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
|
||||
removed from shorewall.conf. These capabilities are now automatically
|
||||
detected by Shorewall.</li>
|
||||
<li>An undocumented <i>feature</i> previously allowed entries in the
|
||||
host file as follows:<br>
|
||||
<br>
|
||||
|
||||
<i>zone</i> eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
|
||||
<br>
|
||||
This capability was never documented and has been removed in 1.4.6 to
|
||||
allow entries of the following format:<br>
|
||||
<br>
|
||||
<i>zone</i> eth1:192.168.1.0/24,192.168.2.0/24<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>Version >= 1.4.4</h3>
|
||||
If you are upgrading from 1.4.3 and have set the LOGMARKER variable
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>,
|
||||
then you must set the new LOGFORMAT variable appropriately and remove
|
||||
your setting of LOGMARKER<br>
|
||||
<br>
|
||||
<h3>Version 1.4.4<br>
|
||||
</h3>
|
||||
If you have zone names that are 5 characters long, you may experience
|
||||
problems starting Shorewall because the --log-prefix in a logging rule
|
||||
is too long. Upgrade to Version 1.4.4a to fix this problem..<br>
|
||||
|
||||
</h3>
|
||||
If you have zone names that are 5 characters long, you may experience
|
||||
problems starting Shorewall because the --log-prefix in a logging rule
|
||||
is too long. Upgrade to Version 1.4.4a to fix this problem..<br>
|
||||
<h3>Version >= 1.4.2</h3>
|
||||
There are some cases where you may want to handle traffic from a particular
|
||||
group to itself. While I personally think that such a setups are ridiculous,
|
||||
there are two cases covered in this documentation where it can occur:<br>
|
||||
|
||||
There are some cases where you may want to handle traffic from a
|
||||
particular group to itself. While I personally think that such a setups
|
||||
are ridiculous, there are two cases covered in this documentation where
|
||||
it can occur:<br>
|
||||
<ol>
|
||||
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
|
||||
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a
|
||||
transparent proxy in your local zone.</a></li>
|
||||
|
||||
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
|
||||
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a
|
||||
transparent proxy in your local zone.</a></li>
|
||||
</ol>
|
||||
If you have either of these cases, you will want to review the current
|
||||
documentation and change your configuration accordingly.<br>
|
||||
|
||||
If you have either of these cases, you will want to review the current
|
||||
documentation and change your configuration accordingly.<br>
|
||||
<h3>Version >= 1.4.1</h3>
|
||||
|
||||
<ul>
|
||||
<li>Beginning with Version 1.4.1, traffic between groups in
|
||||
the same zone is accepted by default. Previously, traffic from a zone
|
||||
to itself was treated just like any other traffic; any matching rules
|
||||
were applied followed by enforcement of the appropriate policy. With 1.4.1
|
||||
and later versions, unless you have explicit rules for traffic from Z
|
||||
to Z or you have an explicit Z to Z policy (where "Z" is some zone) then
|
||||
traffic between the groups in zone Z will be accepted. If you do have one
|
||||
or more explicit rules for Z to Z or if you have an explicit Z to Z policy
|
||||
then the behavior is as it was in prior versions.</li>
|
||||
|
||||
<li>Beginning with Version 1.4.1, traffic between groups in
|
||||
the same zone is accepted by default. Previously, traffic from a zone
|
||||
to itself was treated just like any other traffic; any matching rules
|
||||
were applied followed by enforcement of the appropriate policy. With
|
||||
1.4.1
|
||||
and later versions, unless you have explicit rules for traffic from Z
|
||||
to Z or you have an explicit Z to Z policy (where "Z" is some zone)
|
||||
then
|
||||
traffic between the groups in zone Z will be accepted. If you do have
|
||||
one
|
||||
or more explicit rules for Z to Z or if you have an explicit Z to Z
|
||||
policy
|
||||
then the behavior is as it was in prior versions.</li>
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<ol>
|
||||
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
|
||||
between two interfaces to the same zone, that policy can be removed
|
||||
and traffic between the interfaces will traverse fewer rules than previously.</li>
|
||||
<li>If you have a Z Z DROP or Z Z REJECT policy or you have
|
||||
Z->Z rules then your configuration should not require any change.</li>
|
||||
<li>If you are currently relying on a implicit policy (one
|
||||
that has "all" in either the SOURCE or DESTINATION column) to prevent
|
||||
traffic between two interfaces to a zone Z and you have no rules for
|
||||
Z->Z then you should add an explicit DROP or REJECT policy for Z to
|
||||
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
|
||||
between two interfaces to the same zone, that policy can be removed
|
||||
and traffic between the interfaces will traverse fewer rules than
|
||||
previously.</li>
|
||||
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z->Z
|
||||
rules then your configuration should not require any change.</li>
|
||||
<li>If you are currently relying on a implicit policy (one
|
||||
that has "all" in either the SOURCE or DESTINATION column) to prevent
|
||||
traffic between two interfaces to a zone Z and you have no rules for
|
||||
Z->Z then you should add an explicit DROP or REJECT policy for Z to
|
||||
Z.<br>
|
||||
</li>
|
||||
|
||||
</li>
|
||||
</ol>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li> Sometimes, you want two separate zones on one interface but
|
||||
you don't want Shorewall to set up any infrastructure to handle traffic
|
||||
between them. </li>
|
||||
|
||||
<li> Sometimes, you want two separate zones on one interface but you
|
||||
don't want Shorewall to set up any infrastructure to handle traffic
|
||||
between them. </li>
|
||||
</ul>
|
||||
|
||||
<blockquote>Example:<br>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
|
||||
</blockquote>
|
||||
Here, zone z1 is nested in zone z2 and the firewall is not going
|
||||
to be involved in any traffic between these two zones. Beginning with
|
||||
Shorewall 1.4.1, you can prevent Shorewall from setting up any infrastructure
|
||||
to handle traffic between z1 and z2 by using the new NONE policy:<br>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
Here, zone z1 is nested in zone z2 and the firewall is not going to be
|
||||
involved in any traffic between these two zones. Beginning with
|
||||
Shorewall 1.4.1, you can prevent Shorewall from setting up any
|
||||
infrastructure
|
||||
to handle traffic between z1 and z2 by using the new NONE policy:<br>
|
||||
<blockquote>
|
||||
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
|
||||
</blockquote>
|
||||
Note that NONE policies are generally used in pairs unless there
|
||||
is asymetric routing where only the traffic on one direction flows through
|
||||
the firewall and you are using a NONE polciy in the other direction. </blockquote>
|
||||
|
||||
</blockquote>
|
||||
Note that NONE policies are generally used in pairs unless there is
|
||||
asymetric routing where only the traffic on one direction flows through
|
||||
the firewall and you are using a NONE polciy in the other
|
||||
direction. </blockquote>
|
||||
<h3>Version 1.4.1<br>
|
||||
</h3>
|
||||
|
||||
</h3>
|
||||
<ul>
|
||||
<li>In Version 1.4.1, Shorewall will never create rules to
|
||||
deal with traffic from a given group back to itself. The <i>multi</i>
|
||||
interface option is no longer available so if you want to route traffic
|
||||
between two subnetworks on the same interface then I recommend that you
|
||||
upgrade to Version 1.4.2 and use the 'routeback' interface or host option. </li>
|
||||
|
||||
<li>In Version 1.4.1, Shorewall will never create rules to deal with
|
||||
traffic from a given group back to itself. The <i>multi</i> interface
|
||||
option is no longer available so if you want to route traffic between
|
||||
two subnetworks on the same interface then I recommend that you upgrade
|
||||
to Version 1.4.2 and use the 'routeback' interface or host option. </li>
|
||||
</ul>
|
||||
|
||||
<h3>Version >= 1.4.0</h3>
|
||||
<b>IMPORTANT: Shorewall >=1.4.0 </b><b>requires</b> <b>the
|
||||
iproute package ('ip' utility).</b><br>
|
||||
<br>
|
||||
<b>Note: </b>Unfortunately, some distributions call this package
|
||||
iproute2 which will cause the upgrade of Shorewall to fail with the
|
||||
<b>IMPORTANT: Shorewall >=1.4.0 </b><b>requires</b> <b>the iproute
|
||||
package ('ip' utility).</b><br>
|
||||
<br>
|
||||
<b>Note: </b>Unfortunately, some distributions call this package
|
||||
iproute2 which will cause the upgrade of Shorewall to fail with the
|
||||
diagnostic:<br>
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by shorewall-1.4.0-1
|
||||
<br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm
|
||||
(rpm -Uvh --nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
If you are upgrading from a version < 1.4.0, then:<br>
|
||||
|
||||
<br>
|
||||
error: failed dependencies:iproute is needed by
|
||||
shorewall-1.4.0-1 <br>
|
||||
<br>
|
||||
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
|
||||
--nodeps <shorewall rpm>).<br>
|
||||
<br>
|
||||
If you are upgrading from a version < 1.4.0, then:<br>
|
||||
<ul>
|
||||
<li>The <b>noping </b>and <b>forwardping</b> interface
|
||||
options are no longer supported nor is the <b>FORWARDPING </b>option
|
||||
in shorewall.conf. ICMP echo-request (ping) packets are treated just
|
||||
like any other connection request and are subject to rules and policies.</li>
|
||||
<li>Interface names of the form <device>:<integer>
|
||||
in /etc/shorewall/interfaces now generate a Shorewall error at startup
|
||||
(they always have produced warnings in iptables).</li>
|
||||
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
|
||||
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
|
||||
contents are determined by BOTH the interfaces and hosts files when
|
||||
there are entries for the zone in both files.</li>
|
||||
<li>The <b>routestopped</b> option in the interfaces
|
||||
and hosts file has been eliminated; use entries in the routestopped
|
||||
file instead.</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
|
||||
is no longer accepted; you must convert to using the new syntax.</li>
|
||||
<li value="6">The ALLOWRELATED variable in shorewall.conf
|
||||
is no longer supported. Shorewall 1.4 behavior is the same as 1.3
|
||||
with ALLOWRELATED=Yes.</li>
|
||||
<li value="6">Late-arriving DNS replies are now dropped
|
||||
by default; there is no need for your own /etc/shorewall/common file
|
||||
simply to avoid logging these packets.</li>
|
||||
<li value="6">The 'firewall', 'functions' and 'version'
|
||||
file have been moved to /usr/share/shorewall.</li>
|
||||
<li value="6">The icmp.def file has been removed. If you
|
||||
include it from /etc/shorewall/icmpdef, you will need to modify that
|
||||
file.</li>
|
||||
|
||||
<li>The <b>noping </b>and <b>forwardping</b> interface options are
|
||||
no longer supported nor is the <b>FORWARDPING </b>option in
|
||||
shorewall.conf. ICMP echo-request (ping) packets are treated just like
|
||||
any other connection request and are subject to rules and policies.</li>
|
||||
<li>Interface names of the form <device>:<integer> in
|
||||
/etc/shorewall/interfaces now generate a Shorewall error at startup
|
||||
(they always have produced warnings in iptables).</li>
|
||||
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
|
||||
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
|
||||
contents are determined by BOTH the interfaces and hosts files when
|
||||
there are entries for the zone in both files.</li>
|
||||
<li>The <b>routestopped</b> option in the interfaces
|
||||
and hosts file has been eliminated; use entries in the routestopped
|
||||
file instead.</li>
|
||||
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
|
||||
accepted; you must convert to using the new syntax.</li>
|
||||
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
|
||||
longer supported. Shorewall 1.4 behavior is the same as 1.3 with
|
||||
ALLOWRELATED=Yes.</li>
|
||||
<li value="6">Late-arriving DNS replies are now dropped by default;
|
||||
there is no need for your own /etc/shorewall/common file simply to
|
||||
avoid logging these packets.</li>
|
||||
<li value="6">The 'firewall', 'functions' and 'version' file have
|
||||
been moved to /usr/share/shorewall.</li>
|
||||
<li value="6">The icmp.def file has been removed. If you include it
|
||||
from /etc/shorewall/icmpdef, you will need to modify that file.</li>
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
<li>If you followed the advice in FAQ #2 and call find_interface_address
|
||||
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
|
||||
</li>
|
||||
|
||||
<li>If you followed the advice in FAQ #2 and call
|
||||
find_interface_address in /etc/shorewall/params, that code should be
|
||||
moved to /etc/shorewall/init.<br>
|
||||
</li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.4.0</h3>
|
||||
|
||||
<ul>
|
||||
<li value="8">The 'multi' interface option is no longer supported.
|
||||
Shorewall will generate rules for sending packets back out the same
|
||||
interface that they arrived on in two cases:</li>
|
||||
|
||||
<li value="8">The 'multi' interface option is no longer supported.
|
||||
Shorewall will generate rules for sending packets back out the
|
||||
same interface that they arrived on in two cases:</li>
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<ul>
|
||||
<li>There is an <u>explicit</u> policy for the source zone
|
||||
to or from the destination zone. An explicit policy names both zones
|
||||
and does not use the 'all' reserved word.</li>
|
||||
|
||||
<li>There is an <u>explicit</u> policy for the source zone to or
|
||||
from the destination zone. An explicit policy names both zones and does
|
||||
not use the 'all' reserved word.</li>
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>There are one or more rules for traffic for the source
|
||||
zone to or from the destination zone including rules that use the 'all'
|
||||
reserved word. Exception: if the source zone and destination zone are
|
||||
the same then the rule must be explicit - it must name the zone in both
|
||||
the SOURCE and DESTINATION columns.</li>
|
||||
|
||||
<li>There are one or more rules for traffic for the source zone to
|
||||
or from the destination zone including rules that use the 'all'
|
||||
reserved word. Exception: if the source zone and destination zone are
|
||||
the same then the rule must be explicit - it must name the zone in both
|
||||
the SOURCE and DESTINATION columns.</li>
|
||||
</ul>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
<h3>Version >= 1.3.14</h3>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13"
|
||||
height="13">
|
||||
Beginning in version 1.3.14, Shorewall treats entries
|
||||
in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
|
||||
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
|
||||
(second) <b>column</b>:<br>
|
||||
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Beginning in version 1.3.14, Shorewall treats
|
||||
entries in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
|
||||
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
|
||||
(second) <b>column</b>:<br>
|
||||
<ul>
|
||||
<li>Prior to 1.3.14, Shorewall would detect the FIRST
|
||||
subnet on the interface (as shown by "ip addr show <i>interface</i>")
|
||||
and would masquerade traffic from that subnet. Any other subnets that
|
||||
routed through eth1 needed their own entry in /etc/shorewall/masq to
|
||||
be masqueraded or to have SNAT applied.</li>
|
||||
<li>Beginning with Shorewall 1.3.14, Shorewall uses
|
||||
the firewall's routing table to determine ALL subnets routed through
|
||||
the named interface. Traffic originating in ANY of those subnets is
|
||||
masqueraded or has SNAT applied.</li>
|
||||
|
||||
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
|
||||
interface (as shown by "ip addr show <i>interface</i>") and would
|
||||
masquerade traffic from that subnet. Any other subnets that routed
|
||||
through eth1 needed their own entry in /etc/shorewall/masq to be
|
||||
masqueraded or to have SNAT applied.</li>
|
||||
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
|
||||
routing table to determine ALL subnets routed through the named
|
||||
interface. Traffic originating in ANY of those subnets is
|
||||
masqueraded or has SNAT applied.</li>
|
||||
</ul>
|
||||
You will need to make a change to your configuration
|
||||
You will need to make a change to your configuration
|
||||
if:<br>
|
||||
|
||||
<ol>
|
||||
<li>You have one or more entries in /etc/shorewall/masq
|
||||
with an interface name in the SUBNET (second) column; and</li>
|
||||
<li>That interface connects to more than one subnetwork.</li>
|
||||
|
||||
<li>You have one or more entries in /etc/shorewall/masq with an
|
||||
interface name in the SUBNET (second) column; and</li>
|
||||
<li>That interface connects to more than one subnetwork.</li>
|
||||
</ol>
|
||||
Two examples:<br>
|
||||
<br>
|
||||
<b>Example 1</b> -- Suppose that your current config
|
||||
is as follows:<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
|
||||
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
|
||||
required.<br>
|
||||
</blockquote>
|
||||
<b>Example 2</b>-- What if your current configuration
|
||||
is like this?<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE SUBNET ADDRESS <br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254 <br> [root@gateway test]#</pre>
|
||||
|
||||
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
|
||||
to:<br>
|
||||
</blockquote>
|
||||
|
||||
<pre> #INTERFACE SUBNET ADDRESS <br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13"
|
||||
height="13">
|
||||
Version 1.3.14 also introduced simplified ICMP echo-request
|
||||
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
|
||||
is used to specify that the old (pre-1.3.14) ping handling is to
|
||||
be used (If the option is not set in your /etc/shorewall/shorewall.conf
|
||||
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting
|
||||
the old handling indefinitely so I urge current users to migrate to using
|
||||
the new handling as soon as possible. See the <a href="ping.html">'Ping'
|
||||
handling documentation</a> for details.<br>
|
||||
|
||||
Two examples:<br>
|
||||
<br>
|
||||
<b>Example 1</b> -- Suppose that your current config is as
|
||||
follows:<br>
|
||||
<br>
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
<blockquote>In this case, the second entry in /etc/shorewall/masq is no
|
||||
longer required.<br>
|
||||
</blockquote>
|
||||
<b>Example 2</b>-- What if your current configuration is like this?<br>
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE SUBNET ADDRESS <br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254 <br> [root@gateway test]#</pre>
|
||||
<blockquote>In this case, you would want to change the entry in
|
||||
/etc/shorewall/masq to:<br>
|
||||
</blockquote>
|
||||
<pre> #INTERFACE SUBNET ADDRESS <br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Version 1.3.14 also introduced simplified ICMP
|
||||
echo-request (ping) handling. The option OLD_PING_HANDLING=Yes in
|
||||
/etc/shorewall/shorewall.conf is used to specify that the old
|
||||
(pre-1.3.14) ping handling is to be used (If the option is not set in
|
||||
your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes is
|
||||
assumed). I don't plan on supporting the old handling indefinitely so I
|
||||
urge current users to migrate to using the new handling as soon as
|
||||
possible. See the <a href="ping.html">'Ping' handling documentation</a>
|
||||
for details.<br>
|
||||
<h3>Version 1.3.10</h3>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are
|
||||
now upgrading to version 1.3.10, you will need to use the '--force'
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are
|
||||
now upgrading to version 1.3.10, you will need to use the '--force'
|
||||
option:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
|
||||
</blockquote>
|
||||
|
||||
<br>
|
||||
<blockquote>
|
||||
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
|
||||
</blockquote>
|
||||
<h3>Version >= 1.3.9</h3>
|
||||
The 'functions' file has moved to /usr/lib/shorewall/functions.
|
||||
If you have an application that uses functions from that file, your
|
||||
application will need to be changed to reflect this change of location.<br>
|
||||
|
||||
The 'functions' file has moved to /usr/lib/shorewall/functions. If you
|
||||
have an application that uses functions from that file, your
|
||||
application will need to be changed to reflect this change of location.<br>
|
||||
<h3>Version >= 1.3.8</h3>
|
||||
|
||||
<p>If you have a pair of firewall systems configured for failover
|
||||
or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall
|
||||
versions >= 1.3.8. Beginning with version 1.3.8,
|
||||
you must set NEWNOTSYN=Yes in your
|
||||
/etc/shorewall/shorewall.conf file.</p>
|
||||
|
||||
<p>If you have a pair of firewall systems configured for failover or if
|
||||
you have asymmetric routing, you will need to modify your firewall
|
||||
setup slightly under Shorewall versions >= 1.3.8. Beginning with
|
||||
version 1.3.8, you must set NEWNOTSYN=Yes in your
|
||||
/etc/shorewall/shorewall.conf file.</p>
|
||||
<h3>Version >= 1.3.7</h3>
|
||||
|
||||
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
|
||||
will need to include the following
|
||||
rules in their /etc/shorewall/icmpdef file (creating this
|
||||
file if necessary):</p>
|
||||
|
||||
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf will need to
|
||||
include the following rules in their /etc/shorewall/icmpdef file
|
||||
(creating this file if necessary):</p>
|
||||
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
|
||||
|
||||
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
|
||||
command from that file since the icmp.def file is now empty.</p>
|
||||
|
||||
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall >= 1.3.3</b></h3>
|
||||
|
||||
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
|
||||
|
||||
<p>Users having an /etc/shorewall/icmpdef file may remove the ".
|
||||
/etc/shorewall/icmp.def" command from that file since the icmp.def file
|
||||
is now empty.</p>
|
||||
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall >= 1.3.3</b></h3>
|
||||
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
|
||||
<ol>
|
||||
<li>Be sure you
|
||||
have a backup -- you will need
|
||||
to transcribe any Shorewall configuration
|
||||
changes that you have made to the new
|
||||
configuration.</li>
|
||||
<li>Replace the
|
||||
shorwall.lrp package provided on
|
||||
the Bering floppy with the later one. If you did
|
||||
not obtain the later version from Jacques's site,
|
||||
see additional instructions below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
||||
file and remove the /var/lib/shorewall
|
||||
entry if present. Then do not
|
||||
forget to backup root.lrp !</li>
|
||||
|
||||
<li>Be sure you have a backup -- you will need to transcribe any
|
||||
Shorewall configuration changes that you have made to the new
|
||||
configuration.</li>
|
||||
<li>Replace the shorwall.lrp package provided on the Bering floppy
|
||||
with the later one. If you did not obtain the later version from
|
||||
Jacques's site, see additional instructions below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list file and remove the
|
||||
/var/lib/shorewall entry if present. Then do not forget to backup
|
||||
root.lrp !</li>
|
||||
</ol>
|
||||
|
||||
<p>The .lrp that I release isn't set up for a two-interface firewall like
|
||||
Jacques's. You need to follow the <a
|
||||
href="two-interface.htm">instructions for setting up a two-interface
|
||||
firewall</a> plus you also need to add the following two Bering-specific
|
||||
rules to /etc/shorewall/rules:</p>
|
||||
|
||||
<blockquote>
|
||||
<p>The .lrp that I release isn't set up for a two-interface firewall
|
||||
like Jacques's. You need to follow the <a href="two-interface.htm">instructions
|
||||
for setting up a two-interface firewall</a> plus you also need to add
|
||||
the following two Bering-specific rules to /etc/shorewall/rules:</p>
|
||||
<blockquote>
|
||||
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
|
||||
|
||||
<p align="left">If you have a pair of firewall systems configured for
|
||||
failover or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall versions
|
||||
1.3.6 and 1.3.7</p>
|
||||
|
||||
</blockquote>
|
||||
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
|
||||
<p align="left">If you have a pair of firewall systems configured for
|
||||
failover or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall versions
|
||||
1.3.6 and 1.3.7</p>
|
||||
<ol>
|
||||
<li>
|
||||
|
||||
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
|
||||
the following rule<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A
|
||||
newnotsyn -j RETURN # So that the connection tracking
|
||||
table can be rebuilt<br>
|
||||
|
||||
# from non-SYN packets after takeover.<br>
|
||||
</font> </p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">Create /etc/shorewall/common (if you don't already
|
||||
have that file) and include the following:<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A
|
||||
common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
|
||||
#Accept Acks to rebuild connection<br>
|
||||
|
||||
#tracking table. <br>
|
||||
. /etc/shorewall/common.def</font> </p>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<p align="left">Create the file /etc/shorewall/newnotsyn and in it
|
||||
add the following rule<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A
|
||||
newnotsyn -j RETURN # So that the connection tracking
|
||||
table can be rebuilt<br>
|
||||
|
||||
# from non-SYN packets after takeover.<br>
|
||||
</font> </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">Create /etc/shorewall/common (if you don't already
|
||||
have that file) and include the following:<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A
|
||||
common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
|
||||
#Accept Acks to rebuild connection<br>
|
||||
|
||||
#tracking table. <br>
|
||||
. /etc/shorewall/common.def</font> </p>
|
||||
</li>
|
||||
</ol>
|
||||
|
||||
<h3 align="left">Versions >= 1.3.5</h3>
|
||||
|
||||
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
|
||||
supported. </p>
|
||||
|
||||
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
|
||||
supported. </p>
|
||||
<p align="left">Example 1:</p>
|
||||
|
||||
<div align="left">
|
||||
<div align="left">
|
||||
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<p align="left">Must be replaced with:</p>
|
||||
|
||||
<div align="left">
|
||||
<div align="left">
|
||||
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Example 2:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
<div align="left">
|
||||
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Must be replaced with:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
<div align="left">
|
||||
<pre> REDIRECT loc 3128 tcp 80</pre>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
<h3 align="left">Version >= 1.3.2</h3>
|
||||
|
||||
<p align="left">The functions and versions files together with the 'firewall'
|
||||
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
|
||||
If you have applications that access these files, those
|
||||
applications should be modified accordingly.</p>
|
||||
|
||||
<p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom
|
||||
<p align="left">The functions and versions files together with the
|
||||
'firewall' symbolic link have moved from /etc/shorewall to
|
||||
/var/lib/shorewall. If you have applications that access these files,
|
||||
those applications should be modified accordingly.</p>
|
||||
<p><font size="2"> Last updated 10/30/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,65 +2,39 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Useful Links</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||||
bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Useful Links</font><br>
|
||||
</h1>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Useful Links </h1>
|
||||
<h3>NetFilter Site: <a href="http://www.netfilter.org">http://www.netfilter.org<img
|
||||
src="images/netfilterlogo.png" alt="Netfilter Logo" width="94"
|
||||
height="33" hspace="4" align="middle" border="0">
|
||||
</a></h3>
|
||||
|
||||
height="33" hspace="4" align="middle" border="0"> </a></h3>
|
||||
<h3>Linux Advanced Routing and Traffic Control Howto: <a
|
||||
href="http://ds9a.nl/lartc">http://ds9a.nl/lartc</a></h3>
|
||||
|
||||
<h3>Iproute Downloads: <a href="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</a></h3>
|
||||
|
||||
<h3>LEAF Site: <a href="http://leaf-project.org">http://leaf-project.org<img
|
||||
src="images/leaflogo.jpg" alt="Leaf Logo" width="64" height="48"
|
||||
align="middle" hspace="4" border="0">
|
||||
</a></h3>
|
||||
|
||||
align="middle" hspace="4" border="0"> </a></h3>
|
||||
<h3>Bering LEAF Distribution: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></h3>
|
||||
|
||||
href="http://leaf.sourceforge.net/devel/jnilo">
|
||||
http://leaf.sourceforge.net/devel/jnilo</a></h3>
|
||||
<h3>Debian apt-get sources for Shorewall: <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
|
||||
href="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian">http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian<img
|
||||
src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
|
||||
align="middle" hspace="4" border="0">
|
||||
<img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
|
||||
align="middle" border="0">
|
||||
</a><br>
|
||||
</h3>
|
||||
<br>
|
||||
<font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
align="middle" hspace="4" border="0"> <img src="images/debian.jpg"
|
||||
alt="Debian Logo" width="88" height="30" align="middle" border="0"> </a><br>
|
||||
</h3>
|
||||
<br>
|
||||
<font size="2">Last updated 11/20/2003 - <a href="support.htm">Tom
|
||||
Eastep</a></font>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,309 +1,267 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Whitelisting under Shorewall</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#3366ff" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Whitelisting under Shorewall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left">For a brief time, the 1.2 version of Shorewall supported
|
||||
an /etc/shorewall/whitelist file. This file was intended to contain a list
|
||||
of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
|
||||
file was implemented as a stop-gap measure until the facilities necessary
|
||||
for implementing white lists using zones was in place. As of Version 1.3
|
||||
RC1, those facilities were available.</p>
|
||||
|
||||
<p align="left">White lists are most often used to give special privileges
|
||||
to a set of hosts within an organization. Let us suppose that we have the
|
||||
following environment:</p>
|
||||
|
||||
<body>
|
||||
<h1 style="text-align: center;">Whitelisting under Shorewall<br>
|
||||
</h1>
|
||||
<p align="left">For a brief time, the 1.2 version of Shorewall
|
||||
supported
|
||||
an /etc/shorewall/whitelist file. This file was intended to contain a
|
||||
list
|
||||
of IP addresses of hosts whose POLICY to all zones was ACCEPT. The
|
||||
whitelist file was implemented as a stop-gap measure until the
|
||||
facilities necessary for implementing white lists using zones was in
|
||||
place. As of Version 1.3 RC1, those facilities were available.</p>
|
||||
<p align="left">White lists are most often used to give special
|
||||
privileges to a set of hosts within an organization. Let us
|
||||
suppose that we have the following environment:</p>
|
||||
<ul>
|
||||
<li>A firewall with three interfaces -- one to the internet, one
|
||||
to a local network and one to a DMZ.</li>
|
||||
<li>The local network uses SNAT to the internet and is comprised
|
||||
of the class B network 10.10.0.0/16 (Note: While this example uses an RFC
|
||||
1918 local network, the technique described here in no way depends on
|
||||
that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
|
||||
<li>A firewall with three interfaces -- one to the internet, one to a
|
||||
local network and one to a DMZ.</li>
|
||||
<li>The local network uses SNAT to the internet and is comprised of
|
||||
the class B network 10.10.0.0/16 (Note: While this example uses an RFC
|
||||
1918 local network, the technique described here in no way depends on
|
||||
that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
|
||||
NAT, etc.).</li>
|
||||
<li>The network operations staff have workstations with IP addresses
|
||||
<li>The network operations staff have workstations with IP addresses
|
||||
in the class C network 10.10.10.0/24</li>
|
||||
<li>We want the network operations staff to have full access to all
|
||||
<li>We want the network operations staff to have full access to all
|
||||
other hosts.</li>
|
||||
<li>We want the network operations staff to bypass the transparent
|
||||
<li>We want the network operations staff to bypass the transparent
|
||||
HTTP proxy running on our firewall.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">The basic approach will be that we will place the operations
|
||||
staff's class C in its own zone called <b>ops</b>. Here are the appropriate
|
||||
configuration files:</p>
|
||||
|
||||
<p align="left">The basic approach will be that we will place the
|
||||
operations staff's class C in its own zone called <b>ops</b>. Here are
|
||||
the appropriate configuration files:</p>
|
||||
<h2 align="left">Zone File</h2>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table border="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b> ZONE</b></td>
|
||||
<td><b> DISPLAY</b></td>
|
||||
<td><b> COMMENTS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>Net</td>
|
||||
<td>Internet</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ops</td>
|
||||
<td>Operations</td>
|
||||
<td>Operations Staff's Class C</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>Local</td>
|
||||
<td>Local Class B</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>dmz</td>
|
||||
<td>DMZ</td>
|
||||
<td>Demilitarized zone</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b> ZONE</b></td>
|
||||
<td><b> DISPLAY</b></td>
|
||||
<td><b> COMMENTS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>Net</td>
|
||||
<td>Internet</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ops</td>
|
||||
<td>Operations</td>
|
||||
<td>Operations Staff's Class C</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>Local</td>
|
||||
<td>Local Class B</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>dmz</td>
|
||||
<td>DMZ</td>
|
||||
<td>Demilitarized zone</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>The <b>ops </b>zone has been added to the standard 3-zone zones file --
|
||||
since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
|
||||
|
||||
</blockquote>
|
||||
<p>The <b>ops </b>zone has been added to the standard 3-zone zones
|
||||
file -- since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u>
|
||||
<b>loc</b>.</p>
|
||||
<h2>Interfaces File</h2>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table border="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b> ZONE</b></td>
|
||||
<td><b> INTERFACE</b></td>
|
||||
<td><b> BROADCAST</b></td>
|
||||
<td><b> OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>eth0</td>
|
||||
<td><whatever></td>
|
||||
<td><options></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>dmz</td>
|
||||
<td>eth1</td>
|
||||
<td><whatever></td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>-</td>
|
||||
<td>eth2</td>
|
||||
<td>10.10.255.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b> ZONE</b></td>
|
||||
<td><b> INTERFACE</b></td>
|
||||
<td><b> BROADCAST</b></td>
|
||||
<td><b> OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>eth0</td>
|
||||
<td><whatever></td>
|
||||
<td><options></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>dmz</td>
|
||||
<td>eth1</td>
|
||||
<td><whatever></td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>-</td>
|
||||
<td>eth2</td>
|
||||
<td>10.10.255.255</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
|
||||
we don't specify a zone for it here.</p>
|
||||
|
||||
</blockquote>
|
||||
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
|
||||
we don't specify a zone for it here.</p>
|
||||
<h2>Hosts File</h2>
|
||||
|
||||
<blockquote> <font face="Century Gothic, Arial, Helvetica">
|
||||
</font>
|
||||
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
|
||||
<table border="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b> ZONE</b></td>
|
||||
<td><b> HOST(S)</b></td>
|
||||
<td><b> OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ops</td>
|
||||
<td>eth2:10.10.10.0/24</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>eth2:0.0.0.0/0</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b> ZONE</b></td>
|
||||
<td><b> HOST(S)</b></td>
|
||||
<td><b> OPTIONS</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ops</td>
|
||||
<td>eth2:10.10.10.0/24</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>eth2:0.0.0.0/0</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is stopped,
|
||||
only the hosts in the <b>ops</b> zone will be allowed to access the firewall
|
||||
and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than 10.10.0.0/16
|
||||
so that the limited broadcast address (255.255.255.255) falls into that
|
||||
zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
|
||||
that special address.</p>
|
||||
|
||||
</blockquote>
|
||||
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall
|
||||
is stopped,
|
||||
only the hosts in the <b>ops</b> zone will be allowed to access the
|
||||
firewall
|
||||
and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than
|
||||
10.10.0.0/16
|
||||
so that the limited broadcast address (255.255.255.255) falls into that
|
||||
zone. If I used 10.10.0.0/16 then I would have to have a separate entry
|
||||
for that special address.</p>
|
||||
<h2>Policy File</h2>
|
||||
|
||||
<blockquote> <font face="Century Gothic, Arial, Helvetica">
|
||||
</font>
|
||||
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
|
||||
<table border="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> POLICY</b></td>
|
||||
<td><b> LOG LEVEL</b></td>
|
||||
<td><b>LIMIT:BURST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><font color="#0000ff">ops</font></td>
|
||||
<td><font color="#0000ff">all</font></td>
|
||||
<td><font color="#0000ff">ACCEPT</font></td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><font color="#0000ff">all</font></td>
|
||||
<td><font color="#0000ff">ops</font></td>
|
||||
<td><font color="#0000ff">CONTINUE</font></td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>net</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>all</td>
|
||||
<td>DROP</td>
|
||||
<td>info</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>all</td>
|
||||
<td>all</td>
|
||||
<td>REJECT</td>
|
||||
<td>info</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> POLICY</b></td>
|
||||
<td><b> LOG LEVEL</b></td>
|
||||
<td><b>LIMIT:BURST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><font color="#0000ff">ops</font></td>
|
||||
<td><font color="#0000ff">all</font></td>
|
||||
<td><font color="#0000ff">ACCEPT</font></td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><font color="#0000ff">all</font></td>
|
||||
<td><font color="#0000ff">ops</font></td>
|
||||
<td><font color="#0000ff">CONTINUE</font></td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>loc</td>
|
||||
<td>net</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>all</td>
|
||||
<td>DROP</td>
|
||||
<td>info</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>all</td>
|
||||
<td>all</td>
|
||||
<td>REJECT</td>
|
||||
<td>info</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy
|
||||
file.<font color="#ff0000"><b></b></font></p>
|
||||
|
||||
</blockquote>
|
||||
<p>Two entries for <b>ops</b> have been added to the standard 3-zone
|
||||
policy file.<font color="#ff0000"><b></b></font></p>
|
||||
<h2>Rules File</h2>
|
||||
|
||||
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
|
||||
|
||||
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
|
||||
<table border="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc!ops</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>http</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>...</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc!ops</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>http</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>...</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>This is the rule that transparently redirects web traffic to the transparent
|
||||
proxy running on the firewall. The SOURCE column explicitly excludes the
|
||||
<b>ops</b> zone from the rule.</p>
|
||||
|
||||
</blockquote>
|
||||
<p>This is the rule that transparently redirects web traffic to the
|
||||
transparent proxy running on the firewall. The SOURCE column explicitly
|
||||
excludes the <b>ops</b> zone from the rule.</p>
|
||||
<h2>Routestopped File</h2>
|
||||
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table border="2">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>INTERFACE</b><br>
|
||||
</td>
|
||||
<td><b> HOST(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>eth2<br>
|
||||
</td>
|
||||
<td>10.10.10.0/24</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>INTERFACE</b><br>
|
||||
</td>
|
||||
<td><b> HOST(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">eth1<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>eth2<br>
|
||||
</td>
|
||||
<td>10.10.10.0/24</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</blockquote>
|
||||
<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
Loading…
Reference in New Issue
Block a user