diff --git a/docs/Shorewall-4.xml b/docs/Shorewall-4.xml index 15b6e4a7f..98933cad5 100644 --- a/docs/Shorewall-4.xml +++ b/docs/Shorewall-4.xml @@ -34,7 +34,7 @@ -
+
Introduction Shorewall version 4 is currently in development and is available for @@ -88,7 +88,7 @@ whichever one suits you in a particular case.
-
+
Installing Shorewall Version 4 You can download the development version of Shorewall Version 4 from @@ -129,7 +129,7 @@ Shorewall.
-
+
Prerequisites for using the Shorewall Version 4 Perl-based Compiler @@ -161,7 +161,7 @@
-
+
Incompatibilities Introduced in the Shorewall Version 4 Perl-based Compiler @@ -170,7 +170,7 @@ document for details.
-
+
Compiler Selection If you only install one compiler, then that compiler will be diff --git a/docs/Shorewall-perl.xml b/docs/Shorewall-perl.xml index 667ef974c..39fc3711f 100644 --- a/docs/Shorewall-perl.xml +++ b/docs/Shorewall-perl.xml @@ -34,7 +34,7 @@ -
+
Shorewall-perl - What is it? Shorewall-perl is a companion product to Shorewall. It requires @@ -76,7 +76,7 @@
-
+
Shorewall-perl - The down side While there are advantages to using Shorewall-perl, there are also @@ -504,7 +504,7 @@ eth0 eth1:!192.168.4.9 ...
-
+
Shorewall-perl - Installation @@ -529,10 +529,10 @@ eth0 eth1:!192.168.4.9 ... package.
-
+
Using Shorewall-perl -
+
Using Shorewall-perl under Shorewall 3.4.2 and Shorewall 3.4.3 @@ -557,7 +557,7 @@ eth0 eth1:!192.168.4.9 ... use be specified in shorewall.conf.
-
+
Using Shorewall-perl under Shorewall 3.4.4/4.0.0 Beta and later. diff --git a/docs/Shorewall_Doesnt.xml b/docs/Shorewall_Doesnt.xml index c90f72cf5..5f38df753 100644 --- a/docs/Shorewall_Doesnt.xml +++ b/docs/Shorewall_Doesnt.xml @@ -40,7 +40,7 @@ 3.0.0 then please see the documentation for that release -
+
Shorewall Does not: @@ -90,7 +90,7 @@
-
+
In Addition: diff --git a/docs/Shorewall_Squid_Usage.xml b/docs/Shorewall_Squid_Usage.xml index 0127c8b99..9004fba3c 100644 --- a/docs/Shorewall_Squid_Usage.xml +++ b/docs/Shorewall_Squid_Usage.xml @@ -45,7 +45,7 @@ release. -
+
Squid as a Transparent (Interception) Proxy @@ -141,7 +141,7 @@ httpd_accel_uses_host_header on
-
+
Configurations Three different configurations are covered: @@ -256,7 +256,7 @@ DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192. ACCEPT Z SZ tcp SP ACCEPT SZ net tcp 80,443 - + Squid on the firewall listening on port 8080 with access from the <quote>loc</quote> zone: diff --git a/docs/Shorewall_and_Aliased_Interfaces.xml b/docs/Shorewall_and_Aliased_Interfaces.xml index a61fb2e24..ae120f37a 100644 --- a/docs/Shorewall_and_Aliased_Interfaces.xml +++ b/docs/Shorewall_and_Aliased_Interfaces.xml @@ -41,7 +41,7 @@ release. -
+
Background The traditional net-tools contain a program called @@ -52,7 +52,7 @@ class="devicefile">eth0:0) and ifconfig treats them more or less like real interfaces. - + ifconfig [root@gateway root]# ifconfig eth0:0 @@ -71,7 +71,7 @@ eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55 it allows addresses to be labeled where these labels take the form of ipconfig virtual interfaces. - + ip [root@gateway root]# ip addr show dev eth0 @@ -100,7 +100,7 @@ Device "eth0:0" does not exist. discussion below.
-
+
Adding Addresses to Interfaces Most distributions have a facility for adding additional addresses @@ -143,21 +143,21 @@ iface eth0 inet static up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0
-
+
So how do I handle more than one address on an interface? The answer depends on what you are trying to do with the interfaces. In the sub-sections that follow, we'll take a look at common scenarios. -
+
Separate Rules If you need to make a rule for traffic to/from the firewall itself that only applies to a particular IP address, simply qualify the $FW zone with the IP address. - + allow SSH from net to eth0:0 above /etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S) @@ -165,7 +165,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22
-
+
DNAT Suppose that I had set up eth0:0 as above and I wanted to port @@ -178,7 +178,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22 DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178
-
+
SNAT If you wanted to use eth0:0 as the IP address for outbound @@ -223,7 +223,7 @@ eth0:1 = 206.124.146.179 eth0:2 = 206.124.146.180
-
+
One-to-one NAT If you wanted to use one-to-one NAT to link pair, you simply qualify the local zone with the internal IP address. - + You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3. @@ -266,7 +266,7 @@ ACCEPT net loc:192.168.1.3 tcp 22
-
+
MULTIPLE SUBNETS Sometimes multiple IP addresses are used because there are @@ -278,7 +278,7 @@ ACCEPT net loc:192.168.1.3 tcp 22 consider the LAN segment itself as a zone and allow your firewall/router to route between the two subnetworks. - + Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. You simply want your firewall to route @@ -300,7 +300,7 @@ loc eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">rout ACCEPT rules for the traffic that you want to permit.</para> </example> - <example> + <example id="subnets1"> <title>Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. You want to make these subnetworks into @@ -334,4 +334,4 @@ loc2 eth1:192.168.20.0/24</programlisting> </example> </section> </section> -</article> +</article> \ No newline at end of file diff --git a/docs/Shorewall_and_Routing.xml b/docs/Shorewall_and_Routing.xml index eb365fbcc..ed45227c5 100644 --- a/docs/Shorewall_and_Routing.xml +++ b/docs/Shorewall_and_Routing.xml @@ -38,7 +38,7 @@ </legalnotice> </articleinfo> - <section> + <section id="Routing"> <title>Routing vs. Firewalling. One of the most misunderstood aspects of Shorewall is its @@ -62,7 +62,7 @@ in the following sections.
-
+
Routing and Netfilter The following diagram shows the relationship between routing @@ -80,7 +80,7 @@ through this maze, depending on where the packet originates. We will look at each of these separately. -
+
Packets Entering the Firewall from Outside When a packet arrives from outside, it first undergoes Netfilter @@ -132,7 +132,7 @@ alternate routing table.
-
+
Packets Originating on the Firewall Processing of packets that originate on the firewall itself are @@ -169,7 +169,7 @@
-
+
Alternate Routing Table Configuration The Shorewall 2.x
-
+
Routing and Proxy ARP There is one instance where Shorewall creates main routing table @@ -211,7 +211,7 @@ ip route add 206.124.146.177 dev eth1
-
+
Multiple Internet Connection Support in Shorewall 2.4.2 and Later diff --git a/docs/SimpleBridge.xml b/docs/SimpleBridge.xml index 992e847dc..00dde6695 100644 --- a/docs/SimpleBridge.xml +++ b/docs/SimpleBridge.xml @@ -38,7 +38,7 @@ -
+
Background Systems where Shorewall runs normally function as @@ -70,7 +70,7 @@
-
+
Application There are cases where you want to create a bridge to join two or @@ -79,7 +79,7 @@ article. If you do need to restrict traffic through the bridge, please refer - to the Shorewall Bridge/Firewall + to the Shorewall Bridge/Firewall documentation. Also please refer to that documentation for information about how to create a bridge. diff --git a/docs/UPnP.xml b/docs/UPnP.xml index a39c781e8..a9e3c40fa 100644 --- a/docs/UPnP.xml +++ b/docs/UPnP.xml @@ -34,7 +34,7 @@ -
+
UPnP In Shorewall 2.2.4, support was added for UPnP (Universal Plug and @@ -78,7 +78,7 @@
-
+
linux-igd Configuration In /etc/upnpd.conf, you will want: @@ -88,7 +88,7 @@ prerouting_chain_name = UPnP forward_chain_name = forwardUPnP
-
+
Shorewall Configuration In /etc/shorewall/interfaces, you need the diff --git a/docs/VPN.xml b/docs/VPN.xml index a78d87c54..55c1605bb 100644 --- a/docs/VPN.xml +++ b/docs/VPN.xml @@ -38,7 +38,7 @@ -
+
Virtual Private Networking (VPN) It is often the case that a system behind the firewall needs to be @@ -76,7 +76,7 @@ following: only one system may connect to the remote gateway and there are firewall configuration requirements as follows: - +
/etc/shorewall/rules diff --git a/docs/VPNBasics.xml b/docs/VPNBasics.xml index 8a5ade1f7..5ab97ac03 100644 --- a/docs/VPNBasics.xml +++ b/docs/VPNBasics.xml @@ -38,7 +38,7 @@ -
+
Gateway-to-gateway traffic vs. Host-to-host traffic. The purpose of a Virtual Private Network @@ -91,7 +91,7 @@
-
+
Relationship to Netfilter When Netfilter is configured on a VPN gateway, each VPN packet goes @@ -118,7 +118,7 @@
-
+
What does this mean with Shorewall? When Shorewall is installed on a VPN gateway system, it categorizes @@ -185,7 +185,7 @@
-
+
Defining Remote Zones Most VPN types are implemented using a virtual network device such @@ -209,7 +209,7 @@ loc eth1 detect rem ppp0 192.168.10.0/24
-
+
Allowing Traffic Normally, you will just allow all traffic between your remote @@ -224,7 +224,7 @@ loc rem ACCEPT the remote clients to/from the firewall.
-
+
Different Firewall Policies for Different Remote Systems The /etc/shorewall/hosts file comes into play when: @@ -274,7 +274,7 @@ rem2 tun+:10.0.1.0/24 kernel 2.6 native IPSEC.
-
+
Eliminating the /etc/shorewall/tunnels file The /etc/shorewall/tunnels file provides no @@ -285,7 +285,7 @@ rem2 tun+:10.0.1.0/24 /etc/shorewall/tunnels can be replaced by rules for some common tunnel types. -
+
IPSEC /etc/shorewall/tunnels: @@ -316,7 +316,7 @@ ACCEPT Z2:1.2.3.4 $FW udp 500 are omitted.
-
+
PPTP /etc/shorewall/tunnels: @@ -341,7 +341,7 @@ ACCEPT Z1:1.2.3.4 $FW 47 port 1723 rule.
-
+
OpenVPN /etc/shorewall/tunnels: diff --git a/docs/Xen.xml b/docs/Xen.xml index 68a89451b..ee2d12b4a 100644 --- a/docs/Xen.xml +++ b/docs/Xen.xml @@ -48,7 +48,7 @@ running kernel 2.6.20 or later. -
+
Xen Network Environment
-
+
Configuring Shorewall in Dom0 As I state in the answer to Shorewall FAQ @@ -147,7 +147,7 @@ only have to worry about protecting the local LAN from the systems running in the DomU's. -
+
/etc/shorewall/shorewall.conf Because Xen uses normal Linux bridging, you must enable bridge @@ -158,7 +158,7 @@
-
+
/etc/shorewall/zones One thing strange about configuring Shorewall in this environment @@ -181,7 +181,7 @@ net ipv4 #The local LAN and beyond
-
+
/etc/shorewall/interfaces We must deal with two network interfaces. We must deal with the @@ -196,7 +196,7 @@ net eth0 detect dhcp
-
+
/etc/shorewall/hosts Here we define the zones ursa and @@ -218,7 +218,7 @@ net xenbr0:peth0 class="devicefile">peth0 port on the bridge.
-
+
/etc/shorewall/policy The policies shown here effectively isolate Domains 1...N. @@ -237,7 +237,7 @@ all all REJECT info
-
+
/etc/shorewall/rules These rules determine the traffic allowed into and out of the diff --git a/docs/XenMyWay-Routed.xml b/docs/XenMyWay-Routed.xml index 13e04d3dd..3c6f0f99d 100644 --- a/docs/XenMyWay-Routed.xml +++ b/docs/XenMyWay-Routed.xml @@ -40,7 +40,7 @@ documentation for that release. -
+
Before Xen Prior to adopting Xen, I had a home @@ -72,7 +72,7 @@ The result was a very crowded and noisy room.
-
+
After Xen Xen has allowed me to reduce the noise and clutter considerably. I diff --git a/docs/XenMyWay.xml b/docs/XenMyWay.xml index 91eaa798f..8937b72cc 100644 --- a/docs/XenMyWay.xml +++ b/docs/XenMyWay.xml @@ -47,7 +47,7 @@ running kernel 2.6.20 or later. -
+
Before Xen Prior to adopting Xen, I had a home @@ -79,7 +79,7 @@ The result was a very crowded and noisy room.
-
+
After Xen Xen has allowed me to reduce the noise and clutter considerably. I diff --git a/docs/shorewall_features.xml b/docs/shorewall_features.xml index 05a5eb7b5..b2444e139 100644 --- a/docs/shorewall_features.xml +++ b/docs/shorewall_features.xml @@ -39,7 +39,7 @@ release. -
+
Features @@ -219,7 +219,7 @@ Bridge/Firewall support + role="bold">Bridge/Firewall support
diff --git a/docs/shorewall_logging.xml b/docs/shorewall_logging.xml index c64711151..e0f995e49 100644 --- a/docs/shorewall_logging.xml +++ b/docs/shorewall_logging.xml @@ -41,7 +41,7 @@ release. -
+
How to Log Traffic Through a Shorewall Firewall The disposition of packets entering a Shorewall firewall is @@ -95,7 +95,7 @@
-
+
Where the Traffic is Logged and How to Change the Destination @@ -113,7 +113,7 @@ level is the term used by NetFilter. The syslog documentation uses the term priority. -
+
Syslog Levels Syslog levels are a method of describing to syslog (8) the @@ -165,7 +165,7 @@ Shorewall messages written to the console.
-
+
Configuring a Separate Log for Shorewall Messages (ulogd) There are a couple of limitations to syslogd-based logging: @@ -232,7 +232,7 @@ gateway:/etc/shorewall#
-
+
Syslog-ng
-
+
Understanding the Contents of Shorewall Log Messages For general information on the contents of Netfilter log messages, @@ -250,4 +250,4 @@ gateway:/etc/shorewall# For Shorewall-specific information, see FAQ #17.
- + \ No newline at end of file diff --git a/docs/shorewall_prerequisites.xml b/docs/shorewall_prerequisites.xml index e02952bc1..d110c4b85 100644 --- a/docs/shorewall_prerequisites.xml +++ b/docs/shorewall_prerequisites.xml @@ -39,7 +39,7 @@ release. -
+
Shorewall Requires: @@ -93,7 +93,7 @@
-
+
Shorewall-perl Requirements Shorewall-perl is a @@ -101,6 +101,6 @@ It is much faster than the classic Shorewall-shell compiler and produces a firewall script that runs much faster. It's prerequisites are described in the Shorewall-perl - article. + article.
\ No newline at end of file diff --git a/docs/shorewall_quickstart_guide.xml b/docs/shorewall_quickstart_guide.xml index 1b70d091a..bc2465141 100644 --- a/docs/shorewall_quickstart_guide.xml +++ b/docs/shorewall_quickstart_guide.xml @@ -49,7 +49,7 @@ The Russian Translations are courtesy of Alex at tut.by. -
+
Before You Start Please read the short article These guides provide step-by-step instructions for configuring Shorewall in common firewall setups. -
+
If you want the firewall system to handle a <emphasis role="bold">single public IP address</emphasis> @@ -98,7 +98,7 @@
-
+
If you want the firewall system to handle more than one public IP address diff --git a/docs/shorewall_setup_guide.xml b/docs/shorewall_setup_guide.xml index f1a00144c..3eafaf70a 100644 --- a/docs/shorewall_setup_guide.xml +++ b/docs/shorewall_setup_guide.xml @@ -126,12 +126,12 @@ instructions. Shorewall views the network where it is running as being composed of - a set of zones. A zone is one or more hosts, which can be defined - as individual hosts or networks in - /etc/shorewall/hosts, or as - an entire interface in /etc/shorewall/interfaces. In this - guide, we will use the following zones: + a set of zones. A zone is one or more hosts, which can be defined as + individual hosts or networks in /etc/shorewall/hosts, or as an entire + interface in /etc/shorewall/interfaces. In this guide, we + will use the following zones: @@ -432,7 +432,7 @@ dmz eth2 detect than one interface, simply include one entry for each interface and repeat the zone name as many times as necessary. - + Multiple Interfaces to a Zone #ZONE INTERFACE BROADCAST OPTIONS @@ -555,7 +555,7 @@ loc eth2 detect subnet sizes, the size and its base-2 logarithm are given in the following table: -
+
Base-2 Logarithms @@ -689,7 +689,7 @@ loc eth2 detect size n. From the above table, we can derive the following one which is a little easier to use. -
+
VLSM @@ -849,7 +849,7 @@ loc eth2 detect a.b.c.d/v using CIDR Notation. Example: -
+
Subnet @@ -891,7 +891,7 @@ loc eth2 detect There are two degenerate subnets that need mentioning; namely, the subnet with one member and the subnet with 2 ** 32 members. -
+
/32 and /0 @@ -945,7 +945,7 @@ loc eth2 detect address a.b.c.d and with the netmask that corresponds to VLSM /v. - + 192.0.2.65/29 The interface is configured with IP address 192.0.2.65 and @@ -955,7 +955,7 @@ loc eth2 detect /sbin/shorewall supports an ipcalc command that automatically calculates information about a [sub]network. - + Using the <command>ipcalc </command>command shorewall ipcalc 10.10.10.0/25 @@ -966,7 +966,7 @@ loc eth2 detect - + Using the <command>ipcalc</command> command shorewall ipcalc 10.10.10.0 255.255.255.128 @@ -1075,8 +1075,8 @@ Destination Gateway Genmask Flgs MSS Win irtt Iface requests -- they are totally independent. -
- Address Resolution Protocol (ARP) +
+ Address Resolution Protocol (ARP) When sending packets over Ethernet, IP addresses aren't used. Rather Ethernet addressing is based on Media Access @@ -1580,8 +1580,8 @@ DNAT net loc:192.168.201.4 tcp www rather than with the firewall's eth0.
-
- One-to-one NAT +
+ One-to-one NAT With one-to-one NAT, you assign local systems RFC 1918 addresses then establish a one-to-one mapping between those addresses and public @@ -2336,7 +2336,7 @@ foobar.net. 86400 IN A 192.0.2.177 86400 IN MX 1 <backup MX>.
-
+
Some Things to Keep in Mind @@ -2429,4 +2429,4 @@ foobar.net. 86400 IN A 192.0.2.177 try command.
- + \ No newline at end of file diff --git a/docs/standalone.xml b/docs/standalone.xml index d56113c4a..ba38b42ee 100644 --- a/docs/standalone.xml +++ b/docs/standalone.xml @@ -47,7 +47,7 @@ system. -
+
Introduction Setting up Shorewall on a standalone Linux system is very easy if @@ -74,7 +74,7 @@ -
+
System Requirements Shorewall requires that you have the @@ -90,7 +90,7 @@ [root@gateway root]#
-
+
Before you start I recommend that you read through the guide first to familiarize @@ -121,7 +121,7 @@
-
+
Conventions Points at which configuration changes are recommended are flagged @@ -130,7 +130,7 @@
-
+
PPTP/ADSL @@ -143,7 +143,7 @@ found in Europe, notably in Austria.
-
+
Shorewall Concepts @@ -311,7 +311,7 @@ all all REJECT info and make any changes that you wish.
-
+
External Interface The firewall has a single network interface. Where Internet @@ -377,7 +377,7 @@ root@lists:~#
-
+
IP Addresses Before going further, we should say a few words about @@ -455,7 +455,7 @@ root@lists:~# role="bold">SECTION NEW. - + You want to run a Web Server and a IMAP Server on your firewall system: @@ -472,7 +472,7 @@ IMAP/ACCEPT net $FW #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT net $FW <protocol> <port> - + You want to run a Web Server and a IMAP Server on your firewall system: @@ -499,7 +499,7 @@ SSH/ACCEPT net $FW other connections as desired.
-
+
Starting and Stopping Your Firewall @@ -549,7 +549,7 @@ SSH/ACCEPT net $FW
-
+
If it Doesn't Work @@ -574,7 +574,7 @@ SSH/ACCEPT net $FW
-
+
Additional Recommended Reading I highly recommend that you review the page -- it contains helpful tips about Shorewall features than make administering your firewall easier.
- - - Revision History - - - - 2.0 - - 2005-09-12 - - TE - - More 3.0 Updates - - - - 1.9 - - 2005-09-02 - - CR - - Update for Shorewall 3.0 - - - - 1.8 - - 2005-07-12 - - TE - - Change reference to rfc1918 to bogons. - - - - 1.7 - - 2004-02-16 - - TE - - Move /etc/shorewall/rfc1918 to - /usr/share/shorewall. - - - - 1.6 - - 2004-02-05 - - TE - - Update for Shorewall 2.0 - - - - 1.5 - - 2004-01-05 - - TE - - Standards Changes - - - - 1.4 - - 2003-12-30 - - TE - - Add tip about /etc/shorewall/rfc1918 updates. - - - - 1.3 - - 2003-11-15 - - TE - - Initial Docbook Conversion - - - \ No newline at end of file diff --git a/docs/starting_and_stopping_shorewall.xml b/docs/starting_and_stopping_shorewall.xml index 12887a8ba..765d78249 100644 --- a/docs/starting_and_stopping_shorewall.xml +++ b/docs/starting_and_stopping_shorewall.xml @@ -47,7 +47,7 @@ release. -
+
/sbin/shorewall and /sbin/shorewall-lite /sbin/shorewall is the program that you use to @@ -111,7 +111,7 @@ url="Anatomy.html">Shorewall Anatomy article.
-
+
Starting, Stopping and Clearing As explained in the section.
-
+
Tracing Command Execution If you include the word trace as @@ -182,7 +182,7 @@ /usr/share/shorewall/firewall, execution of the latter program will be traced to STDERR. - + Tracing <command>shorewall start</command> To trace the execution of shorewall start and @@ -197,7 +197,7 @@
-
+
Having Shorewall Start Automatically at Boot Time The .rpm, .deb and .tgz all try to configure your startup scripts so @@ -420,7 +420,7 @@
-
+
Commands The general form of a command in Shorewall 4.0 is: diff --git a/docs/support.xml b/docs/support.xml index f67b1637c..051f388fd 100644 --- a/docs/support.xml +++ b/docs/support.xml @@ -48,7 +48,7 @@ release. -
+
Before Reporting a Problem or Asking a Question There are a number of sources of Shorewall information. Please try @@ -361,7 +361,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)
-
+
Where to Send your Problem Report or to Ask for Help If you haven't read the a #shorewall channel at irc.freenode.net.
-
+
Subscribing to the Users Mailing List To Subscribe to the users mailing list go to https://lists.sourceforge.net/lists/listinfo/shorewall-users.
-
+
Subscribing to the Announce Mailing List To Subscribe to the announce mailing list (low-traffic,read only) go @@ -405,7 +405,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006) url="https://lists.sourceforge.net/lists/listinfo/shorewall-announce">https://lists.sourceforge.net/lists/listinfo/shorewall-announce
-
+
Subscribing to the Development Mailing List To Subscribe to the development mailing list go to role="bold">Doh.......
-
+
Other Mailing Lists For information on other Shorewall mailing lists, go to -
+
Background In early March 2006, i embarked on the journey of surveying @@ -58,7 +58,7 @@ limited and harder to use than Zoomerang.
- Survey and results links + Survey and results links The survey is still open as of this writing, and can be accessed at the @@ -72,7 +72,7 @@ a link to the results is provided on the thank you page.
-
+
Sample size An important note about this survey is that it has a small sample @@ -96,7 +96,7 @@ installed base, likely far less.
-
+
Other possible inaccuracies Additionally, since the survey was open to multiple responses, it @@ -115,10 +115,10 @@
-
+
Results analysis -
+
Organisations Small organisations dominate the spectrum of Shorewall users. The @@ -175,7 +175,7 @@ Shorewall.
-
+
Users Unsurprisingly, 97% of survey respondents were male. Or to put it @@ -226,16 +226,16 @@ users, which is a concern for the future of the project.
-
+
Hardware Ninety-three percent (93%) of users run Shorewall on i386 family hardware, with a further 6% running it on x86-64/EM64T platforms. One response was received indicating use of Shorewall on MIPS (Linksys WRT platform). No responses were received for any other hardware platform. - While it is not surprising that Intel would be dominant, given - their market share, it seems a little skewed not to have any - representatives of other architectures. + While it is not surprising that Intel would be dominant, given their + market share, it seems a little skewed not to have any representatives + of other architectures. A good spread of CPU power is shown in the survey responses. The largest group was 400-999 MHz (30%), with only 16% of responses @@ -258,7 +258,7 @@ second and third at 22% and 20% respectively.
-
+
Network The majority of Shorewall systems (82%) use between two and four @@ -274,7 +274,7 @@ connection, with over half the responses (51%).
-
+
Software The most popular Linux distribution on which users run Shorewall @@ -314,7 +314,7 @@
-
+
Comments from users Following is a sample of the comments we received about the survey @@ -365,10 +365,10 @@
-
+
Lessons learned about survey technique -
+
Treat surveys like releasing free software @@ -392,7 +392,7 @@
-
+
Start small and work towards what you want to know with specific, concrete questions @@ -413,7 +413,7 @@ user systems, and doesn't present a user interface per se.
-
+
Be prepared beforehand Within hours of the survey's release, 50% of the results were in. @@ -425,7 +425,7 @@ and complete downloads of the results.
-
+
Incrementally improve your surveys The final version of this survey was released still with a few @@ -436,7 +436,7 @@
-
+
Possible implications for the Shorewall project The users we have seem, on the whole, rather experienced, and very @@ -454,7 +454,7 @@ Connect might be a good way to serve the needs of our users.
-
+
Possible implications for other free software projects @@ -472,4 +472,4 @@
- + \ No newline at end of file diff --git a/docs/three-interface.xml b/docs/three-interface.xml index d1404e4b2..7e787299e 100644 --- a/docs/three-interface.xml +++ b/docs/three-interface.xml @@ -47,7 +47,7 @@ system. -
+
Introduction Setting up a Linux system as a firewall for a small network with DMZ @@ -91,7 +91,7 @@ Here is a schematic of a typical installation. -
+
schematic of a typical installation @@ -101,7 +101,7 @@
-
+
Requirements Shorewall requires that you have the @@ -117,7 +117,7 @@ [root@gateway root]#
-
+
Before you start I recommend that you first read through the guide to familiarize @@ -149,7 +149,7 @@
-
+
Conventions Points at which configuration changes are recommended are flagged @@ -161,7 +161,7 @@
-
+
PPTP/ADSL @@ -173,7 +173,7 @@ notably in Austria.
-
+
Shorewall Concepts The configuration files for Shorewall are contained in the directory @@ -356,10 +356,10 @@ $FW net ACCEPT file and make any changes that you wish.
-
+
Network Interfaces -
+
DMZ @@ -471,7 +471,7 @@ root@lists:~#
-
+
IP Addresses Before going further, we should say a few words about Internet @@ -532,7 +532,7 @@ root@lists:~# 24 refers to the number of consecutive 1 bits from the left of the subnet mask. -
+
Example sub-network @@ -599,7 +599,7 @@ root@lists:~# The remainder of this quide will assume that you have configured your network as shown here: -
+
DMZ @@ -627,7 +627,7 @@ root@lists:~#
-
+
IP Masquerading (SNAT) The addresses reserved by RFC 1918 are sometimes referred to as @@ -731,7 +731,7 @@ DNAT net dmz:<server local IP address>[:SECTON NEW. - + You run a Web Server on DMZ Computer 2 and you want to forward incoming TCP port 80 to that system @@ -812,7 +812,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP
-
+
Domain Name Server (DNS) Normally, when you connect to your ISP, as part of getting an IP @@ -908,7 +908,7 @@ SSH/ACCEPT loc dmz Those rules allow you to run is:#ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT <source zone> <destination zone> <protocol> <port> - + You want to run a publicly-available DNS server on your firewall system @@ -956,7 +956,7 @@ ACCEPT net $FW tcp 80
-
+
Some Things to Keep in Mind @@ -1012,7 +1012,7 @@ ACCEPT net $FW tcp 80
-
+
Starting and Stopping Your Firewall @@ -1059,7 +1059,7 @@ ACCEPT net $FW tcp 80
-
+
If it Doesn't Work @@ -1084,7 +1084,7 @@ ACCEPT net $FW tcp 80
-
+
Additional Recommended Reading I highly recommend that you review the -
+
Introduction Starting with Version 2.5.5, Shorewall has builtin support for @@ -104,7 +104,7 @@ as covered by the next sections.
-
+
Linux traffic shaping and control This section gives a brief introduction of how controlling traffic @@ -213,7 +213,7 @@ connection mark value to the current packet's mark (RESTORE).
-
+
Linux Kernel Configuration You will need at least kernel 2.4.18 for this to work, please take a @@ -234,7 +234,7 @@
-
+
Enable TC support in Shorewall You need this support whether you use the builtin support or whether @@ -267,7 +267,7 @@
-
+
Using builtin traffic shaping/control Shorewall's builtin traffic shaping feature provides a thin layer on @@ -327,7 +327,7 @@ url="http://www.speedcheck.arcor.de/cgi-bin/speedcheck.cgi">arcor speed check). Be sure to choose a test located near you. -
+
/etc/shorewall/tcdevices This file allows you to define the incoming and outgoing bandwidth @@ -384,7 +384,7 @@ - + Suppose you are using PPP over Ethernet (DSL) and ppp0 is the @@ -396,7 +396,7 @@ ppp0 6000kbit 500kbit
-
+
/etc/shorewall/tcclasses This file allows you to define the actual classes that are used to @@ -499,7 +499,7 @@ ppp0 6000kbit 500kbit
-
+
/etc/shorewall/tcrules The fwmark classifier provides a convenient way to classify @@ -772,7 +772,7 @@ ppp0 6000kbit 500kbit - + All packets arriving on eth1 should be marked with 1. All @@ -786,7 +786,7 @@ ppp0 6000kbit 500kbit 3 $FW 0.0.0.0/0 all - + All GRE (protocol 47) packets not originating on the firewall @@ -796,7 +796,7 @@ ppp0 6000kbit 500kbit 12 0.0.0.0/0 155.182.235.151 47 - + All SSH request packets originating in 192.168.1.0/24 and @@ -806,7 +806,7 @@ ppp0 6000kbit 500kbit 22 192.168.1.0/24 155.182.235.151 tcp 22 - + All SSH packets packets going out of the first device in in @@ -819,7 +819,7 @@ ppp0 6000kbit 500kbit 1:110 0.0.0.0/0 0.0.0.0/0 tcp - 22 - + Mark all ICMP echo traffic with packet mark 1. Mark all peer to @@ -852,7 +852,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
-
+
ppp devices If you use ppp/pppoe/pppoa) to connect to your internet provider @@ -871,10 +871,10 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - /sbin/shorewall refresh
-
+
Real life examples -
+
Configuration to replace Wondershaper You are able to fully replace the wondershaper script by using @@ -890,14 +890,14 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - - that this is just an 1:1 replacement doing exactly what wondershaper should do. You are free to change it... -
+
tcdevices file #INTERFACE IN-BANDWITH OUT-BANDWIDTH ppp0 5000kbit 500kbit
-
+
tcclasses file #INTERFACE MARK RATE CEIL PRIORITY OPTIONS @@ -906,7 +906,7 @@ ppp0 2 9*full/10 9*full/10 2 default ppp0 3 8*full/10 8*full/10 2
-
+
tcrules file #MARK SOURCE DEST PROTO PORT(S) CLIENT USER @@ -923,7 +923,7 @@ ppp0 3 8*full/10 8*full/10 2 the example configuration files).
-
+
Setting hosts to low priority lets assume the following settings from your old wondershaper @@ -957,7 +957,7 @@ NOPRIOPORTDST="6662 6663"
-
+
A simple setup This is a simple setup for people sharing an internet connection @@ -965,7 +965,7 @@ NOPRIOPORTDST="6662 6663" between 2 hosts which have the ip addresses 192.168.2.23 and 192.168.2.42 -
+
tcdevices file #INTERFACE IN-BANDWITH OUT-BANDWIDTH @@ -974,7 +974,7 @@ ppp0 6000kbit 700kbit We have 6mbit down and 700kbit upstream.
-
+
tcclasses file #INTERFACE MARK RATE CEIL PRIORITY OPTIONS @@ -990,7 +990,7 @@ ppp0 4 90kbit 200kbit 3 default
-
+
tcrules file #MARK SOURCE DEST PROTO PORT(S) CLIENT USER @@ -1007,7 +1007,7 @@ ppp0 4 90kbit 200kbit 3 default
-
+
A Warning to Xen Users If you are running traffic shaping in your dom0 and traffic shaping @@ -1041,7 +1041,7 @@ ppp0 4 90kbit 200kbit 3 default
-
+
Using your own tc script
@@ -1077,7 +1077,7 @@ ppp0 4 90kbit 200kbit 3 default
-
+
Traffic control outside Shorewall To start traffic shaping when you bring up your network @@ -1099,7 +1099,7 @@ ppp0 4 90kbit 200kbit 3 default
-
+
Testing Tools At least one Shorewall user has found this tool helpful: -
+
<quote>shorewall start</quote> and <quote>shorewall restart</quote> Errors -
+
Shorewall-shell If you use the Shorewall-shell compiler and you receive an error @@ -78,7 +78,7 @@ - + Startup Error During startup, a user sees the following: @@ -107,7 +107,7 @@ iptables: No chain/target/match by that name
-
+
Shorewall-perl If the error is detected by the Shorewall-perl compiler, it should @@ -187,7 +187,7 @@ gateway:~/test # A look at /var/lib/shorewall/restore at line
-
+
Your Network Environment Many times when people have problems with Shorewall, the problem is @@ -222,7 +222,7 @@ gateway:~/test # A look at /var/lib/shorewall/restore at line
-
+
New Device Doesn't Work? If you have just added a new device such as VOIP and it doesn't @@ -235,7 +235,7 @@ gateway:~/test # A look at /var/lib/shorewall/restore at line url="Documentation.htm#INterfaces">/etc/shorewall/interfaces.
-
+
Connection Problems One very important thing to remember is that not all connection @@ -289,7 +289,7 @@ LOGBURST=""This way, you will see all of the log messages being generated (be sure to restart shorewall after clearing these variables). - + Log Message Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 @@ -345,7 +345,7 @@ ACCEPT dmz loc udp 53
-
+
Ping Problems Either can't ping when you think you should be able to or are able @@ -388,7 +388,7 @@ Ping/DROP net all
-
+
Some Things to Keep in Mind @@ -444,7 +444,7 @@ Ping/DROP net all
-
+
Other Gotchas @@ -503,7 +503,7 @@ Ping/DROP net all
-
+
Still Having Problems? See the Shorewall Support diff --git a/docs/two-interface.xml b/docs/two-interface.xml index 54412b81b..aa1147527 100644 --- a/docs/two-interface.xml +++ b/docs/two-interface.xml @@ -44,7 +44,7 @@ system. -
+
Introduction Setting up a Linux system as a firewall for a small network is a @@ -74,7 +74,8 @@ - Here is a schematic of a typical installation:
+ Here is a schematic of a typical installation:
Common two interface firewall configuration @@ -105,7 +106,7 @@ -
+
System Requirements Shorewall requires that you have the @@ -122,7 +123,7 @@ through it again making your configuration changes.
-
+
Conventions Points at which configuration changes are recommended are flagged @@ -134,7 +135,7 @@
-
+
PPTP/ADSL @@ -147,7 +148,7 @@ found in Europe, notably in Austria.
-
+
Shorewall Concepts @@ -331,7 +332,7 @@ $FW net ACCEPT The above policy will: and make any changes that you wish.
-
+
Network Interfaces @@ -433,7 +434,7 @@ root@lists:~#
-
+
IP Addresses Before going further, we should say a few words about Internet @@ -573,7 +574,7 @@ root@lists:~#
-
+
IP Masquerading (SNAT) The addresses reserved by RFC 1918 are sometimes referred to as @@ -677,14 +678,14 @@ DNAT net loc:<server local ip address>[: - + Web Server You run a Web Server on computer 2 and you want to forward incoming TCP port 80 to that system: #ACTION SOURCE DEST PROTO DEST PORT(S) Web/DNAT net loc:10.10.10.2 - + FTP Server You run an FTP Server on computer 1 so you @@ -737,7 +738,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000
-
+
Domain Name Server (DNS) Normally, when you connect to your ISP, as part of getting an IP @@ -821,7 +822,8 @@ SSH/ACCEPT loc $FW That rule allows you to run an systems, the general format using a macro is: #ACTION SOURCE DEST PROTO DEST PORT(S) <macro>/ACCEPT $FW <destination zone>The general format when not using defined actions is:#ACTION SOURCE DEST PROTO DEST PORT(S) -ACCEPT $FW <destination zone> <protocol> <port> +ACCEPT $FW <destination zone> <protocol> <port> Web Server on Firewall You want to run a Web Server on your firewall system: @@ -852,7 +854,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work
-
+
Some Things to Keep in Mind @@ -908,7 +910,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work
-
+
Starting and Stopping Your Firewall @@ -954,7 +956,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work
-
+
If it Doesn't Work @@ -979,7 +981,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work
-
+
Additional Recommended Reading I highly recommend that you review the
-
+
Adding a Wireless Segment to your Two-Interface Firewall Once you have the two-interface setup working, the next logical step