Last batch of mindless ID changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6698 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-06-28 22:06:10 +00:00
parent f8afc6df84
commit c35f8c48d8
26 changed files with 231 additions and 316 deletions

View File

@ -34,7 +34,7 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section id="Intro">
<title>Introduction</title> <title>Introduction</title>
<para>Shorewall version 4 is currently in development and is available for <para>Shorewall version 4 is currently in development and is available for
@ -88,7 +88,7 @@
whichever one suits you in a particular case.</para> whichever one suits you in a particular case.</para>
</section> </section>
<section> <section id="Install">
<title>Installing Shorewall Version 4</title> <title>Installing Shorewall Version 4</title>
<para>You can download the development version of Shorewall Version 4 from <para>You can download the development version of Shorewall Version 4 from
@ -129,7 +129,7 @@
Shorewall.</para> Shorewall.</para>
</section> </section>
<section> <section id="Prereqs">
<title>Prerequisites for using the Shorewall Version 4 Perl-based <title>Prerequisites for using the Shorewall Version 4 Perl-based
Compiler</title> Compiler</title>
@ -161,7 +161,7 @@
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Incompatibilities">
<title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based <title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
Compiler</title> Compiler</title>
@ -170,7 +170,7 @@
document</ulink> for details.</para> document</ulink> for details.</para>
</section> </section>
<section> <section id="CompilerSelection">
<title>Compiler Selection</title> <title>Compiler Selection</title>
<para>If you only install one compiler, then that compiler will be <para>If you only install one compiler, then that compiler will be

View File

@ -34,7 +34,7 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section id="What">
<title>Shorewall-perl - What is it?</title> <title>Shorewall-perl - What is it?</title>
<para>Shorewall-perl is a companion product to Shorewall. It requires <para>Shorewall-perl is a companion product to Shorewall. It requires
@ -76,7 +76,7 @@
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="DownSide">
<title>Shorewall-perl - The down side</title> <title>Shorewall-perl - The down side</title>
<para>While there are advantages to using Shorewall-perl, there are also <para>While there are advantages to using Shorewall-perl, there are also
@ -504,7 +504,7 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Install">
<title>Shorewall-perl - Installation</title> <title>Shorewall-perl - Installation</title>
<caution> <caution>
@ -529,10 +529,10 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
package.</para> package.</para>
</section> </section>
<section> <section id="Using">
<title>Using Shorewall-perl</title> <title>Using Shorewall-perl</title>
<section> <section id="V3.4.3">
<title>Using Shorewall-perl under Shorewall 3.4.2 and Shorewall <title>Using Shorewall-perl under Shorewall 3.4.2 and Shorewall
3.4.3</title> 3.4.3</title>
@ -557,7 +557,7 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
use be specified in <filename>shorewall.conf</filename>.</para> use be specified in <filename>shorewall.conf</filename>.</para>
</section> </section>
<section> <section id="V4.0.0">
<title>Using Shorewall-perl under Shorewall 3.4.4/4.0.0 Beta and <title>Using Shorewall-perl under Shorewall 3.4.4/4.0.0 Beta and
later.</title> later.</title>

View File

@ -40,7 +40,7 @@
3.0.0 then please see the documentation for that release</emphasis></para> 3.0.0 then please see the documentation for that release</emphasis></para>
</caution> </caution>
<section> <section id="Doesnt">
<title>Shorewall Does not:</title> <title>Shorewall Does not:</title>
<itemizedlist> <itemizedlist>
@ -90,7 +90,7 @@
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Patching">
<title>In Addition:</title> <title>In Addition:</title>
<itemizedlist> <itemizedlist>
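Review bot: the id "Patching" added here does not match the visible title "In Addition:", so a reader following a link to #Patching will land on a heading that says nothing about patching. If the list that follows is in fact about patching, the title could say so; otherwise choose an id that reflects the content. Ids become link targets for other documents, so a misleading one is harder to change later than a title.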

View File

@ -45,7 +45,7 @@
release.</emphasis></para> release.</emphasis></para>
</caution> </caution>
<section> <section id="Transparent">
<title>Squid as a Transparent (Interception) Proxy</title> <title>Squid as a Transparent (Interception) Proxy</title>
<important> <important>
@ -141,7 +141,7 @@ httpd_accel_uses_host_header on</programlisting>
</caution> </caution>
</section> </section>
<section> <section id="Configurations">
<title>Configurations</title> <title>Configurations</title>
<para>Three different configurations are covered:</para> <para>Three different configurations are covered:</para>
@ -256,7 +256,7 @@ DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.
ACCEPT Z SZ tcp SP ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80,443</programlisting> ACCEPT SZ net tcp 80,443</programlisting>
<example> <example id="Example1">
<title>Squid on the firewall listening on port 8080 with access from the <title>Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:</title> <quote>loc</quote> zone:</title>
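Review bot: "Example1" is a positional id; it stops meaning anything as soon as an example is inserted or reordered, and the same problem will apply to any "Example2" that follows. The title already names the scenario (Squid on the firewall on port 8080, access from loc), so a descriptive id such as "SquidFwPort8080" (a suggestion, not a name used in the repository) would be a more robust link target.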

View File

@ -41,7 +41,7 @@
release.</emphasis></para> release.</emphasis></para>
</caution> </caution>
<section> <section id="Background">
<title>Background</title> <title>Background</title>
<para>The traditional net-tools contain a program called <para>The traditional net-tools contain a program called
@ -52,7 +52,7 @@
class="devicefile">eth0:0</filename>) and ifconfig treats them more or class="devicefile">eth0:0</filename>) and ifconfig treats them more or
less like real interfaces.</para> less like real interfaces.</para>
<example> <example id="ifconfig">
<title>ifconfig</title> <title>ifconfig</title>
<programlisting>[root@gateway root]# <command>ifconfig eth0:0</command> <programlisting>[root@gateway root]# <command>ifconfig eth0:0</command>
@ -71,7 +71,7 @@ eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
it allows addresses to be <emphasis>labeled</emphasis> where these labels it allows addresses to be <emphasis>labeled</emphasis> where these labels
take the form of ipconfig virtual interfaces.</para> take the form of ipconfig virtual interfaces.</para>
<example> <example id="ip">
<title>ip</title> <title>ip</title>
<programlisting>[root@gateway root]# <command>ip addr show dev eth0</command> <programlisting>[root@gateway root]# <command>ip addr show dev eth0</command>
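Review bot: the unchanged context in this hunk reads "take the form of ipconfig virtual interfaces"; the paragraph is about ifconfig aliases (the preceding example is titled ifconfig and shows eth0:0), so "ipconfig" is a typo for "ifconfig" and could be corrected while the example tag is being touched.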
@ -100,7 +100,7 @@ Device "eth0:0" does not exist.
discussion below.</para> discussion below.</para>
</section> </section>
<section> <section id="Adding">
<title>Adding Addresses to Interfaces</title> <title>Adding Addresses to Interfaces</title>
<para>Most distributions have a facility for adding additional addresses <para>Most distributions have a facility for adding additional addresses
@ -143,21 +143,21 @@ iface eth0 inet static
<command>up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting> <command>up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting>
</section> </section>
<section> <section id="How">
<title>So how do I handle more than one address on an interface?</title> <title>So how do I handle more than one address on an interface?</title>
<para>The answer depends on what you are trying to do with the interfaces. <para>The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common In the sub-sections that follow, we'll take a look at common
scenarios.</para> scenarios.</para>
<section> <section id="Rules">
<title>Separate Rules</title> <title>Separate Rules</title>
<para>If you need to make a rule for traffic to/from the firewall itself <para>If you need to make a rule for traffic to/from the firewall itself
that only applies to a particular IP address, simply qualify the $FW that only applies to a particular IP address, simply qualify the $FW
zone with the IP address.</para> zone with the IP address.</para>
<example> <example id="SSH">
<title>allow SSH from net to eth0:0 above</title> <title>allow SSH from net to eth0:0 above</title>
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
@ -165,7 +165,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
</example> </example>
</section> </section>
<section> <section id="DNAT">
<title>DNAT</title> <title>DNAT</title>
<para>Suppose that I had set up eth0:0 as above and I wanted to port <para>Suppose that I had set up eth0:0 as above and I wanted to port
@ -178,7 +178,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting> DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
</section> </section>
<section> <section id="SNAT">
<title>SNAT</title> <title>SNAT</title>
<para>If you wanted to use eth0:0 as the IP address for outbound <para>If you wanted to use eth0:0 as the IP address for outbound
@ -223,7 +223,7 @@ eth0:1 = 206.124.146.179
eth0:2 = 206.124.146.180</programlisting> eth0:2 = 206.124.146.180</programlisting>
</section> </section>
<section> <section id="NAT">
<title>One-to-one NAT</title> <title>One-to-one NAT</title>
<para>If you wanted to use one-to-one NAT to link <filename <para>If you wanted to use one-to-one NAT to link <filename
@ -257,7 +257,7 @@ eth0:2 = 206.124.146.180</programlisting>
pair, you simply qualify the local zone with the internal IP pair, you simply qualify the local zone with the internal IP
address.</para> address.</para>
<example> <example id="SSH1">
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a. <title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.</title> 192.168.1.3.</title>
@ -266,7 +266,7 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
</example> </example>
</section> </section>
<section> <section id="Subnets">
<title>MULTIPLE SUBNETS</title> <title>MULTIPLE SUBNETS</title>
<para>Sometimes multiple IP addresses are used because there are <para>Sometimes multiple IP addresses are used because there are
@ -278,7 +278,7 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
consider the LAN segment itself as a zone and allow your firewall/router consider the LAN segment itself as a zone and allow your firewall/router
to route between the two subnetworks.</para> to route between the two subnetworks.</para>
<example> <example id="subnets">
<title>Local interface eth1 interfaces to 192.168.1.0/24 and <title>Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You simply want your firewall to route eth1:0 is 192.168.20.254. You simply want your firewall to route
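Review bot: the example id "subnets" added here differs only in letter case from the section id "Subnets" added two hunks earlier in this file, and the next hunk adds "subnets1". XML ids are case-sensitive, so the document remains valid, but link targets that differ only by case (or by a trailing digit) are easy to mix up in xref and ulink fragments. Consider ids that say what distinguishes the two examples, for instance "SubnetsRouted" for this one and a matching name for the separate-zones variant (suggestions, not names from the repository).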
@ -300,7 +300,7 @@ loc eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">rout
ACCEPT rules for the traffic that you want to permit.</para> ACCEPT rules for the traffic that you want to permit.</para>
</example> </example>
<example> <example id="subnets1">
<title>Local interface eth1 interfaces to 192.168.1.0/24 and <title>Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to make these subnetworks into eth1:0 is 192.168.20.254. You want to make these subnetworks into

View File

@ -38,7 +38,7 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section id="Routing">
<title>Routing vs. Firewalling.</title> <title>Routing vs. Firewalling.</title>
<para>One of the most misunderstood aspects of Shorewall is its <para>One of the most misunderstood aspects of Shorewall is its
@ -62,7 +62,7 @@
in the following sections.</para> in the following sections.</para>
</section> </section>
<section> <section id="Netfilter">
<title>Routing and Netfilter</title> <title>Routing and Netfilter</title>
<para>The following diagram shows the relationship between routing <para>The following diagram shows the relationship between routing
@ -80,7 +80,7 @@
through this maze, depending on where the packet originates. We will look through this maze, depending on where the packet originates. We will look
at each of these separately.</para> at each of these separately.</para>
<section> <section id="Ingress">
<title>Packets Entering the Firewall from Outside</title> <title>Packets Entering the Firewall from Outside</title>
<para>When a packet arrives from outside, it first undergoes Netfilter <para>When a packet arrives from outside, it first undergoes Netfilter
@ -132,7 +132,7 @@
alternate routing table.</para> alternate routing table.</para>
</section> </section>
<section> <section id="Local">
<title>Packets Originating on the Firewall</title> <title>Packets Originating on the Firewall</title>
<para>Processing of packets that originate on the firewall itself are <para>Processing of packets that originate on the firewall itself are
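Review bot: the unchanged context line "Processing of packets that originate on the firewall itself are" has a subject-verb mismatch; the subject is "Processing", so it should read "is". Optional, but cheap to fix while the section tag on the line above is being edited.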
@ -169,7 +169,7 @@
</section> </section>
</section> </section>
<section> <section id="RoutingTables">
<title>Alternate Routing Table Configuration</title> <title>Alternate Routing Table Configuration</title>
<para>The Shorewall 2.x <ulink <para>The Shorewall 2.x <ulink
@ -186,7 +186,7 @@
prior to 2.3.2.</emphasis></para> prior to 2.3.2.</emphasis></para>
</section> </section>
<section> <section id="ProxyArp">
<title>Routing and Proxy ARP</title> <title>Routing and Proxy ARP</title>
<para>There is one instance where Shorewall creates main routing table <para>There is one instance where Shorewall creates main routing table
@ -211,7 +211,7 @@
<programlisting><emphasis role="bold">ip route add 206.124.146.177 dev eth1</emphasis></programlisting> <programlisting><emphasis role="bold">ip route add 206.124.146.177 dev eth1</emphasis></programlisting>
</section> </section>
<section> <section id="MultiISP">
<title>Multiple Internet Connection Support in Shorewall 2.4.2 and <title>Multiple Internet Connection Support in Shorewall 2.4.2 and
Later</title> Later</title>

View File

@ -38,7 +38,7 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section id="Background">
<title>Background</title> <title>Background</title>
<para>Systems where Shorewall runs normally function as <para>Systems where Shorewall runs normally function as
@ -70,7 +70,7 @@
</orderedlist> </orderedlist>
</section> </section>
<section> <section id="Application">
<title>Application</title> <title>Application</title>
<para>There are cases where you want to create a bridge to join two or <para>There are cases where you want to create a bridge to join two or
@ -79,7 +79,7 @@
article.</para> article.</para>
<para>If you do need to restrict traffic through the bridge, please refer <para>If you do need to restrict traffic through the bridge, please refer
to the <ulink url="bridge.html">Shorewall Bridge/Firewall to the <ulink url="bridge-Shorewall-perl.html">Shorewall Bridge/Firewall
documentation</ulink>. Also please refer to that documentation for documentation</ulink>. Also please refer to that documentation for
information about how to create a bridge.</para> information about how to create a bridge.</para>
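Review bot: this hunk changes a link target (bridge.html to bridge-Shorewall-perl.html) rather than adding an id, so it is not covered by the commit message "Last batch of mindless ID changes"; it deserves a mention there or a separate commit. The new target is the same one the index file's Bridge/Firewall entry uses in this commit, so the two are consistent; still worth confirming that bridge.html is no longer the right document for users of the shell compiler before every reference is moved off it.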

View File

@ -34,7 +34,7 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section id="UPnP">
<title>UPnP</title> <title>UPnP</title>
<para>In Shorewall 2.2.4, support was added for UPnP (Universal Plug and <para>In Shorewall 2.2.4, support was added for UPnP (Universal Plug and
@ -78,7 +78,7 @@
<para></para> <para></para>
</section> </section>
<section> <section id="linux-igd">
<title>linux-igd Configuration</title> <title>linux-igd Configuration</title>
<para>In /etc/upnpd.conf, you will want:</para> <para>In /etc/upnpd.conf, you will want:</para>
@ -88,7 +88,7 @@ prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP</programlisting> forward_chain_name = forwardUPnP</programlisting>
</section> </section>
<section> <section id="Shorewall">
<title>Shorewall Configuration</title> <title>Shorewall Configuration</title>
<para>In <filename>/etc/shorewall/interfaces</filename>, you need the <para>In <filename>/etc/shorewall/interfaces</filename>, you need the

View File

@ -38,7 +38,7 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section id="vpn">
<title>Virtual Private Networking (VPN)</title> <title>Virtual Private Networking (VPN)</title>
<para>It is often the case that a system behind the firewall needs to be <para>It is often the case that a system behind the firewall needs to be
@ -76,7 +76,7 @@
following: only one system may connect to the remote gateway and there are following: only one system may connect to the remote gateway and there are
firewall configuration requirements as follows:</para> firewall configuration requirements as follows:</para>
<table> <table id="Table1">
<title>/etc/shorewall/rules</title> <title>/etc/shorewall/rules</title>
<tgroup cols="7"> <tgroup cols="7">
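Review bot: "Table1" is a positional id that conveys nothing about the table (a rules table for the single-client VPN case, per its title and the surrounding text). If a second table is added later the numbering becomes wrong or misleading; an id derived from the content, such as "VpnClientRules" (a suggestion, not a name from the repository), would be a better link target.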

View File

@ -38,7 +38,7 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section id="Taxonomy">
<title>Gateway-to-gateway traffic vs. Host-to-host traffic.</title> <title>Gateway-to-gateway traffic vs. Host-to-host traffic.</title>
<para>The purpose of a <firstterm>Virtual Private Network</firstterm> <para>The purpose of a <firstterm>Virtual Private Network</firstterm>
@ -91,7 +91,7 @@
</orderedlist> </orderedlist>
</section> </section>
<section> <section id="Netfilter">
<title>Relationship to Netfilter</title> <title>Relationship to Netfilter</title>
<para>When Netfilter is configured on a VPN gateway, each VPN packet goes <para>When Netfilter is configured on a VPN gateway, each VPN packet goes
@ -118,7 +118,7 @@
<graphic align="center" fileref="images/VPNBasics.png" /> <graphic align="center" fileref="images/VPNBasics.png" />
</section> </section>
<section> <section id="Shorewall">
<title>What does this mean with Shorewall?</title> <title>What does this mean with Shorewall?</title>
<para>When Shorewall is installed on a VPN gateway system, it categorizes <para>When Shorewall is installed on a VPN gateway system, it categorizes
@ -185,7 +185,7 @@
</orderedlist> </orderedlist>
</section> </section>
<section> <section id="Zones">
<title>Defining Remote Zones</title> <title>Defining Remote Zones</title>
<para>Most VPN types are implemented using a virtual network device such <para>Most VPN types are implemented using a virtual network device such
@ -209,7 +209,7 @@ loc eth1 detect
<emphasis role="bold">rem ppp0 192.168.10.0/24</emphasis></programlisting> <emphasis role="bold">rem ppp0 192.168.10.0/24</emphasis></programlisting>
</section> </section>
<section> <section id="Traffic">
<title>Allowing Traffic</title> <title>Allowing Traffic</title>
<para>Normally, you will just allow all traffic between your remote <para>Normally, you will just allow all traffic between your remote
@ -224,7 +224,7 @@ loc rem ACCEPT</programlisting>
the remote clients to/from the firewall.</para> the remote clients to/from the firewall.</para>
</section> </section>
<section> <section id="Policies">
<title>Different Firewall Policies for Different Remote Systems</title> <title>Different Firewall Policies for Different Remote Systems</title>
<para>The /etc/shorewall/hosts file comes into play when:</para> <para>The /etc/shorewall/hosts file comes into play when:</para>
@ -274,7 +274,7 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
<ulink url="IPSEC-2.6.html">kernel 2.6 native IPSEC</ulink>.</para> <ulink url="IPSEC-2.6.html">kernel 2.6 native IPSEC</ulink>.</para>
</section> </section>
<section> <section id="tunnels">
<title>Eliminating the /etc/shorewall/tunnels file</title> <title>Eliminating the /etc/shorewall/tunnels file</title>
<para>The <filename>/etc/shorewall/tunnels</filename> file provides no <para>The <filename>/etc/shorewall/tunnels</filename> file provides no
@ -285,7 +285,7 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
<filename>/etc/shorewall/tunnels</filename> can be replaced by rules for <filename>/etc/shorewall/tunnels</filename> can be replaced by rules for
some common tunnel types.</para> some common tunnel types.</para>
<section> <section id="IPSEC">
<title>IPSEC</title> <title>IPSEC</title>
<para>/<filename>etc/shorewall/tunnels</filename>:</para> <para>/<filename>etc/shorewall/tunnels</filename>:</para>
@ -316,7 +316,7 @@ ACCEPT Z2:1.2.3.4 $FW udp 500</programlisting>
are omitted.</para> are omitted.</para>
</section> </section>
<section> <section id="PPTP">
<title>PPTP</title> <title>PPTP</title>
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>
@ -341,7 +341,7 @@ ACCEPT Z1:1.2.3.4 $FW 47</programlisting>
port 1723 rule.</para> port 1723 rule.</para>
</section> </section>
<section> <section id="OpenVPN">
<title>OpenVPN</title> <title>OpenVPN</title>
<para><filename>/etc/shorewall/tunnels</filename>:</para> <para><filename>/etc/shorewall/tunnels</filename>:</para>

View File

@ -48,7 +48,7 @@
running kernel 2.6.20 or later.</para> running kernel 2.6.20 or later.</para>
</caution> </caution>
<section> <section id="Environment">
<title>Xen Network Environment</title> <title>Xen Network Environment</title>
<para><ulink <para><ulink
@ -104,7 +104,7 @@
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Dom0">
<title>Configuring Shorewall in Dom0</title> <title>Configuring Shorewall in Dom0</title>
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ <para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
@ -147,7 +147,7 @@
only have to worry about protecting the local LAN from the systems running only have to worry about protecting the local LAN from the systems running
in the DomU's.</para> in the DomU's.</para>
<section> <section id="shorewall.conf">
<title>/etc/shorewall/shorewall.conf</title> <title>/etc/shorewall/shorewall.conf</title>
<para>Because Xen uses normal Linux bridging, you must enable bridge <para>Because Xen uses normal Linux bridging, you must enable bridge
@ -158,7 +158,7 @@
</blockquote> </blockquote>
</section> </section>
<section> <section id="zonesfile">
<title>/etc/shorewall/zones</title> <title>/etc/shorewall/zones</title>
<para>One thing strange about configuring Shorewall in this environment <para>One thing strange about configuring Shorewall in this environment
@ -181,7 +181,7 @@ net ipv4 #The local LAN and beyond
</blockquote> </blockquote>
</section> </section>
<section> <section id="interfaces">
<title>/etc/shorewall/interfaces</title> <title>/etc/shorewall/interfaces</title>
<para>We must deal with two network interfaces. We must deal with the <para>We must deal with two network interfaces. We must deal with the
@ -196,7 +196,7 @@ net eth0 detect dhcp
</blockquote> </blockquote>
</section> </section>
<section> <section id="hosts">
<title>/etc/shorewall/hosts</title> <title>/etc/shorewall/hosts</title>
<para>Here we define the zones <emphasis role="bold">ursa</emphasis> and <para>Here we define the zones <emphasis role="bold">ursa</emphasis> and
@ -218,7 +218,7 @@ net xenbr0:peth0
class="devicefile">peth0</filename> port on the bridge.</para> class="devicefile">peth0</filename> port on the bridge.</para>
</section> </section>
<section> <section id="policy">
<title>/etc/shorewall/policy</title> <title>/etc/shorewall/policy</title>
<para>The policies shown here effectively isolate Domains 1...N.</para> <para>The policies shown here effectively isolate Domains 1...N.</para>
@ -237,7 +237,7 @@ all all REJECT info
</blockquote> </blockquote>
</section> </section>
<section> <section id="rules">
<title>/etc/shorewall/rules</title> <title>/etc/shorewall/rules</title>
<para>These rules determine the traffic allowed into and out of the <para>These rules determine the traffic allowed into and out of the

View File

@ -40,7 +40,7 @@
documentation for that release.</para> documentation for that release.</para>
</caution> </caution>
<section> <section id="Before">
<title>Before Xen</title> <title>Before Xen</title>
<para>Prior to adopting <ulink url="Xen.html">Xen</ulink>, I had a home <para>Prior to adopting <ulink url="Xen.html">Xen</ulink>, I had a home
@ -72,7 +72,7 @@
<para>The result was a very crowded and noisy room.</para> <para>The result was a very crowded and noisy room.</para>
</section> </section>
<section> <section id="After">
<title>After Xen</title> <title>After Xen</title>
<para>Xen has allowed me to reduce the noise and clutter considerably. I <para>Xen has allowed me to reduce the noise and clutter considerably. I

View File

@ -47,7 +47,7 @@
running kernel 2.6.20 or later.</para> running kernel 2.6.20 or later.</para>
</caution> </caution>
<section> <section id="Before">
<title>Before Xen</title> <title>Before Xen</title>
<para>Prior to adopting <ulink url="Xen.html">Xen</ulink>, I had a home <para>Prior to adopting <ulink url="Xen.html">Xen</ulink>, I had a home
@ -79,7 +79,7 @@
<para>The result was a very crowded and noisy room.</para> <para>The result was a very crowded and noisy room.</para>
</section> </section>
<section> <section id="After">
<title>After Xen</title> <title>After Xen</title>
<para>Xen has allowed me to reduce the noise and clutter considerably. I <para>Xen has allowed me to reduce the noise and clutter considerably. I

View File

@ -39,7 +39,7 @@
release.</emphasis></para> release.</emphasis></para>
</caution> </caution>
<section> <section id="Features">
<title>Features</title> <title>Features</title>
<itemizedlist> <itemizedlist>
@ -219,7 +219,7 @@
<listitem> <listitem>
<para><ulink url="bridge-Shorewall-perl.html"><emphasis <para><ulink url="bridge-Shorewall-perl.html"><emphasis
role="bold">Bridge</emphasis>/Firewall support</ulink> </para> role="bold">Bridge</emphasis>/Firewall support</ulink></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>

View File

@ -41,7 +41,7 @@
release.</emphasis></para> release.</emphasis></para>
</caution> </caution>
<section> <section id="Log">
<title>How to Log Traffic Through a Shorewall Firewall</title> <title>How to Log Traffic Through a Shorewall Firewall</title>
<para>The disposition of packets entering a Shorewall firewall is <para>The disposition of packets entering a Shorewall firewall is
@ -95,7 +95,7 @@
</orderedlist> </orderedlist>
</section> </section>
<section> <section id="Where">
<title>Where the Traffic is Logged and How to Change the <title>Where the Traffic is Logged and How to Change the
Destination</title> Destination</title>
@ -113,7 +113,7 @@
<emphasis>level</emphasis> is the term used by NetFilter. The syslog <emphasis>level</emphasis> is the term used by NetFilter. The syslog
documentation uses the term <emphasis>priority</emphasis>.</para> documentation uses the term <emphasis>priority</emphasis>.</para>
<section> <section id="Levels">
<title>Syslog Levels</title> <title>Syslog Levels</title>
<para>Syslog levels are a method of describing to syslog (8) the <para>Syslog levels are a method of describing to syslog (8) the
@ -165,7 +165,7 @@
Shorewall messages written to the console.</para> Shorewall messages written to the console.</para>
</section> </section>
<section> <section id="ULOG">
<title>Configuring a Separate Log for Shorewall Messages (ulogd)</title> <title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
<para>There are a couple of limitations to syslogd-based logging:</para> <para>There are a couple of limitations to syslogd-based logging:</para>
@ -232,7 +232,7 @@ gateway:/etc/shorewall# </programl
</section> </section>
</section> </section>
<section> <section id="Syslog-ng">
<title>Syslog-ng</title> <title>Syslog-ng</title>
<para><ulink <para><ulink
@ -240,7 +240,7 @@ gateway:/etc/shorewall# </programl
is a post describing configuring syslog-ng to work with Shorewall.</para> is a post describing configuring syslog-ng to work with Shorewall.</para>
</section> </section>
<section> <section id="Contents">
<title>Understanding the Contents of Shorewall Log Messages</title> <title>Understanding the Contents of Shorewall Log Messages</title>
<para>For general information on the contents of Netfilter log messages, <para>For general information on the contents of Netfilter log messages,

View File

@ -39,7 +39,7 @@
release.</emphasis></para> release.</emphasis></para>
</caution> </caution>
<section> <section id="Requirements">
<title>Shorewall Requires:</title> <title>Shorewall Requires:</title>
<itemizedlist> <itemizedlist>
@ -93,7 +93,7 @@
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Perl">
<title>Shorewall-perl Requirements</title> <title>Shorewall-perl Requirements</title>
<para><ulink url="Shorewall-perl.html">Shorewall-perl</ulink> is a <para><ulink url="Shorewall-perl.html">Shorewall-perl</ulink> is a
@ -101,6 +101,6 @@
It is much faster than the classic Shorewall-shell compiler and produces a It is much faster than the classic Shorewall-shell compiler and produces a
firewall script that runs much faster. It's prerequisites are described in firewall script that runs much faster. It's prerequisites are described in
<ulink url="Shorewall-perl.html#Prerequisites">the Shorewall-perl <ulink url="Shorewall-perl.html#Prerequisites">the Shorewall-perl
article</ulink>. </para> article</ulink>.</para>
</section> </section>
</article> </article>
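Review bot: the unchanged context contains "It's prerequisites are described in", which should read "Its prerequisites". Separately, the link targets Shorewall-perl.html#Prerequisites, but the ids this commit adds to the Shorewall-perl document are "What", "DownSide", "Install", "Using", "V3.4.3" and "V4.0.0"; please confirm that a "Prerequisites" id exists in a part of that file not shown in this diff, otherwise the fragment is dangling.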

View File

@ -49,7 +49,7 @@
<para>The Russian Translations are courtesy of Alex at tut.by.</para> <para>The Russian Translations are courtesy of Alex at tut.by.</para>
<section> <section id="Before">
<title>Before You Start</title> <title>Before You Start</title>
<para>Please read the short article <ulink <para>Please read the short article <ulink
@ -63,7 +63,7 @@
<para>These guides provide step-by-step instructions for configuring <para>These guides provide step-by-step instructions for configuring
Shorewall in common firewall setups.</para> Shorewall in common firewall setups.</para>
<section> <section id="Single">
<title>If you want the firewall system to handle a <emphasis <title>If you want the firewall system to handle a <emphasis
role="bold">single public IP address</emphasis></title> role="bold">single public IP address</emphasis></title>
@ -98,7 +98,7 @@
</itemizedlist></para> </itemizedlist></para>
</section> </section>
<section> <section id="Multi">
<title>If you want the firewall system to handle more than one public IP <title>If you want the firewall system to handle more than one public IP
address</title> address</title>

View File

@ -126,12 +126,12 @@
instructions.</para> instructions.</para>
<para>Shorewall views the network where it is running as being composed of <para>Shorewall views the network where it is running as being composed of
a set of zones. A zone is one or more hosts, which can be defined a set of zones. A zone is one or more hosts, which can be defined as
as individual hosts or networks in individual hosts or networks in <filename
<filename class="directory">/etc/shorewall/hosts</filename>, or as class="directory">/etc/shorewall/hosts</filename>, or as an entire
an entire interface in <filename interface in <filename
class="directory">/etc/shorewall/interfaces</filename>. In this class="directory">/etc/shorewall/interfaces</filename>. In this guide, we
guide, we will use the following zones:</para> will use the following zones:</para>
<variablelist> <variablelist>
<varlistentry> <varlistentry>
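Review bot: both <filename> elements in the rewrapped paragraph carry class="directory", yet /etc/shorewall/hosts and /etc/shorewall/interfaces are files, not directories; the class attribute should be dropped on both. Also, the rewrap itself is whitespace-only and unrelated to the id work, so it adds review noise to a commit described as id changes; if it is kept, the class fix is a good candidate to ride along with it.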
@ -432,7 +432,7 @@ dmz eth2 detect</programlisting>
than one interface, simply include one entry for each interface and repeat than one interface, simply include one entry for each interface and repeat
the zone name as many times as necessary.</para> the zone name as many times as necessary.</para>
<example> <example id="multi">
<title>Multiple Interfaces to a Zone</title> <title>Multiple Interfaces to a Zone</title>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS <programlisting>#ZONE INTERFACE BROADCAST OPTIONS
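Review bot: id casing is mixed in this file after this commit (`multi`, `vlsm`, `degenerate` alongside `Logs`, `Subnet`, `ARP`, `NAT`), and the index document earlier in the commit uses `Multi` for a section; ids are case-sensitive, so settle on one convention per file to keep `linkend` values predictable for anyone cross-referencing these examples.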
@ -555,7 +555,7 @@ loc eth2 detect</programlisting>
subnet sizes, the size and its base-2 logarithm are given in the subnet sizes, the size and its base-2 logarithm are given in the
following table:</para> following table:</para>
<table> <table id="Logs">
<title>Base-2 Logarithms</title> <title>Base-2 Logarithms</title>
<tgroup cols="3"> <tgroup cols="3">
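Review bot: `id="Logs"` on the Base-2 Logarithms table reads as a reference to log files rather than logarithms; a name such as `Log2` or `Logarithms` would be unambiguous for anyone writing a `<link linkend=...>` to this table and would match the descriptive ids (`vlsm`, `Subnet`, `degenerate`) used for the neighbouring tables.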
@ -689,7 +689,7 @@ loc eth2 detect</programlisting>
size n. From the above table, we can derive the following one which is a size n. From the above table, we can derive the following one which is a
little easier to use.</para> little easier to use.</para>
<table> <table id="vlsm">
<title>VLSM</title> <title>VLSM</title>
<tgroup cols="3"> <tgroup cols="3">
@ -849,7 +849,7 @@ loc eth2 detect</programlisting>
<quote><emphasis role="bold">a.b.c.d/v</emphasis></quote> using <quote><emphasis role="bold">a.b.c.d/v</emphasis></quote> using
<emphasis>CIDR Notation</emphasis>. Example:</para> <emphasis>CIDR Notation</emphasis>. Example:</para>
<table> <table id="Subnet">
<title>Subnet</title> <title>Subnet</title>
<tgroup cols="2"> <tgroup cols="2">
@ -891,7 +891,7 @@ loc eth2 detect</programlisting>
<para>There are two degenerate subnets that need mentioning; namely, the <para>There are two degenerate subnets that need mentioning; namely, the
subnet with one member and the subnet with 2 ** 32 members.</para> subnet with one member and the subnet with 2 ** 32 members.</para>
<table> <table id="degenerate">
<title>/32 and /0</title> <title>/32 and /0</title>
<tgroup cols="4"> <tgroup cols="4">
@ -945,7 +945,7 @@ loc eth2 detect</programlisting>
address <emphasis role="bold">a.b.c.d</emphasis> and with the netmask address <emphasis role="bold">a.b.c.d</emphasis> and with the netmask
that corresponds to VLSM /<emphasis role="bold">v</emphasis>.</para> that corresponds to VLSM /<emphasis role="bold">v</emphasis>.</para>
<example> <example id="Example0">
<title>192.0.2.65/29</title> <title>192.0.2.65/29</title>
<para>The interface is configured with IP address 192.0.2.65 and <para>The interface is configured with IP address 192.0.2.65 and
@ -955,7 +955,7 @@ loc eth2 detect</programlisting>
<para>/sbin/shorewall supports an ipcalc command that automatically <para>/sbin/shorewall supports an ipcalc command that automatically
calculates information about a [sub]network.</para> calculates information about a [sub]network.</para>
<example> <example id="Example1">
<title>Using the <command>ipcalc </command>command</title> <title>Using the <command>ipcalc </command>command</title>
<programlisting>shorewall ipcalc 10.10.10.0/25 <programlisting>shorewall ipcalc 10.10.10.0/25
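Review bot: in the context line `<title>Using the <command>ipcalc </command>command</title>` the trailing space sits inside the `<command>` element; it belongs outside (`<command>ipcalc</command> command`), as the Example2 title in the next hunk already has it, and since this hunk is being touched it can be fixed here. The two examples also carry the same title, so an `<xref>` to `Example1` or `Example2` renders identically; titling them by argument form (CIDR versus address plus netmask) would let a reader tell them apart.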
@ -966,7 +966,7 @@ loc eth2 detect</programlisting>
</programlisting> </programlisting>
</example> </example>
<example> <example id="Example2">
<title>Using the <command>ipcalc</command> command</title> <title>Using the <command>ipcalc</command> command</title>
<programlisting>shorewall ipcalc 10.10.10.0 255.255.255.128 <programlisting>shorewall ipcalc 10.10.10.0 255.255.255.128
@ -1075,8 +1075,8 @@ Destination Gateway Genmask Flgs MSS Win irtt Iface
requests -- they are totally independent.</para> requests -- they are totally independent.</para>
</section> </section>
<section> <section id="ARP">
<title id="ARP">Address Resolution Protocol (ARP)</title> <title>Address Resolution Protocol (ARP)</title>
<para>When sending packets over Ethernet, IP addresses aren't used. <para>When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <emphasis>Media Access Rather Ethernet addressing is based on <emphasis>Media Access
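Review bot: moving the id from `<title id="ARP">` to `<section id="ARP">` keeps the id string, so any existing `linkend="ARP"` reference still resolves and now targets the section rather than just its title, which is what `xref` and `olink` expect. The same treatment should be applied everywhere in this commit, including the survey article hunk that instead adds `<title id="Survey">` to a title.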
@ -1580,8 +1580,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
rather than with the firewall's eth0.</para> rather than with the firewall's eth0.</para>
</section> </section>
<section> <section id="NAT">
<title id="NAT">One-to-one NAT</title> <title>One-to-one NAT</title>
<para>With one-to-one NAT, you assign local systems RFC 1918 addresses <para>With one-to-one NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public then establish a one-to-one mapping between those addresses and public
@ -2336,7 +2336,7 @@ foobar.net. 86400 IN A 192.0.2.177
86400 IN MX 1 &lt;backup MX&gt;.</programlisting> 86400 IN MX 1 &lt;backup MX&gt;.</programlisting>
</section> </section>
<section> <section id="Other">
<title>Some Things to Keep in Mind</title> <title>Some Things to Keep in Mind</title>
<itemizedlist> <itemizedlist>
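Review bot: `id="Other"` is assigned in this commit to sections with different meanings in different files (here "Some Things to Keep in Mind", elsewhere "Additional Recommended Reading" and "Other Mailing Lists"); per-file uniqueness is satisfied, but a non-descriptive id like this is easy to confuse when building `olink` targets across documents, so an id derived from the title (for example `KeepInMind`) would be safer.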

View File

@ -47,7 +47,7 @@
system.</emphasis></para> system.</emphasis></para>
</caution> </caution>
<section> <section id="Introduction">
<title>Introduction</title> <title>Introduction</title>
<para>Setting up Shorewall on a standalone Linux system is very easy if <para>Setting up Shorewall on a standalone Linux system is very easy if
@ -74,7 +74,7 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<section> <section id="System">
<title>System Requirements</title> <title>System Requirements</title>
<para>Shorewall requires that you have the <para>Shorewall requires that you have the
@ -90,7 +90,7 @@
[root@gateway root]#</programlisting> [root@gateway root]#</programlisting>
</section> </section>
<section> <section id="Before">
<title>Before you start</title> <title>Before you start</title>
<para>I recommend that you read through the guide first to familiarize <para>I recommend that you read through the guide first to familiarize
@ -121,7 +121,7 @@
</caution> </caution>
</section> </section>
<section> <section id="Conventions">
<title>Conventions</title> <title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged <para>Points at which configuration changes are recommended are flagged
@ -130,7 +130,7 @@
</section> </section>
</section> </section>
<section> <section id="PPTP">
<title>PPTP/ADSL</title> <title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -143,7 +143,7 @@
found in Europe, notably in Austria.</para> found in Europe, notably in Austria.</para>
</section> </section>
<section> <section id="Concepts">
<title>Shorewall Concepts</title> <title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -311,7 +311,7 @@ all all REJECT info</programlisting>
and make any changes that you wish.</para> and make any changes that you wish.</para>
</section> </section>
<section> <section id="External">
<title>External Interface</title> <title>External Interface</title>
<para>The firewall has a single network interface. Where Internet <para>The firewall has a single network interface. Where Internet
@ -377,7 +377,7 @@ root@lists:~# </programlisting>
</tip> </tip>
</section> </section>
<section> <section id="Addresses">
<title>IP Addresses</title> <title>IP Addresses</title>
<para>Before going further, we should say a few words about <para>Before going further, we should say a few words about
@ -455,7 +455,7 @@ root@lists:~# </programlisting>
role="bold">SECTION NEW.</emphasis></para> role="bold">SECTION NEW.</emphasis></para>
</important> </important>
<example> <example id="Example1">
<title>You want to run a Web Server and a IMAP Server on your firewall <title>You want to run a Web Server and a IMAP Server on your firewall
system:</title> system:</title>
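Review bot: the context title `You want to run a Web Server and a IMAP Server on your firewall system:` should read `an IMAP Server`; the identical title is repeated for `Example2` in the next hunk, so both need the fix, and two examples with the same title make any `<xref>` to them indistinguishable.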
@ -472,7 +472,7 @@ IMAP/ACCEPT net $FW</programlisting>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting> ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example> <example id="Example2">
<title>You want to run a Web Server and a IMAP Server on your firewall <title>You want to run a Web Server and a IMAP Server on your firewall
system:</title> system:</title>
@ -499,7 +499,7 @@ SSH/ACCEPT net $FW </programlisting>
other connections as desired.</para> other connections as desired.</para>
</section> </section>
<section> <section id="Starting">
<title>Starting and Stopping Your Firewall</title> <title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -549,7 +549,7 @@ SSH/ACCEPT net $FW </programlisting>
</warning> </warning>
</section> </section>
<section> <section id="Problems">
<title>If it Doesn't Work</title> <title>If it Doesn't Work</title>
<itemizedlist> <itemizedlist>
@ -574,7 +574,7 @@ SSH/ACCEPT net $FW </programlisting>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Other">
<title>Additional Recommended Reading</title> <title>Additional Recommended Reading</title>
<para>I highly recommend that you review the <ulink <para>I highly recommend that you review the <ulink
@ -582,91 +582,4 @@ SSH/ACCEPT net $FW </programlisting>
page</ulink> -- it contains helpful tips about Shorewall features than page</ulink> -- it contains helpful tips about Shorewall features than
make administering your firewall easier.</para> make administering your firewall easier.</para>
</section> </section>
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>2.0</revnumber>
<date>2005-09-12</date>
<authorinitials>TE</authorinitials>
<revremark>More 3.0 Updates</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2005-09-02</date>
<authorinitials>CR</authorinitials>
<revremark>Update for Shorewall 3.0</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2005-07-12</date>
<authorinitials>TE</authorinitials>
<revremark>Change reference to rfc1918 to bogons.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-16</date>
<authorinitials>TE</authorinitials>
<revremark>Move /etc/shorewall/rfc1918 to
/usr/share/shorewall.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-02-05</date>
<authorinitials>TE</authorinitials>
<revremark>Update for Shorewall 2.0</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-01-05</date>
<authorinitials>TE</authorinitials>
<revremark>Standards Changes</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-12-30</date>
<authorinitials>TE</authorinitials>
<revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2003-11-15</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook Conversion</revremark>
</revision>
</revhistory></para>
</appendix>
</article> </article>
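Review bot: this hunk deletes the entire Revision History appendix (revisions 1.3 through 2.0, dated 2003-11-15 to 2005-09-12) while the commit message says only "mindless ID changes"; if retiring the revhistory is intended, say so in the message or split it into its own commit so the removal can be found later. In the retained context line, `helpful tips about Shorewall features than make administering your firewall easier` should read `that make`.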

View File

@ -47,7 +47,7 @@
release</emphasis>.</para> release</emphasis>.</para>
</caution> </caution>
<section> <section id="CLI">
<title>/sbin/shorewall and /sbin/shorewall-lite</title> <title>/sbin/shorewall and /sbin/shorewall-lite</title>
<para><filename>/sbin/shorewall</filename> is the program that you use to <para><filename>/sbin/shorewall</filename> is the program that you use to
@ -111,7 +111,7 @@
url="Anatomy.html">Shorewall Anatomy article</ulink>.</para> url="Anatomy.html">Shorewall Anatomy article</ulink>.</para>
</section> </section>
<section> <section id="Starting">
<title>Starting, Stopping and Clearing</title> <title>Starting, Stopping and Clearing</title>
<para>As explained in the <ulink <para>As explained in the <ulink
@ -173,7 +173,7 @@
State Diagram</link> section.</para> State Diagram</link> section.</para>
</section> </section>
<section> <section id="Trace">
<title>Tracing Command Execution</title> <title>Tracing Command Execution</title>
<para>If you include the word <emphasis role="bold">trace</emphasis> as <para>If you include the word <emphasis role="bold">trace</emphasis> as
@ -182,7 +182,7 @@
<filename>/usr/share/shorewall/firewall</filename>, execution of the <filename>/usr/share/shorewall/firewall</filename>, execution of the
latter program will be traced to STDERR.</para> latter program will be traced to STDERR.</para>
<example> <example id="trace">
<title>Tracing <command>shorewall start</command></title> <title>Tracing <command>shorewall start</command></title>
<para>To trace the execution of <command>shorewall start</command> and <para>To trace the execution of <command>shorewall start</command> and
@ -197,7 +197,7 @@
</example> </example>
</section> </section>
<section> <section id="Boot">
<title>Having Shorewall Start Automatically at Boot Time</title> <title>Having Shorewall Start Automatically at Boot Time</title>
<para>The .rpm, .deb and .tgz all try to configure your startup scripts so <para>The .rpm, .deb and .tgz all try to configure your startup scripts so
@ -420,7 +420,7 @@
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Commands">
<title>Commands</title> <title>Commands</title>
<para>The general form of a command in Shorewall 4.0 is:</para> <para>The general form of a command in Shorewall 4.0 is:</para>

View File

@ -48,7 +48,7 @@
release.</emphasis></para> release.</emphasis></para>
</caution> </caution>
<section> <section id="First">
<title>Before Reporting a Problem or Asking a Question</title> <title>Before Reporting a Problem or Asking a Question</title>
<para>There are a number of sources of Shorewall information. Please try <para>There are a number of sources of Shorewall information. Please try
@ -361,7 +361,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Where">
<title>Where to Send your Problem Report or to Ask for Help</title> <title>Where to Send your Problem Report or to Ask for Help</title>
<para><emphasis role="bold">If you haven't read the <link <para><emphasis role="bold">If you haven't read the <link
@ -388,14 +388,14 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
a #shorewall channel at irc.freenode.net.</para> a #shorewall channel at irc.freenode.net.</para>
</section> </section>
<section> <section id="Users">
<title>Subscribing to the Users Mailing List</title> <title>Subscribing to the Users Mailing List</title>
<para>To Subscribe to the users mailing list go to <ulink <para>To Subscribe to the users mailing list go to <ulink
url="https://lists.sourceforge.net/lists/listinfo/shorewall-users">https://lists.sourceforge.net/lists/listinfo/shorewall-users</ulink>.</para> url="https://lists.sourceforge.net/lists/listinfo/shorewall-users">https://lists.sourceforge.net/lists/listinfo/shorewall-users</ulink>.</para>
</section> </section>
<section> <section id="Announce">
<title>Subscribing to the Announce Mailing List</title> <title>Subscribing to the Announce Mailing List</title>
<para>To Subscribe to the announce mailing list (low-traffic,read only) go <para>To Subscribe to the announce mailing list (low-traffic,read only) go
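Review bot: the context line `(low-traffic,read only)` is missing the space after the comma and should read `(low-traffic, read-only)`; since the hunk is already touched, fix it here.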
@ -405,7 +405,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
url="https://lists.sourceforge.net/lists/listinfo/shorewall-announce">https://lists.sourceforge.net/lists/listinfo/shorewall-announce</ulink></para> url="https://lists.sourceforge.net/lists/listinfo/shorewall-announce">https://lists.sourceforge.net/lists/listinfo/shorewall-announce</ulink></para>
</section> </section>
<section> <section id="Devel">
<title>Subscribing to the Development Mailing List</title> <title>Subscribing to the Development Mailing List</title>
<para>To Subscribe to the development mailing list go to <ulink <para>To Subscribe to the development mailing list go to <ulink
@ -420,7 +420,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
role="bold">Doh.......</emphasis></para> role="bold">Doh.......</emphasis></para>
</section> </section>
<section> <section id="Other">
<title>Other Mailing Lists</title> <title>Other Mailing Lists</title>
<para>For information on other Shorewall mailing lists, go to <ulink <para>For information on other Shorewall mailing lists, go to <ulink

View File

@ -34,7 +34,7 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section id="Background">
<title>Background</title> <title>Background</title>
<para>In early March 2006, i embarked on the journey of surveying <para>In early March 2006, i embarked on the journey of surveying
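Review bot: the context line `In early March 2006, i embarked on the journey` has a lowercase pronoun; it should read `I embarked`.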
@ -58,7 +58,7 @@
limited and harder to use than Zoomerang.</para> limited and harder to use than Zoomerang.</para>
<section> <section>
<title>Survey and results links</title> <title id="Survey">Survey and results links</title>
<para>The survey is still open as of this writing, and can be accessed <para>The survey is still open as of this writing, and can be accessed
at <ulink url="http://www.zoomerang.com/survey.zgi?p=WEB2253NNBCN44">the at <ulink url="http://www.zoomerang.com/survey.zgi?p=WEB2253NNBCN44">the
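Review bot: this hunk puts `id="Survey"` on the `<title>` instead of on the enclosing `<section>`, the opposite of what the rest of the commit does (the ARP and NAT hunks move ids off titles onto sections). A link to a title id targets only the title element, and the sibling `Sample`, `Factors` and `Results` sections in this file all carry the id on `<section>`, so change it to `<section id="Survey">` with a plain `<title>`.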
@ -72,7 +72,7 @@
a link to the results is provided on the thank you page.</para> a link to the results is provided on the thank you page.</para>
</section> </section>
<section> <section id="Sample">
<title>Sample size</title> <title>Sample size</title>
<para>An important note about this survey is that it has a small sample <para>An important note about this survey is that it has a small sample
@ -96,7 +96,7 @@
installed base, likely far less.</para> installed base, likely far less.</para>
</section> </section>
<section> <section id="Factors">
<title>Other possible inaccuracies</title> <title>Other possible inaccuracies</title>
<para>Additionally, since the survey was open to multiple responses, it <para>Additionally, since the survey was open to multiple responses, it
@ -115,10 +115,10 @@
</section> </section>
</section> </section>
<section> <section id="Results">
<title>Results analysis</title> <title>Results analysis</title>
<section> <section id="Org">
<title>Organisations</title> <title>Organisations</title>
<para>Small organisations dominate the spectrum of Shorewall users. The <para>Small organisations dominate the spectrum of Shorewall users. The
@ -175,7 +175,7 @@
Shorewall.</para> Shorewall.</para>
</section> </section>
<section> <section id="Users">
<title>Users</title> <title>Users</title>
<para>Unsurprisingly, 97% of survey respondents were male. Or to put it <para>Unsurprisingly, 97% of survey respondents were male. Or to put it
@ -226,16 +226,16 @@
users, which is a concern for the future of the project.</para> users, which is a concern for the future of the project.</para>
</section> </section>
<section> <section id="Hardware">
<title>Hardware</title> <title>Hardware</title>
<para>Ninety-three percent (93%) of users run Shorewall on i386 family <para>Ninety-three percent (93%) of users run Shorewall on i386 family
hardware, with a further 6% running it on x86-64/EM64T platforms. One hardware, with a further 6% running it on x86-64/EM64T platforms. One
response was received indicating use of Shorewall on MIPS (Linksys WRT response was received indicating use of Shorewall on MIPS (Linksys WRT
platform). No responses were received for any other hardware platform. platform). No responses were received for any other hardware platform.
While it is not surprising that Intel would be dominant, given While it is not surprising that Intel would be dominant, given their
their market share, it seems a little skewed not to have any market share, it seems a little skewed not to have any representatives
representatives of other architectures.</para> of other architectures.</para>
<para>A good spread of CPU power is shown in the survey responses. The <para>A good spread of CPU power is shown in the survey responses. The
largest group was 400-999 MHz (30%), with only 16% of responses largest group was 400-999 MHz (30%), with only 16% of responses
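Review bot: the hardware paragraph is reflowed with no change in wording (`While it is not surprising that Intel would be dominant, given their market share, it seems a little skewed not to have any representatives of other architectures.`), which adds whitespace-only noise to a commit about ids; keep the old line breaks or do the reflow in a separate commit.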
@ -258,7 +258,7 @@
second and third at 22% and 20% respectively.</para> second and third at 22% and 20% respectively.</para>
</section> </section>
<section> <section id="Network">
<title>Network</title> <title>Network</title>
<para>The majority of Shorewall systems (82%) use between two and four <para>The majority of Shorewall systems (82%) use between two and four
@ -274,7 +274,7 @@
connection, with over half the responses (51%).</para> connection, with over half the responses (51%).</para>
</section> </section>
<section> <section id="Software">
<title>Software</title> <title>Software</title>
<para>The most popular Linux distribution on which users run Shorewall <para>The most popular Linux distribution on which users run Shorewall
@ -314,7 +314,7 @@
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Comments">
<title>Comments from users</title> <title>Comments from users</title>
<para>Following is a sample of the comments we received about the survey <para>Following is a sample of the comments we received about the survey
@ -365,10 +365,10 @@
</section> </section>
</section> </section>
<section> <section id="Lessons">
<title>Lessons learned about survey technique</title> <title>Lessons learned about survey technique</title>
<section> <section id="Approach1">
<title>Treat surveys like releasing free software</title> <title>Treat surveys like releasing free software</title>
<itemizedlist> <itemizedlist>
@ -392,7 +392,7 @@
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Approach2">
<title>Start small and work towards what you want to know with specific, <title>Start small and work towards what you want to know with specific,
concrete questions</title> concrete questions</title>
@ -413,7 +413,7 @@
user systems, and doesn't present a user interface per se.</para> user systems, and doesn't present a user interface per se.</para>
</section> </section>
<section> <section id="Approach3">
<title>Be prepared beforehand</title> <title>Be prepared beforehand</title>
<para>Within hours of the survey's release, 50% of the results were in. <para>Within hours of the survey's release, 50% of the results were in.
@ -425,7 +425,7 @@
and complete downloads of the results.</para> and complete downloads of the results.</para>
</section> </section>
<section> <section id="Approach4">
<title>Incrementally improve your surveys</title> <title>Incrementally improve your surveys</title>
<para>The final version of this survey was released still with a few <para>The final version of this survey was released still with a few
@ -436,7 +436,7 @@
</section> </section>
</section> </section>
<section> <section id="Implications1">
<title>Possible implications for the Shorewall project</title> <title>Possible implications for the Shorewall project</title>
<para>The users we have seem, on the whole, rather experienced, and very <para>The users we have seem, on the whole, rather experienced, and very
@ -454,7 +454,7 @@
Connect might be a good way to serve the needs of our users.</para> Connect might be a good way to serve the needs of our users.</para>
</section> </section>
<section> <section id="Implications2">
<title>Possible implications for other free software projects</title> <title>Possible implications for other free software projects</title>
<itemizedlist> <itemizedlist>

View File

@ -47,7 +47,7 @@
system.</emphasis></para> system.</emphasis></para>
</caution> </caution>
<section> <section id="Intro">
<title>Introduction</title> <title>Introduction</title>
<para>Setting up a Linux system as a firewall for a small network with DMZ <para>Setting up a Linux system as a firewall for a small network with DMZ
@ -91,7 +91,7 @@
<para>Here is a schematic of a typical installation.</para> <para>Here is a schematic of a typical installation.</para>
<figure> <figure id="Figure1">
<title>schematic of a typical installation</title> <title>schematic of a typical installation</title>
<mediaobject> <mediaobject>
@ -101,7 +101,7 @@
</mediaobject> </mediaobject>
</figure> </figure>
<section> <section id="Reqs">
<title>Requirements</title> <title>Requirements</title>
<para>Shorewall requires that you have the <para>Shorewall requires that you have the
@ -117,7 +117,7 @@
[root@gateway root]#</programlisting> [root@gateway root]#</programlisting>
</section> </section>
<section> <section id="Before">
<title>Before you start</title> <title>Before you start</title>
<para>I recommend that you first read through the guide to familiarize <para>I recommend that you first read through the guide to familiarize
@ -149,7 +149,7 @@
</caution> </caution>
</section> </section>
<section> <section id="Conventions">
<title>Conventions</title> <title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged <para>Points at which configuration changes are recommended are flagged
@ -161,7 +161,7 @@
</section> </section>
</section> </section>
<section> <section id="PPTP">
<title>PPTP/ADSL</title> <title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -173,7 +173,7 @@
notably in Austria.</para> notably in Austria.</para>
</section> </section>
<section> <section id="Concepts">
<title>Shorewall Concepts</title> <title>Shorewall Concepts</title>
<para>The configuration files for Shorewall are contained in the directory <para>The configuration files for Shorewall are contained in the directory
@ -356,10 +356,10 @@ $FW net ACCEPT</programlisting>
file and make any changes that you wish.</para> file and make any changes that you wish.</para>
</section> </section>
<section> <section id="Interfaces">
<title>Network Interfaces</title> <title>Network Interfaces</title>
<figure> <figure id="Figure2">
<title>DMZ</title> <title>DMZ</title>
<mediaobject> <mediaobject>
@ -471,7 +471,7 @@ root@lists:~# </programlisting>
</tip> </tip>
</section> </section>
<section> <section id="Addresses">
<title>IP Addresses</title> <title>IP Addresses</title>
<para>Before going further, we should say a few words about Internet <para>Before going further, we should say a few words about Internet
@ -532,7 +532,7 @@ root@lists:~# </programlisting>
<varname>24</varname> refers to the number of consecutive <quote>1</quote> <varname>24</varname> refers to the number of consecutive <quote>1</quote>
bits from the left of the subnet mask.</para> bits from the left of the subnet mask.</para>
<table> <table id="Table1">
<title>Example sub-network</title> <title>Example sub-network</title>
<tgroup cols="2"> <tgroup cols="2">
@ -599,7 +599,7 @@ root@lists:~# </programlisting>
<para>The remainder of this quide will assume that you have configured <para>The remainder of this quide will assume that you have configured
your network as shown here:</para> your network as shown here:</para>
<figure> <figure id="Figure3">
<title>DMZ</title> <title>DMZ</title>
<mediaobject> <mediaobject>
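Review bot: the context line `The remainder of this quide will assume` misspells `guide`; fix it in passing since the hunk is touched. Also `Figure2` and `Figure3` both carry the title `DMZ`, so an `<xref>` to either renders the same text; distinct titles, or ids that say what each figure shows, would help readers and future editors.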
@ -627,7 +627,7 @@ root@lists:~# </programlisting>
</figure> </figure>
</section> </section>
<section> <section id="SNAT">
<title>IP Masquerading (SNAT)</title> <title>IP Masquerading (SNAT)</title>
<para>The addresses reserved by RFC 1918 are sometimes referred to as <para>The addresses reserved by RFC 1918 are sometimes referred to as
@ -731,7 +731,7 @@ DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<e
role="bold">SECTON NEW.</emphasis></para> role="bold">SECTON NEW.</emphasis></para>
</important> </important>
<example> <example id="Example1">
<title>You run a Web Server on DMZ Computer 2 and you want to forward <title>You run a Web Server on DMZ Computer 2 and you want to forward
incoming TCP port 80 to that system</title> incoming TCP port 80 to that system</title>
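Review bot: the context line `<emphasis role="bold">SECTON NEW.</emphasis>` misspells `SECTION`; the equivalent line in the standalone guide in this same commit has `SECTION NEW.`, so bring this one into line while the hunk is open.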
@ -812,7 +812,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
</important> </important>
</section> </section>
<section> <section id="DNS">
<title>Domain Name Server (DNS)</title> <title>Domain Name Server (DNS)</title>
<para>Normally, when you connect to your ISP, as part of getting an IP <para>Normally, when you connect to your ISP, as part of getting an IP
@ -908,7 +908,7 @@ SSH/ACCEPT loc dmz </programlisting>Those rules allow you to run
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt; </emphasis></programlisting></para> ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt; </emphasis></programlisting></para>
<example> <example id="Example2">
<title>You want to run a publicly-available DNS server on your firewall <title>You want to run a publicly-available DNS server on your firewall
system</title> system</title>
@ -956,7 +956,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
remove other connections as required.</para> remove other connections as required.</para>
</section> </section>
<section> <section id="Other">
<title>Some Things to Keep in Mind</title> <title>Some Things to Keep in Mind</title>
<itemizedlist> <itemizedlist>
@ -1012,7 +1012,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Starting">
<title>Starting and Stopping Your Firewall</title> <title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -1059,7 +1059,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
</warning></para> </warning></para>
</section> </section>
<section> <section id="Trouble">
<title>If it Doesn't Work</title> <title>If it Doesn't Work</title>
<itemizedlist> <itemizedlist>
@ -1084,7 +1084,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Reading">
<title>Additional Recommended Reading</title> <title>Additional Recommended Reading</title>
<para>I highly recommend that you review the <ulink <para>I highly recommend that you review the <ulink

View File

@ -85,7 +85,7 @@
</itemizedlist> </itemizedlist>
</warning> </warning>
<section> <section id="Intro">
<title>Introduction</title> <title>Introduction</title>
<para>Starting with Version 2.5.5, Shorewall has builtin support for <para>Starting with Version 2.5.5, Shorewall has builtin support for
@ -104,7 +104,7 @@
as covered by the next sections.</para> as covered by the next sections.</para>
</section> </section>
<section> <section id="LinuxTC">
<title>Linux traffic shaping and control</title> <title>Linux traffic shaping and control</title>
<para>This section gives a brief introduction of how controlling traffic <para>This section gives a brief introduction of how controlling traffic
@ -213,7 +213,7 @@
connection mark value to the current packet's mark (RESTORE).</para> connection mark value to the current packet's mark (RESTORE).</para>
</section> </section>
<section> <section id="Kernel">
<title>Linux Kernel Configuration</title> <title>Linux Kernel Configuration</title>
<para>You will need at least kernel 2.4.18 for this to work, please take a <para>You will need at least kernel 2.4.18 for this to work, please take a
@ -234,7 +234,7 @@
<graphic align="center" fileref="images/traffic_shaping2.6.png" /> <graphic align="center" fileref="images/traffic_shaping2.6.png" />
</section> </section>
<section> <section id="Shorewall">
<title>Enable TC support in Shorewall</title> <title>Enable TC support in Shorewall</title>
<para>You need this support whether you use the builtin support or whether <para>You need this support whether you use the builtin support or whether
@ -267,7 +267,7 @@
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Builtin">
<title>Using builtin traffic shaping/control</title> <title>Using builtin traffic shaping/control</title>
<para>Shorewall's builtin traffic shaping feature provides a thin layer on <para>Shorewall's builtin traffic shaping feature provides a thin layer on
@ -327,7 +327,7 @@
url="http://www.speedcheck.arcor.de/cgi-bin/speedcheck.cgi">arcor speed url="http://www.speedcheck.arcor.de/cgi-bin/speedcheck.cgi">arcor speed
check</ulink>). Be sure to choose a test located near you.</para> check</ulink>). Be sure to choose a test located near you.</para>
<section> <section id="tcdevices">
<title>/etc/shorewall/tcdevices</title> <title>/etc/shorewall/tcdevices</title>
<para>This file allows you to define the incoming and outgoing bandwidth <para>This file allows you to define the incoming and outgoing bandwidth
@ -384,7 +384,7 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<example> <example id="Example0">
<title></title> <title></title>
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the <para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
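Review bot: The example ids in this file start at Example0 (this hunk) and run through Example5 in the following hunks, while the other documents touched by this commit number their examples from Example1; pick one scheme, preferably descriptive ids such as tcdevices-example, so the anchor still makes sense if examples are later reordered. The empty <title></title> on this example is left as is, so the new id has no readable caption to point at; a short title would make the anchor worth linking to.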
@ -396,7 +396,7 @@ ppp0 6000kbit 500kbit</programlisting>
</example> </example>
</section> </section>
<section> <section id="tcclasses">
<title>/etc/shorewall/tcclasses</title> <title>/etc/shorewall/tcclasses</title>
<para>This file allows you to define the actual classes that are used to <para>This file allows you to define the actual classes that are used to
@ -499,7 +499,7 @@ ppp0 6000kbit 500kbit</programlisting>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="tcrules">
<title>/etc/shorewall/tcrules</title> <title>/etc/shorewall/tcrules</title>
<para>The fwmark classifier provides a convenient way to classify <para>The fwmark classifier provides a convenient way to classify
@ -772,7 +772,7 @@ ppp0 6000kbit 500kbit</programlisting>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<example> <example id="Example1">
<title></title> <title></title>
<para>All packets arriving on eth1 should be marked with 1. All <para>All packets arriving on eth1 should be marked with 1. All
@ -786,7 +786,7 @@ ppp0 6000kbit 500kbit</programlisting>
3 $FW 0.0.0.0/0 all</programlisting> 3 $FW 0.0.0.0/0 all</programlisting>
</example> </example>
<example> <example id="Example2">
<title></title> <title></title>
<para>All GRE (protocol 47) packets not originating on the firewall <para>All GRE (protocol 47) packets not originating on the firewall
@ -796,7 +796,7 @@ ppp0 6000kbit 500kbit</programlisting>
12 0.0.0.0/0 155.182.235.151 47</programlisting> 12 0.0.0.0/0 155.182.235.151 47</programlisting>
</example> </example>
<example> <example id="Example3">
<title></title> <title></title>
<para>All SSH request packets originating in 192.168.1.0/24 and <para>All SSH request packets originating in 192.168.1.0/24 and
@ -806,7 +806,7 @@ ppp0 6000kbit 500kbit</programlisting>
22 192.168.1.0/24 155.182.235.151 tcp 22</programlisting> 22 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example> </example>
<example> <example id="Example4">
<title></title> <title></title>
<para>All SSH packets packets going out of the first device in in <para>All SSH packets packets going out of the first device in in
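Review bot: The context line "All SSH packets packets going out of the first device in in" carries two doubled words ("packets packets", "in in"); it is not changed by this hunk, but since the line is already in view it is cheap to drop the repeated words in the same commit.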
@ -819,7 +819,7 @@ ppp0 6000kbit 500kbit</programlisting>
1:110 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting> 1:110 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
</example> </example>
<example> <example id="Example5">
<title></title> <title></title>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to <para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
@ -852,7 +852,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
</example> </example>
</section> </section>
<section> <section id="ppp">
<title>ppp devices</title> <title>ppp devices</title>
<para>If you use ppp/pppoe/pppoa) to connect to your internet provider <para>If you use ppp/pppoe/pppoa) to connect to your internet provider
@ -871,10 +871,10 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
/sbin/shorewall refresh</programlisting> /sbin/shorewall refresh</programlisting>
</section> </section>
<section> <section id="Real">
<title>Real life examples</title> <title>Real life examples</title>
<section> <section id="Wondershaper">
<title>Configuration to replace Wondershaper</title> <title>Configuration to replace Wondershaper</title>
<para>You are able to fully replace the wondershaper script by using <para>You are able to fully replace the wondershaper script by using
@ -890,14 +890,14 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
that this is just an 1:1 replacement doing exactly what wondershaper that this is just an 1:1 replacement doing exactly what wondershaper
should do. You are free to change it...</para> should do. You are free to change it...</para>
<section> <section id="realtcd">
<title>tcdevices file</title> <title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
ppp0 5000kbit 500kbit</programlisting> ppp0 5000kbit 500kbit</programlisting>
</section> </section>
<section> <section id="realtcc">
<title>tcclasses file</title> <title>tcclasses file</title>
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS <programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
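Review bot: The column header IN-BANDWITH in the tcdevices listing (a context line in this hunk, repeated in the simple-setup tcdevices listing further down) is misspelled; readers copy these headers into their own files, so suggest IN-BANDWIDTH to match OUT-BANDWIDTH on the same line.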
@ -906,7 +906,7 @@ ppp0 2 9*full/10 9*full/10 2 default
ppp0 3 8*full/10 8*full/10 2</programlisting> ppp0 3 8*full/10 8*full/10 2</programlisting>
</section> </section>
<section> <section id="realtcr">
<title>tcrules file</title> <title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER <programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
@ -923,7 +923,7 @@ ppp0 3 8*full/10 8*full/10 2</programlisting>
the example configuration files).</para> the example configuration files).</para>
</section> </section>
<section> <section id="lowpro">
<title>Setting hosts to low priority</title> <title>Setting hosts to low priority</title>
<para>lets assume the following settings from your old wondershaper <para>lets assume the following settings from your old wondershaper
@ -957,7 +957,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
</section> </section>
</section> </section>
<section> <section id="simiple">
<title>A simple setup</title> <title>A simple setup</title>
<para>This is a simple setup for people sharing an internet connection <para>This is a simple setup for people sharing an internet connection
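Review bot: The new id "simiple" on the "A simple setup" section is a typo. Ids become fragment anchors in the generated HTML and are referenced from other documents, so a misspelling here is hard to correct later without breaking links; suggest id="simple", consistent with the child ids simpletcd, simpletcc and simpletcr in the following hunks.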
@ -965,7 +965,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
between 2 hosts which have the ip addresses 192.168.2.23 and between 2 hosts which have the ip addresses 192.168.2.23 and
192.168.2.42</para> 192.168.2.42</para>
<section> <section id="simpletcd">
<title>tcdevices file</title> <title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH <programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
@ -974,7 +974,7 @@ ppp0 6000kbit 700kbit</programlisting>
<para>We have 6mbit down and 700kbit upstream.</para> <para>We have 6mbit down and 700kbit upstream.</para>
</section> </section>
<section> <section id="simpletcc">
<title>tcclasses file</title> <title>tcclasses file</title>
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS <programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
@ -990,7 +990,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
same priority. The last class is for the remaining traffic.</para> same priority. The last class is for the remaining traffic.</para>
</section> </section>
<section> <section id="simpletcr">
<title>tcrules file</title> <title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER <programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
@ -1007,7 +1007,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
</section> </section>
</section> </section>
<section> <section id="Xen">
<title>A Warning to Xen Users</title> <title>A Warning to Xen Users</title>
<para>If you are running traffic shaping in your dom0 and traffic shaping <para>If you are running traffic shaping in your dom0 and traffic shaping
@ -1041,7 +1041,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
instructions.</para> instructions.</para>
</section> </section>
<section> <section id="External">
<title id="tcstart">Using your own tc script</title> <title id="tcstart">Using your own tc script</title>
<section id="owntcstart"> <section id="owntcstart">
@ -1077,7 +1077,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
</orderedlist> </orderedlist>
</section> </section>
<section> <section id="Start">
<title>Traffic control outside Shorewall</title> <title>Traffic control outside Shorewall</title>
<para>To start traffic shaping when you bring up your network <para>To start traffic shaping when you bring up your network
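Review bot: id="Start" on the "Traffic control outside Shorewall" section does not describe its content and is easy to confuse with the tcstart id already present on the parent section's title two hunks up (and with the Start id given to the startup-errors section of the troubleshooting document in this same commit). Suggest a name that says what the section covers, for example id="Outside".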
@ -1099,7 +1099,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
</section> </section>
</section> </section>
<section> <section id="Testing">
<title>Testing Tools</title> <title>Testing Tools</title>
<para>At least one Shorewall user has found this tool helpful: <ulink <para>At least one Shorewall user has found this tool helpful: <ulink

View File

@ -32,11 +32,11 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<section> <section id="Start">
<title><quote>shorewall start</quote> and <quote>shorewall restart</quote> <title><quote>shorewall start</quote> and <quote>shorewall restart</quote>
Errors</title> Errors</title>
<section> <section id="Start-shell">
<title>Shorewall-shell</title> <title>Shorewall-shell</title>
<para>If you use the Shorewall-shell compiler and you receive an error <para>If you use the Shorewall-shell compiler and you receive an error
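Review bot: The hyphenated ids Start-shell (this hunk) and Start-perl (a later hunk in this file) use a different naming style from the CamelCase ids elsewhere in the same file (NewDevice, Connections). Either form is valid XML, but mixing styles makes anchors harder to guess; suggest StartShell and StartPerl, or hyphenate consistently.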
@ -78,7 +78,7 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<example> <example id="Example1">
<title>Startup Error</title> <title>Startup Error</title>
<para>During startup, a user sees the following:</para> <para>During startup, a user sees the following:</para>
@ -107,7 +107,7 @@ iptables: No chain/target/match by that name
</example> </example>
</section> </section>
<section> <section id="Start-perl">
<title>Shorewall-perl</title> <title>Shorewall-perl</title>
<para>If the error is detected by the Shorewall-perl compiler, it should <para>If the error is detected by the Shorewall-perl compiler, it should
@ -187,7 +187,7 @@ gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
</section> </section>
</section> </section>
<section> <section id="Network">
<title>Your Network Environment</title> <title>Your Network Environment</title>
<para>Many times when people have problems with Shorewall, the problem is <para>Many times when people have problems with Shorewall, the problem is
@ -222,7 +222,7 @@ gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="NewDevice">
<title>New Device Doesn't Work?</title> <title>New Device Doesn't Work?</title>
<para>If you have just added a new device such as VOIP and it doesn't <para>If you have just added a new device such as VOIP and it doesn't
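Review bot: The context line url="Documentation.htm#INterfaces" has an oddly capitalised fragment. Fragment identifiers are case-sensitive, so this link only resolves if the target section in Documentation.htm really carries id="INterfaces"; worth verifying against that document while ids are being assigned across the doc set.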
@ -235,7 +235,7 @@ gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
url="Documentation.htm#INterfaces">/etc/shorewall/interfaces</ulink>.</para> url="Documentation.htm#INterfaces">/etc/shorewall/interfaces</ulink>.</para>
</section> </section>
<section> <section id="Connections">
<title>Connection Problems</title> <title>Connection Problems</title>
<para>One very important thing to remember is that not all connection <para>One very important thing to remember is that not all connection
@ -289,7 +289,7 @@ LOGBURST=""</programlisting>This way, you will see all of the log messages
being generated (be sure to restart shorewall after clearing these being generated (be sure to restart shorewall after clearing these
variables).</para> variables).</para>
<example> <example id="Example2">
<title>Log Message</title> <title>Log Message</title>
<programlisting>Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2 <programlisting>Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
@ -345,7 +345,7 @@ ACCEPT dmz loc udp 53</programlisting>
</example> </example>
</section> </section>
<section> <section id="Ping">
<title>Ping Problems</title> <title>Ping Problems</title>
<para>Either can't ping when you think you should be able to or are able <para>Either can't ping when you think you should be able to or are able
@ -388,7 +388,7 @@ Ping/DROP net all</programlisting>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Other">
<title>Some Things to Keep in Mind</title> <title>Some Things to Keep in Mind</title>
<itemizedlist> <itemizedlist>
@ -444,7 +444,7 @@ Ping/DROP net all</programlisting>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="More">
<title>Other Gotchas</title> <title>Other Gotchas</title>
<itemizedlist> <itemizedlist>
@ -503,7 +503,7 @@ Ping/DROP net all</programlisting>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Support">
<title>Still Having Problems?</title> <title>Still Having Problems?</title>
<para>See the <ulink url="support.htm">Shorewall Support <para>See the <ulink url="support.htm">Shorewall Support

View File

@ -44,7 +44,7 @@
system.</emphasis></para> system.</emphasis></para>
</caution> </caution>
<section> <section id="Intro">
<title>Introduction</title> <title>Introduction</title>
<para>Setting up a Linux system as a firewall for a small network is a <para>Setting up a Linux system as a firewall for a small network is a
@ -74,7 +74,8 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>Here is a schematic of a typical installation: <figure label="1"> <para>Here is a schematic of a typical installation: <figure id="Figure1"
label="1">
<title>Common two interface firewall configuration</title> <title>Common two interface firewall configuration</title>
<mediaobject> <mediaobject>
@ -105,7 +106,7 @@
</itemizedlist></para> </itemizedlist></para>
</caution></para> </caution></para>
<section> <section id="System">
<title>System Requirements</title> <title>System Requirements</title>
<para>Shorewall requires that you have the <para>Shorewall requires that you have the
@ -122,7 +123,7 @@
through it again making your configuration changes.</para> through it again making your configuration changes.</para>
</section> </section>
<section> <section id="Conventions">
<title>Conventions</title> <title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged <para>Points at which configuration changes are recommended are flagged
@ -134,7 +135,7 @@
</section> </section>
</section> </section>
<section> <section id="PPTP">
<title>PPTP/ADSL</title> <title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -147,7 +148,7 @@
found in Europe, notably in Austria.</para> found in Europe, notably in Austria.</para>
</section> </section>
<section> <section id="Concepts">
<title>Shorewall Concepts</title> <title>Shorewall Concepts</title>
<para></para> <para></para>
@ -331,7 +332,7 @@ $FW net ACCEPT</programlisting> The above policy will:
and make any changes that you wish.</para> and make any changes that you wish.</para>
</section> </section>
<section> <section id="Interfaces">
<title>Network Interfaces</title> <title>Network Interfaces</title>
<mediaobject> <mediaobject>
@ -433,7 +434,7 @@ root@lists:~# </programlisting>
</tip></para> </tip></para>
</section> </section>
<section> <section id="Addresses">
<title>IP Addresses</title> <title>IP Addresses</title>
<para>Before going further, we should say a few words about Internet <para>Before going further, we should say a few words about Internet
@ -573,7 +574,7 @@ root@lists:~# </programlisting>
</warning></para> </warning></para>
</section> </section>
<section> <section id="SNAT">
<title>IP Masquerading (SNAT)</title> <title>IP Masquerading (SNAT)</title>
<para>The addresses reserved by RFC 1918 are sometimes referred to as <para>The addresses reserved by RFC 1918 are sometimes referred to as
@ -677,14 +678,14 @@ DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<e
supplying the protocol and port(s) as shown in the following supplying the protocol and port(s) as shown in the following
examples.</para> examples.</para>
<para><example label="1"> <para><example id="Example1" label="1">
<title>Web Server</title> <title>Web Server</title>
<para>You run a Web Server on computer 2 and you want to forward <para>You run a Web Server on computer 2 and you want to forward
incoming <acronym>TCP</acronym> port 80 to that system: incoming <acronym>TCP</acronym> port 80 to that system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/DNAT net loc:10.10.10.2</programlisting></para> Web/DNAT net loc:10.10.10.2</programlisting></para>
</example> <example label="2"> </example> <example id="Example2" label="2">
<title>FTP Server</title> <title>FTP Server</title>
<para>You run an <acronym>FTP</acronym> Server on computer 1 so you <para>You run an <acronym>FTP</acronym> Server on computer 1 so you
@ -737,7 +738,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
</important> </important>
</section> </section>
<section> <section id="DNS">
<title>Domain Name Server (DNS)</title> <title>Domain Name Server (DNS)</title>
<para>Normally, when you connect to your ISP, as part of getting an IP <para>Normally, when you connect to your ISP, as part of getting an IP
@ -821,7 +822,8 @@ SSH/ACCEPT loc $FW </programlisting>That rule allows you to run an
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
&lt;macro&gt;/ACCEPT $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The &lt;macro&gt;/ACCEPT $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S) general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example> ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example
id="Example3">
<title>Web Server on Firewall</title> <title>Web Server on Firewall</title>
<para>You want to run a Web Server on your firewall system: <para>You want to run a Web Server on your firewall system:
@ -852,7 +854,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
file to add or delete other connections as required.</para> file to add or delete other connections as required.</para>
</section> </section>
<section> <section id="Other">
<title>Some Things to Keep in Mind</title> <title>Some Things to Keep in Mind</title>
<itemizedlist> <itemizedlist>
@ -908,7 +910,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Starting">
<title>Starting and Stopping Your Firewall</title> <title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -954,7 +956,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</warning></para> </warning></para>
</section> </section>
<section> <section id="Trouble">
<title>If it Doesn't Work</title> <title>If it Doesn't Work</title>
<itemizedlist> <itemizedlist>
@ -979,7 +981,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section id="Reading">
<title>Additional Recommended Reading</title> <title>Additional Recommended Reading</title>
<para>I highly recommend that you review the <ulink <para>I highly recommend that you review the <ulink
@ -988,7 +990,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
make administering your firewall easier.</para> make administering your firewall easier.</para>
</section> </section>
<section> <section id="Wireless">
<title>Adding a Wireless Segment to your Two-Interface Firewall</title> <title>Adding a Wireless Segment to your Two-Interface Firewall</title>
<para>Once you have the two-interface setup working, the next logical step <para>Once you have the two-interface setup working, the next logical step