Last batch of mindless ID changes

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6698 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2007-06-28 22:06:10 +00:00
parent f8afc6df84
commit c35f8c48d8
26 changed files with 231 additions and 316 deletions

View File

@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="Intro">
<title>Introduction</title>
<para>Shorewall version 4 is currently in development and is available for
@ -88,7 +88,7 @@
whichever one suits you in a particular case.</para>
</section>
<section>
<section id="Install">
<title>Installing Shorewall Version 4</title>
<para>You can download the development version of Shorewall Version 4 from
@ -129,7 +129,7 @@
Shorewall.</para>
</section>
<section>
<section id="Prereqs">
<title>Prerequisites for using the Shorewall Version 4 Perl-based
Compiler</title>
@ -161,7 +161,7 @@
</itemizedlist>
</section>
<section>
<section id="Incompatibilities">
<title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
Compiler</title>
@ -170,7 +170,7 @@
document</ulink> for details.</para>
</section>
<section>
<section id="CompilerSelection">
<title>Compiler Selection</title>
<para>If you only install one compiler, then that compiler will be

View File

@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="What">
<title>Shorewall-perl - What is it?</title>
<para>Shorewall-perl is a companion product to Shorewall. It requires
@ -76,7 +76,7 @@
</itemizedlist>
</section>
<section>
<section id="DownSide">
<title>Shorewall-perl - The down side</title>
<para>While there are advantages to using Shorewall-perl, there are also
@ -504,7 +504,7 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
</itemizedlist>
</section>
<section>
<section id="Install">
<title>Shorewall-perl - Installation</title>
<caution>
@ -529,10 +529,10 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
package.</para>
</section>
<section>
<section id="Using">
<title>Using Shorewall-perl</title>
<section>
<section id="V3.4.3">
<title>Using Shorewall-perl under Shorewall 3.4.2 and Shorewall
3.4.3</title>
@ -557,7 +557,7 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
use be specified in <filename>shorewall.conf</filename>.</para>
</section>
<section>
<section id="V4.0.0">
<title>Using Shorewall-perl under Shorewall 3.4.4/4.0.0 Beta and
later.</title>

View File

@ -40,7 +40,7 @@
3.0.0 then please see the documentation for that release</emphasis></para>
</caution>
<section>
<section id="Doesnt">
<title>Shorewall Does not:</title>
<itemizedlist>
@ -90,7 +90,7 @@
</itemizedlist>
</section>
<section>
<section id="Patching">
<title>In Addition:</title>
<itemizedlist>

View File

@ -45,7 +45,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Transparent">
<title>Squid as a Transparent (Interception) Proxy</title>
<important>
@ -141,7 +141,7 @@ httpd_accel_uses_host_header on</programlisting>
</caution>
</section>
<section>
<section id="Configurations">
<title>Configurations</title>
<para>Three different configurations are covered:</para>
@ -256,7 +256,7 @@ DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.
ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80,443</programlisting>
<example>
<example id="Example1">
<title>Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:</title>

View File

@ -41,7 +41,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Background">
<title>Background</title>
<para>The traditional net-tools contain a program called
@ -52,7 +52,7 @@
class="devicefile">eth0:0</filename>) and ifconfig treats them more or
less like real interfaces.</para>
<example>
<example id="ifconfig">
<title>ifconfig</title>
<programlisting>[root@gateway root]# <command>ifconfig eth0:0</command>
@ -71,7 +71,7 @@ eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
it allows addresses to be <emphasis>labeled</emphasis> where these labels
take the form of ipconfig virtual interfaces.</para>
<example>
<example id="ip">
<title>ip</title>
<programlisting>[root@gateway root]# <command>ip addr show dev eth0</command>
@ -100,7 +100,7 @@ Device "eth0:0" does not exist.
discussion below.</para>
</section>
<section>
<section id="Adding">
<title>Adding Addresses to Interfaces</title>
<para>Most distributions have a facility for adding additional addresses
@ -143,21 +143,21 @@ iface eth0 inet static
<command>up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting>
</section>
<section>
<section id="How">
<title>So how do I handle more than one address on an interface?</title>
<para>The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common
scenarios.</para>
<section>
<section id="Rules">
<title>Separate Rules</title>
<para>If you need to make a rule for traffic to/from the firewall itself
that only applies to a particular IP address, simply qualify the $FW
zone with the IP address.</para>
<example>
<example id="SSH">
<title>allow SSH from net to eth0:0 above</title>
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
@ -165,7 +165,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
</example>
</section>
<section>
<section id="DNAT">
<title>DNAT</title>
<para>Suppose that I had set up eth0:0 as above and I wanted to port
@ -178,7 +178,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
</section>
<section>
<section id="SNAT">
<title>SNAT</title>
<para>If you wanted to use eth0:0 as the IP address for outbound
@ -223,7 +223,7 @@ eth0:1 = 206.124.146.179
eth0:2 = 206.124.146.180</programlisting>
</section>
<section>
<section id="NAT">
<title>One-to-one NAT</title>
<para>If you wanted to use one-to-one NAT to link <filename
@ -257,7 +257,7 @@ eth0:2 = 206.124.146.180</programlisting>
pair, you simply qualify the local zone with the internal IP
address.</para>
<example>
<example id="SSH1">
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.</title>
@ -266,7 +266,7 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
</example>
</section>
<section>
<section id="Subnets">
<title>MULTIPLE SUBNETS</title>
<para>Sometimes multiple IP addresses are used because there are
@ -278,7 +278,7 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
consider the LAN segment itself as a zone and allow your firewall/router
to route between the two subnetworks.</para>
<example>
<example id="subnets">
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You simply want your firewall to route
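Review bot: `id="subnets"` on this example differs only in letter case from `id="Subnets"` on the enclosing section added in the previous hunk. XML ids are case-sensitive, so both are valid, but two anchors that differ only by case are easy to confuse when writing `<link linkend="...">` references and when reading rendered `#subnets`/`#Subnets` URLs; consider a distinct name for the example (for instance one that parallels `subnets1` on the example that follows).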
@ -300,7 +300,7 @@ loc eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">rout
ACCEPT rules for the traffic that you want to permit.</para>
</example>
<example>
<example id="subnets1">
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to make these subnetworks into

View File

@ -38,7 +38,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="Routing">
<title>Routing vs. Firewalling.</title>
<para>One of the most misunderstood aspects of Shorewall is its
@ -62,7 +62,7 @@
in the following sections.</para>
</section>
<section>
<section id="Netfilter">
<title>Routing and Netfilter</title>
<para>The following diagram shows the relationship between routing
@ -80,7 +80,7 @@
through this maze, depending on where the packet originates. We will look
at each of these separately.</para>
<section>
<section id="Ingress">
<title>Packets Entering the Firewall from Outside</title>
<para>When a packet arrives from outside, it first undergoes Netfilter
@ -132,7 +132,7 @@
alternate routing table.</para>
</section>
<section>
<section id="Local">
<title>Packets Originating on the Firewall</title>
<para>Processing of packets that originate on the firewall itself are
@ -169,7 +169,7 @@
</section>
</section>
<section>
<section id="RoutingTables">
<title>Alternate Routing Table Configuration</title>
<para>The Shorewall 2.x <ulink
@ -186,7 +186,7 @@
prior to 2.3.2.</emphasis></para>
</section>
<section>
<section id="ProxyArp">
<title>Routing and Proxy ARP</title>
<para>There is one instance where Shorewall creates main routing table
@ -211,7 +211,7 @@
<programlisting><emphasis role="bold">ip route add 206.124.146.177 dev eth1</emphasis></programlisting>
</section>
<section>
<section id="MultiISP">
<title>Multiple Internet Connection Support in Shorewall 2.4.2 and
Later</title>

View File

@ -38,7 +38,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="Background">
<title>Background</title>
<para>Systems where Shorewall runs normally function as
@ -70,7 +70,7 @@
</orderedlist>
</section>
<section>
<section id="Application">
<title>Application</title>
<para>There are cases where you want to create a bridge to join two or
@ -79,7 +79,7 @@
article.</para>
<para>If you do need to restrict traffic through the bridge, please refer
to the <ulink url="bridge.html">Shorewall Bridge/Firewall
to the <ulink url="bridge-Shorewall-perl.html">Shorewall Bridge/Firewall
documentation</ulink>. Also please refer to that documentation for
information about how to create a bridge.</para>
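Review bot: the last two lines of this hunk replace the link target `bridge.html` with `bridge-Shorewall-perl.html`, which is a cross-reference change rather than an id addition, and the commit message ("Last batch of mindless ID changes") does not mention it. Call it out in the message or commit it separately so that someone tracing a broken link later is not misled by the message, and confirm that `bridge-Shorewall-perl.html` actually exists in this tree, since nothing in the hunk shows it.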

View File

@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="UPnP">
<title>UPnP</title>
<para>In Shorewall 2.2.4, support was added for UPnP (Universal Plug and
@ -78,7 +78,7 @@
<para></para>
</section>
<section>
<section id="linux-igd">
<title>linux-igd Configuration</title>
<para>In /etc/upnpd.conf, you will want:</para>
@ -88,7 +88,7 @@ prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP</programlisting>
</section>
<section>
<section id="Shorewall">
<title>Shorewall Configuration</title>
<para>In <filename>/etc/shorewall/interfaces</filename>, you need the

View File

@ -38,7 +38,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="vpn">
<title>Virtual Private Networking (VPN)</title>
<para>It is often the case that a system behind the firewall needs to be
@ -76,7 +76,7 @@
following: only one system may connect to the remote gateway and there are
firewall configuration requirements as follows:</para>
<table>
<table id="Table1">
<title>/etc/shorewall/rules</title>
<tgroup cols="7">

View File

@ -38,7 +38,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="Taxonomy">
<title>Gateway-to-gateway traffic vs. Host-to-host traffic.</title>
<para>The purpose of a <firstterm>Virtual Private Network</firstterm>
@ -91,7 +91,7 @@
</orderedlist>
</section>
<section>
<section id="Netfilter">
<title>Relationship to Netfilter</title>
<para>When Netfilter is configured on a VPN gateway, each VPN packet goes
@ -118,7 +118,7 @@
<graphic align="center" fileref="images/VPNBasics.png" />
</section>
<section>
<section id="Shorewall">
<title>What does this mean with Shorewall?</title>
<para>When Shorewall is installed on a VPN gateway system, it categorizes
@ -185,7 +185,7 @@
</orderedlist>
</section>
<section>
<section id="Zones">
<title>Defining Remote Zones</title>
<para>Most VPN types are implemented using a virtual network device such
@ -209,7 +209,7 @@ loc eth1 detect
<emphasis role="bold">rem ppp0 192.168.10.0/24</emphasis></programlisting>
</section>
<section>
<section id="Traffic">
<title>Allowing Traffic</title>
<para>Normally, you will just allow all traffic between your remote
@ -224,7 +224,7 @@ loc rem ACCEPT</programlisting>
the remote clients to/from the firewall.</para>
</section>
<section>
<section id="Policies">
<title>Different Firewall Policies for Different Remote Systems</title>
<para>The /etc/shorewall/hosts file comes into play when:</para>
@ -274,7 +274,7 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
<ulink url="IPSEC-2.6.html">kernel 2.6 native IPSEC</ulink>.</para>
</section>
<section>
<section id="tunnels">
<title>Eliminating the /etc/shorewall/tunnels file</title>
<para>The <filename>/etc/shorewall/tunnels</filename> file provides no
@ -285,7 +285,7 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
<filename>/etc/shorewall/tunnels</filename> can be replaced by rules for
some common tunnel types.</para>
<section>
<section id="IPSEC">
<title>IPSEC</title>
<para>/<filename>etc/shorewall/tunnels</filename>:</para>
@ -316,7 +316,7 @@ ACCEPT Z2:1.2.3.4 $FW udp 500</programlisting>
are omitted.</para>
</section>
<section>
<section id="PPTP">
<title>PPTP</title>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
@ -341,7 +341,7 @@ ACCEPT Z1:1.2.3.4 $FW 47</programlisting>
port 1723 rule.</para>
</section>
<section>
<section id="OpenVPN">
<title>OpenVPN</title>
<para><filename>/etc/shorewall/tunnels</filename>:</para>

View File

@ -48,7 +48,7 @@
running kernel 2.6.20 or later.</para>
</caution>
<section>
<section id="Environment">
<title>Xen Network Environment</title>
<para><ulink
@ -104,7 +104,7 @@
</itemizedlist>
</section>
<section>
<section id="Dom0">
<title>Configuring Shorewall in Dom0</title>
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
@ -147,7 +147,7 @@
only have to worry about protecting the local LAN from the systems running
in the DomU's.</para>
<section>
<section id="shorewall.conf">
<title>/etc/shorewall/shorewall.conf</title>
<para>Because Xen uses normal Linux bridging, you must enable bridge
@ -158,7 +158,7 @@
</blockquote>
</section>
<section>
<section id="zonesfile">
<title>/etc/shorewall/zones</title>
<para>One thing strange about configuring Shorewall in this environment
@ -181,7 +181,7 @@ net ipv4 #The local LAN and beyond
</blockquote>
</section>
<section>
<section id="interfaces">
<title>/etc/shorewall/interfaces</title>
<para>We must deal with two network interfaces. We must deal with the
@ -196,7 +196,7 @@ net eth0 detect dhcp
</blockquote>
</section>
<section>
<section id="hosts">
<title>/etc/shorewall/hosts</title>
<para>Here we define the zones <emphasis role="bold">ursa</emphasis> and
@ -218,7 +218,7 @@ net xenbr0:peth0
class="devicefile">peth0</filename> port on the bridge.</para>
</section>
<section>
<section id="policy">
<title>/etc/shorewall/policy</title>
<para>The policies shown here effectively isolate Domains 1...N.</para>
@ -237,7 +237,7 @@ all all REJECT info
</blockquote>
</section>
<section>
<section id="rules">
<title>/etc/shorewall/rules</title>
<para>These rules determine the traffic allowed into and out of the

View File

@ -40,7 +40,7 @@
documentation for that release.</para>
</caution>
<section>
<section id="Before">
<title>Before Xen</title>
<para>Prior to adopting <ulink url="Xen.html">Xen</ulink>, I had a home
@ -72,7 +72,7 @@
<para>The result was a very crowded and noisy room.</para>
</section>
<section>
<section id="After">
<title>After Xen</title>
<para>Xen has allowed me to reduce the noise and clutter considerably. I

View File

@ -47,7 +47,7 @@
running kernel 2.6.20 or later.</para>
</caution>
<section>
<section id="Before">
<title>Before Xen</title>
<para>Prior to adopting <ulink url="Xen.html">Xen</ulink>, I had a home
@ -79,7 +79,7 @@
<para>The result was a very crowded and noisy room.</para>
</section>
<section>
<section id="After">
<title>After Xen</title>
<para>Xen has allowed me to reduce the noise and clutter considerably. I

View File

@ -39,7 +39,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Features">
<title>Features</title>
<itemizedlist>

View File

@ -41,7 +41,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Log">
<title>How to Log Traffic Through a Shorewall Firewall</title>
<para>The disposition of packets entering a Shorewall firewall is
@ -95,7 +95,7 @@
</orderedlist>
</section>
<section>
<section id="Where">
<title>Where the Traffic is Logged and How to Change the
Destination</title>
@ -113,7 +113,7 @@
<emphasis>level</emphasis> is the term used by NetFilter. The syslog
documentation uses the term <emphasis>priority</emphasis>.</para>
<section>
<section id="Levels">
<title>Syslog Levels</title>
<para>Syslog levels are a method of describing to syslog (8) the
@ -165,7 +165,7 @@
Shorewall messages written to the console.</para>
</section>
<section>
<section id="ULOG">
<title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
<para>There are a couple of limitations to syslogd-based logging:</para>
@ -232,7 +232,7 @@ gateway:/etc/shorewall# </programl
</section>
</section>
<section>
<section id="Syslog-ng">
<title>Syslog-ng</title>
<para><ulink
@ -240,7 +240,7 @@ gateway:/etc/shorewall# </programl
is a post describing configuring syslog-ng to work with Shorewall.</para>
</section>
<section>
<section id="Contents">
<title>Understanding the Contents of Shorewall Log Messages</title>
<para>For general information on the contents of Netfilter log messages,

View File

@ -39,7 +39,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Requirements">
<title>Shorewall Requires:</title>
<itemizedlist>
@ -93,7 +93,7 @@
</itemizedlist>
</section>
<section>
<section id="Perl">
<title>Shorewall-perl Requirements</title>
<para><ulink url="Shorewall-perl.html">Shorewall-perl</ulink> is a

View File

@ -49,7 +49,7 @@
<para>The Russian Translations are courtesy of Alex at tut.by.</para>
<section>
<section id="Before">
<title>Before You Start</title>
<para>Please read the short article <ulink
@ -63,7 +63,7 @@
<para>These guides provide step-by-step instructions for configuring
Shorewall in common firewall setups.</para>
<section>
<section id="Single">
<title>If you want the firewall system to handle a <emphasis
role="bold">single public IP address</emphasis></title>
@ -98,7 +98,7 @@
</itemizedlist></para>
</section>
<section>
<section id="Multi">
<title>If you want the firewall system to handle more than one public IP
address</title>

View File

@ -126,12 +126,12 @@
instructions.</para>
<para>Shorewall views the network where it is running as being composed of
a set of zones. A zone is one or more hosts, which can be defined
as individual hosts or networks in
<filename class="directory">/etc/shorewall/hosts</filename>, or as
an entire interface in <filename
class="directory">/etc/shorewall/interfaces</filename>. In this
guide, we will use the following zones:</para>
a set of zones. A zone is one or more hosts, which can be defined as
individual hosts or networks in <filename
class="directory">/etc/shorewall/hosts</filename>, or as an entire
interface in <filename
class="directory">/etc/shorewall/interfaces</filename>. In this guide, we
will use the following zones:</para>
<variablelist>
<varlistentry>
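Review bot: this hunk only re-wraps one paragraph (identical words, different line breaks) and adds no id, so it is pure whitespace noise inside an "ID changes" commit and will show up in blame output for that paragraph. Drop it, or move it to a separate formatting-only commit.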
@ -432,7 +432,7 @@ dmz eth2 detect</programlisting>
than one interface, simply include one entry for each interface and repeat
the zone name as many times as necessary.</para>
<example>
<example id="multi">
<title>Multiple Interfaces to a Zone</title>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
@ -555,7 +555,7 @@ loc eth2 detect</programlisting>
subnet sizes, the size and its base-2 logarithm are given in the
following table:</para>
<table>
<table id="Logs">
<title>Base-2 Logarithms</title>
<tgroup cols="3">
@ -689,7 +689,7 @@ loc eth2 detect</programlisting>
size n. From the above table, we can derive the following one which is a
little easier to use.</para>
<table>
<table id="vlsm">
<title>VLSM</title>
<tgroup cols="3">
@ -849,7 +849,7 @@ loc eth2 detect</programlisting>
<quote><emphasis role="bold">a.b.c.d/v</emphasis></quote> using
<emphasis>CIDR Notation</emphasis>. Example:</para>
<table>
<table id="Subnet">
<title>Subnet</title>
<tgroup cols="2">
@ -891,7 +891,7 @@ loc eth2 detect</programlisting>
<para>There are two degenerate subnets that need mentioning; namely, the
subnet with one member and the subnet with 2 ** 32 members.</para>
<table>
<table id="degenerate">
<title>/32 and /0</title>
<tgroup cols="4">
@ -945,7 +945,7 @@ loc eth2 detect</programlisting>
address <emphasis role="bold">a.b.c.d</emphasis> and with the netmask
that corresponds to VLSM /<emphasis role="bold">v</emphasis>.</para>
<example>
<example id="Example0">
<title>192.0.2.65/29</title>
<para>The interface is configured with IP address 192.0.2.65 and
@ -955,7 +955,7 @@ loc eth2 detect</programlisting>
<para>/sbin/shorewall supports an ipcalc command that automatically
calculates information about a [sub]network.</para>
<example>
<example id="Example1">
<title>Using the <command>ipcalc </command>command</title>
<programlisting>shorewall ipcalc 10.10.10.0/25
@ -966,7 +966,7 @@ loc eth2 detect</programlisting>
</programlisting>
</example>
<example>
<example id="Example2">
<title>Using the <command>ipcalc</command> command</title>
<programlisting>shorewall ipcalc 10.10.10.0 255.255.255.128
@ -1075,8 +1075,8 @@ Destination Gateway Genmask Flgs MSS Win irtt Iface
requests -- they are totally independent.</para>
</section>
<section>
<title id="ARP">Address Resolution Protocol (ARP)</title>
<section id="ARP">
<title>Address Resolution Protocol (ARP)</title>
<para>When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <emphasis>Media Access
@ -1580,8 +1580,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
rather than with the firewall's eth0.</para>
</section>
<section>
<title id="NAT">One-to-one NAT</title>
<section id="NAT">
<title>One-to-one NAT</title>
<para>With one-to-one NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public
@ -2336,7 +2336,7 @@ foobar.net. 86400 IN A 192.0.2.177
86400 IN MX 1 &lt;backup MX&gt;.</programlisting>
</section>
<section>
<section id="Other">
<title>Some Things to Keep in Mind</title>
<itemizedlist>

View File

@ -47,7 +47,7 @@
system.</emphasis></para>
</caution>
<section>
<section id="Introduction">
<title>Introduction</title>
<para>Setting up Shorewall on a standalone Linux system is very easy if
@ -74,7 +74,7 @@
</listitem>
</itemizedlist>
<section>
<section id="System">
<title>System Requirements</title>
<para>Shorewall requires that you have the
@ -90,7 +90,7 @@
[root@gateway root]#</programlisting>
</section>
<section>
<section id="Before">
<title>Before you start</title>
<para>I recommend that you read through the guide first to familiarize
@ -121,7 +121,7 @@
</caution>
</section>
<section>
<section id="Conventions">
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
@ -130,7 +130,7 @@
</section>
</section>
<section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -143,7 +143,7 @@
found in Europe, notably in Austria.</para>
</section>
<section>
<section id="Concepts">
<title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -311,7 +311,7 @@ all all REJECT info</programlisting>
and make any changes that you wish.</para>
</section>
<section>
<section id="External">
<title>External Interface</title>
<para>The firewall has a single network interface. Where Internet
@ -377,7 +377,7 @@ root@lists:~# </programlisting>
</tip>
</section>
<section>
<section id="Addresses">
<title>IP Addresses</title>
<para>Before going further, we should say a few words about
@ -455,7 +455,7 @@ root@lists:~# </programlisting>
role="bold">SECTION NEW.</emphasis></para>
</important>
<example>
<example id="Example1">
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
@ -472,7 +472,7 @@ IMAP/ACCEPT net $FW</programlisting>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example>
<example id="Example2">
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
@ -499,7 +499,7 @@ SSH/ACCEPT net $FW </programlisting>
other connections as desired.</para>
</section>
<section>
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -549,7 +549,7 @@ SSH/ACCEPT net $FW </programlisting>
</warning>
</section>
<section>
<section id="Problems">
<title>If it Doesn't Work</title>
<itemizedlist>
@ -574,7 +574,7 @@ SSH/ACCEPT net $FW </programlisting>
</itemizedlist>
</section>
<section>
<section id="Other">
<title>Additional Recommended Reading</title>
<para>I highly recommend that you review the <ulink
@ -582,91 +582,4 @@ SSH/ACCEPT net $FW </programlisting>
page</ulink> -- it contains helpful tips about Shorewall features than
make administering your firewall easier.</para>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>2.0</revnumber>
<date>2005-09-12</date>
<authorinitials>TE</authorinitials>
<revremark>More 3.0 Updates</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2005-09-02</date>
<authorinitials>CR</authorinitials>
<revremark>Update for Shorewall 3.0</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2005-07-12</date>
<authorinitials>TE</authorinitials>
<revremark>Change reference to rfc1918 to bogons.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-16</date>
<authorinitials>TE</authorinitials>
<revremark>Move /etc/shorewall/rfc1918 to
/usr/share/shorewall.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-02-05</date>
<authorinitials>TE</authorinitials>
<revremark>Update for Shorewall 2.0</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-01-05</date>
<authorinitials>TE</authorinitials>
<revremark>Standards Changes</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-12-30</date>
<authorinitials>TE</authorinitials>
<revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2003-11-15</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook Conversion</revremark>
</revision>
</revhistory></para>
</appendix>
</article>
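Review bot: this hunk deletes the entire Revision History appendix (the `<appendix>` holding revisions 1.3 through 2.0) rather than adding an id, and the commit message does not mention a content removal; the hunk header (91 lines replaced by 4) is the only hint. If the removal is intended, state it in the commit message; if not, restore the `<appendix>` block before this lands.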

View File

@ -47,7 +47,7 @@
release</emphasis>.</para>
</caution>
<section>
<section id="CLI">
<title>/sbin/shorewall and /sbin/shorewall-lite</title>
<para><filename>/sbin/shorewall</filename> is the program that you use to
@ -111,7 +111,7 @@
url="Anatomy.html">Shorewall Anatomy article</ulink>.</para>
</section>
<section>
<section id="Starting">
<title>Starting, Stopping and Clearing</title>
<para>As explained in the <ulink
@ -173,7 +173,7 @@
State Diagram</link> section.</para>
</section>
<section>
<section id="Trace">
<title>Tracing Command Execution</title>
<para>If you include the word <emphasis role="bold">trace</emphasis> as
@ -182,7 +182,7 @@
<filename>/usr/share/shorewall/firewall</filename>, execution of the
latter program will be traced to STDERR.</para>
<example>
<example id="trace">
<title>Tracing <command>shorewall start</command></title>
<para>To trace the execution of <command>shorewall start</command> and
@ -197,7 +197,7 @@
</example>
</section>
<section>
<section id="Boot">
<title>Having Shorewall Start Automatically at Boot Time</title>
<para>The .rpm, .deb and .tgz all try to configure your startup scripts so
@ -420,7 +420,7 @@
</itemizedlist>
</section>
<section>
<section id="Commands">
<title>Commands</title>
<para>The general form of a command in Shorewall 4.0 is:</para>

View File

@ -48,7 +48,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="First">
<title>Before Reporting a Problem or Asking a Question</title>
<para>There are a number of sources of Shorewall information. Please try
@ -361,7 +361,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
</itemizedlist>
</section>
<section>
<section id="Where">
<title>Where to Send your Problem Report or to Ask for Help</title>
<para><emphasis role="bold">If you haven't read the <link
@ -388,14 +388,14 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
a #shorewall channel at irc.freenode.net.</para>
</section>
<section>
<section id="Users">
<title>Subscribing to the Users Mailing List</title>
<para>To Subscribe to the users mailing list go to <ulink
url="https://lists.sourceforge.net/lists/listinfo/shorewall-users">https://lists.sourceforge.net/lists/listinfo/shorewall-users</ulink>.</para>
</section>
<section>
<section id="Announce">
<title>Subscribing to the Announce Mailing List</title>
<para>To Subscribe to the announce mailing list (low-traffic,read only) go
@ -405,7 +405,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
url="https://lists.sourceforge.net/lists/listinfo/shorewall-announce">https://lists.sourceforge.net/lists/listinfo/shorewall-announce</ulink></para>
</section>
<section>
<section id="Devel">
<title>Subscribing to the Development Mailing List</title>
<para>To Subscribe to the development mailing list go to <ulink
@ -420,7 +420,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
role="bold">Doh.......</emphasis></para>
</section>
<section>
<section id="Other">
<title>Other Mailing Lists</title>
<para>For information on other Shorewall mailing lists, go to <ulink

View File

@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="Background">
<title>Background</title>
<para>In early March 2006, i embarked on the journey of surveying
@ -58,7 +58,7 @@
limited and harder to use than Zoomerang.</para>
<section>
<title>Survey and results links</title>
<title id="Survey">Survey and results links</title>
<para>The survey is still open as of this writing, and can be accessed
at <ulink url="http://www.zoomerang.com/survey.zgi?p=WEB2253NNBCN44">the
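Review bot: this hunk puts the new id on the `<title>` element (`<title id="Survey">`), whereas every other hunk in this commit puts it on the `<section>`, and two hunks in the setup guide file deliberately move `id="ARP"` and `id="NAT"` from `<title>` to `<section>`. For consistency, and so that a `<link linkend="Survey">` resolves to the section rather than to its title, change this to `<section id="Survey">` with a plain `<title>Survey and results links</title>`.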
@ -72,7 +72,7 @@
a link to the results is provided on the thank you page.</para>
</section>
<section>
<section id="Sample">
<title>Sample size</title>
<para>An important note about this survey is that it has a small sample
@ -96,7 +96,7 @@
installed base, likely far less.</para>
</section>
<section>
<section id="Factors">
<title>Other possible inaccuracies</title>
<para>Additionally, since the survey was open to multiple responses, it
@ -115,10 +115,10 @@
</section>
</section>
<section>
<section id="Results">
<title>Results analysis</title>
<section>
<section id="Org">
<title>Organisations</title>
<para>Small organisations dominate the spectrum of Shorewall users. The
@ -175,7 +175,7 @@
Shorewall.</para>
</section>
<section>
<section id="Users">
<title>Users</title>
<para>Unsurprisingly, 97% of survey respondents were male. Or to put it
@ -226,16 +226,16 @@
users, which is a concern for the future of the project.</para>
</section>
<section>
<section id="Hardware">
<title>Hardware</title>
<para>Ninety-three percent (93%) of users run Shorewall on i386 family
hardware, with a further 6% running it on x86-64/EM64T platforms. One
response was received indicating use of Shorewall on MIPS (Linksys WRT
platform). No responses were received for any other hardware platform.
While it is not surprising that Intel would be dominant, given
their market share, it seems a little skewed not to have any
representatives of other architectures.</para>
While it is not surprising that Intel would be dominant, given their
market share, it seems a little skewed not to have any representatives
of other architectures.</para>
<para>A good spread of CPU power is shown in the survey responses. The
largest group was 400-999 MHz (30%), with only 16% of responses
@ -258,7 +258,7 @@
second and third at 22% and 20% respectively.</para>
</section>
<section>
<section id="Network">
<title>Network</title>
<para>The majority of Shorewall systems (82%) use between two and four
@ -274,7 +274,7 @@
connection, with over half the responses (51%).</para>
</section>
<section>
<section id="Software">
<title>Software</title>
<para>The most popular Linux distribution on which users run Shorewall
@ -314,7 +314,7 @@
</itemizedlist>
</section>
<section>
<section id="Comments">
<title>Comments from users</title>
<para>Following is a sample of the comments we received about the survey
@ -365,10 +365,10 @@
</section>
</section>
<section>
<section id="Lessons">
<title>Lessons learned about survey technique</title>
<section>
<section id="Approach1">
<title>Treat surveys like releasing free software</title>
<itemizedlist>
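Review bot: `id="Approach1"` in this hunk (and `Approach2`..`Approach4`, `Implications1`, `Implications2` in the hunks that follow) encodes the position of a subsection rather than its content; if a lesson is reordered or a new one inserted, the numbers no longer match the headings while any external link keeps its old meaning. Ids taken from the titles (for example `ReleaseLikeSoftware`, `StartSmall`) survive reordering.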
@ -392,7 +392,7 @@
</itemizedlist>
</section>
<section>
<section id="Approach2">
<title>Start small and work towards what you want to know with specific,
concrete questions</title>
@ -413,7 +413,7 @@
user systems, and doesn't present a user interface per se.</para>
</section>
<section>
<section id="Approach3">
<title>Be prepared beforehand</title>
<para>Within hours of the survey's release, 50% of the results were in.
@ -425,7 +425,7 @@
and complete downloads of the results.</para>
</section>
<section>
<section id="Approach4">
<title>Incrementally improve your surveys</title>
<para>The final version of this survey was released still with a few
@ -436,7 +436,7 @@
</section>
</section>
<section>
<section id="Implications1">
<title>Possible implications for the Shorewall project</title>
<para>The users we have seem, on the whole, rather experienced, and very
@ -454,7 +454,7 @@
Connect might be a good way to serve the needs of our users.</para>
</section>
<section>
<section id="Implications2">
<title>Possible implications for other free software projects</title>
<itemizedlist>

View File

@ -47,7 +47,7 @@
system.</emphasis></para>
</caution>
<section>
<section id="Intro">
<title>Introduction</title>
<para>Setting up a Linux system as a firewall for a small network with DMZ
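Review bot: `id="Intro"` here duplicates the `id="Intro"` assigned to the two-interface guide and the traffic-shaping article elsewhere in this commit, as do `Other`, `Starting`, `Trouble`, `Reading`, `Example1` and `Example2` further down this file. Within one article that is valid, but DocBook ids must be unique per document, so none of these articles can later be assembled into a single book or set via XInclude without a rename. A short per-document prefix (`three-Intro`, `two-Intro`) would avoid that, and at minimum the commit message should say the ids are only unique per file.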
@ -91,7 +91,7 @@
<para>Here is a schematic of a typical installation.</para>
<figure>
<figure id="Figure1">
<title>schematic of a typical installation</title>
<mediaobject>
@ -101,7 +101,7 @@
</mediaobject>
</figure>
<section>
<section id="Reqs">
<title>Requirements</title>
<para>Shorewall requires that you have the
@ -117,7 +117,7 @@
[root@gateway root]#</programlisting>
</section>
<section>
<section id="Before">
<title>Before you start</title>
<para>I recommend that you first read through the guide to familiarize
@ -149,7 +149,7 @@
</caution>
</section>
<section>
<section id="Conventions">
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
@ -161,7 +161,7 @@
</section>
</section>
<section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -173,7 +173,7 @@
notably in Austria.</para>
</section>
<section>
<section id="Concepts">
<title>Shorewall Concepts</title>
<para>The configuration files for Shorewall are contained in the directory
@ -356,10 +356,10 @@ $FW net ACCEPT</programlisting>
file and make any changes that you wish.</para>
</section>
<section>
<section id="Interfaces">
<title>Network Interfaces</title>
<figure>
<figure id="Figure2">
<title>DMZ</title>
<mediaobject>
@ -471,7 +471,7 @@ root@lists:~# </programlisting>
</tip>
</section>
<section>
<section id="Addresses">
<title>IP Addresses</title>
<para>Before going further, we should say a few words about Internet
@ -532,7 +532,7 @@ root@lists:~# </programlisting>
<varname>24</varname> refers to the number of consecutive <quote>1</quote>
bits from the left of the subnet mask.</para>
<table>
<table id="Table1">
<title>Example sub-network</title>
<tgroup cols="2">
@ -599,7 +599,7 @@ root@lists:~# </programlisting>
<para>The remainder of this quide will assume that you have configured
your network as shown here:</para>
<figure>
<figure id="Figure3">
<title>DMZ</title>
<mediaobject>
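Review bot: the unchanged context line `<para>The remainder of this quide will assume` in this hunk has a typo (`quide` for `guide`); the line is already inside the hunk window, so fixing it in the same pass is cheap.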
@ -627,7 +627,7 @@ root@lists:~# </programlisting>
</figure>
</section>
<section>
<section id="SNAT">
<title>IP Masquerading (SNAT)</title>
<para>The addresses reserved by RFC 1918 are sometimes referred to as
@ -731,7 +731,7 @@ DNAT net dmz:<emphasis>&lt;server local IP address&gt;</emphasis>[:<e
role="bold">SECTON NEW.</emphasis></para>
</important>
<example>
<example id="Example1">
<title>You run a Web Server on DMZ Computer 2 and you want to forward
incoming TCP port 80 to that system</title>
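Review bot: the context line `role="bold">SECTON NEW.</emphasis>` immediately above the new `<example id="Example1">` misspells `SECTION`; it sits in bold inside an `<important>` block, so the typo is prominent in the rendered page and is worth correcting while this region is being touched.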
@ -812,7 +812,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
</important>
</section>
<section>
<section id="DNS">
<title>Domain Name Server (DNS)</title>
<para>Normally, when you connect to your ISP, as part of getting an IP
@ -908,7 +908,7 @@ SSH/ACCEPT loc dmz </programlisting>Those rules allow you to run
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source zone&gt; &lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt; </emphasis></programlisting></para>
<example>
<example id="Example2">
<title>You want to run a publicly-available DNS server on your firewall
system</title>
@ -956,7 +956,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
remove other connections as required.</para>
</section>
<section>
<section id="Other">
<title>Some Things to Keep in Mind</title>
<itemizedlist>
@ -1012,7 +1012,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
</itemizedlist>
</section>
<section>
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -1059,7 +1059,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
</warning></para>
</section>
<section>
<section id="Trouble">
<title>If it Doesn't Work</title>
<itemizedlist>
@ -1084,7 +1084,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
</itemizedlist>
</section>
<section>
<section id="Reading">
<title>Additional Recommended Reading</title>
<para>I highly recommend that you review the <ulink

View File

@ -85,7 +85,7 @@
</itemizedlist>
</warning>
<section>
<section id="Intro">
<title>Introduction</title>
<para>Starting with Version 2.5.5, Shorewall has builtin support for
@ -104,7 +104,7 @@
as covered by the next sections.</para>
</section>
<section>
<section id="LinuxTC">
<title>Linux traffic shaping and control</title>
<para>This section gives a brief introduction of how controlling traffic
@ -213,7 +213,7 @@
connection mark value to the current packet's mark (RESTORE).</para>
</section>
<section>
<section id="Kernel">
<title>Linux Kernel Configuration</title>
<para>You will need at least kernel 2.4.18 for this to work, please take a
@ -234,7 +234,7 @@
<graphic align="center" fileref="images/traffic_shaping2.6.png" />
</section>
<section>
<section id="Shorewall">
<title>Enable TC support in Shorewall</title>
<para>You need this support whether you use the builtin support or whether
@ -267,7 +267,7 @@
</itemizedlist>
</section>
<section>
<section id="Builtin">
<title>Using builtin traffic shaping/control</title>
<para>Shorewall's builtin traffic shaping feature provides a thin layer on
@ -327,7 +327,7 @@
url="http://www.speedcheck.arcor.de/cgi-bin/speedcheck.cgi">arcor speed
check</ulink>). Be sure to choose a test located near you.</para>
<section>
<section id="tcdevices">
<title>/etc/shorewall/tcdevices</title>
<para>This file allows you to define the incoming and outgoing bandwidth
@ -384,7 +384,7 @@
</listitem>
</itemizedlist>
<example>
<example id="Example0">
<title></title>
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
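Review bot: `id="Example0"` starts the numbering at zero, while every other document in this commit starts at `Example1` and the remaining examples in this same file run `Example1`..`Example5`. Either renumber this file to `Example1`..`Example6`, or, if the later five ids should stay stable, give this one a descriptive id such as `tcdevicesExample` instead of the odd zero.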
@ -396,7 +396,7 @@ ppp0 6000kbit 500kbit</programlisting>
</example>
</section>
<section>
<section id="tcclasses">
<title>/etc/shorewall/tcclasses</title>
<para>This file allows you to define the actual classes that are used to
@ -499,7 +499,7 @@ ppp0 6000kbit 500kbit</programlisting>
</itemizedlist>
</section>
<section>
<section id="tcrules">
<title>/etc/shorewall/tcrules</title>
<para>The fwmark classifier provides a convenient way to classify
@ -772,7 +772,7 @@ ppp0 6000kbit 500kbit</programlisting>
</listitem>
</itemizedlist>
<example>
<example id="Example1">
<title></title>
<para>All packets arriving on eth1 should be marked with 1. All
@ -786,7 +786,7 @@ ppp0 6000kbit 500kbit</programlisting>
3 $FW 0.0.0.0/0 all</programlisting>
</example>
<example>
<example id="Example2">
<title></title>
<para>All GRE (protocol 47) packets not originating on the firewall
@ -796,7 +796,7 @@ ppp0 6000kbit 500kbit</programlisting>
12 0.0.0.0/0 155.182.235.151 47</programlisting>
</example>
<example>
<example id="Example3">
<title></title>
<para>All SSH request packets originating in 192.168.1.0/24 and
@ -806,7 +806,7 @@ ppp0 6000kbit 500kbit</programlisting>
22 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example>
<example>
<example id="Example4">
<title></title>
<para>All SSH packets packets going out of the first device in in
@ -819,7 +819,7 @@ ppp0 6000kbit 500kbit</programlisting>
1:110 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
</example>
<example>
<example id="Example5">
<title></title>
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
@ -852,7 +852,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
</example>
</section>
<section>
<section id="ppp">
<title>ppp devices</title>
<para>If you use ppp/pppoe/pppoa) to connect to your internet provider
@ -871,10 +871,10 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
/sbin/shorewall refresh</programlisting>
</section>
<section>
<section id="Real">
<title>Real life examples</title>
<section>
<section id="Wondershaper">
<title>Configuration to replace Wondershaper</title>
<para>You are able to fully replace the wondershaper script by using
@ -890,14 +890,14 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
that this is just an 1:1 replacement doing exactly what wondershaper
should do. You are free to change it...</para>
<section>
<section id="realtcd">
<title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
ppp0 5000kbit 500kbit</programlisting>
</section>
<section>
<section id="realtcc">
<title>tcclasses file</title>
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
@ -906,7 +906,7 @@ ppp0 2 9*full/10 9*full/10 2 default
ppp0 3 8*full/10 8*full/10 2</programlisting>
</section>
<section>
<section id="realtcr">
<title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
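Review bot: `realtcd`, `realtcc` and `realtcr` in this hunk (and `simpletcd`, `simpletcc`, `simpletcr`, `lowpro` below) are abbreviations nobody writing a link will guess, and they mix lowercase with the capitalised ids (`Real`, `Wondershaper`, `Builtin`) used elsewhere in the same file. Ids built from the section titles, such as `WondershaperTcdevices` and `SimpleTcdevices`, are self-describing and avoid a rename once external links exist.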
@ -923,7 +923,7 @@ ppp0 3 8*full/10 8*full/10 2</programlisting>
the example configuration files).</para>
</section>
<section>
<section id="lowpro">
<title>Setting hosts to low priority</title>
<para>lets assume the following settings from your old wondershaper
@ -957,7 +957,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
</section>
</section>
<section>
<section id="simiple">
<title>A simple setup</title>
<para>This is a simple setup for people sharing an internet connection
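Review bot: `id="simiple"` is misspelled (`simple`); ids become link targets that are painful to change after publication, so it should be corrected before this ships rather than in a follow-up.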
@ -965,7 +965,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
between 2 hosts which have the ip addresses 192.168.2.23 and
192.168.2.42</para>
<section>
<section id="simpletcd">
<title>tcdevices file</title>
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
@ -974,7 +974,7 @@ ppp0 6000kbit 700kbit</programlisting>
<para>We have 6mbit down and 700kbit upstream.</para>
</section>
<section>
<section id="simpletcc">
<title>tcclasses file</title>
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
@ -990,7 +990,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
same priority. The last class is for the remaining traffic.</para>
</section>
<section>
<section id="simpletcr">
<title>tcrules file</title>
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
@ -1007,7 +1007,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
</section>
</section>
<section>
<section id="Xen">
<title>A Warning to Xen Users</title>
<para>If you are running traffic shaping in your dom0 and traffic shaping
@ -1041,7 +1041,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
instructions.</para>
</section>
<section>
<section id="External">
<title id="tcstart">Using your own tc script</title>
<section id="owntcstart">
@ -1077,7 +1077,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
</orderedlist>
</section>
<section>
<section id="Start">
<title>Traffic control outside Shorewall</title>
<para>To start traffic shaping when you bring up your network
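Review bot: `id="Start"` on the "Traffic control outside Shorewall" section is misleading, because the same commit uses `Start` for the "shorewall start / shorewall restart errors" section of the troubleshooting document, and a reader following `#Start` would expect that. Something like `OutsideShorewall` or `StandaloneTC` describes this section better.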
@ -1099,7 +1099,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
</section>
</section>
<section>
<section id="Testing">
<title>Testing Tools</title>
<para>At least one Shorewall user has found this tool helpful: <ulink

View File

@ -32,11 +32,11 @@
</legalnotice>
</articleinfo>
<section>
<section id="Start">
<title><quote>shorewall start</quote> and <quote>shorewall restart</quote>
Errors</title>
<section>
<section id="Start-shell">
<title>Shorewall-shell</title>
<para>If you use the Shorewall-shell compiler and you receive an error
@ -78,7 +78,7 @@
</listitem>
</itemizedlist>
<example>
<example id="Example1">
<title>Startup Error</title>
<para>During startup, a user sees the following:</para>
@ -107,7 +107,7 @@ iptables: No chain/target/match by that name
</example>
</section>
<section>
<section id="Start-perl">
<title>Shorewall-perl</title>
<para>If the error is detected by the Shorewall-perl compiler, it should
@ -187,7 +187,7 @@ gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
</section>
</section>
<section>
<section id="Network">
<title>Your Network Environment</title>
<para>Many times when people have problems with Shorewall, the problem is
@ -222,7 +222,7 @@ gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
</itemizedlist>
</section>
<section>
<section id="NewDevice">
<title>New Device Doesn't Work?</title>
<para>If you have just added a new device such as VOIP and it doesn't
@ -235,7 +235,7 @@ gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
url="Documentation.htm#INterfaces">/etc/shorewall/interfaces</ulink>.</para>
</section>
<section>
<section id="Connections">
<title>Connection Problems</title>
<para>One very important thing to remember is that not all connection
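Review bot: the context line `url="Documentation.htm#INterfaces"` in this hunk has an oddly capitalised fragment; fragment identifiers are case-sensitive, so unless `Documentation.htm` really defines an anchor spelled `INterfaces` the link is broken. Since this commit is assigning anchors across the documentation, it is a good moment to confirm that target exists.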
@ -289,7 +289,7 @@ LOGBURST=""</programlisting>This way, you will see all of the log messages
being generated (be sure to restart shorewall after clearing these
variables).</para>
<example>
<example id="Example2">
<title>Log Message</title>
<programlisting>Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
@ -345,7 +345,7 @@ ACCEPT dmz loc udp 53</programlisting>
</example>
</section>
<section>
<section id="Ping">
<title>Ping Problems</title>
<para>Either can't ping when you think you should be able to or are able
@ -388,7 +388,7 @@ Ping/DROP net all</programlisting>
</itemizedlist>
</section>
<section>
<section id="Other">
<title>Some Things to Keep in Mind</title>
<itemizedlist>
@ -444,7 +444,7 @@ Ping/DROP net all</programlisting>
</itemizedlist>
</section>
<section>
<section id="More">
<title>Other Gotchas</title>
<itemizedlist>
@ -503,7 +503,7 @@ Ping/DROP net all</programlisting>
</itemizedlist>
</section>
<section>
<section id="Support">
<title>Still Having Problems?</title>
<para>See the <ulink url="support.htm">Shorewall Support

View File

@ -44,7 +44,7 @@
system.</emphasis></para>
</caution>
<section>
<section id="Intro">
<title>Introduction</title>
<para>Setting up a Linux system as a firewall for a small network is a
@ -74,7 +74,8 @@
</listitem>
</itemizedlist>
<para>Here is a schematic of a typical installation: <figure label="1">
<para>Here is a schematic of a typical installation: <figure id="Figure1"
label="1">
<title>Common two interface firewall configuration</title>
<mediaobject>
@ -105,7 +106,7 @@
</itemizedlist></para>
</caution></para>
<section>
<section id="System">
<title>System Requirements</title>
<para>Shorewall requires that you have the
@ -122,7 +123,7 @@
through it again making your configuration changes.</para>
</section>
<section>
<section id="Conventions">
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
@ -134,7 +135,7 @@
</section>
</section>
<section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -147,7 +148,7 @@
found in Europe, notably in Austria.</para>
</section>
<section>
<section id="Concepts">
<title>Shorewall Concepts</title>
<para></para>
@ -331,7 +332,7 @@ $FW net ACCEPT</programlisting> The above policy will:
and make any changes that you wish.</para>
</section>
<section>
<section id="Interfaces">
<title>Network Interfaces</title>
<mediaobject>
@ -433,7 +434,7 @@ root@lists:~# </programlisting>
</tip></para>
</section>
<section>
<section id="Addresses">
<title>IP Addresses</title>
<para>Before going further, we should say a few words about Internet
@ -573,7 +574,7 @@ root@lists:~# </programlisting>
</warning></para>
</section>
<section>
<section id="SNAT">
<title>IP Masquerading (SNAT)</title>
<para>The addresses reserved by RFC 1918 are sometimes referred to as
@ -677,14 +678,14 @@ DNAT net loc:<emphasis>&lt;server local ip address&gt;</emphasis>[:<e
supplying the protocol and port(s) as shown in the following
examples.</para>
<para><example label="1">
<para><example id="Example1" label="1">
<title>Web Server</title>
<para>You run a Web Server on computer 2 and you want to forward
incoming <acronym>TCP</acronym> port 80 to that system:
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
Web/DNAT net loc:10.10.10.2</programlisting></para>
</example> <example label="2">
</example> <example id="Example2" label="2">
<title>FTP Server</title>
<para>You run an <acronym>FTP</acronym> Server on computer 1 so you
@ -737,7 +738,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
</important>
</section>
<section>
<section id="DNS">
<title>Domain Name Server (DNS)</title>
<para>Normally, when you connect to your ISP, as part of getting an IP
@ -821,7 +822,8 @@ SSH/ACCEPT loc $FW </programlisting>That rule allows you to run an
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
&lt;macro&gt;/ACCEPT $FW <emphasis>&lt;destination zone&gt;</emphasis></programlisting>The
general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example>
ACCEPT $FW <emphasis>&lt;destination zone&gt; &lt;protocol&gt; &lt;port&gt;</emphasis></programlisting><example
id="Example3">
<title>Web Server on Firewall</title>
<para>You want to run a Web Server on your firewall system:
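Review bot: `<example id="Example3">` in this hunk has no `label` attribute, while `Example1` and `Example2` in the previous hunk carry `label="1"` and `label="2"`. Whether the third example renders as "Example 3" depends on how the stylesheet numbers an unlabelled example that follows explicitly labelled ones; adding `label="3"` makes the numbering explicit and consistent with the other two.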
@ -852,7 +854,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
file to add or delete other connections as required.</para>
</section>
<section>
<section id="Other">
<title>Some Things to Keep in Mind</title>
<itemizedlist>
@ -908,7 +910,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</itemizedlist>
</section>
<section>
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -954,7 +956,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</warning></para>
</section>
<section>
<section id="Trouble">
<title>If it Doesn't Work</title>
<itemizedlist>
@ -979,7 +981,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
</itemizedlist>
</section>
<section>
<section id="Reading">
<title>Additional Recommended Reading</title>
<para>I highly recommend that you review the <ulink
@ -988,7 +990,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
make administering your firewall easier.</para>
</section>
<section>
<section id="Wireless">
<title>Adding a Wireless Segment to your Two-Interface Firewall</title>
<para>Once you have the two-interface setup working, the next logical step