mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 22:30:58 +01:00
Last batch of mindless ID changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6698 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent f8afc6df84
commit c35f8c48d8
@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="Intro">
<title>Introduction</title>
<para>Shorewall version 4 is currently in development and is available for
@ -88,7 +88,7 @@
whichever one suits you in a particular case.</para>
</section>
<section>
<section id="Install">
<title>Installing Shorewall Version 4</title>
<para>You can download the development version of Shorewall Version 4 from
@ -129,7 +129,7 @@
Shorewall.</para>
</section>
<section>
<section id="Prereqs">
<title>Prerequisites for using the Shorewall Version 4 Perl-based
Compiler</title>
@ -161,7 +161,7 @@
</itemizedlist>
</section>
<section>
<section id="Incompatibilities">
<title>Incompatibilities Introduced in the Shorewall Version 4 Perl-based
Compiler</title>
@ -170,7 +170,7 @@
document</ulink> for details.</para>
</section>
<section>
<section id="CompilerSelection">
<title>Compiler Selection</title>
<para>If you only install one compiler, then that compiler will be

@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="What">
<title>Shorewall-perl - What is it?</title>
<para>Shorewall-perl is a companion product to Shorewall. It requires
@ -76,7 +76,7 @@
</itemizedlist>
</section>
<section>
<section id="DownSide">
<title>Shorewall-perl - The down side</title>
<para>While there are advantages to using Shorewall-perl, there are also
@ -504,7 +504,7 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
</itemizedlist>
</section>
<section>
<section id="Install">
<title>Shorewall-perl - Installation</title>
<caution>
@ -529,10 +529,10 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
package.</para>
</section>
<section>
<section id="Using">
<title>Using Shorewall-perl</title>
<section>
<section id="V3.4.3">
<title>Using Shorewall-perl under Shorewall 3.4.2 and Shorewall
3.4.3</title>
@ -557,7 +557,7 @@ eth0 eth1:!192.168.4.9 ...</programlisting></para>
use be specified in <filename>shorewall.conf</filename>.</para>
</section>
<section>
<section id="V4.0.0">
<title>Using Shorewall-perl under Shorewall 3.4.4/4.0.0 Beta and
later.</title>

@ -40,7 +40,7 @@
3.0.0 then please see the documentation for that release</emphasis></para>
</caution>
<section>
<section id="Doesnt">
<title>Shorewall Does not:</title>
<itemizedlist>
@ -90,7 +90,7 @@
</itemizedlist>
</section>
<section>
<section id="Patching">
<title>In Addition:</title>
<itemizedlist>

@ -45,7 +45,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Transparent">
<title>Squid as a Transparent (Interception) Proxy</title>
<important>
@ -141,7 +141,7 @@ httpd_accel_uses_host_header on</programlisting>
</caution>
</section>
<section>
<section id="Configurations">
<title>Configurations</title>
<para>Three different configurations are covered:</para>
@ -256,7 +256,7 @@ DNAT loc dmz:192.0.2.177:3128 tcp 80 - !192.
ACCEPT Z SZ tcp SP
ACCEPT SZ net tcp 80,443</programlisting>
<example>
<example id="Example1">
<title>Squid on the firewall listening on port 8080 with access from the
<quote>loc</quote> zone:</title>

@ -41,7 +41,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Background">
<title>Background</title>
<para>The traditional net-tools contain a program called
@ -52,7 +52,7 @@
class="devicefile">eth0:0</filename>) and ifconfig treats them more or
less like real interfaces.</para>
<example>
<example id="ifconfig">
<title>ifconfig</title>
<programlisting>[root@gateway root]# <command>ifconfig eth0:0</command>
@ -71,7 +71,7 @@ eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55
it allows addresses to be <emphasis>labeled</emphasis> where these labels
take the form of ipconfig virtual interfaces.</para>
<example>
<example id="ip">
<title>ip</title>
<programlisting>[root@gateway root]# <command>ip addr show dev eth0</command>
@ -100,7 +100,7 @@ Device "eth0:0" does not exist.
discussion below.</para>
</section>
<section>
<section id="Adding">
<title>Adding Addresses to Interfaces</title>
<para>Most distributions have a facility for adding additional addresses
@ -143,21 +143,21 @@ iface eth0 inet static
<command>up ip addr add 206.124.146.178/24 brd 206.124.146.255 dev eth0 label eth0:0</command></programlisting>
</section>
<section>
<section id="How">
<title>So how do I handle more than one address on an interface?</title>
<para>The answer depends on what you are trying to do with the interfaces.
In the sub-sections that follow, we'll take a look at common
scenarios.</para>
<section>
<section id="Rules">
<title>Separate Rules</title>
<para>If you need to make a rule for traffic to/from the firewall itself
that only applies to a particular IP address, simply qualify the $FW
zone with the IP address.</para>
<example>
<example id="SSH">
<title>allow SSH from net to eth0:0 above</title>
<para><optional><filename>/etc/shorewall/rules</filename></optional><programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
@ -165,7 +165,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
</example>
</section>
<section>
<section id="DNAT">
<title>DNAT</title>
<para>Suppose that I had set up eth0:0 as above and I wanted to port
@ -178,7 +178,7 @@ ACCEPT net $FW:206.124.146.178 tcp 22</programlisting></para>
DNAT net loc:192.168.1.3 tcp 80 - 206.124.146.178 </programlisting>
</section>
<section>
<section id="SNAT">
<title>SNAT</title>
<para>If you wanted to use eth0:0 as the IP address for outbound
@ -223,7 +223,7 @@ eth0:1 = 206.124.146.179
eth0:2 = 206.124.146.180</programlisting>
</section>
<section>
<section id="NAT">
<title>One-to-one NAT</title>
<para>If you wanted to use one-to-one NAT to link <filename
@ -257,7 +257,7 @@ eth0:2 = 206.124.146.180</programlisting>
pair, you simply qualify the local zone with the internal IP
address.</para>
<example>
<example id="SSH1">
<title>You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.</title>
@ -266,7 +266,7 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
</example>
</section>
<section>
<section id="Subnets">
<title>MULTIPLE SUBNETS</title>
<para>Sometimes multiple IP addresses are used because there are
@ -278,7 +278,7 @@ ACCEPT net loc:192.168.1.3 tcp 22</programlisting></para>
consider the LAN segment itself as a zone and allow your firewall/router
to route between the two subnetworks.</para>
<example>
<example id="subnets">
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You simply want your firewall to route
@ -300,7 +300,7 @@ loc eth1 192.168.1.255,192.168.20.255 <emphasis role="bold">rout
ACCEPT rules for the traffic that you want to permit.</para>
</example>
<example>
<example id="subnets1">
<title>Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to make these subnetworks into

@ -38,7 +38,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="Routing">
<title>Routing vs. Firewalling.</title>
<para>One of the most misunderstood aspects of Shorewall is its
@ -62,7 +62,7 @@
in the following sections.</para>
</section>
<section>
<section id="Netfilter">
<title>Routing and Netfilter</title>
<para>The following diagram shows the relationship between routing
@ -80,7 +80,7 @@
through this maze, depending on where the packet originates. We will look
at each of these separately.</para>
<section>
<section id="Ingress">
<title>Packets Entering the Firewall from Outside</title>
<para>When a packet arrives from outside, it first undergoes Netfilter
@ -132,7 +132,7 @@
alternate routing table.</para>
</section>
<section>
<section id="Local">
<title>Packets Originating on the Firewall</title>
<para>Processing of packets that originate on the firewall itself are
@ -169,7 +169,7 @@
</section>
</section>
<section>
<section id="RoutingTables">
<title>Alternate Routing Table Configuration</title>
<para>The Shorewall 2.x <ulink
@ -186,7 +186,7 @@
prior to 2.3.2.</emphasis></para>
</section>
<section>
<section id="ProxyArp">
<title>Routing and Proxy ARP</title>
<para>There is one instance where Shorewall creates main routing table
@ -211,7 +211,7 @@
<programlisting><emphasis role="bold">ip route add 206.124.146.177 dev eth1</emphasis></programlisting>
</section>
<section>
<section id="MultiISP">
<title>Multiple Internet Connection Support in Shorewall 2.4.2 and
Later</title>

@ -38,7 +38,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="Background">
<title>Background</title>
<para>Systems where Shorewall runs normally function as
@ -70,7 +70,7 @@
</orderedlist>
</section>
<section>
<section id="Application">
<title>Application</title>
<para>There are cases where you want to create a bridge to join two or
@ -79,7 +79,7 @@
article.</para>
<para>If you do need to restrict traffic through the bridge, please refer
to the <ulink url="bridge.html">Shorewall Bridge/Firewall
to the <ulink url="bridge-Shorewall-perl.html">Shorewall Bridge/Firewall
documentation</ulink>. Also please refer to that documentation for
information about how to create a bridge.</para>
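Review bot: The change from `<ulink url="bridge.html">` to `<ulink url="bridge-Shorewall-perl.html">` in this hunk retargets a link rather than adding an element id, so it does not belong under a "mindless ID changes" commit message; confirm that bridge-Shorewall-perl.html exists in the docs tree (the features list touched later in this commit already links to it) and either mention the retargeting in the commit message or split it into its own commit.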
@ -34,7 +34,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="UPnP">
<title>UPnP</title>
<para>In Shorewall 2.2.4, support was added for UPnP (Universal Plug and
@ -78,7 +78,7 @@
<para></para>
</section>
<section>
<section id="linux-igd">
<title>linux-igd Configuration</title>
<para>In /etc/upnpd.conf, you will want:</para>
@ -88,7 +88,7 @@ prerouting_chain_name = UPnP
forward_chain_name = forwardUPnP</programlisting>
</section>
<section>
<section id="Shorewall">
<title>Shorewall Configuration</title>
<para>In <filename>/etc/shorewall/interfaces</filename>, you need the

@ -38,7 +38,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="vpn">
<title>Virtual Private Networking (VPN)</title>
<para>It is often the case that a system behind the firewall needs to be
@ -76,7 +76,7 @@
following: only one system may connect to the remote gateway and there are
firewall configuration requirements as follows:</para>
<table>
<table id="Table1">
<title>/etc/shorewall/rules</title>
<tgroup cols="7">

@ -38,7 +38,7 @@
</legalnotice>
</articleinfo>
<section>
<section id="Taxonomy">
<title>Gateway-to-gateway traffic vs. Host-to-host traffic.</title>
<para>The purpose of a <firstterm>Virtual Private Network</firstterm>
@ -91,7 +91,7 @@
</orderedlist>
</section>
<section>
<section id="Netfilter">
<title>Relationship to Netfilter</title>
<para>When Netfilter is configured on a VPN gateway, each VPN packet goes
@ -118,7 +118,7 @@
<graphic align="center" fileref="images/VPNBasics.png" />
</section>
<section>
<section id="Shorewall">
<title>What does this mean with Shorewall?</title>
<para>When Shorewall is installed on a VPN gateway system, it categorizes
@ -185,7 +185,7 @@
</orderedlist>
</section>
<section>
<section id="Zones">
<title>Defining Remote Zones</title>
<para>Most VPN types are implemented using a virtual network device such
@ -209,7 +209,7 @@ loc eth1 detect
<emphasis role="bold">rem ppp0 192.168.10.0/24</emphasis></programlisting>
</section>
<section>
<section id="Traffic">
<title>Allowing Traffic</title>
<para>Normally, you will just allow all traffic between your remote
@ -224,7 +224,7 @@ loc rem ACCEPT</programlisting>
the remote clients to/from the firewall.</para>
</section>
<section>
<section id="Policies">
<title>Different Firewall Policies for Different Remote Systems</title>
<para>The /etc/shorewall/hosts file comes into play when:</para>
@ -274,7 +274,7 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
<ulink url="IPSEC-2.6.html">kernel 2.6 native IPSEC</ulink>.</para>
</section>
<section>
<section id="tunnels">
<title>Eliminating the /etc/shorewall/tunnels file</title>
<para>The <filename>/etc/shorewall/tunnels</filename> file provides no
@ -285,7 +285,7 @@ rem2 tun+:10.0.1.0/24</emphasis></programlisting>
<filename>/etc/shorewall/tunnels</filename> can be replaced by rules for
some common tunnel types.</para>
<section>
<section id="IPSEC">
<title>IPSEC</title>
<para>/<filename>etc/shorewall/tunnels</filename>:</para>
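Review bot: In the trailing context line `<para>/<filename>etc/shorewall/tunnels</filename>:</para>` the leading slash sits outside the `<filename>` element, so the marked-up path reads `etc/shorewall/tunnels`; while this section is being touched, move the slash inside the element so it matches the PPTP and OpenVPN subsections later in this file, which write `<filename>/etc/shorewall/tunnels</filename>`.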
@ -316,7 +316,7 @@ ACCEPT Z2:1.2.3.4 $FW udp 500</programlisting>
are omitted.</para>
</section>
<section>
<section id="PPTP">
<title>PPTP</title>
<para><filename>/etc/shorewall/tunnels</filename>:</para>
@ -341,7 +341,7 @@ ACCEPT Z1:1.2.3.4 $FW 47</programlisting>
port 1723 rule.</para>
</section>
<section>
<section id="OpenVPN">
<title>OpenVPN</title>
<para><filename>/etc/shorewall/tunnels</filename>:</para>

16
docs/Xen.xml
@ -48,7 +48,7 @@
running kernel 2.6.20 or later.</para>
</caution>
<section>
<section id="Environment">
<title>Xen Network Environment</title>
<para><ulink
@ -104,7 +104,7 @@
</itemizedlist>
</section>
<section>
<section id="Dom0">
<title>Configuring Shorewall in Dom0</title>
<para>As I state in the answer to <ulink url="FAQ.htm#faq2">Shorewall FAQ
@ -147,7 +147,7 @@
only have to worry about protecting the local LAN from the systems running
in the DomU's.</para>
<section>
<section id="shorewall.conf">
<title>/etc/shorewall/shorewall.conf</title>
<para>Because Xen uses normal Linux bridging, you must enable bridge
@ -158,7 +158,7 @@
</blockquote>
</section>
<section>
<section id="zonesfile">
<title>/etc/shorewall/zones</title>
<para>One thing strange about configuring Shorewall in this environment
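Review bot: The new id `zonesfile` breaks the naming pattern of the sibling sections in this file (`shorewall.conf`, `interfaces`, `hosts`, `policy`, `rules`, each named after the file the section describes); unless `zones` is already taken by another id in docs/Xen.xml, rename it to `zones` so intra-document links stay predictable, and if it is taken, say so in the commit message.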
@ -181,7 +181,7 @@ net ipv4 #The local LAN and beyond
</blockquote>
</section>
<section>
<section id="interfaces">
<title>/etc/shorewall/interfaces</title>
<para>We must deal with two network interfaces. We must deal with the
@ -196,7 +196,7 @@ net eth0 detect dhcp
</blockquote>
</section>
<section>
<section id="hosts">
<title>/etc/shorewall/hosts</title>
<para>Here we define the zones <emphasis role="bold">ursa</emphasis> and
@ -218,7 +218,7 @@ net xenbr0:peth0
class="devicefile">peth0</filename> port on the bridge.</para>
</section>
<section>
<section id="policy">
<title>/etc/shorewall/policy</title>
<para>The policies shown here effectively isolate Domains 1...N.</para>
@ -237,7 +237,7 @@ all all REJECT info
</blockquote>
</section>
<section>
<section id="rules">
<title>/etc/shorewall/rules</title>
<para>These rules determine the traffic allowed into and out of the

@ -40,7 +40,7 @@
documentation for that release.</para>
</caution>
<section>
<section id="Before">
<title>Before Xen</title>
<para>Prior to adopting <ulink url="Xen.html">Xen</ulink>, I had a home
@ -72,7 +72,7 @@
<para>The result was a very crowded and noisy room.</para>
</section>
<section>
<section id="After">
<title>After Xen</title>
<para>Xen has allowed me to reduce the noise and clutter considerably. I

@ -47,7 +47,7 @@
running kernel 2.6.20 or later.</para>
</caution>
<section>
<section id="Before">
<title>Before Xen</title>
<para>Prior to adopting <ulink url="Xen.html">Xen</ulink>, I had a home
@ -79,7 +79,7 @@
<para>The result was a very crowded and noisy room.</para>
</section>
<section>
<section id="After">
<title>After Xen</title>
<para>Xen has allowed me to reduce the noise and clutter considerably. I

@ -39,7 +39,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Features">
<title>Features</title>
<itemizedlist>
@ -219,7 +219,7 @@
<listitem>
<para><ulink url="bridge-Shorewall-perl.html"><emphasis
role="bold">Bridge</emphasis>/Firewall support</ulink> </para>
role="bold">Bridge</emphasis>/Firewall support</ulink></para>
</listitem>
</itemizedlist>
</section>

@ -41,7 +41,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Log">
<title>How to Log Traffic Through a Shorewall Firewall</title>
<para>The disposition of packets entering a Shorewall firewall is
@ -95,7 +95,7 @@
</orderedlist>
</section>
<section>
<section id="Where">
<title>Where the Traffic is Logged and How to Change the
Destination</title>
@ -113,7 +113,7 @@
<emphasis>level</emphasis> is the term used by NetFilter. The syslog
documentation uses the term <emphasis>priority</emphasis>.</para>
<section>
<section id="Levels">
<title>Syslog Levels</title>
<para>Syslog levels are a method of describing to syslog (8) the
@ -165,7 +165,7 @@
Shorewall messages written to the console.</para>
</section>
<section>
<section id="ULOG">
<title>Configuring a Separate Log for Shorewall Messages (ulogd)</title>
<para>There are a couple of limitations to syslogd-based logging:</para>
@ -232,7 +232,7 @@ gateway:/etc/shorewall# </programl
</section>
</section>
<section>
<section id="Syslog-ng">
<title>Syslog-ng</title>
<para><ulink
@ -240,7 +240,7 @@ gateway:/etc/shorewall# </programl
is a post describing configuring syslog-ng to work with Shorewall.</para>
</section>
<section>
<section id="Contents">
<title>Understanding the Contents of Shorewall Log Messages</title>
<para>For general information on the contents of Netfilter log messages,

@ -39,7 +39,7 @@
release.</emphasis></para>
</caution>
<section>
<section id="Requirements">
<title>Shorewall Requires:</title>
<itemizedlist>
@ -93,7 +93,7 @@
</itemizedlist>
</section>
<section>
<section id="Perl">
<title>Shorewall-perl Requirements</title>
<para><ulink url="Shorewall-perl.html">Shorewall-perl</ulink> is a
@ -101,6 +101,6 @@
It is much faster than the classic Shorewall-shell compiler and produces a
firewall script that runs much faster. It's prerequisites are described in
<ulink url="Shorewall-perl.html#Prerequisites">the Shorewall-perl
article</ulink>. </para>
article</ulink>.</para>
</section>
</article>
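Review bot: The only change in this hunk is dropping the trailing space in `article</ulink>. </para>`; while touching this paragraph, also fix the context line `It's prerequisites are described in`, which should read `Its prerequisites` (possessive, not the contraction).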
@ -49,7 +49,7 @@
<para>The Russian Translations are courtesy of Alex at tut.by.</para>
<section>
<section id="Before">
<title>Before You Start</title>
<para>Please read the short article <ulink
@ -63,7 +63,7 @@
<para>These guides provide step-by-step instructions for configuring
Shorewall in common firewall setups.</para>
<section>
<section id="Single">
<title>If you want the firewall system to handle a <emphasis
role="bold">single public IP address</emphasis></title>
@ -98,7 +98,7 @@
</itemizedlist></para>
</section>
<section>
<section id="Multi">
<title>If you want the firewall system to handle more than one public IP
address</title>

@ -126,12 +126,12 @@
instructions.</para>
<para>Shorewall views the network where it is running as being composed of
a set of zones. A zone is one or more hosts, which can be defined
as individual hosts or networks in
<filename class="directory">/etc/shorewall/hosts</filename>, or as
an entire interface in <filename
class="directory">/etc/shorewall/interfaces</filename>. In this
guide, we will use the following zones:</para>
a set of zones. A zone is one or more hosts, which can be defined as
individual hosts or networks in <filename
class="directory">/etc/shorewall/hosts</filename>, or as an entire
interface in <filename
class="directory">/etc/shorewall/interfaces</filename>. In this guide, we
will use the following zones:</para>
<variablelist>
<varlistentry>
@ -432,7 +432,7 @@ dmz eth2 detect</programlisting>
than one interface, simply include one entry for each interface and repeat
the zone name as many times as necessary.</para>
<example>
<example id="multi">
<title>Multiple Interfaces to a Zone</title>
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
@ -555,7 +555,7 @@ loc eth2 detect</programlisting>
subnet sizes, the size and its base-2 logarithm are given in the
following table:</para>
<table>
<table id="Logs">
<title>Base-2 Logarithms</title>
<tgroup cols="3">
@ -689,7 +689,7 @@ loc eth2 detect</programlisting>
size n. From the above table, we can derive the following one which is a
little easier to use.</para>
<table>
<table id="vlsm">
<title>VLSM</title>
<tgroup cols="3">
@ -849,7 +849,7 @@ loc eth2 detect</programlisting>
<quote><emphasis role="bold">a.b.c.d/v</emphasis></quote> using
<emphasis>CIDR Notation</emphasis>. Example:</para>
<table>
<table id="Subnet">
<title>Subnet</title>
<tgroup cols="2">
@ -891,7 +891,7 @@ loc eth2 detect</programlisting>
<para>There are two degenerate subnets that need mentioning; namely, the
subnet with one member and the subnet with 2 ** 32 members.</para>
<table>
<table id="degenerate">
<title>/32 and /0</title>
<tgroup cols="4">
@ -945,7 +945,7 @@ loc eth2 detect</programlisting>
address <emphasis role="bold">a.b.c.d</emphasis> and with the netmask
that corresponds to VLSM /<emphasis role="bold">v</emphasis>.</para>
<example>
<example id="Example0">
<title>192.0.2.65/29</title>
<para>The interface is configured with IP address 192.0.2.65 and
@ -955,7 +955,7 @@ loc eth2 detect</programlisting>
<para>/sbin/shorewall supports an ipcalc command that automatically
calculates information about a [sub]network.</para>
<example>
<example id="Example1">
<title>Using the <command>ipcalc </command>command</title>
<programlisting>shorewall ipcalc 10.10.10.0/25
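Review bot: The context line `<title>Using the <command>ipcalc </command>command</title>` has the separating space inside the `<command>` element, which renders as a trailing space in the monospace token; the title of the next example (`<command>ipcalc</command> command`) has it right, so move the space outside the element here as well.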
@ -966,7 +966,7 @@ loc eth2 detect</programlisting>
</programlisting>
</example>
<example>
<example id="Example2">
<title>Using the <command>ipcalc</command> command</title>
<programlisting>shorewall ipcalc 10.10.10.0 255.255.255.128
@ -1075,8 +1075,8 @@ Destination Gateway Genmask Flgs MSS Win irtt Iface
requests -- they are totally independent.</para>
</section>
<section>
<title id="ARP">Address Resolution Protocol (ARP)</title>
<section id="ARP">
<title>Address Resolution Protocol (ARP)</title>
<para>When sending packets over Ethernet, IP addresses aren't used.
Rather Ethernet addressing is based on <emphasis>Media Access
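Review bot: Moving the `id` from `<title id="ARP">` onto `<section id="ARP">` is the right fix, since xref and ulink fragments should resolve to the section rather than to its title; the same pattern is corrected for `NAT` further down in this file, so grep the file for any remaining `<title id=` to make sure none are left behind.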
@ -1580,8 +1580,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
rather than with the firewall's eth0.</para>
</section>
<section>
<title id="NAT">One-to-one NAT</title>
<section id="NAT">
<title>One-to-one NAT</title>
<para>With one-to-one NAT, you assign local systems RFC 1918 addresses
then establish a one-to-one mapping between those addresses and public
@ -2336,7 +2336,7 @@ foobar.net. 86400 IN A 192.0.2.177
86400 IN MX 1 <backup MX>.</programlisting>
</section>
<section>
<section id="Other">
<title>Some Things to Keep in Mind</title>
<itemizedlist>

@ -47,7 +47,7 @@
system.</emphasis></para>
</caution>
<section>
<section id="Introduction">
<title>Introduction</title>
<para>Setting up Shorewall on a standalone Linux system is very easy if
@ -74,7 +74,7 @@
</listitem>
</itemizedlist>
<section>
<section id="System">
<title>System Requirements</title>
<para>Shorewall requires that you have the
@ -90,7 +90,7 @@
[root@gateway root]#</programlisting>
</section>
<section>
<section id="Before">
<title>Before you start</title>
<para>I recommend that you read through the guide first to familiarize
@ -121,7 +121,7 @@
</caution>
</section>
<section>
<section id="Conventions">
<title>Conventions</title>
<para>Points at which configuration changes are recommended are flagged
@ -130,7 +130,7 @@
</section>
</section>
<section>
<section id="PPTP">
<title>PPTP/ADSL</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -143,7 +143,7 @@
found in Europe, notably in Austria.</para>
</section>
<section>
<section id="Concepts">
<title>Shorewall Concepts</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -311,7 +311,7 @@ all all REJECT info</programlisting>
and make any changes that you wish.</para>
</section>
<section>
<section id="External">
<title>External Interface</title>
<para>The firewall has a single network interface. Where Internet
@ -377,7 +377,7 @@ root@lists:~# </programlisting>
</tip>
</section>
<section>
<section id="Addresses">
<title>IP Addresses</title>
<para>Before going further, we should say a few words about
@ -455,7 +455,7 @@ root@lists:~# </programlisting>
role="bold">SECTION NEW.</emphasis></para>
</important>
<example>
<example id="Example1">
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
@ -472,7 +472,7 @@ IMAP/ACCEPT net $FW</programlisting>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net $FW <emphasis><protocol></emphasis> <emphasis><port></emphasis></programlisting>
<example>
<example id="Example2">
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
@ -499,7 +499,7 @@ SSH/ACCEPT net $FW </programlisting>
other connections as desired.</para>
</section>
<section>
<section id="Starting">
<title>Starting and Stopping Your Firewall</title>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -549,7 +549,7 @@ SSH/ACCEPT net $FW </programlisting>
</warning>
</section>
<section>
<section id="Problems">
<title>If it Doesn't Work</title>
<itemizedlist>
@ -574,7 +574,7 @@ SSH/ACCEPT net $FW </programlisting>
</itemizedlist>
</section>
<section>
<section id="Other">
<title>Additional Recommended Reading</title>
<para>I highly recommend that you review the <ulink
@ -582,91 +582,4 @@ SSH/ACCEPT net $FW </programlisting>
page</ulink> -- it contains helpful tips about Shorewall features than
make administering your firewall easier.</para>
</section>
<appendix>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>2.0</revnumber>
<date>2005-09-12</date>
<authorinitials>TE</authorinitials>
<revremark>More 3.0 Updates</revremark>
</revision>
<revision>
<revnumber>1.9</revnumber>
<date>2005-09-02</date>
<authorinitials>CR</authorinitials>
<revremark>Update for Shorewall 3.0</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>
<date>2005-07-12</date>
<authorinitials>TE</authorinitials>
<revremark>Change reference to rfc1918 to bogons.</revremark>
</revision>
<revision>
<revnumber>1.7</revnumber>
<date>2004-02-16</date>
<authorinitials>TE</authorinitials>
<revremark>Move /etc/shorewall/rfc1918 to
/usr/share/shorewall.</revremark>
</revision>
<revision>
<revnumber>1.6</revnumber>
<date>2004-02-05</date>
<authorinitials>TE</authorinitials>
<revremark>Update for Shorewall 2.0</revremark>
</revision>
<revision>
<revnumber>1.5</revnumber>
<date>2004-01-05</date>
<authorinitials>TE</authorinitials>
<revremark>Standards Changes</revremark>
</revision>
<revision>
<revnumber>1.4</revnumber>
<date>2003-12-30</date>
<authorinitials>TE</authorinitials>
<revremark>Add tip about /etc/shorewall/rfc1918 updates.</revremark>
</revision>
<revision>
<revnumber>1.3</revnumber>
<date>2003-11-15</date>
<authorinitials>TE</authorinitials>
<revremark>Initial Docbook Conversion</revremark>
</revision>
</revhistory></para>
</appendix>
</article>
|
@ -47,7 +47,7 @@
|
||||
release</emphasis>.</para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<section id="CLI">
|
||||
<title>/sbin/shorewall and /sbin/shorewall-lite</title>
|
||||
|
||||
<para><filename>/sbin/shorewall</filename> is the program that you use to
|
||||
@ -111,7 +111,7 @@
|
||||
url="Anatomy.html">Shorewall Anatomy article</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Starting">
|
||||
<title>Starting, Stopping and Clearing</title>
|
||||
|
||||
<para>As explained in the <ulink
|
||||
@ -173,7 +173,7 @@
|
||||
State Diagram</link> section.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Trace">
|
||||
<title>Tracing Command Execution</title>
|
||||
|
||||
<para>If you include the word <emphasis role="bold">trace</emphasis> as
|
||||
@ -182,7 +182,7 @@
|
||||
<filename>/usr/share/shorewall/firewall</filename>, execution of the
|
||||
latter program will be traced to STDERR.</para>
|
||||
|
||||
<example>
|
||||
<example id="trace">
|
||||
<title>Tracing <command>shorewall start</command></title>
|
||||
|
||||
<para>To trace the execution of <command>shorewall start</command> and
|
||||
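Review bot: `<example id="trace">` in this hunk differs only by case from the `<section id="Trace">` added in the previous hunk. Both are legal, distinct XML IDs, but a `linkend` typed with the wrong case will resolve to the other element without any validation error, so the mistake will only show up as a wrong jump target in the rendered page. Suggest a clearly different name for the example, e.g. `<example id="TraceExample">`.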
@ -197,7 +197,7 @@
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Boot">
|
||||
<title>Having Shorewall Start Automatically at Boot Time</title>
|
||||
|
||||
<para>The .rpm, .deb and .tgz all try to configure your startup scripts so
|
||||
@ -420,7 +420,7 @@
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Commands">
|
||||
<title>Commands</title>
|
||||
|
||||
<para>The general form of a command in Shorewall 4.0 is:</para>
|
||||
|
@ -48,7 +48,7 @@
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<section id="First">
|
||||
<title>Before Reporting a Problem or Asking a Question</title>
|
||||
|
||||
<para>There are a number of sources of Shorewall information. Please try
|
||||
@ -361,7 +361,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Where">
|
||||
<title>Where to Send your Problem Report or to Ask for Help</title>
|
||||
|
||||
<para><emphasis role="bold">If you haven't read the <link
|
||||
@ -388,14 +388,14 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
|
||||
a #shorewall channel at irc.freenode.net.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Users">
|
||||
<title>Subscribing to the Users Mailing List</title>
|
||||
|
||||
<para>To Subscribe to the users mailing list go to <ulink
|
||||
url="https://lists.sourceforge.net/lists/listinfo/shorewall-users">https://lists.sourceforge.net/lists/listinfo/shorewall-users</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Announce">
|
||||
<title>Subscribing to the Announce Mailing List</title>
|
||||
|
||||
<para>To Subscribe to the announce mailing list (low-traffic,read only) go
|
||||
@ -405,7 +405,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
|
||||
url="https://lists.sourceforge.net/lists/listinfo/shorewall-announce">https://lists.sourceforge.net/lists/listinfo/shorewall-announce</ulink></para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Devel">
|
||||
<title>Subscribing to the Development Mailing List</title>
|
||||
|
||||
<para>To Subscribe to the development mailing list go to <ulink
|
||||
@ -420,7 +420,7 @@ State:Stopped (Thu Mar 30 14:08:11 PDT 2006)</programlisting>
|
||||
role="bold">Doh.......</emphasis></para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Other">
|
||||
<title>Other Mailing Lists</title>
|
||||
|
||||
<para>For information on other Shorewall mailing lists, go to <ulink
|
||||
|
@ -34,7 +34,7 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<section id="Background">
|
||||
<title>Background</title>
|
||||
|
||||
<para>In early March 2006, i embarked on the journey of surveying
|
||||
@ -58,7 +58,7 @@
|
||||
limited and harder to use than Zoomerang.</para>
|
||||
|
||||
<section>
|
||||
<title>Survey and results links</title>
|
||||
<title id="Survey">Survey and results links</title>
|
||||
|
||||
<para>The survey is still open as of this writing, and can be accessed
|
||||
at <ulink url="http://www.zoomerang.com/survey.zgi?p=WEB2253NNBCN44">the
|
||||
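Review bot: the ID in this hunk is put on the title (`<title id="Survey">Survey and results links</title>`) instead of on the enclosing `<section>`, which is where every other hunk in this change places it. Keeping the pattern uniform matters for anyone later grepping `section id=` or writing `linkend`s against these documents; suggest `<section id="Survey">` with the `<title>` line left unchanged.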
@ -72,7 +72,7 @@
|
||||
a link to the results is provided on the thank you page.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Sample">
|
||||
<title>Sample size</title>
|
||||
|
||||
<para>An important note about this survey is that it has a small sample
|
||||
@ -96,7 +96,7 @@
|
||||
installed base, likely far less.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Factors">
|
||||
<title>Other possible inaccuracies</title>
|
||||
|
||||
<para>Additionally, since the survey was open to multiple responses, it
|
||||
@ -115,10 +115,10 @@
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Results">
|
||||
<title>Results analysis</title>
|
||||
|
||||
<section>
|
||||
<section id="Org">
|
||||
<title>Organisations</title>
|
||||
|
||||
<para>Small organisations dominate the spectrum of Shorewall users. The
|
||||
@ -175,7 +175,7 @@
|
||||
Shorewall.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Users">
|
||||
<title>Users</title>
|
||||
|
||||
<para>Unsurprisingly, 97% of survey respondents were male. Or to put it
|
||||
@ -226,16 +226,16 @@
|
||||
users, which is a concern for the future of the project.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Hardware">
|
||||
<title>Hardware</title>
|
||||
|
||||
<para>Ninety-three percent (93%) of users run Shorewall on i386 family
|
||||
hardware, with a further 6% running it on x86-64/EM64T platforms. One
|
||||
response was received indicating use of Shorewall on MIPS (Linksys WRT
|
||||
platform). No responses were received for any other hardware platform.
|
||||
While it is not surprising that Intel would be dominant, given
|
||||
their market share, it seems a little skewed not to have any
|
||||
representatives of other architectures.</para>
|
||||
While it is not surprising that Intel would be dominant, given their
|
||||
market share, it seems a little skewed not to have any representatives
|
||||
of other architectures.</para>
|
||||
|
||||
<para>A good spread of CPU power is shown in the survey responses. The
|
||||
largest group was 400-999 MHz (30%), with only 16% of responses
|
||||
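Review bot: besides the `<section id="Hardware">` change, this hunk re-wraps the unchanged `While it is not surprising that Intel would be dominant ...` paragraph, which is why it is a 16-line hunk rather than a one-line one. The reflow is harmless, but it buries the only real change in this hunk and attaches this commit to lines whose wording did not move; whitespace-only reflow is easier to review in its own commit.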
@ -258,7 +258,7 @@
|
||||
second and third at 22% and 20% respectively.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Network">
|
||||
<title>Network</title>
|
||||
|
||||
<para>The majority of Shorewall systems (82%) use between two and four
|
||||
@ -274,7 +274,7 @@
|
||||
connection, with over half the responses (51%).</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Software">
|
||||
<title>Software</title>
|
||||
|
||||
<para>The most popular Linux distribution on which users run Shorewall
|
||||
@ -314,7 +314,7 @@
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Comments">
|
||||
<title>Comments from users</title>
|
||||
|
||||
<para>Following is a sample of the comments we received about the survey
|
||||
@ -365,10 +365,10 @@
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Lessons">
|
||||
<title>Lessons learned about survey technique</title>
|
||||
|
||||
<section>
|
||||
<section id="Approach1">
|
||||
<title>Treat surveys like releasing free software</title>
|
||||
|
||||
<itemizedlist>
|
||||
@ -392,7 +392,7 @@
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Approach2">
|
||||
<title>Start small and work towards what you want to know with specific,
|
||||
concrete questions</title>
|
||||
|
||||
@ -413,7 +413,7 @@
|
||||
user systems, and doesn't present a user interface per se.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Approach3">
|
||||
<title>Be prepared beforehand</title>
|
||||
|
||||
<para>Within hours of the survey's release, 50% of the results were in.
|
||||
@ -425,7 +425,7 @@
|
||||
and complete downloads of the results.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Approach4">
|
||||
<title>Incrementally improve your surveys</title>
|
||||
|
||||
<para>The final version of this survey was released still with a few
|
||||
@ -436,7 +436,7 @@
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Implications1">
|
||||
<title>Possible implications for the Shorewall project</title>
|
||||
|
||||
<para>The users we have seem, on the whole, rather experienced, and very
|
||||
@ -454,7 +454,7 @@
|
||||
Connect might be a good way to serve the needs of our users.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Implications2">
|
||||
<title>Possible implications for other free software projects</title>
|
||||
|
||||
<itemizedlist>
|
||||
|
@ -47,7 +47,7 @@
|
||||
system.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>Setting up a Linux system as a firewall for a small network with DMZ
|
||||
@ -91,7 +91,7 @@
|
||||
|
||||
<para>Here is a schematic of a typical installation.</para>
|
||||
|
||||
<figure>
|
||||
<figure id="Figure1">
|
||||
<title>schematic of a typical installation</title>
|
||||
|
||||
<mediaobject>
|
||||
@ -101,7 +101,7 @@
|
||||
</mediaobject>
|
||||
</figure>
|
||||
|
||||
<section>
|
||||
<section id="Reqs">
|
||||
<title>Requirements</title>
|
||||
|
||||
<para>Shorewall requires that you have the
|
||||
@ -117,7 +117,7 @@
|
||||
[root@gateway root]#</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Before">
|
||||
<title>Before you start</title>
|
||||
|
||||
<para>I recommend that you first read through the guide to familiarize
|
||||
@ -149,7 +149,7 @@
|
||||
</caution>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Conventions">
|
||||
<title>Conventions</title>
|
||||
|
||||
<para>Points at which configuration changes are recommended are flagged
|
||||
@ -161,7 +161,7 @@
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="PPTP">
|
||||
<title>PPTP/ADSL</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
@ -173,7 +173,7 @@
|
||||
notably in Austria.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Concepts">
|
||||
<title>Shorewall Concepts</title>
|
||||
|
||||
<para>The configuration files for Shorewall are contained in the directory
|
||||
@ -356,10 +356,10 @@ $FW net ACCEPT</programlisting>
|
||||
file and make any changes that you wish.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Interfaces">
|
||||
<title>Network Interfaces</title>
|
||||
|
||||
<figure>
|
||||
<figure id="Figure2">
|
||||
<title>DMZ</title>
|
||||
|
||||
<mediaobject>
|
||||
@ -471,7 +471,7 @@ root@lists:~# </programlisting>
|
||||
</tip>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Addresses">
|
||||
<title>IP Addresses</title>
|
||||
|
||||
<para>Before going further, we should say a few words about Internet
|
||||
@ -532,7 +532,7 @@ root@lists:~# </programlisting>
|
||||
<varname>24</varname> refers to the number of consecutive <quote>1</quote>
|
||||
bits from the left of the subnet mask.</para>
|
||||
|
||||
<table>
|
||||
<table id="Table1">
|
||||
<title>Example sub-network</title>
|
||||
|
||||
<tgroup cols="2">
|
||||
@ -599,7 +599,7 @@ root@lists:~# </programlisting>
|
||||
<para>The remainder of this quide will assume that you have configured
|
||||
your network as shown here:</para>
|
||||
|
||||
<figure>
|
||||
<figure id="Figure3">
|
||||
<title>DMZ</title>
|
||||
|
||||
<mediaobject>
|
||||
@ -627,7 +627,7 @@ root@lists:~# </programlisting>
|
||||
</figure>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="SNAT">
|
||||
<title>IP Masquerading (SNAT)</title>
|
||||
|
||||
<para>The addresses reserved by RFC 1918 are sometimes referred to as
|
||||
@ -731,7 +731,7 @@ DNAT net dmz:<emphasis><server local IP address></emphasis>[:<e
|
||||
role="bold">SECTON NEW.</emphasis></para>
|
||||
</important>
|
||||
|
||||
<example>
|
||||
<example id="Example1">
|
||||
<title>You run a Web Server on DMZ Computer 2 and you want to forward
|
||||
incoming TCP port 80 to that system</title>
|
||||
|
||||
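Review bot: the unchanged context line `role="bold">SECTON NEW.</emphasis>` carries a typo (`SECTON` for `SECTION`; the corresponding line in the first file of this patch reads `SECTION NEW.`). Not introduced by this change, but since the hunk already touches this `<important>` block it is a cheap fix to fold in.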
@ -812,7 +812,7 @@ DNAT loc dmz:10.10.11.2 tcp 80 - $ETH0_IP</pr
|
||||
</important>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="DNS">
|
||||
<title>Domain Name Server (DNS)</title>
|
||||
|
||||
<para>Normally, when you connect to your ISP, as part of getting an IP
|
||||
@ -908,7 +908,7 @@ SSH/ACCEPT loc dmz </programlisting>Those rules allow you to run
|
||||
is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT <emphasis><source zone> <destination zone> <protocol> <port> </emphasis></programlisting></para>
|
||||
|
||||
<example>
|
||||
<example id="Example2">
|
||||
<title>You want to run a publicly-available DNS server on your firewall
|
||||
system</title>
|
||||
|
||||
@ -956,7 +956,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
remove other connections as required.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Other">
|
||||
<title>Some Things to Keep in Mind</title>
|
||||
|
||||
<itemizedlist>
|
||||
@ -1012,7 +1012,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Starting">
|
||||
<title>Starting and Stopping Your Firewall</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
@ -1059,7 +1059,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
</warning></para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Trouble">
|
||||
<title>If it Doesn't Work</title>
|
||||
|
||||
<itemizedlist>
|
||||
@ -1084,7 +1084,7 @@ ACCEPT net $FW tcp 80 </programlisting><it
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Reading">
|
||||
<title>Additional Recommended Reading</title>
|
||||
|
||||
<para>I highly recommend that you review the <ulink
|
||||
|
@ -85,7 +85,7 @@
|
||||
</itemizedlist>
|
||||
</warning>
|
||||
|
||||
<section>
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>Starting with Version 2.5.5, Shorewall has builtin support for
|
||||
@ -104,7 +104,7 @@
|
||||
as covered by the next sections.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="LinuxTC">
|
||||
<title>Linux traffic shaping and control</title>
|
||||
|
||||
<para>This section gives a brief introduction of how controlling traffic
|
||||
@ -213,7 +213,7 @@
|
||||
connection mark value to the current packet's mark (RESTORE).</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Kernel">
|
||||
<title>Linux Kernel Configuration</title>
|
||||
|
||||
<para>You will need at least kernel 2.4.18 for this to work, please take a
|
||||
@ -234,7 +234,7 @@
|
||||
<graphic align="center" fileref="images/traffic_shaping2.6.png" />
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Shorewall">
|
||||
<title>Enable TC support in Shorewall</title>
|
||||
|
||||
<para>You need this support whether you use the builtin support or whether
|
||||
@ -267,7 +267,7 @@
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Builtin">
|
||||
<title>Using builtin traffic shaping/control</title>
|
||||
|
||||
<para>Shorewall's builtin traffic shaping feature provides a thin layer on
|
||||
@ -327,7 +327,7 @@
|
||||
url="http://www.speedcheck.arcor.de/cgi-bin/speedcheck.cgi">arcor speed
|
||||
check</ulink>). Be sure to choose a test located near you.</para>
|
||||
|
||||
<section>
|
||||
<section id="tcdevices">
|
||||
<title>/etc/shorewall/tcdevices</title>
|
||||
|
||||
<para>This file allows you to define the incoming and outgoing bandwidth
|
||||
@ -384,7 +384,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<example>
|
||||
<example id="Example0">
|
||||
<title></title>
|
||||
|
||||
<para>Suppose you are using PPP over Ethernet (DSL) and ppp0 is the
|
||||
@ -396,7 +396,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="tcclasses">
|
||||
<title>/etc/shorewall/tcclasses</title>
|
||||
|
||||
<para>This file allows you to define the actual classes that are used to
|
||||
@ -499,7 +499,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="tcrules">
|
||||
<title>/etc/shorewall/tcrules</title>
|
||||
|
||||
<para>The fwmark classifier provides a convenient way to classify
|
||||
@ -772,7 +772,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<example>
|
||||
<example id="Example1">
|
||||
<title></title>
|
||||
|
||||
<para>All packets arriving on eth1 should be marked with 1. All
|
||||
@ -786,7 +786,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
3 $FW 0.0.0.0/0 all</programlisting>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<example id="Example2">
|
||||
<title></title>
|
||||
|
||||
<para>All GRE (protocol 47) packets not originating on the firewall
|
||||
@ -796,7 +796,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
12 0.0.0.0/0 155.182.235.151 47</programlisting>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<example id="Example3">
|
||||
<title></title>
|
||||
|
||||
<para>All SSH request packets originating in 192.168.1.0/24 and
|
||||
@ -806,7 +806,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
22 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<example id="Example4">
|
||||
<title></title>
|
||||
|
||||
<para>All SSH packets packets going out of the first device in in
|
||||
@ -819,7 +819,7 @@ ppp0 6000kbit 500kbit</programlisting>
|
||||
1:110 0.0.0.0/0 0.0.0.0/0 tcp - 22</programlisting>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<example id="Example5">
|
||||
<title></title>
|
||||
|
||||
<para>Mark all ICMP echo traffic with packet mark 1. Mark all peer to
|
||||
@ -852,7 +852,7 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="ppp">
|
||||
<title>ppp devices</title>
|
||||
|
||||
<para>If you use ppp/pppoe/pppoa) to connect to your internet provider
|
||||
@ -871,10 +871,10 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
|
||||
/sbin/shorewall refresh</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Real">
|
||||
<title>Real life examples</title>
|
||||
|
||||
<section>
|
||||
<section id="Wondershaper">
|
||||
<title>Configuration to replace Wondershaper</title>
|
||||
|
||||
<para>You are able to fully replace the wondershaper script by using
|
||||
@ -890,14 +890,14 @@ SAVE 0.0.0.0/0 0.0.0.0/0 all - - -
|
||||
that this is just an 1:1 replacement doing exactly what wondershaper
|
||||
should do. You are free to change it...</para>
|
||||
|
||||
<section>
|
||||
<section id="realtcd">
|
||||
<title>tcdevices file</title>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
ppp0 5000kbit 500kbit</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="realtcc">
|
||||
<title>tcclasses file</title>
|
||||
|
||||
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
@ -906,7 +906,7 @@ ppp0 2 9*full/10 9*full/10 2 default
|
||||
ppp0 3 8*full/10 8*full/10 2</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="realtcr">
|
||||
<title>tcrules file</title>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
@ -923,7 +923,7 @@ ppp0 3 8*full/10 8*full/10 2</programlisting>
|
||||
the example configuration files).</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="lowpro">
|
||||
<title>Setting hosts to low priority</title>
|
||||
|
||||
<para>lets assume the following settings from your old wondershaper
|
||||
@ -957,7 +957,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="simiple">
|
||||
<title>A simple setup</title>
|
||||
|
||||
<para>This is a simple setup for people sharing an internet connection
|
||||
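Review bot: `<section id="simiple">` in this hunk is misspelled. The sub-section IDs that follow it (`simpletcd`, `simpletcc`, `simpletcr`) all spell it `simple`, so this should be `<section id="simple">`. Worth fixing before anything links to it, since renaming an ID later means chasing every `linkend` that uses it.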
@ -965,7 +965,7 @@ NOPRIOPORTDST="6662 6663" </programlisting>
|
||||
between 2 hosts which have the ip addresses 192.168.2.23 and
|
||||
192.168.2.42</para>
|
||||
|
||||
<section>
|
||||
<section id="simpletcd">
|
||||
<title>tcdevices file</title>
|
||||
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
@ -974,7 +974,7 @@ ppp0 6000kbit 700kbit</programlisting>
|
||||
<para>We have 6mbit down and 700kbit upstream.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="simpletcc">
|
||||
<title>tcclasses file</title>
|
||||
|
||||
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
@ -990,7 +990,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
|
||||
same priority. The last class is for the remaining traffic.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="simpletcr">
|
||||
<title>tcrules file</title>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER
|
||||
@ -1007,7 +1007,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Xen">
|
||||
<title>A Warning to Xen Users</title>
|
||||
|
||||
<para>If you are running traffic shaping in your dom0 and traffic shaping
|
||||
@ -1041,7 +1041,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
|
||||
instructions.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="External">
|
||||
<title id="tcstart">Using your own tc script</title>
|
||||
|
||||
<section id="owntcstart">
|
||||
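Review bot: the new `<section id="External">` sits directly above a `<title id="tcstart">` that already carries an ID (unchanged context line), so the same section now has two link targets, one on the section and one on its title. Unless `tcstart` is referenced from elsewhere, keep a single ID on the `<section>` (either `External` or `tcstart`) and drop the one on the `<title>`, matching what the rest of this change does for sections.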
@ -1077,7 +1077,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Start">
|
||||
<title>Traffic control outside Shorewall</title>
|
||||
|
||||
<para>To start traffic shaping when you bring up your network
|
||||
@ -1099,7 +1099,7 @@ ppp0 4 90kbit 200kbit 3 default</pro
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Testing">
|
||||
<title>Testing Tools</title>
|
||||
|
||||
<para>At least one Shorewall user has found this tool helpful: <ulink
|
||||
|
@ -32,11 +32,11 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<section id="Start">
|
||||
<title><quote>shorewall start</quote> and <quote>shorewall restart</quote>
|
||||
Errors</title>
|
||||
|
||||
<section>
|
||||
<section id="Start-shell">
|
||||
<title>Shorewall-shell</title>
|
||||
|
||||
<para>If you use the Shorewall-shell compiler and you receive an error
|
||||
@ -78,7 +78,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<example>
|
||||
<example id="Example1">
|
||||
<title>Startup Error</title>
|
||||
|
||||
<para>During startup, a user sees the following:</para>
|
||||
@ -107,7 +107,7 @@ iptables: No chain/target/match by that name
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Start-perl">
|
||||
<title>Shorewall-perl</title>
|
||||
|
||||
<para>If the error is detected by the Shorewall-perl compiler, it should
|
||||
@ -187,7 +187,7 @@ gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Network">
|
||||
<title>Your Network Environment</title>
|
||||
|
||||
<para>Many times when people have problems with Shorewall, the problem is
|
||||
@ -222,7 +222,7 @@ gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="NewDevice">
|
||||
<title>New Device Doesn't Work?</title>
|
||||
|
||||
<para>If you have just added a new device such as VOIP and it doesn't
|
||||
@ -235,7 +235,7 @@ gateway:~/test # </programlisting>A look at /var/lib/shorewall/restore at line
|
||||
url="Documentation.htm#INterfaces">/etc/shorewall/interfaces</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Connections">
|
||||
<title>Connection Problems</title>
|
||||
|
||||
<para>One very important thing to remember is that not all connection
|
||||
@ -289,7 +289,7 @@ LOGBURST=""</programlisting>This way, you will see all of the log messages
|
||||
being generated (be sure to restart shorewall after clearing these
|
||||
variables).</para>
|
||||
|
||||
<example>
|
||||
<example id="Example2">
|
||||
<title>Log Message</title>
|
||||
|
||||
<programlisting>Jun 27 15:37:56 gateway kernel: Shorewall:all2all:REJECT:IN=eth2
|
||||
@ -345,7 +345,7 @@ ACCEPT dmz loc udp 53</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Ping">
|
||||
<title>Ping Problems</title>
|
||||
|
||||
<para>Either can't ping when you think you should be able to or are able
|
||||
@ -388,7 +388,7 @@ Ping/DROP net all</programlisting>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Other">
|
||||
<title>Some Things to Keep in Mind</title>
|
||||
|
||||
<itemizedlist>
|
||||
@ -444,7 +444,7 @@ Ping/DROP net all</programlisting>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="More">
|
||||
<title>Other Gotchas</title>
|
||||
|
||||
<itemizedlist>
|
||||
@ -503,7 +503,7 @@ Ping/DROP net all</programlisting>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Support">
|
||||
<title>Still Having Problems?</title>
|
||||
|
||||
<para>See the <ulink url="support.htm">Shorewall Support
|
||||
|
@ -44,7 +44,7 @@
|
||||
system.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>Setting up a Linux system as a firewall for a small network is a
|
||||
@ -74,7 +74,8 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>Here is a schematic of a typical installation: <figure label="1">
|
||||
<para>Here is a schematic of a typical installation: <figure id="Figure1"
|
||||
label="1">
|
||||
<title>Common two interface firewall configuration</title>
|
||||
|
||||
<mediaobject>
|
||||
@ -105,7 +106,7 @@
|
||||
</itemizedlist></para>
|
||||
</caution></para>
|
||||
|
||||
<section>
|
||||
<section id="System">
|
||||
<title>System Requirements</title>
|
||||
|
||||
<para>Shorewall requires that you have the
|
||||
@ -122,7 +123,7 @@
|
||||
through it again making your configuration changes.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Conventions">
|
||||
<title>Conventions</title>
|
||||
|
||||
<para>Points at which configuration changes are recommended are flagged
|
||||
@ -134,7 +135,7 @@
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="PPTP">
|
||||
<title>PPTP/ADSL</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
@ -147,7 +148,7 @@
|
||||
found in Europe, notably in Austria.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Concepts">
|
||||
<title>Shorewall Concepts</title>
|
||||
|
||||
<para></para>
|
||||
@ -331,7 +332,7 @@ $FW net ACCEPT</programlisting> The above policy will:
|
||||
and make any changes that you wish.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Interfaces">
|
||||
<title>Network Interfaces</title>
|
||||
|
||||
<mediaobject>
|
||||
@ -433,7 +434,7 @@ root@lists:~# </programlisting>
|
||||
</tip></para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Addresses">
|
||||
<title>IP Addresses</title>
|
||||
|
||||
<para>Before going further, we should say a few words about Internet
|
||||
@ -573,7 +574,7 @@ root@lists:~# </programlisting>
|
||||
</warning></para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="SNAT">
|
||||
<title>IP Masquerading (SNAT)</title>
|
||||
|
||||
<para>The addresses reserved by RFC 1918 are sometimes referred to as
|
||||
@ -677,14 +678,14 @@ DNAT net loc:<emphasis><server local ip address></emphasis>[:<e
|
||||
supplying the protocol and port(s) as shown in the following
|
||||
examples.</para>
|
||||
|
||||
<para><example label="1">
|
||||
<para><example id="Example1" label="1">
|
||||
<title>Web Server</title>
|
||||
|
||||
<para>You run a Web Server on computer 2 and you want to forward
|
||||
incoming <acronym>TCP</acronym> port 80 to that system:
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
Web/DNAT net loc:10.10.10.2</programlisting></para>
|
||||
</example> <example label="2">
|
||||
</example> <example id="Example2" label="2">
|
||||
<title>FTP Server</title>
|
||||
|
||||
<para>You run an <acronym>FTP</acronym> Server on computer 1 so you
|
||||
@ -737,7 +738,7 @@ DNAT net loc:10.10.10.2:80 tcp 5000</programlisting>
|
||||
</important>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="DNS">
|
||||
<title>Domain Name Server (DNS)</title>
|
||||
|
||||
<para>Normally, when you connect to your ISP, as part of getting an IP
|
||||
@ -821,7 +822,8 @@ SSH/ACCEPT loc $FW </programlisting>That rule allows you to run an
|
||||
systems, the general format using a macro is: <programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
<macro>/ACCEPT $FW <emphasis><destination zone></emphasis></programlisting>The
|
||||
general format when not using defined actions is:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
ACCEPT $FW <emphasis><destination zone> <protocol> <port></emphasis></programlisting><example>
|
||||
ACCEPT $FW <emphasis><destination zone> <protocol> <port></emphasis></programlisting><example
|
||||
id="Example3">
|
||||
<title>Web Server on Firewall</title>
|
||||
|
||||
<para>You want to run a Web Server on your firewall system:
|
||||
@ -852,7 +854,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
file to add or delete other connections as required.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Other">
|
||||
<title>Some Things to Keep in Mind</title>
|
||||
|
||||
<itemizedlist>
|
||||
@ -908,7 +910,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Starting">
|
||||
<title>Starting and Stopping Your Firewall</title>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
|
||||
@ -954,7 +956,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
</warning></para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Trouble">
|
||||
<title>If it Doesn't Work</title>
|
||||
|
||||
<itemizedlist>
|
||||
@ -979,7 +981,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Reading">
|
||||
<title>Additional Recommended Reading</title>
|
||||
|
||||
<para>I highly recommend that you review the <ulink
|
||||
@ -988,7 +990,7 @@ ACCEPT loc $FW tcp 80 #Allow Weblet to work</progra
|
||||
make administering your firewall easier.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Wireless">
|
||||
<title>Adding a Wireless Segment to your Two-Interface Firewall</title>
|
||||
|
||||
<para>Once you have the two-interface setup working, the next logical step
|
||||
|