diff --git a/STABLE/changelog.txt b/STABLE/changelog.txt index 64be1589b..f47da6b25 100644 --- a/STABLE/changelog.txt +++ b/STABLE/changelog.txt @@ -1,66 +1,9 @@ -Changes since 1.3.14 +Changes since 1.4.0 -1. All versions changed to 1.4. +1. Implement NONE policy. -2. Rework of error message generation to make the 'firewall' script - smaller. +2. Never create rules for : to itself. -3. Deimplemented MERGE_HOSTS=No. +3. Always allow intrazone traffic. -4. Generate error for : name in interfaces file. - -5. Deimplement old ping handling. - -6. Deimplement 'routestopped' interface/hosts option. - -7. Strip comments from potentially large files while the firewall is - still up and running during 'restart'. - -8. Disallow the old port forwarding/redirection syntax. - -9. Reorganize shorewall.conf. - -10. Added support for LOG target. - -11. Move firewall and version (one more time....) - -12. Add late DNS reply rule to the common chain. - -12. Corrected rule number calculation problem in 'shorewall add' command - processing. - -13. Update Documentation for 1.4 - -14. Remove icmp.def file. - -15. Added CONTINUE rule target. - -16. Added Andrew Zhoglo's fix for logunclean. - -17. Removed 'multi' option. - -18. Support 802.11b devices with maclist. - -19. Don't detect loopback simply by name. - -20. Removed trailing white space from all files. - -21. Improved parsing of comma-separated lists. - -22. Add ECN Removal support - -23. Add TCP ports 445 and 139 to the common silent list. - -24. Remove 'check' command support. - -25. Restore 'check' command support. - -26. Remove unused function find_interface_broadcasts() - -27. Remove stale comments in the params file. - -28. Silently drop INVALID state packets - -29. Ignore the 'default' route when detecting masq'd networks. - -30. REALLY process the params file first now (honest). +4. Correct building of ECN interface list under ash. diff --git a/STABLE/documentation/Documentation.htm b/STABLE/documentation/Documentation.htm index 357fe5341..3fff0057c 100644 --- a/STABLE/documentation/Documentation.htm +++ b/STABLE/documentation/Documentation.htm @@ -2,306 +2,309 @@ - + - + - + Shorewall 1.4 Documentation - - + + - + - + - + - - - + + - + + - - + +
+
- +

Shorewall 1.4 Reference

-
- +

This documentation is intended primarily for reference. - Step-by-step instructions for configuring Shorewall -in common setups may be found in the QuickStart Guides.

- +

Components

- +

Shorewall consists of the following components:

- +
    -
  • params - -- a parameter file installed in /etc/shorewall that can - be used to establish the values of shell variables for use -in other files.
    • -
  • shorewall.conf - -- a parameter file installed in /etc/shorewall that - is used to set several firewall parameters.
    • -
  • zones - - a parameter file installed in /etc/shorewall that defines - a network partitioning into "zones"
    • -
  • policy - -- a parameter file installed in /etc/shorewall/ that - establishes overall firewall policy.
    • -
  • rules - -- a parameter file installed in /etc/shorewall and used - to express firewall rules that are exceptions to the high-level - policies established in /etc/shorewall/policy.
    • -
  • blacklist - -- a parameter file installed in /etc/shorewall and used - to list blacklisted IP/subnet/MAC addresses.
    • -
  • ecn -- a parameter file installed in /etc/shorewall -and used to selectively disable Explicit Congestion Notification (ECN - RFC -3168).
    -
    • -
  • functions -- a set of shell - functions used by both the firewall and shorewall shell programs. - Installed in /etc/shorewall prior to version 1.3.2, in /var/lib/shorewall - in version s 1.3.2-1.3.8 and in /usr/lib/shorewall in later versions.
    • -
  • modules - -- a parameter file installed in /etc/shorewall and that - specifies kernel modules and their parameters. Shorewall will - automatically load the modules specified in this file.
    • -
  • params + -- a parameter file installed in /etc/shorewall that can + be used to establish the values of shell variables for use + in other files.
    • +
  • shorewall.conf + -- a parameter file installed in /etc/shorewall that + is used to set several firewall parameters.
    • +
  • zones + - a parameter file installed in /etc/shorewall that defines + a network partitioning into "zones"
    • +
  • policy + -- a parameter file installed in /etc/shorewall/ that + establishes overall firewall policy.
    • +
  • rules + -- a parameter file installed in /etc/shorewall and +used to express firewall rules that are exceptions to +the high-level policies established in /etc/shorewall/policy.
    • +
  • blacklist + -- a parameter file installed in /etc/shorewall and +used to list blacklisted IP/subnet/MAC addresses.
    • +
  • ecn -- a parameter file installed in /etc/shorewall + and used to selectively disable Explicit Congestion Notification (ECN - RFC + 3168).
    +
    • +
  • functions -- a set of shell + functions used by both the firewall and shorewall shell +programs. Installed in /etc/shorewall prior to version 1.3.2, +in /var/lib/shorewall in version s 1.3.2-1.3.8 and in /usr/lib/shorewall +in later versions.
    • +
  • modules + -- a parameter file installed in /etc/shorewall and that + specifies kernel modules and their parameters. Shorewall will + automatically load the modules specified in this file.
    • +
  • tos -- a parameter file installed in /etc/shorewall that is used to specify how the Type of Service (TOS) field in packets is to be set.
    -
    • -
  • common.def - -- a parameter file installed in in /etc/shorewall that -defines firewall-wide rules that are applied before a DROP -or REJECT policy is applied.
    • -
  • interfaces - -- a parameter file installed in /etc/shorewall/ - and used to describe the interfaces on the firewall system.
    • -
  • hosts -- - a parameter file installed in /etc/shorewall/ and -used to describe individual hosts or subnetworks in zones.
    • -
  • maclist -- a -parameter file installed in /etc/shorewall and used to verify the -MAC address (and possibly also the IP address(es)) of devices.
    -
    • -
  • masq -- This file also describes IP masquerading under Shorewall - and is installed in /etc/shorewall.
    • -
  • +
  • common.def + -- a parameter file installed in in /etc/shorewall that + defines firewall-wide rules that are applied before a DROP + or REJECT policy is applied.
    • +
  • interfaces + -- a parameter file installed in /etc/shorewall/ + and used to describe the interfaces on the firewall system.
    • +
  • hosts + -- a parameter file installed in /etc/shorewall/ and + used to describe individual hosts or subnetworks in +zones.
    • +
  • maclist -- +a parameter file installed in /etc/shorewall and used to verify +the MAC address (and possibly also the IP address(es)) of devices.
    +
    • +
  • masq + - This file also describes IP masquerading under Shorewall + and is installed in /etc/shorewall.
    • +
  • firewall -- a shell - program that reads the configuration files in /etc/shorewall - and configures your firewall. This file is installed -in your init.d directory (/etc/rc.d/init.d ) where it + program that reads the configuration files in /etc/shorewall + and configures your firewall. This file is installed + in your init.d directory (/etc/rc.d/init.d ) where it is renamed shorewall. /etc/shorewall/firewall (/var/lib/shorewall/firewall - in versions 1.3.2-1.3.8 and /usr/lib/shorewall/firewall in 1.3.9 - and later) is a symbolic link to this program.
    • -
  • nat -- - a parameter file in /etc/shorewall used to define +
  • nat +-- a parameter file in /etc/shorewall used to define static NAT .
    • -
  • proxyarp - -- a parameter file in /etc/shorewall used to define proxyarp + -- a parameter file in /etc/shorewall used to define Proxy Arp .
    • -
  • rfc1918 - -- a parameter file in /etc/shorewall used to define the treatment +
  • rfc1918 + -- a parameter file in /etc/shorewall used to define the treatment of packets under the norfc1918 interface option.
    • -
  • routestopped - -- a parameter file in /etc/shorewall used to define those - hosts that can access the firewall when Shorewall is stopped.
    • -
  • routestopped + -- a parameter file in /etc/shorewall used to define those + hosts that can access the firewall when Shorewall is stopped.
    • +
  • tcrules -- a parameter file in /etc/shorewall used to define rules for classifying - packets for Traffic Shaping/Control.
    • -
  • tunnels - -- a parameter file in /etc/shorewall used to define - IPSec tunnels.
    • -
  • shorewall - -- a shell program (requiring a Bourne shell or - derivative) used to control and monitor -the firewall. This should be placed in /sbin or in /usr/sbin - (the install.sh script and the rpm install this file -in /sbin).
    • -
  • version -- a file created - in /etc/shorewall/ (/var/lib/shorewall in version - 1.3.2-1.3.8 and /usr/lib/shorewall beginning in version 1.3.9) - that describes the version of Shorewall installed - on your system.
    • - + packets for Traffic Shaping/Control. +
  • tunnels + -- a parameter file in /etc/shorewall used to define + IPSec tunnels.
    • +
  • shorewall + -- a shell program (requiring a Bourne shell or + derivative) used to control and monitor + the firewall. This should be placed in /sbin or in /usr/sbin + (the install.sh script and the rpm install this file + in /sbin).
    • +
  • version -- a file created + in /etc/shorewall/ (/var/lib/shorewall in version + 1.3.2-1.3.8 and /usr/lib/shorewall beginning in version 1.3.9) + that describes the version of Shorewall installed + on your system.
    • +
- +

/etc/shorewall/params

- +

You may use the file /etc/shorewall/params file to set shell variables - that you can then use in some of the other configuration - files.

+ that you can then use in some of the other configuration + files.

- +

It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally - within the Shorewall programs

+ within the Shorewall programs

- +

Example:

- + 
 	NET_IF=eth0
	NET_BCAST=130.252.100.255
	NET_OPTIONS=blacklist,norfc1918
- +

Example (/etc/shorewall/interfaces record):

- + 
	net $NET_IF $NET_BCAST $NET_OPTIONS
- +

The result will be the same as if the record had been written

- + 
	net eth0 130.252.100.255 blacklist,norfc1918
- +

Variables may be used anywhere in the other configuration - files.

+ files.

- +

/etc/shorewall/zones

- +

This file is used to define the network zones. There is one entry - in /etc/shorewall/zones for each zone; Columns in an entry - are:

+ in /etc/shorewall/zones for each zone; Columns in an entry + are:

- +
    -
  • ZONE - short name for the -zone. The name should be 5 characters or less in length and -consist of lower-case letters or numbers. Short names must begin - with a letter and the name assigned to the firewall is reserved -for use by Shorewall itself. Note that the output produced - by iptables is much easier to read if you select short names +
  • ZONE - short name for the + zone. The name should be 5 characters or less in length +and consist of lower-case letters or numbers. Short names must +begin with a letter and the name assigned to the firewall is +reserved for use by Shorewall itself. Note that the output produced + by iptables is much easier to read if you select short names that are three characters or less in length. The name "all" may not be used as a zone name nor may the zone name assigned to the firewall itself via the FW variable in /etc/shorewall/shorewall.conf.
    • -
  • DISPLAY - The name of the -zone as displayed during Shorewall startup.
    • -
  • COMMENTS - Any comments that - you want to make about the zone. Shorewall ignores these - comments.
    • - +
  • DISPLAY - The name of the + zone as displayed during Shorewall startup.
    • +
  • COMMENTS - Any comments +that you want to make about the zone. Shorewall ignores +these comments.
    • +
- +

The /etc/shorewall/zones file released with Shorewall is as follows:

- + - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + - + - +
ZONE DISPLAY COMMENTS
netNetInternet
locLocalLocal networks
dmzDMZDemilitarized zone
ZONE DISPLAY COMMENTS
netNetInternet
locLocalLocal networks
dmzDMZDemilitarized zone
- +

You may add, delete and modify entries in the /etc/shorewall/zones file - as desired so long as you have at least one zone defined.

+ as desired so long as you have at least one zone defined.

- +

Warning 1: If you rename or delete a zone, you should perform "shorewall - stop; shorewall start" to install the change rather than - "shorewall restart".

+ stop; shorewall start" to install the change rather than + "shorewall restart".

- +

Warning 2: The order of entries in the /etc/shorewall/zones file is - significant in some cases.

+ significant in some cases.

- +

/etc/shorewall/interfaces

- +

This file is used to tell the firewall which of your firewall's network - interfaces are connected to which zone. There will be one - entry in /etc/shorewall/interfaces for each of your interfaces. - Columns in an entry are:

- + interfaces are connected to which zone. There will be +one entry in /etc/shorewall/interfaces for each of your interfaces. + Columns in an entry are:

+
    -
  • ZONE - A zone defined in -the /etc/shorewall/zones file or - "-". If you specify "-", you must use the -/etc/shorewall/hosts file to define the zones - accessed via this interface.
    • -
  • INTERFACE - the name of the - interface (examples: eth0, ppp0, ipsec+). Each interface can - be listed on only one record in this file. DO - NOT INCLUDE THE LOOPBACK INTERFACE (lo) IN THIS FILE!!!
    • -
  • BROADCAST - the broadcast -address(es) for the sub-network(s) attached to the interface. -This should be left empty for P-T-P interfaces (ppp*, ippp*); if - you need to specify options for such an interface, enter "-" +
  • ZONE - A zone defined in + the /etc/shorewall/zones file or + "-". If you specify "-", you must use the + /etc/shorewall/hosts file to define the zones + accessed via this interface.
    • +
  • INTERFACE - the name of +the interface (examples: eth0, ppp0, ipsec+). Each interface +can be listed on only one record in this file. DO NOT INCLUDE THE LOOPBACK INTERFACE +(lo) IN THIS FILE!!!
    • +
  • BROADCAST - the broadcast + address(es) for the sub-network(s) attached to the interface. + This should be left empty for P-T-P interfaces (ppp*, ippp*); +if you need to specify options for such an interface, enter "-" in this column. If you supply the special value "detect" in this column, the firewall will automatically determine the broadcast - address. In order to use "detect": + address. In order to use "detect": - +
      -
    • the -interface must be up before you start your firewall
      • -
    • the interface must only be attached -to a single sub-network (i.e., there must have a single broadcast - address).
      • +
    • the + interface must be up before you start your firewall
      • +
    • the interface must only be attached + to a single sub-network (i.e., there must have a single broadcast + address).
      • - +
    -
    • -
  • OPTIONS - a comma-separated - list of options. Possible options include: +
    • +
  • OPTIONS - a comma-separated + list of options. Possible options include: - +

    tcpflags (added in version 1.3.11) - This option causes Shorewall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these @@ -309,61 +312,62 @@ flag combinations are typically used for "silent" port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed of according to the TCP_FLAGS_DISPOSITION option.
    -
    - blacklist     - This option causes incoming packets - on this interface to be checked against the
    + blacklist - This option causes incoming packets + on this interface to be checked against the     blacklist.
    -
    - dhcp     - The interface is assigned an -IP address via DHCP or is used by a DHCP server running -on the firewall. The firewall will be configured to allow -DHCP traffic to and from the interface even when the firewall - is stopped. You may also wish to use this option if you have a static -IP but you are on a LAN segment that has a lot of Laptops that use -DHCP and you select the norfc1918 option (see below).

    +
    + dhcp - The interface is assigned an + IP address via DHCP or is used by a DHCP server running + on the firewall. The firewall will be configured to allow + DHCP traffic to and from the interface even when the firewall + is stopped. You may also wish to use this option if you have a +static IP but you are on a LAN segment that has a lot of Laptops + that use DHCP and you select the norfc1918 option +(see below).

    - +

    norfc1918 - Packets arriving on this interface and that have a source address that is reserved in RFC 1918 or in other - RFCs will be dropped after being optionally logged. If packet mangling is enabled in /etc/shorewall/shorewall.conf - , then packets arriving on this interface that have a + , then packets arriving on this interface that have a destination address that is reserved by one of these RFCs will also be logged and dropped.
    -
    - Addresses blocked by the standard + Addresses blocked by the standard rfc1918 file include those - addresses reserved by RFC1918 plus other ranges reserved by + addresses reserved by RFC1918 plus other ranges reserved by the IANA or by other RFCs.

    - +

    Beware that as IPv4 addresses become in increasingly short supply, - ISPs are beginning to use RFC 1918 addresses within their - own infrastructure. Also, many cable and DSL "modems" have - an RFC 1918 address that can be used through a web browser for - management and monitoring functions. If you want to specify norfc1918 - on your external interface but need to allow access to certain - addresses from the above list, see FAQ -14.

    + ISPs are beginning to use RFC 1918 addresses within their + own infrastructure. Also, many cable and DSL "modems" have + an RFC 1918 address that can be used through a web browser for + management and monitoring functions. If you want to specify + norfc1918 on your external interface but need to allow +access to certain addresses from the above list, see FAQ 14.

    - +

    routefilter - Invoke the Kernel's route filtering - (anti-spoofing) facility on this interface. The kernel - will reject any packets incoming on this interface that have - a source address that would be routed outbound through another - interface on the firewall. Warning: - If you specify this option for an interface then the - interface must be up prior to starting the firewall.

    + (anti-spoofing) facility on this interface. The kernel + will reject any packets incoming on this interface that have + a source address that would be routed outbound through another + interface on the firewall. Warning: + If you specify this option for an interface then +the interface must be up prior to starting the firewall.

    - +

    dropunclean - Packets from this interface that are selected by the 'unclean' match target in iptables will be optionally logged and then dropped. @@ -372,22 +376,22 @@ the IANA or by other RFCs.

    kernel, either in the kernel itself or as a module. UNCLEAN support is broken in some versions of the kernel but appears to work ok in 2.4.17-rc1.
    -
    - Update 12/17/2001: The - unclean match patch from 2.4.17-rc1 is - available - for download. I am currently running - this patch applied to kernel 2.4.16.

    +
    + Update 12/17/2001: The + unclean match patch from 2.4.17-rc1 is + available + for download. I am currently running + this patch applied to kernel 2.4.16.

    - +

    Update 12/20/2001: I've - seen a number of tcp connection requests - with OPT (020405B40000080A...) being - dropped in the badpkt chain. This appears to be - a bug in the remote TCP stack whereby it is 8-byte aligning - a timestamp (TCP option 8) but rather than padding -with 0x01 it is padding with 0x00. It's a tough call + seen a number of tcp connection requests + with OPT (020405B40000080A...) being + dropped in the badpkt chain. This appears to be + a bug in the remote TCP stack whereby it is 8-byte aligning + a timestamp (TCP option 8) but rather than padding + with 0x01 it is padding with 0x00. It's a tough call whether to deny people access to your servers because of this rather minor bug in their networking software. If you wish to disable the check that causes @@ -396,626 +400,612 @@ these connections to be dropped, against 2.4.17-rc2.

    - +

    logunclean - This option works like dropunclean - with the exception that packets selected - by the 'unclean' match target in iptables -are logged but not dropped. The -level at which the packets are logged is determined by - the setting of LOGUNCLEAN -and if LOGUNCLEAN has not been set, "info" is assumed.

    + with the exception that packets selected + by the 'unclean' match target in iptables + are logged but not dropped. The + level at which the packets are logged is determined by + the setting of LOGUNCLEAN + and if LOGUNCLEAN has not been set, "info" is assumed.

    - +

    proxyarp (Added in version 1.3.5) - This option causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp - and is used when implementing Proxy ARP - Sub-netting as described at - - http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do - not set this option if you are implementing -Proxy ARP through entries in + and is used when implementing Proxy +ARP Sub-netting as described at + + http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. +Do not set this option if you are implementing + Proxy ARP through entries in /etc/shorewall/proxyarp.
    -
    - maclist (Added in version 1.3.10) - -If this option is specified, all connection requests from this -interface are subject to MAC Verification. - May only be specified for ethernet interfaces.

    -
    • - +
    + maclist (Added in version 1.3.10) +- If this option is specified, all connection requests from this + interface are subject to MAC Verification. + May only be specified for ethernet interfaces.

    + +
- +

My recommendations concerning options:
-

- +

+
    -
  • External Interface -- tcpflags,blacklist,norfc1918,routefilter
    • -
  • Wireless Interface -- maclist,routefilter,tcpflags
    -
    • -
  • Don't use dropunclean -- It's broken in - my opinion
    • -
  • Use logunclean only when you are trying - to debug a problem
    • -
  • Use dhcp and proxyarp when needed.
    -
    • - +
  • External Interface -- tcpflags,blacklist,norfc1918,routefilter
    • +
  • Wireless Interface -- maclist,routefilter,tcpflags
    +
    • +
  • Don't use dropunclean -- It's broken +in my opinion
    • +
  • Use logunclean only when you are trying + to debug a problem
    • +
  • Use dhcp and proxyarp when needed.
    +
    • +
- +

- +

Example 1: You have a conventional firewall setup in which eth0 connects - to a Cable or DSL modem and eth1 connects to your local -network and eth0 gets its IP address via DHCP. You want to + to a Cable or DSL modem and eth1 connects to your local + network and eth0 gets its IP address via DHCP. You want to check all packets entering from the internet against the black list. Your /etc/shorewall/interfaces - file would be as follows:

- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,norfc1918,blacklist
loceth1detect
-
-
+ file would be as follows:

-

Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces - file would be:

- +
-
- - + - - - - - - - - - - - - + + + + + + + + + + + + + + + + + - +
ZONE INTERFACE BROADCAST OPTIONS
netppp0
-
-
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,norfc1918,blacklist
loceth1detect
+
-
+
- -

Example 3: You have local interface eth1 with two IP - addresses - 192.168.1.1/24 and 192.168.12.1/24

+ +

Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + file would be:

- +
- + - - - - - - - - - - + + + + + + + + + + - - - + + + - + - + +
ZONE INTERFACE BROADCAST OPTIONS
loceth1
ZONE INTERFACE BROADCAST OPTIONS
netppp0192.168.1.255,192.168.12.255
-

+
+
- -

/etc/shorewall/hosts - Configuration

+ +

Example 3: You have local interface eth1 with two IP + addresses - 192.168.1.1/24 and 192.168.12.1/24

- + +
+ + + + + + + + + + + + + + + + + + + + + + +
ZONE INTERFACE BROADCAST OPTIONS
loceth1192.168.1.255,192.168.12.255
+
+
+ + +

/etc/shorewall/hosts + Configuration

+ +

For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/shorewall/hosts file.

- -

WARNING: 90% of - Shorewall users don't need to put entries in this file and - 80% of those who try to add such entries do it wrong. - Unless you are ABSOLUTELY SURE that you need entries in - this file, don't touch it.

- - + +

WARNING: The only times that you need +entries in /etc/shorewall/hosts are:
+

+
    +
  1. You have more than one zone connecting through a single interface; +or
    2. +
  2. You have a zone that has multiple subnetworks that connect through +a single interface and you want the Shorewall box to route traffic between +those subnetworks.
    +
    3. +
+IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN DON'T TOUCH THIS FILE!!

Columns in this file are:

- -
    -
  • ZONE - A zone defined in -the /etc/shorewall/zones file.
    • -
  • HOST(S) - The name of a network - interface followed by a colon (":") followed by either:
    • - -
- - -
- - -
    - -
  1. An IP address (example - - eth1:192.168.1.3)
    2. - -
  2. A subnet in CIDR notation - (example - eth2:192.168.2.0/24)
    3. - - - -
- - - -

The interface name much match an entry in /etc/shorewall/interfaces.

-
- - -
    -
  • OPTIONS - A comma-separated - list of option
    • - -
- - -
- - -

maclist - Added in version 1.3.10. If specified, connection - requests from the hosts specified in this entry are subject to - MAC Verification. This option is only - valid for ethernet interfaces.
-

-
- - - -

If you don't define any hosts for a zone, the hosts in the zone default - to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are - the interfaces to the zone.

- - - -

Note: You probably DON'T - want to specify any hosts for your internet zone since the hosts that -you specify will be the only ones that you will be able to access without -adding additional rules.

- - - - -

Example:

- - -

Your local interface is eth1 and you have two groups of local hosts that - you want to make into separate zones:

-
    -
  • 192.168.1.0/25
    • -
  • 192.168.1.128/25
    • - +
  • ZONE - A zone defined +in the /etc/shorewall/zones file.
    • +
  • HOST(S) - The name of a +network interface followed by a colon (":") followed +by either:
    • +
-

Your /etc/shorewall/interfaces file might look like:

- -
- - - - - - - - - - - - - - - - - - - - - + + +
    + +
  1. An IP address (example + - eth1:192.168.1.3)
    2. + +
  2. A subnet in CIDR notation + (example - eth2:192.168.2.0/24)
    3. - - -
- - -
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,norfc1918
-eth1detect
-
-
+ + - -

The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces - to multiple zones.

+ +

The interface name much match an entry in /etc/shorewall/interfaces.

+ - - -

Your /etc/shorewall/hosts file might look like:

- - - -
- - - - - - - - - - - - - - - - - - - - - -
ZONE HOST(S) OPTIONS
loc1eth1:192.168.1.0/25
-
loc2eth1:192.168.1.128/25
-
-
- - - - - -

Nested and Overlapping -Zones

- - - -

The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow - you to define nested or overlapping zones. Such overlapping/nested zones - are allowed and Shorewall processes zones in the order that - they appear in the /etc/shorewall/zones file. So if you have - nested zones, you want the sub-zone to appear before the super-zone - and in the case of overlapping zones, the rules that will apply - to hosts that belong to both zones is determined by which zone -appears first in /etc/shorewall/zones.

- - - -

Hosts that belong to more than one zone may be managed by the rules - of all of those zones. This is done through use of the special - CONTINUE policy described below.

- - - -

- /etc/shorewall/policy Configuration.

- - -

This file is used to describe the firewall policy regarding establishment - of connections. Connection establishment is described in -terms of clients who initiate connections and servers -who receive those connection requests. Policies defined -in /etc/shorewall/policy describe which zones are allowed -to establish connections with other zones.

- - - -

Policies established in /etc/shorewall/policy can be viewed as default - policies. If no rule in /etc/shorewall/rules applies to -a particular connection request then the policy from /etc/shorewall/policy - is applied.

- - - -

Four policies are defined:

- - +
    -
  • ACCEPT - The connection is - allowed.
    • -
  • DROP - The connection request - is ignored.
    • -
  • REJECT - The connection request - is rejected with an RST (TCP) or an ICMP destination-unreachable - packet being returned to the client.
    • -
  • CONTINUE - The connection - is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may -be used when one or both of the zones named in the entry are - sub-zones of or intersect with another zone. For more information, - see below.
    • - +
  • OPTIONS - A comma-separated + list of option
    • +
- -

For each policy specified in /etc/shorewall/policy, you can indicate - that you want a message sent to your system log each time - that the policy is applied.

+
+ + +

maclist - Added in version 1.3.10. If specified, connection + requests from the hosts specified in this entry are subject to + MAC Verification. This option is only + valid for ethernet interfaces.
+

+
- -

Entries in /etc/shorewall/policy have four columns as follows:

+ +

If you don't define any hosts for a zone, the hosts in the zone default + to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... +are the interfaces to the zone.

- -
    - -
  1. SOURCE - - The name of a client zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all").
    2. - -
  2. DEST - - The name of a destination zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all"). Shorewall automatically - allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the - SOURCE and DEST columns.
    3. - -
  3. POLICY - - The default policy for connection requests from the SOURCE - zone to the DESTINATION zone.
    4. - -
  4. LOG - LEVEL - Optional. If left empty, no log message is generated - when the policy is applied. Otherwise, this column should contain - an integer or name indicating a syslog level.
    5. - -
  5. LIMIT:BURST - - Optional. If left empty, TCP connection requests - from the SOURCE zone to the DEST zone will - not be rate-limited. Otherwise, this column specifies the maximum - rate at which TCP connection requests will be accepted followed - by a colon (":") followed by the maximum burst size that will be - tolerated. Example: 10/sec:40 specifies that the maximum - rate of TCP connection requests allowed will be 10 per second and - a burst of 40 connections will be tolerated. Connection requests -in excess of these limits will be dropped.
    6. + +

    Note: You probably DON'T + want to specify any hosts for your internet zone since the hosts that + you specify will be the only ones that you will be able to access without + adding additional rules.

    - -
+ + +

Example 1:

- -

In the SOURCE and DEST columns, you can enter "all" to indicate all - zones.

+ +

Your local interface is eth1 and you have two groups of local hosts that + you want to make into separate zones:

+ + +
    +
  • 192.168.1.0/25
    • +
  • 192.168.1.128/
    • + +
+ + +

Your /etc/shorewall/interfaces file might look like:

- -

The policy file installed by default is as follows:

- - - -
- - + +
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - +
SOURCEDEST POLICY LOG LEVELLIMIT:BURST
locnetACCEPT
-
-
netallDROPinfo
-
allallREJECTinfo
-
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,norfc1918
-eth1192.168.1.127,192.168.1.255
+
+
-
+
- -

This table may be interpreted as follows:

+ +

The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + to multiple zones.

- + + +

Your /etc/shorewall/hosts file might look like:

+ + + +
+ + + + + + + + + + + + + + + + + + + + + + +
ZONE HOST(S) OPTIONS
loc1eth1:192.168.1.0/25
+
loc2eth1:192.168.1.128/25
+
+
+ + + + + +

Example 2:

+ + + +

Your local interface is eth1 and you have two groups of local hosts that +you want to consider as one zone and you want Shorewall to route between +them:

+ +
    -
  • All connection requests from the local - network to hosts on the internet are accepted.
    • -
  • All connection requests originating -from the internet are ignored and logged at level KERNEL.INFO.
    • -
  • All other connection requests are rejected - and logged.
    • - +
  • 192.168.1.0/25
    • +
  • 192.168.1.128/25
- -

WARNING:

- - -

The firewall script processes the - /etc/shorewall/policy file from top to bottom and uses - the first applicable policy that it finds. For example, - in the following policy file, the policy for (loc, loc) connections - would be ACCEPT as specified in the first entry even though the - third entry in the file specifies REJECT.

- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + +

Your /etc/shorewall/interfaces file might look like:

- - - - - -
SOURCEDESTPOLICYLOG LEVELLIMIT:BURST
locallACCEPT
-
-
netallDROPinfo
-
loclocREJECTinfo
-
-
- - -

- The CONTINUE policy

- - -

Where zones are nested or overlapping , the - CONTINUE policy allows hosts that are within multiple zones - to be managed under the rules of all of these zones. Let's look - at an example:

- - -

/etc/shorewall/zones:

- -
- + + + + + + + + + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - + + + + + + +
ZONE INTERFACE BROADCAST OPTIONS
neteth0detectdhcp,norfc1918
loc
+ 		eth1192.168.1.127,192.168.1.255
+
+
ZONE DISPLAY COMMENTS
samSamSam's system at home
netInternetThe Internet
locLocLocal Network
+
+ + + + + +

Your /etc/shorewall/hosts file might look like:

+ + + +
+ + + + + + + + + + + + + + + + + + + + + + +
ZONE HOST(S) OPTIONS
loceth1:192.168.1.0/25
+
loceth1:192.168.1.128/25
+
+
+ + + + + +

Nested and Overlapping +Zones

+ + + +

The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow + you to define nested or overlapping zones. Such overlapping/nested zones + are allowed and Shorewall processes zones in the order +that they appear in the /etc/shorewall/zones file. So if you +have nested zones, you want the sub-zone to appear before +the super-zone and in the case of overlapping zones, the rules +that will apply to hosts that belong to both zones is determined +by which zone appears first in /etc/shorewall/zones.

+ + + +

Hosts that belong to more than one zone may be managed by the rules + of all of those zones. This is done through use of the special + CONTINUE policy described below.

+ + + +

+ /etc/shorewall/policy Configuration.

+ + +

This file is used to describe the firewall policy regarding establishment + of connections. Connection establishment is described in +terms of clients who initiate connections and servers + who receive those connection requests. Policies defined + in /etc/shorewall/policy describe which zones are allowed +to establish connections with other zones.

+ + + +

Policies established in /etc/shorewall/policy can be viewed as default + policies. If no rule in /etc/shorewall/rules applies to + a particular connection request then the policy from /etc/shorewall/policy + is applied.

+ + + +

Four policies are defined:

+ + +
    +
  • ACCEPT - The connection +is allowed.
    • +
  • DROP - The connection request + is ignored.
    • +
  • REJECT - The connection +request is rejected with an RST (TCP) or an ICMP destination-unreachable + packet being returned to the client.
    • +
  • CONTINUE - The connection + is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may + be used when one or both of the zones named in the entry are + sub-zones of or intersect with another zone. For more information, + see below.
    • +
  • NONE - (Added in version 1.4.1) - Shorewall should not set up +any infrastructure for handling traffic from the SOURCE zone to the DEST +zone. When this policy is specified, the LOG LEVEL and BURST:LIMIT + columns must be left blank.
    +
    • + +
+ + + +

For each policy specified in /etc/shorewall/policy, you can indicate + that you want a message sent to your system log each time + that the policy is applied.

+ + + +

Entries in /etc/shorewall/policy have four columns as follows:

+ + + +
    + +
  1. +SOURCE - The name of a client zone (a zone defined in the + /etc/shorewall/zones file , the + name of the firewall zone or "all").
    2. + +
  2. +DEST - The name of a destination zone (a zone defined in +the /etc/shorewall/zones file , the + name of the firewall zone or "all"). Shorewall +automatically allows all traffic from the firewall to itself so +the name of the firewall zone cannot appear in both +the SOURCE and DEST columns.
    3. + +
  3. +POLICY - The default policy for connection requests from +the SOURCE zone to the DESTINATION zone.
    4. + +
  4. +LOG LEVEL - Optional. If left empty, no log message is +generated when the policy is applied. Otherwise, this column +should contain an integer or name indicating a syslog level.
    5. + +
  5. LIMIT:BURST + - Optional. If left empty, TCP connection requests + from the SOURCE zone to the DEST zone will + not be rate-limited. Otherwise, this column specifies the maximum + rate at which TCP connection requests will be accepted followed + by a colon (":") followed by the maximum burst size that will be + tolerated. Example: 10/sec:40 specifies that the maximum + rate of TCP connection requests allowed will be 10 per second and + a burst of 40 connections will be tolerated. Connection requests + in excess of these limits will be dropped.
    6. + + + +
+ + + +

In the SOURCE and DEST columns, you can enter "all" to indicate all + zones.

+ + + +

The policy file installed by default is as follows:

+ + + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1023,38 +1013,77 @@ from the internet are ignored and logged at level KERNEL.INFO - +
SOURCEDEST POLICY LOG LEVELLIMIT:BURST
locnetACCEPT
+
+
netallDROPinfo
+
allallREJECTinfo
+
-
+ + + + +

This table may be interpreted as follows:

+ + +
    +
  • All connection requests from the +local network to hosts on the internet are accepted.
    • +
  • All connection requests originating + from the internet are ignored and logged at level KERNEL.INFO.
    • +
  • All other connection requests are +rejected and logged.
    • + +
-

/etc/shorewall/interfaces:

+

WARNING:

-
- +

The firewall script processes the + /etc/shorewall/policy file from top to bottom and uses + the first applicable policy that it finds. For example, + in the following policy file, the policy for (loc, loc) connections + would be ACCEPT as specified in the first entry even though the + third entry in the file specifies REJECT.

+ + +
+ + - + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1062,38 +1091,70 @@ from the internet are ignored and logged at level KERNEL.INFO - +
ZONE INTERFACE BROADCAST OPTIONS
-eth0detectdhcp,norfc1918
loceth1detect
-
SOURCEDESTPOLICYLOG LEVELLIMIT:BURST
locallACCEPT
+
+
netallDROPinfo
+
loclocREJECTinfo
+
-
+
-

/etc/shorewall/hosts:

+

IntraZone Traffic

+Shorewall allows a zone to be associated with more than one interface or +with multiple networks that interface through a single interface. Beginning +with Shorewall 1.4.1, Shorewall will ACCEPT all traffic from a zone to itself +provided that there is no explicit policy governing traffic from that zone +to itself (an explicit policy does not specify "all" in either the SOURCE +or DEST column) and that there are no rules concerning connections from that +zone to itself. If there is an explicit policy or if there are one or more +rules, then traffic within the zone is handled just like traffic between +zones is.
+

Any time that you have multiple interfaces associated with a single zone, +you should ask yourself if you really want traffic routed between those interfaces. +Cases where you might not want that behavior are:
+

+
    +
  1. Multiple 'net' interfaces to different ISPs. You don't want to route +traffic from one ISP to the other through your firewall.
    2. +
  2. Multiple VPN clients. You don't necessarily want them to all be able +to communicate between themselves using your gateway/router.
    +
    3. +
+

+ The CONTINUE policy

-
+

Where zones are nested or overlapping , the + CONTINUE policy allows hosts that are within multiple zones + to be managed under the rules of all of these zones. Let's look + at an example:

+ +

/etc/shorewall/zones:

+ + +
+ - + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + @@ -1102,519 +1163,238 @@ from the internet are ignored and logged at level KERNEL.INFO -
ZONE HOST(S) OPTIONS
neteth0:0.0.0.0/0
-
sameth0:206.191.149.197
-
ZONE DISPLAY COMMENTS
samSamSam's system at home
netInternetThe Internet
locLocLocal Network
-
+
-

Note that Sam's home system is a member of both the sam zone - and the net - zone and as described above , that means - that sam must be listed before net in /etc/shorewall/zones.

+

/etc/shorewall/interfaces:

-

/etc/shorewall/policy:

- - -
+
- + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + +
SOURCE DEST POLICY LOG LEVEL
locnetACCEPT
-
samallCONTINUE
-
netallDROPinfo
allallREJECTinfo
ZONE INTERFACE BROADCAST OPTIONS
-eth0detectdhcp,norfc1918
loceth1detect
+
+
+ + +

/etc/shorewall/hosts:

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + +
ZONE HOST(S) OPTIONS
neteth0:0.0.0.0/0
+
sameth0:206.191.149.197
+
-
+
- -

The second entry above says that when Sam is the client, connection - requests should first be process under rules where the source - zone is sam and if there is no match then the connection - request should be treated under rules where the source zone is - net. It is important that this policy be listed BEFORE -the next policy (net to all).

+ +

Note that Sam's home system is a member of both the sam zone + and the net + zone and as described above , that means + that sam must be listed before net in /etc/shorewall/zones.

- -

Partial /etc/shorewall/rules:

+ +

/etc/shorewall/policy:

- -
+ - + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + - + -
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
...
-
-
-
-
-
-
SOURCE DEST POLICY LOG LEVEL
locnetACCEPT
+
DNATsamloc:192.168.1.3tcpssh-
-
DNATnetloc:192.168.1.5tcpwww-
-
...
-
-
-
-
-
-
samallCONTINUE
+
netallDROPinfo
allallREJECTinfo
-
- - -

Given these two rules, Sam can connect to the firewall's internet interface - with ssh and the connection request will be forwarded to -192.168.1.3. Like all hosts in the net zone, Sam can -connect to the firewall's internet interface on TCP port 80 -and the connection request will be forwarded to 192.168.1.5. The -order of the rules is not significant.

- - -

Sometimes it is necessary to suppress port forwarding - for a sub-zone. For example, suppose that all hosts can -SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT -Sam. When Sam connects to the firewall's external IP, he should -be connected to the firewall itself. Because of the way that Netfilter - is constructed, this requires two rules as follows:

- - -
- -

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST

-
-
-
-
-
-
-
...
-
-
-
-
-
-
DNATsamfwtcpssh-
-
DNATnet!samloc:192.168.1.3tcpssh-
-
...
-
-
-
-
-
-
-

The first rule allows Sam SSH - access to the firewall. The second - rule says that any clients from the - net zone with the exception of those - in the 'sam' zone should have their - connection port forwarded to - 192.168.1.3. If you need to exclude - more than one zone in this way, - you can list -the zones separated by - commas (e.g., net!sam,joe,fred). - This technique also may be used when - the ACTION is REDIRECT.

+

The second entry above says that when Sam is the client, connection + requests should first be process under rules where the +source zone is sam and if there is no match then the +connection request should be treated under rules where the source +zone is net. It is important that this policy be listed +BEFORE the next policy (net to all).

+ +

Partial /etc/shorewall/rules:

- -

- /etc/shorewall/rules

- - - -

The /etc/shorewall/rules file defines exceptions to the policies established - in the /etc/shorewall/policy file. There is one entry in - /etc/shorewall/rules for each of these rules.
-

- -

Shorewall automatically enables firewall->firewall traffic over the - loopback interface (lo) -- that traffic cannot be regulated using - rules and any rule that tries to regulate such traffic will generate - a warning and will be ignored.
-

- - - -

Entries in the file have the following columns:

- -
    -
  • ACTION - - -
      -
    • ACCEPT, DROP, REJECT, CONTINUE. These - have the same meaning here as in the policy file above.
      • -
    • DNAT -- Causes the connection request - to be forwarded to the system specified in the DEST column - (port forwarding). "DNAT" stands for "Destination - Network Address Translation"
      • -
    • DNAT- -- The above ACTION (DNAT) generates two - iptables rules: 1) and header-rewriting rule in the Netfilter 'nat' - table and; 2) an ACCEPT rule in the Netfilter 'filter' table. DNAT- - works like DNAT but only generates the header-rewriting rule.
      -
      • -
    • REDIRECT -- Causes the connection -request to be redirected to a port on the local (firewall) -system.
      • -
    • LOG - Log the packet -- requires a syslog level (see below).
      • - - - -
    - - - -

    The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). -This causes the packet to be logged at the specified level prior -to being processed according to the specified ACTION. Note: if the -ACTION is LOG then you MUST specify a syslog level.
    -
    - The use of DNAT or REDIRECT requires that - you have NAT enabled.
    -

    -
    • -
  • SOURCE - Describes the source -hosts to which the rule applies.. The contents of this field -must begin with the name of a zone defined in /etc/shorewall/zones, - $FW or "all". If the ACTION is DNAT or REDIRECT, sub-zones may - be excluded from the rule by following the initial zone name with - "!' and a comma-separated list of those sub-zones to be excluded. - There is an example above.
    -
    - If the source is not 'all' then the source - may be further restricted by adding a colon (":") followed -by a comma-separated list of qualifiers. Qualifiers are may - include: - - -
      -
    • An interface name - refers to any -connection requests arriving on the specified interface -(example loc:eth4). Beginning with Shorwall 1.3.9, the interface -name may optionally be followed by a colon (":") and an IP address or -subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).
      • -
    • An IP address - refers to a connection - request from the host with the specified address -(example net:155.186.235.151). If the ACTION is DNAT, this must -not be a DNS name.
      • -
    • A MAC Address in Shorewall - format.
      • -
    • A subnet - refers to a connection -request from any host in the specified subnet (example -net:155.186.235.0/24).
      • - - - -
    -
    • -
  • DEST - Describes the destination - host(s) to which the rule applies. May take most of the forms - described above for SOURCE plus the following two additional - forms: - - -
      -
    • An IP address followed by a colon -and the port number that the server -is listening on (service names from /etc/services are not - allowed - example loc:192.168.1.3:80).
      -
      • -
    • A single port number (again, service - names are not allowed) -- this form is only allowed if - the ACTION is REDIRECT and refers to a server running on the firewall - itself and listening on the specified port.
      • - - - -
    -Restrictions:
    -
      -
    • MAC addresses may not be specified.
      • -
    • In DNAT rules, only an IP address may be given -- DNS names are -not permitted.
      • -
    • You may not specify both an IP address and an interface name in -the DEST column.
      -
      • -
    -
    • -
  • PROTO - Protocol. Must be -a protocol name from /etc/protocols, a number or "all". - Specifies the protocol of the connection request.
    • -
  • DEST PORT(S) - Port or -port range (<low port>:<high port>) being connected -to. May only be specified if the protocol is tcp, udp or -icmp. For icmp, this column's contents are interpreted as -an icmp type. If you don't want to specify DEST PORT(S) but need - to include information in one of the columns to the right, - enter "-" in this column. You may give a list of ports and/or port -ranges separated by commas. Port numbers may be either integers -or service names from /etc/services.
    • -
  • SOURCE PORTS(S) - -May be used to restrict the rule to a particular client port -or port range (a port range is specified as <low port number>:<high - port number>). If you don't want to restrict client ports but - want to specify something in the next column, enter "-" in this column. - If you wish to specify a list of port number or ranges, separate - the list elements with commas (with no embedded white space). -Port numbers may be either integers or service names from /etc/services.
    • -
  • ORIGINAL DEST - This column -may only be non-empty if the ACTION is DNAT or REDIRECT.
    -
    - If DNAT or REDIRECT is the ACTION and the - ORIGINAL DEST column is left empty, any connection request - arriving at the firewall from the SOURCE that matches the rule - will be forwarded or redirected. This works fine for connection - requests arriving from the internet where the firewall has -only a single external IP address. When the firewall has multiple - external IP addresses or when the SOURCE is other than the internet, - there will usually be a desire for the rule to only apply to those - connection requests directed to a particular IP address (see - Example 2 below for another usage). That IP address (or a comma-separated - list of such addresses) is specified in the ORIGINAL DEST column.
    -
    - The IP address may be optionally followed - by ":" and a second IP address. This latter address, if present, - is used as the source address for packets forwarded to the -server (This is called "Source NAT" or SNAT).
    - -
    - - Note: When using SNAT, it -is a good idea to qualify the source with an IP address or subnet. -Otherwise, it is likely that SNAT will occur on connections other than -those described in the rule. The reason for this is that SNAT occurs in - the Netfilter POSTROUTING hook where it is not possible to restrict -the scope of a rule by incoming interface.
    -
    -     Example: DNAT loc:192.168.1.0/24 - loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3
    -
    -     If SNAT is not used (no ":" and - second IP address), the original source address is used. - If you want any destination address to match the rule but want - to specify SNAT, simply use a colon followed by the SNAT address.
    • - -
- - - -

Example 1. You wish to forward all - ssh connection requests from the internet to local system - 192.168.1.3.

- - -
+ - + - - - - - - - - + + + + + + + + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -1623,16 +1403,387 @@ the scope of a rule by incoming interface.
- +
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
DNATnetloc:192.168.1.3tcpssh
-
-
...
+
+
+
+
+
+
DNATsamloc:192.168.1.3tcpssh-
+
DNATnetloc:192.168.1.5tcpwww-
+
...
+
+
+
+
+
+
-
+ - + +

Given these two rules, Sam can connect to the firewall's internet interface + with ssh and the connection request will be forwarded to + 192.168.1.3. Like all hosts in the net zone, Sam can + connect to the firewall's internet interface on TCP port 80 + and the connection request will be forwarded to 192.168.1.5. +The order of the rules is not significant.

+ + +

Sometimes it is necessary to suppress port forwarding + for a sub-zone. For example, suppose that all hosts can + SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT +Sam. When Sam connects to the firewall's external IP, he should +be connected to the firewall itself. Because of the way that Netfilter + is constructed, this requires two rules as follows:

+ + +
+ + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST

+
+
+
+
+
+
+
...
+
+
+
+
+
+
DNATsamfwtcpssh-
+
DNATnet!samloc:192.168.1.3tcpssh-
+
...
+
+
+
+
+
+
+
+ + +

The first rule allows Sam SSH + access to the firewall. The second + rule says that any clients from the + net zone with the exception of those + in the 'sam' zone should have their + connection port forwarded to + 192.168.1.3. If you need to exclude + more than one zone in this way, + you can list +the zones separated by + commas (e.g., net!sam,joe,fred). + This technique also may be used when + the ACTION is REDIRECT.

+ + + +

+ /etc/shorewall/rules

+ + + +

The /etc/shorewall/rules file defines exceptions to the policies established + in the /etc/shorewall/policy file. There is one entry in + /etc/shorewall/rules for each of these rules.
+

+ +

Shorewall automatically enables firewall->firewall traffic over the + loopback interface (lo) -- that traffic cannot be regulated using + rules and any rule that tries to regulate such traffic will generate + a warning and will be ignored.
+

+ + + +

Entries in the file have the following columns:

+ +
    +
  • ACTION + + +
      +
    • ACCEPT, DROP, REJECT, CONTINUE. +These have the same meaning here as in the policy file +above.
      • +
    • DNAT -- Causes the connection request + to be forwarded to the system specified in the DEST column + (port forwarding). "DNAT" stands for "Destination + Network Address Translation"
      • +
    • DNAT- -- The above ACTION (DNAT) generates +two iptables rules: 1) and header-rewriting rule in the Netfilter +'nat' table and; 2) an ACCEPT rule in the Netfilter 'filter' table. +DNAT- works like DNAT but only generates the header-rewriting rule.
      +
      • +
    • REDIRECT -- Causes the connection + request to be redirected to a port on the local (firewall) + system.
      • +
    • LOG - Log the packet -- requires a syslog level (see below).
      • + + + +
    + + + +

    The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). +This causes the packet to be logged at the specified level prior +to being processed according to the specified ACTION. Note: if the +ACTION is LOG then you MUST specify a syslog level.
    +
    + The use of DNAT or REDIRECT requires +that you have NAT enabled.
    +

    +
    • +
  • SOURCE - Describes the source + hosts to which the rule applies.. The contents of this field + must begin with the name of a zone defined in /etc/shorewall/zones, + $FW or "all". If the ACTION is DNAT or REDIRECT, sub-zones may + be excluded from the rule by following the initial zone name with + "!' and a comma-separated list of those sub-zones to be excluded. + There is an example above.
    +
    + If the source is not 'all' then the source + may be further restricted by adding a colon (":") followed + by a comma-separated list of qualifiers. Qualifiers are may + include: + + +
      +
    • An interface name - refers to any + connection requests arriving on the specified interface + (example loc:eth4). Beginning with Shorwall 1.3.9, the interface + name may optionally be followed by a colon (":") and an IP address or + subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).
      • +
    • An IP address - refers to a connection + request from the host with the specified address +(example net:155.186.235.151). If the ACTION is DNAT, this must +not be a DNS name.
      • +
    • A MAC Address in Shorewall format.
      • +
    • A subnet - refers to a connection + request from any host in the specified subnet (example + net:155.186.235.0/24).
      • + + + +
    +
    • +
  • DEST - Describes the destination + host(s) to which the rule applies. May take most of the forms + described above for SOURCE plus the following two additional + forms: + + +
      +
    • An IP address followed by a colon + and the port number that the server + is listening on (service names from /etc/services are not + allowed - example loc:192.168.1.3:80).
      +
      • +
    • A single port number (again, service + names are not allowed) -- this form is only allowed +if the ACTION is REDIRECT and refers to a server running on the +firewall itself and listening on the specified port.
      • + + + +
    + Restrictions:
    + +
      +
    • MAC addresses may not be specified.
      • +
    • In DNAT rules, only an IP address may be given -- DNS names are + not permitted.
      • +
    • You may not specify both an IP address and an interface name +in the DEST column.
      +
      • + +
    +
    • +
  • PROTO - Protocol. Must +be a protocol name from /etc/protocols, a number or +"all". Specifies the protocol of the connection request.
    • +
  • DEST PORT(S) - Port +or port range (<low port>:<high port>) being connected + to. May only be specified if the protocol is tcp, udp +or icmp. For icmp, this column's contents are interpreted + as an icmp type. If you don't want to specify DEST PORT(S) but +need to include information in one of the columns to the right, + enter "-" in this column. You may give a list of ports and/or port +ranges separated by commas. Port numbers may be either integers +or service names from /etc/services.
    • +
  • SOURCE PORTS(S) - + May be used to restrict the rule to a particular client port + or port range (a port range is specified as <low port number>:<high + port number>). If you don't want to restrict client ports but + want to specify something in the next column, enter "-" in this +column. If you wish to specify a list of port number or ranges, +separate the list elements with commas (with no embedded white + space). Port numbers may be either integers or service names from +/etc/services.
    • +
  • ORIGINAL DEST - This column + may only be non-empty if the ACTION is DNAT or REDIRECT.
    +
    + If DNAT or REDIRECT is the ACTION and +the ORIGINAL DEST column is left empty, any connection request + arriving at the firewall from the SOURCE that matches the rule + will be forwarded or redirected. This works fine for connection + requests arriving from the internet where the firewall has + only a single external IP address. When the firewall has multiple + external IP addresses or when the SOURCE is other than the internet, + there will usually be a desire for the rule to only apply to those + connection requests directed to a particular IP address (see + Example 2 below for another usage). That IP address (or a comma-separated + list of such addresses) is specified in the ORIGINAL DEST column.
    +
    + The IP address may be optionally followed + by ":" and a second IP address. This latter address, if present, + is used as the source address for packets forwarded to the + server (This is called "Source NAT" or SNAT).
    + +
    + + Note: When using SNAT, it + is a good idea to qualify the source with an IP address or subnet. +Otherwise, it is likely that SNAT will occur on connections other than +those described in the rule. The reason for this is that SNAT occurs in + the Netfilter POSTROUTING hook where it is not possible to restrict +the scope of a rule by incoming interface.
    +
    +     Example: DNAT loc:192.168.1.0/24 + loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3
    +
    +     If SNAT is not used (no ":" +and second IP address), the original source address is +used. If you want any destination address to match the rule +but want to specify SNAT, simply use a colon followed by the SNAT + address.
    • + +
+ + + +

Example 1. You wish to forward all + ssh connection requests from the internet to local system + 192.168.1.3.

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
DNATnetloc:192.168.1.3tcpssh
+
+
+
+ +

Example 2. You want to redirect all local www connection requests - EXCEPT those - to your own http server - (206.124.146.177) to a Squid - transparent proxy running on the firewall + EXCEPT those + to your own http server + (206.124.146.177) to a Squid + transparent proxy running on the firewall and listening on port 3128. Squid will of course require access to remote web servers. This example shows yet another use for the ORIGINAL @@ -1644,556 +1795,191 @@ to remote web servers. This example shows yet destined to 206.124.146.177 are redirected to local port 3128.

- +
+ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
REDIRECTloc3128tcpwww -
- 		!206.124.146.177
ACCEPTfwnettcpwww
-
-
-
- - -

Example 3. You want to run a web server at 155.186.235.222 in -your DMZ and have it accessible remotely and locally. the DMZ is managed - by Proxy ARP or by classical sub-netting.

- - -
- - - + - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + - +
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST		ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
ACCEPTnetdmz:155.186.235.222tcpwww-
-
ACCEPTlocdmz:155.186.235.222tcpwww
-
-
REDIRECTloc3128tcpwww -
+ 		!206.124.146.177
ACCEPTfwnettcpwww
+
+
-
+ - -

Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded - DMZ. Your internet interface address is 155.186.235.151 - and you want the FTP server to be accessible from the internet - in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24 - subnetworks. Note that since the server is in the 192.168.2.0/24 - subnetwork, we can assume that access to the server from that subnet - will not involve the firewall (but see FAQ - 2). Note that unless you - have more than one external - IP address, you can leave - the ORIGINAL DEST column - blank in the first rule. You - cannot leave it blank -in the second rule though - because then all -ftp connections - originating in the local - subnet 192.168.1.0/24 would - be sent to 192.168.2.2 - regardless of the site that - the user was trying to - connect to. That is - clearly not what you -want - .

+ +

Example 3. You want to run a web server at 155.186.235.222 in +your DMZ and have it accessible remotely and locally. the DMZ is managed + by Proxy ARP or by classical sub-netting.

- -
+ - + - - - - - - - + + + + + + + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + -
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST		ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
DNATnetdmz:192.168.2.2tcpftp
-
-
DNATloc:192.168.1.0/24dmz:192.168.2.2tcpftp-155.186.235.151
ACCEPTnetdmz:155.186.235.222tcpwww-
+
ACCEPTlocdmz:155.186.235.222tcpwww
+
+
-
- - - - -

If you are running wu-ftpd, you should restrict the range of passive - in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions - so I use port range 65500-65535. In /etc/ftpaccess, this - entry is appropriate:

- - - - -
- - - -

passive ports 0.0.0.0/0 65500 65534

-
- - - - -

If you are running pure-ftpd, you would include "-p 65500:65534" on - the pure-ftpd runline.

- - - - -

The important point here is to ensure that the port range used for FTP - passive connections is unique and will not overlap with -any usage on the firewall system.

- - - - -

Example 5. You - wish to allow unlimited - DMZ access to the host - with MAC address - 02:00:08:E3:FA:55.

- - - - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDEST PROTODEST
- PORT(S)		SOURCE
- PORT(S)		ORIGINAL
- DEST
ACCEPTloc:~02-00-08-E3-FA-55dmzall
-
-
-
+ +

Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded + DMZ. Your internet interface address is 155.186.235.151 + and you want the FTP server to be accessible from the internet + in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24 + subnetworks. Note that since the server is in the 192.168.2.0/24 + subnetwork, we can assume that access to the server from that subnet + will not involve the firewall (but see FAQ + 2). Note that unless you + have more than one external + IP address, you can leave + the ORIGINAL DEST column + blank in the first rule. You + cannot leave it blank +in the second rule though + because then all + ftp connections + originating in the local + subnet 192.168.1.0/24 would + be sent to 192.168.2.2 + regardless of the site that + the user was trying to + connect to. That +is clearly not what +you want + .

- Example - 6. You wish to allow access to the SMTP server in your DMZ -from all zones.
- -
- - - - - - - - - - - - - - - - - - - - - - - - - -
ACTION
- 		SOURCE
- 		DEST
- 		PROTO
- 		DEST
- PORT(S)
- 		SOURCE
- PORT(S)
- 		ORIGINAL
- DEST
-
ACCEPT
- 		all
- 		dmz
- 		tcp
- 		25
-
-
-
-
- Note: When 'all' is used as a source or destination, - intra-zone traffic is not affected. In this example, if there were - two DMZ interfaces then the above rule would NOT enable SMTP traffic - between hosts on these interfaces.
-
- Example 7 (For advanced users running Shorewall version - 1.3.13 or later). From the internet, you with to forward tcp -port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 -in your DMZ. You also want to allow access from the internet directly -to tcp port 25 on 192.0.2.177.
- -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTION
- 		SOURCE
- 		DEST
- 		PROTO
- 		DEST
- PORT(S)
- 		SOURCE
- PORT(S)
- 		ORIGINAL
- DEST
-
DNAT-
- 		net
- 		dmz:192.0.2.177
- 		tcp
- 		25
- 		0
- 		192.0.2.178
-
DNAT-
- 		net
- 		dmz:192.0.2.177
- 		tcp
- 		25
- 		0
- 		192.0.2.179
-
ACCEPT
- 		net
- 		dmz:192.0.2.177
- 		tcp
- 		25
-
-
-
-
- Using "DNAT-" rather than "DNAT" avoids two extra copies - of the third rule from being generated.
- -

Look here for information on other services. -

- - - - -

- /etc/shorewall/common

- - - - -

Shorewall allows - definition of rules that - apply between all zones. - By default, these rules - are defined in the file - /etc/shorewall/common.def - but may be modified to - suit individual - requirements. Rather - than - modify -/etc/shorewall/common.def, - you should copy that - file to - /etc/shorewall/common - and modify that - file.

- - - - -

The /etc/shorewall/common - file - is expected to - contain iptables - commands; rather than - running iptables - directly, you should run - it indirectly using the - Shorewall function - 'run_iptables'. - That way, if iptables - encounters an error, the - firewall will be safely - stopped.

- - - - -

- /etc/shorewall/masq

- - - - -

The /etc/shorewall/masq file is used to define classical IP Masquerading - and Source Network Address Translation (SNAT). There is one - entry in the file for each subnet that you want to masquerade. - In order to make use of this feature, you must have NAT enabled .

- - - - -

Columns are:

-
    -
  • INTERFACE - The interface -that will masquerade the subnet; this is normally your -internet interface. This interface name can be optionally - qualified by adding ":" and a subnet or host IP. When this - qualification is added, only packets addressed to that host or subnet - will be masqueraded. Beginning with Shorewall version 1.3.14, if -you have set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf, - you can cause Shorewall to create an alias label of the form interfacename:digit - (e.g., eth0:0) by placing that label in this column. See example - 5 below. Alias labels created in this way allow the alias to be visible - to the ipconfig utility. THAT IS THE ONLY THING THAT THIS LABEL -IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.
    • -
  • SUBNET - The subnet that -you want to have masqueraded through the INTERFACE. This -may be expressed as a single IP address, a subnet or an interface - name. In the latter instance, the interface must be configured and - started before Shorewall is started as Shorewall will determine - the subnet based on information obtained from the 'ip' utility. - When using Shorewall 1.3.13 or earlier, when - an interface name is specified, Shorewall will only masquerade traffic -from the first subnetwork on the named interface; if the interface interfaces - to more that one subnetwork, you will need to add additional entries to - this file for each of those other subnetworks. Beginning with Shorewall -1.3.14, shorewall will masquerade/SNAT traffic from any host that is routed -through the named interface.
    -
    - The subnet may be optionally followed by - "!' and a comma-separated list of addresses and/or subnets - that are to be excluded from masquerading.
    • -
  • ADDRESS - The source address -to be used for outgoing packets. This column is optional and -if left blank, the current primary IP address of the interface - in the first column is used. If you have a static IP on that interface, - listing it here makes processing of output packets a little less - expensive for the firewall. If you specify an address in this column, -it must be an IP address configured on the INTERFACE or you must have ADD_SNAT_ALIASES - enabled in /etc/shorewall/shorewall.conf.
    • - -
+
- - -

Example 1: You have eth0 connected to a cable modem and eth1 - connected to your local subnetwork 192.168.9.0/24. Your -/etc/shorewall/masq file would look like:

- - -
- - + - + - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -2203,88 +1989,460 @@ it must be an IP address configured on the INTERFACE or you must have ADD_SNA - +
INTERFACE SUBNETADDRESS
eth0192.168.9.0/24
-
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
DNATnetdmz:192.168.2.2tcpftp
+
+
DNATloc:192.168.1.0/24dmz:192.168.2.2tcpftp-155.186.235.151
-
+
- -

Example 2: You have a number of IPSEC tunnels through ipsec0 - and you want to masquerade traffic from your 192.168.9.0/24 - subnet to the remote subnet 10.1.0.0/16 only.

+ + +

If you are running wu-ftpd, you should restrict the range of passive + in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions + so I use port range 65500-65535. In /etc/ftpaccess, this + entry is appropriate:

- + +
- + + +

passive ports 0.0.0.0/0 65500 65534

+
+ + + + +

If you are running pure-ftpd, you would include "-p 65500:65534" on + the pure-ftpd runline.

+ + + + +

The important point here is to ensure that the port range used for FTP + passive connections is unique and will not overlap with +any usage on the firewall system.

+ + + + +

Example 5. You + wish to allow unlimited + DMZ access to the host + with MAC address + 02:00:08:E3:FA:55.

+ + + + +
+ + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDEST PROTODEST
+ PORT(S)		SOURCE
+ PORT(S)		ORIGINAL
+ DEST
ACCEPTloc:~02-00-08-E3-FA-55dmzall
+
+
+
+
+ + + Example + 6. You wish to allow access to the SMTP server in your DMZ +from all zones.
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTION
+ 		SOURCE
+ 		DEST
+ 		PROTO
+ 		DEST
+ PORT(S)
+ 		SOURCE
+ PORT(S)
+ 		ORIGINAL
+ DEST
+
ACCEPT
+ 		all
+ 		dmz
+ 		tcp
+ 		25
+
+
+
+
+ Note: When 'all' is used as a source or destination, + intra-zone traffic is not affected. In this example, if there were + two DMZ interfaces then the above rule would NOT enable SMTP traffic + between hosts on these interfaces.
+
+ Example 7 (For advanced users running Shorewall version + 1.3.13 or later). From the internet, you with to forward tcp +port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 +in your DMZ. You also want to allow access from the internet directly +to tcp port 25 on 192.0.2.177.
+ +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTION
+ 		SOURCE
+ 		DEST
+ 		PROTO
+ 		DEST
+ PORT(S)
+ 		SOURCE
+ PORT(S)
+ 		ORIGINAL
+ DEST
+
DNAT-
+ 		net
+ 		dmz:192.0.2.177
+ 		tcp
+ 		25
+ 		0
+ 		192.0.2.178
+
DNAT-
+ 		net
+ 		dmz:192.0.2.177
+ 		tcp
+ 		25
+ 		0
+ 		192.0.2.179
+
ACCEPT
+ 		net
+ 		dmz:192.0.2.177
+ 		tcp
+ 		25
+
+
+
+
+ Using "DNAT-" rather than "DNAT" avoids two extra copies + of the third rule from being generated.
+ +

Look here for information on other services. +

+ + + + +

+ /etc/shorewall/common

+ + + + +

Shorewall allows + definition of rules that + apply between all zones. + By default, these rules + are defined in the file + /etc/shorewall/common.def + but may be modified to + suit individual + requirements. Rather + +than modify + /etc/shorewall/common.def, + you should copy that + file to + /etc/shorewall/common + and modify + that file.

+ + + + +

The /etc/shorewall/common + +file is expected to + contain iptables + commands; rather than + running iptables + directly, you should run + it indirectly using +the Shorewall + function 'run_iptables'. + That way, if iptables + encounters an error, the + firewall will be safely + stopped.

+ + + + +

+ /etc/shorewall/masq

+ + + + +

The /etc/shorewall/masq file is used to define classical IP Masquerading + and Source Network Address Translation (SNAT). There is +one entry in the file for each subnet that you want to masquerade. + In order to make use of this feature, you must have NAT enabled .

+ + + + +

Columns are:

+ +
    +
  • INTERFACE - The interface + that will masquerade the subnet; this is normally your + internet interface. This interface name can be optionally + qualified by adding ":" and a subnet or host IP. When this + qualification is added, only packets addressed to that host or +subnet will be masqueraded. Beginning with Shorewall version 1.3.14, +if you have set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf, + you can cause Shorewall to create an alias label of the form + interfacename:digit (e.g., eth0:0) by placing that label +in this column. See example 5 below. Alias labels created in this way +allow the alias to be visible to the ipconfig utility. THAT IS +THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE +ELSE IN YOUR SHOREWALL CONFIGURATION.
    • +
  • SUBNET - The subnet that + you want to have masqueraded through the INTERFACE. This + may be expressed as a single IP address, a subnet or an interface + name. In the latter instance, the interface must be configured +and started before Shorewall is started as Shorewall will determine + the subnet based on information obtained from the 'ip' utility. + When using Shorewall 1.3.13 or earlier, when + an interface name is specified, Shorewall will only masquerade traffic + from the first subnetwork on the named interface; if the interface interfaces + to more that one subnetwork, you will need to add additional entries +to this file for each of those other subnetworks. Beginning with Shorewall +1.3.14, shorewall will masquerade/SNAT traffic from any host that is routed +through the named interface.
    +
    + The subnet may be optionally followed +by "!' and a comma-separated list of addresses and/or subnets + that are to be excluded from masquerading.
    • +
  • ADDRESS - The source address + to be used for outgoing packets. This column is optional and + if left blank, the current primary IP address of the interface + in the first column is used. If you have a static IP on that +interface, listing it here makes processing of output packets +a little less expensive for the firewall. If you specify an address in +this column, it must be an IP address configured on the INTERFACE or +you must have ADD_SNAT_ALIASES enabled in /etc/shorewall/shorewall.conf.
    • + +
+ + + +

Example 1: You have eth0 connected to a cable modem and eth1 + connected to your local subnetwork 192.168.9.0/24. Your + /etc/shorewall/masq file would look like:

+ + +
+ + + + - - - - - - - - - + + + + + + + + + - +
INTERFACE SUBNETADDRESS
ipsec0:10.1.0.0/16192.168.9.0/24
-
INTERFACE SUBNETADDRESS
eth0192.168.9.0/24
+
-
+ -

Example 3: You have a DSL line connected on eth0 and a local - network - (192.168.10.0/24) - connected to eth1. You - want all local->net - connections to use - source address - 206.124.146.176.

+

Example 2: You have a number of IPSEC tunnels through ipsec0 + and you want to masquerade traffic from your 192.168.9.0/24 + subnet to the remote subnet 10.1.0.0/16 only.

- -
- + + +
+ + + - - - - - - - - - - - + + + + + + + + + + - + - + + +
INTERFACE SUBNETADDRESS
eth0192.168.10.0/24206.124.146.176
INTERFACE SUBNETADDRESS
ipsec0:10.1.0.0/16192.168.9.0/24
+
- + +

Example 3: You have a DSL line connected on eth0 and a local + network + (192.168.10.0/24) + connected to eth1. You + want all local->net + connections to use + source address + 206.124.146.176.

+ + +
+ + + + + + + + + + + + + + + + + + + + + + +
INTERFACE SUBNETADDRESS
eth0192.168.10.0/24206.124.146.176
+
+ + +

Example 4: Same as example 3 except that you wish @@ -2295,72 +2453,72 @@ it must be an IP address configured on the INTERFACE or you must have ADD_SNA - +

+ + + + + + + + + + + + + + + + + + + + + + +
INTERFACE SUBNETADDRESS
eth0192.168.10.0/24!192.168.10.44,192.168.10.45206.124.146.176
+
+ + + Example 5 (Shorewall version >= 1.3.14): You have a second + IP address (206.124.146.177) assigned to you and wish to use it for +SNAT of the subnet 192.168.12.0/24. You want to give that address the +name eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
- - - - - - - - - - - - - - - - - - - - - -
INTERFACE SUBNETADDRESS
eth0192.168.10.0/24!192.168.10.44,192.168.10.45206.124.146.176
-
- - -Example 5 (Shorewall version >= 1.3.14): You have a second -IP address (206.124.146.177) assigned to you and wish to use it for SNAT -of the subnet 192.168.12.0/24. You want to give that address the name -eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
-
- + - - - - - - + - - - - + + + + + + + + + - + - +
INTERFACE SUBNETADDRESS
eth0:0192.168.12.0/24206.124.146.177
INTERFACE SUBNETADDRESS
eth0:0192.168.12.0/24206.124.146.177
-
- + +

/etc/shorewall/proxyarp

- +

If you want to use proxy ARP on an entire sub-network, @@ -2370,30 +2528,30 @@ eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/"> http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. - If you decide to use - the technique - described in that - HOWTO, you can set - the proxy_arp flag - for an interface - (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) + If you decide to use + the technique + described in that + HOWTO, you can set + the proxy_arp flag + for an interface + (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) -by including the - proxyarp option - in the interface's - record in - - /etc/shorewall/interfaces. - When using -Proxy ARP - sub-netting, you do - NOT include - any entries in - /etc/shorewall/proxyarp.

+ by including the + proxyarp option + in the interface's + record in + + /etc/shorewall/interfaces. + When using + Proxy ARP + sub-netting, you do + NOT include + any entries in + /etc/shorewall/proxyarp.

- +

The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is typically used for @@ -2401,52 +2559,52 @@ Proxy ARP on a small set of systems since you need one entry - in - this file for each - system using proxy - ARP. Columns are:

- + in + this file for each + system using proxy + ARP. Columns are:

+
    -
  • ADDRESS - address of the -system.
    • -
  • INTERFACE - the interface -that connects to the system. If the interface is obvious -from the subnetting, you may enter "-" in this column.
    • -
  • EXTERNAL - the external interface - that you want to honor ARP requests for the ADDRESS specified - in the first column.
    • -
  • HAVEROUTE - If - you already have - a route through - INTERFACE - to ADDRESS, - this -column should - contain - "Yes" - or - "yes". - If you want - Shorewall to add - the route, the - column should - contain - "No" - or - "no".
    • - +
  • ADDRESS - address of the + system.
    • +
  • INTERFACE - the interface + that connects to the system. If the interface is obvious + from the subnetting, you may enter "-" in this column.
    • +
  • EXTERNAL - the external +interface that you want to honor ARP requests for the +ADDRESS specified in the first column.
    • +
  • HAVEROUTE - If + you already have + a route through + INTERFACE + to ADDRESS, + this + column should + contain + "Yes" + or + "yes". + If you want + Shorewall to add + the route, the + column should + contain + "No" + or + "no".
    • +
- +

Note: After you have made a change to the /etc/shorewall/proxyarp - file, you may need to flush the ARP cache of all routers -on the LAN segment connected to the interface specified in the -EXTERNAL column of the change/added entry(s). If you are having -problems communicating between an individual host (A) on that -segment and a system whose entry has changed, you may need to -flush the ARP cache on host A as well.

+ file, you may need to flush the ARP cache of all routers + on the LAN segment connected to the interface specified in the + EXTERNAL column of the change/added entry(s). If you are having + problems communicating between an individual host (A) on that + segment and a system whose entry has changed, you may need to + flush the ARP cache on host A as well.

- +

ISPs typically have ARP configured with long TTL (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump -nei <external interface> host <IP addr>"), it may @@ -2456,106 +2614,108 @@ order after changing my proxy ARP settings.

- +

Example: You have public IP addresses 155.182.235.0/28. You configure your - firewall as follows:

- + firewall as follows:

+
    -
  • eth0 - 155.186.235.1 (internet connection)
    • -
  • eth1 - 192.168.9.0/24 (masqueraded -local systems)
    • -
  • eth2 - 192.168.10.1 (interface to your - DMZ)
    • - +
  • eth0 - 155.186.235.1 (internet connection)
    • +
  • eth1 - 192.168.9.0/24 (masqueraded + local systems)
    • +
  • eth2 - 192.168.10.1 (interface to +your DMZ)
    • +
- +

In your DMZ, you want to install a Web/FTP server with public address - 155.186.235.4. On the Web server, you subnet just like the - firewall's eth0 and you configure 155.186.235.1 as the default - gateway. In your /etc/shorewall/proxyarp file, you will have:

+ 155.186.235.4. On the Web server, you subnet just like +the firewall's eth0 and you configure 155.186.235.1 as the +default gateway. In your /etc/shorewall/proxyarp file, you +will have:

- +
- + - + - - - - - - - - - - - - + + + + + + + + + + + + - + - + +
ADDRESS INTERFACE EXTERNALHAVEROUTE
155.186.235.4eth2eth0No
ADDRESS INTERFACE EXTERNALHAVEROUTE
155.186.235.4eth2eth0No
-
+ - +

Note: You may want to configure the servers in your DMZ with a subnet - that is smaller than the subnet of your internet interface. - See the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) - for details. In this case you will want to place "Yes" in - the HAVEROUTE column.

+ for details. In this case you will want to place "Yes" +in the HAVEROUTE column.

- +

Warning: Do not use Proxy ARP and FreeS/Wan on the same system unless you are prepared to suffer the consequences. - If you start or restart Shorewall with an IPSEC tunnel active, - the proxied IP addresses are mistakenly assigned to the IPSEC - tunnel device (ipsecX) rather than to the interface that you -specify in the INTERFACE column of /etc/shorewall/proxyarp. I haven't -had the time to debug this problem so I can't say if it is a bug + If you start or restart Shorewall with an IPSEC tunnel active, + the proxied IP addresses are mistakenly assigned to the IPSEC + tunnel device (ipsecX) rather than to the interface that you + specify in the INTERFACE column of /etc/shorewall/proxyarp. I haven't + had the time to debug this problem so I can't say if it is a bug in the Kernel or in FreeS/Wan.

- +

You might be able to work around this problem using the following - (I haven't tried it):

- + (I haven't tried it):

+

In /etc/shorewall/init, include:

- +

qt service ipsec stop

- +

In /etc/shorewall/start, include:

- +

qt service ipsec start

- +

/etc/shorewall/nat

- +

The /etc/shorewall/nat file is used to define static NAT. There is one - entry in the file for each static NAT relationship that -you wish to define. In order to make use of this feature, you -must have NAT enabled .

+ entry in the file for each static NAT relationship that + you wish to define. In order to make use of this feature, +you must have NAT enabled .

- +

IMPORTANT: If @@ -2567,52 +2727,53 @@ must have NAT enabled .

static NAT. Port forwarding can be accomplished - with - simple entries in - the - - rules file. - Also, in most - cases - - Proxy ARP - provides a - superior solution - to static NAT - because the - internal systems + with + simple entries in + the + + rules file. + Also, in most + cases + + Proxy ARP + provides a + superior solution + to static NAT + because the + internal systems are accessed - using - the same IP - address internally - and externally.

+ using + the same IP + address internally + and externally.

- +

Columns in an entry are:

- +
    -
  • EXTERNAL - External IP address - - This should NOT be the primary IP address of the - interface named in the next column.
    • -
  • INTERFACE - Interface that - you want the EXTERNAL IP address to appear on. Beginning - with Shorewall version 1.3.14, if you have set ADD_IP_ALIASES=Yes in +
  • EXTERNAL - External IP +address - This should NOT be the primary IP address +of the interface named in the next column.
    • +
  • INTERFACE - Interface that + you want the EXTERNAL IP address to appear on. Beginning + with Shorewall version 1.3.14, if you have set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf,  you can specify an alias label of the form interfacename:digit (e.g., eth0:0) and Shorewall will create the alias with that label. Alias labels created -in this way allow the alias to be visible to the ipconfig utility. - THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR -ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION. 
    • -
  • INTERNAL - Internal IP address.
    • -
  • ALL - INTERFACES - - If Yes - or yes (or - left - empty), - NAT + in this way allow the alias to be visible to the ipconfig utility. + THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY +NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION. 
    • +
  • INTERNAL - Internal IP +address.
    • +
  • ALL + INTERFACES + - If Yes + or yes (or + left + empty), + NAT will be effective @@ -2622,339 +2783,340 @@ ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION. then NAT will be effective - only - through + only + through -the - interface - named in - the - INTERFACE - column.
    • -
  • LOCAL - If Yes or yes and the - ALL INTERFACES column contains Yes or yes, NAT will be -effective from the firewall system. Note: For + the + interface + named in + the + INTERFACE + column.
    • +
  • LOCAL - If Yes or yes and +the ALL INTERFACES column contains Yes or yes, NAT will +be effective from the firewall system. Note: For this to work, you must be running kernel 2.4.19 or later and iptables 1.2.6a or later and you must have enabled CONFIG_IP_NF_NAT_LOCAL - in your kernel.
    • - + in your kernel. +
- +

Look here for additional information and an example. -

+

- +

/etc/shorewall/tunnels

- +

The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, - OpenVPN and PPTP - tunnels with end-points on your firewall. To use ipsec, you must - install version 1.9, 1.91 or the current OpenVPN and PPTP + tunnels with end-points on your firewall. To use ipsec, you must + install version 1.9, 1.91 or the current FreeS/WAN development snapshot.

- +

Note: For kernels 2.4.4 and above, you will need to use version 1.91 - or a development snapshot as patching with version 1.9 + or a development snapshot as patching with version 1.9 results in kernel compilation errors.

- +

Instructions for setting up IPSEC tunnels may - be found here, instructions - for IPIP and GRE tunnels are here, instructions + for IPIP and GRE tunnels are here, instructions for OpenVPN tunnels are here, and - instructions for PPTP tunnels are here.

- + instructions for PPTP tunnels are here.

+

/etc/shorewall/shorewall.conf

- +

This file is used to set the following firewall parameters:

- +
    -
  • CLEAR_TC - Added at version - 1.3.13
    - If this option is set to 'No' then Shorewall won't clear the -current traffic control rules during [re]start. This setting is intended -for use by people that prefer to configure traffic shaping when the network -interfaces come up rather than when the firewall is started. If that -is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply -an /etc/shorewall/tcstart file. That way, your traffic shaping rules -can still use the 'fwmark' classifier based on packet marking defined -in /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed.
    -
    • -
  • MARK_IN_FORWARD_CHAIN - Added at version 1.3.12
    - If your kernel has a FORWARD chain in the mangle table, - you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified - in the tcrules file to occur - in that chain rather than in the PREROUTING chain. This permits you - to mark inbound traffic based on its destination address when SNAT -or Masquerading are in use. To determine if your kernel has a FORWARD +
  • CLEAR_TC - Added at +version 1.3.13
    + If this option is set to 'No' then Shorewall won't clear the + current traffic control rules during [re]start. This setting is intended + for use by people that prefer to configure traffic shaping when the +network interfaces come up rather than when the firewall is started. +If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and +do not supply an /etc/shorewall/tcstart file. That way, your traffic +shaping rules can still use the 'fwmark' classifier based on packet marking +defined in /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed.
    +
    • +
  • MARK_IN_FORWARD_CHAIN - Added at version 1.3.12
    + If your kernel has a FORWARD chain in the mangle table, + you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified + in the tcrules file to +occur in that chain rather than in the PREROUTING chain. This permits +you to mark inbound traffic based on its destination address when +SNAT or Masquerading are in use. To determine if your kernel has a FORWARD chain in the mangle table, use the "/sbin/shorewall show mangle" command; -if a FORWARD chain is displayed then your kernel will support this + if a FORWARD chain is displayed then your kernel will support this option. If this option is not specified or if it is given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
    -
    • -
  • RFC1918_LOG_LEVEL - Added at version 1.3.12
    - This parameter determines the level at which packets -logged under the 'norfc1918' - mechanism are logged. The value must be a valid +
  • RFC1918_LOG_LEVEL - Added at version 1.3.12
    + This parameter determines the level at which packets + logged under the     'norfc1918' + mechanism are logged. The value must be a valid syslog level and if no level is given, - then info is assumed. Prior to Shorewall version 1.3.12, these packets - are always logged at the info level.
    • -
  • TCP_FLAGS_DISPOSITION - Added in Version -1.3.11
    - Determines the disposition of TCP packets that fail the - checks enabled by the tcpflags interface - option and must have a value of ACCEPT (accept the packet), REJECT - (send an RST response) or DROP (ignore the packet). If not set or -if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP - is assumed.
    • -
  • TCP_FLAGS_LOG_LEVEL - Added in Version + then info is assumed. Prior to Shorewall version 1.3.12, these packets + are always logged at the info level.
    • +
  • TCP_FLAGS_DISPOSITION - Added in Version 1.3.11
    - Determines the syslog - level for logging packets that fail the checks enabled by the + Determines the disposition of TCP packets that fail +the checks enabled by the tcpflags +interface option and must have a value of ACCEPT (accept the packet), +REJECT (send an RST response) or DROP (ignore the packet). If not +set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="") +then TCP_FLAGS_DISPOSITION=DROP is assumed.
    • +
  • TCP_FLAGS_LOG_LEVEL - Added in Version + 1.3.11
    + Determines the syslog + level for logging packets that fail the checks enabled by the tcpflags interface option.The value must be a valid syslogd log level. If you don't want to log these packets, set to the empty value (e.g., TCP_FLAGS_LOG_LEVEL="").
    -
    • -
  • MACLIST_DISPOSITION - Added in Version - 1.3.10
    - Determines the disposition of connections requests - that fail MAC Verification and - must have the value ACCEPT (accept the connection request anyway), REJECT - (reject the connection request) or DROP (ignore the connection request). - If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="") - then MACLIST_DISPOSITION=REJECT is assumed.
    • -
  • MACLIST_LOG_LEVEL - Added in Version - 1.3.10
    - Determines the +
  • MACLIST_DISPOSITION - Added in Version + 1.3.10
    + Determines the disposition of connections requests + that fail     MAC Verification and + must have the value ACCEPT (accept the connection request anyway), REJECT + (reject the connection request) or DROP (ignore the connection request). + If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="") + then MACLIST_DISPOSITION=REJECT is assumed.
    • +
  • MACLIST_LOG_LEVEL - Added in Version + 1.3.10
    + Determines the syslog level for logging connection -requests that fail MAC Verification. -The value must be a valid syslogd log level. If you don't want -to log these connection requests, set to the empty value (e.g., + requests that fail MAC Verification. + The value must be a valid syslogd log level. If you don't want + to log these connection requests, set to the empty value (e.g., MACLIST_LOG_LEVEL="").
    -
    • -
  • NEWNOTSYN - Added in Version 1.3.8
    - When set to "Yes" or "yes", Shorewall will filter - TCP packets that are not part of an established connention -and that are not SYN packets (SYN flag on - ACK flag off). If set -to "No", Shorewall will silently drop such packets. If not set -or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No is -assumed.
    -
    - If you have a HA setup with failover to another - firewall, you should have NEWNOTSYN=Yes on both firewalls. +
    • +
  • NEWNOTSYN - Added in Version 1.3.8
    + When set to "Yes" or "yes", Shorewall will +filter TCP packets that are not part of an established connention + and that are not SYN packets (SYN flag on - ACK flag off). If +set to "No", Shorewall will silently drop such packets. If not +set or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No + is assumed.
    +
    + If you have a HA setup with failover to another + firewall, you should have NEWNOTSYN=Yes on both firewalls. You should also select NEWNOTSYN=Yes if you have asymmetric routing.
    -
    • -
  • LOGNEWNOTSYN - Added in Version -1.3.6
    - Beginning with version 1.3.6, Shorewall -drops non-SYN TCP packets that are not part of an existing -connection. If you would like to log these packets, set LOGNEWNOTSYN -to the syslog level at which -you want the packets logged. Example: LOGNEWNOTSYN=ULOG|
    -
    - Note: Packets logged under this -option are usually the result of broken remote IP stacks -rather than the result of any sort of attempt to breach your -firewall.
    • -
  • DETECT_DNAT_ADDRS - - Added in Version 1.3.4
    - If set to "Yes" or "yes", Shorewall will detect the IP address(es) - of the interface(es) to the source zone and will include this +
    • +
  • LOGNEWNOTSYN - Added in Version + 1.3.6
    + Beginning with version 1.3.6, Shorewall + drops non-SYN TCP packets that are not part of an existing + connection. If you would like to log these packets, set LOGNEWNOTSYN + to the syslog level at which + you want the packets logged. Example: LOGNEWNOTSYN=ULOG|
    +
    + Note: Packets logged under this + option are usually the result of broken remote IP stacks + rather than the result of any sort of attempt to breach your + firewall.
    • +
  • DETECT_DNAT_ADDRS + - Added in Version 1.3.4
    + If set to "Yes" or "yes", Shorewall will detect the IP address(es) + of the interface(es) to the source zone and will include this (these) address(es) in DNAT rules as the original destination IP address. If set to "No" or "no", Shorewall will not detect this (these) address(es) and any destination IP address will match the DNAT rule. If not specified or empty, "DETECT_DNAT_ADDRS=Yes" is assumed.
    -
    • -
  • MULTIPORT - Added in Version - 1.3.2
    - If set to "Yes" or "yes", Shorewall will - use the Netfilter multiport facility. In order to use +
    • +
  • MULTIPORT - Added in +Version 1.3.2
    + If set to "Yes" or "yes", Shorewall will + use the Netfilter multiport facility. In order to use this facility, your kernel must have multiport support (CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used, Shorewall will generate a single rule from each record in the /etc/shorewall/rules file that meets these criteria:
    - +
      -
    • No port range(s) specified
      • -
    • Specifies 15 or fewer ports
      • +
    • No port range(s) specified
      • +
    • Specifies 15 or fewer ports
      • - +
    - +

    Rules not meeting those criteria will continue to generate an individual - rule for each listed port or port range.

    -
    • -
  • NAT_BEFORE_RULES
    - If set to "No" or "no", port forwarding -rules can override the contents of the /etc/shorewall/nat - file. If set to "Yes" or "yes", port forwarding rules cannot - override static NAT. If not set or set to an empty value, "Yes" - is assumed.
    • -
  • FW
    + rule for each listed port or port range.

    +
    • +
  • NAT_BEFORE_RULES
    + If set to "No" or "no", port forwarding + rules can override the contents of the /etc/shorewall/nat + file. If set to "Yes" or "yes", port forwarding rules cannot + override static NAT. If not set or set to an empty value, "Yes" + is assumed.
    • +
  • FW
    -     This - parameter - specifies the - name of the - firewall zone. - If not set - or if -set to an - empty string, - the value - "fw" - is assumed.
    • -
  • SUBSYSLOCK
    - This parameter should be set to the - name of a file that the firewall should create if it starts - successfully and remove when it stops. Creating and removing - this file allows Shorewall to work with your distribution's - initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall. - For Debian, the value is /var/state/shorewall and in LEAF it - is /var/run/shorwall. - - Example: SUBSYSLOCK=/var/lock/subsys/shorewall.
    • -
  • STATEDIR
    - This parameter specifies the name -of a directory where Shorewall stores state information. - If the directory doesn't exist when Shorewall starts, - it will create the directory. Example: STATEDIR=/tmp/shorewall.
    -
    - NOTE: If you change the STATEDIR -variable while the firewall is running, create the new directory +     This + parameter + specifies the + name of the + firewall zone. + If not set + or if + set to an + empty string, + the value + "fw" + is assumed.
    • +
  • SUBSYSLOCK
    + This parameter should be set to +the name of a file that the firewall should create if +it starts successfully and remove when it stops. Creating + and removing this file allows Shorewall to work with your distribution's + initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall. + For Debian, the value is /var/state/shorewall and in LEAF +it is + /var/run/shorwall. + Example: SUBSYSLOCK=/var/lock/subsys/shorewall.
    • +
  • STATEDIR
    + This parameter specifies the name + of a directory where Shorewall stores state information. + If the directory doesn't exist when Shorewall starts, + it will create the directory. Example: STATEDIR=/tmp/shorewall.
    +
    + NOTE: If you change the STATEDIR + variable while the firewall is running, create the new directory if necessary then copy the contents of the old directory to the new directory.
    • -
  • MODULESDIR
    - This parameter specifies the directory - where your kernel netfilter modules may be found. If -you leave the variable empty, Shorewall will supply the - value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.
    • -
  • LOGRATE and LOGBURST
    - These parameters set the match rate - and initial burst size for logged packets. Please see the - iptables man page for a description of the behavior of these - parameters (the iptables option --limit is set by LOGRATE and - --limit-burst is set by LOGBURST). If both parameters are set - empty, no rate-limiting will occur.
    -
    - Example:
    - LOGRATE=10/minute
    - LOGBURST=5
    -
    • -
  • LOGFILE
    +
  • MODULESDIR
    + This parameter specifies the directory + where your kernel netfilter modules may be found. If + you leave the variable empty, Shorewall will supply the + value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.
    • +
  • LOGRATE and LOGBURST
    + These parameters set the match +rate and initial burst size for logged packets. Please +see the iptables man page for a description of the behavior + of these parameters (the iptables option --limit is set by +LOGRATE and --limit-burst is set by LOGBURST). If both parameters + are set empty, no rate-limiting will occur.
    +
    + Example:
    + LOGRATE=10/minute
    + LOGBURST=5
    +
    • +
  • LOGFILE
    - This parameter - tells the - /sbin/shorewall - program where - to look for - Shorewall - messages -when -processing the - "show - log", - "monitor", - "status" - and - "hits" - commands. If - not assigned - or if assigned - an empty + This parameter + tells the + /sbin/shorewall + program where + to look for + Shorewall + messages + when + processing the + "show + log", + "monitor", + "status" + and + "hits" + commands. If + not assigned + or if assigned + an empty value, /var/log/messages - is assumed.
    • -
  • NAT_ENABLED
    - This parameter determines whether -Shorewall supports NAT operations. NAT operations include:
    -
    - Static NAT
    - Port Forwarding
    - Port Redirection
    - Masquerading
    -
    - If the parameter has no value or -has a value of "Yes" or "yes" then NAT is enabled. If the -parameter has a value of "no" or "No" then NAT is disabled.
    -
    • -
  • MANGLE_ENABLED
    - This parameter determines if packet - mangling is enabled. If the parameter has no value or -has a value of "Yes" or "yes" than packet mangling is enabled. - If the parameter has a value of "no" or "No" then packet mangling + is +assumed.
    • +
  • NAT_ENABLED
    + This parameter determines whether + Shorewall supports NAT operations. NAT operations include:
    +
    + Static NAT
    + Port Forwarding
    + Port Redirection
    + Masquerading
    +
    + If the parameter has no value or + has a value of "Yes" or "yes" then NAT is enabled. If +the parameter has a value of "no" or "No" then NAT is disabled.
    +
    • +
  • MANGLE_ENABLED
    + This parameter determines if packet + mangling is enabled. If the parameter has no value or + has a value of "Yes" or "yes" than packet mangling is enabled. + If the parameter has a value of "no" or "No" then packet mangling is disabled. If packet mangling is disabled, the /etc/shorewall/tos file is ignored.
    -
    • -
  • IP_FORWARDING
    - This parameter determines whether -Shorewall enables or disables IPV4 Packet Forwarding -(/proc/sys/net/ipv4/ip_forward). Possible values are:
    -
    - On or on - packet forwarding -will be enabled.
    - Off or off - packet forwarding - will be disabled.
    - Keep or keep - Shorewall will -neither enable nor disable packet forwarding.
    -
    - If this variable is not set or is -given an empty value (IP_FORWARD="") then IP_FORWARD=On -is assumed.
    -
    • -
  • ADD_IP_ALIASES
    - This parameter determines whether -Shorewall automatically adds the - external address(es) -in /etc/shorewall/nat . If the variable - is set to "Yes" or "yes" then Shorewall automatically - adds these aliases. If it is set to "No" or "no", you must - add these aliases yourself using your distribution's network -configuration tools.
    -
    - If this variable is not set or is -given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes - is assumed.
    • -
  • ADD_SNAT_ALIASES
    - This parameter determines whether Shorewall - automatically adds the SNAT ADDRESS in +
  • IP_FORWARDING
    + This parameter determines whether + Shorewall enables or disables IPV4 Packet Forwarding + (/proc/sys/net/ipv4/ip_forward). Possible values are:
    +
    + On or on - packet forwarding + will be enabled.
    + Off or off - packet forwarding + will be disabled.
    + Keep or keep - Shorewall will + neither enable nor disable packet forwarding.
    +
    + If this variable is not set or +is given an empty value (IP_FORWARD="") then IP_FORWARD=On + is assumed.
    +
    • +
  • ADD_IP_ALIASES
    + This parameter determines whether + Shorewall automatically adds the + external address(es) + in     /etc/shorewall/nat . If the variable + is set to "Yes" or "yes" then Shorewall automatically + adds these aliases. If it is set to "No" or "no", you must + add these aliases yourself using your distribution's network + configuration tools.
    +
    + If this variable is not set or is + given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes + is assumed.
    • +
  • ADD_SNAT_ALIASES
    + This parameter determines whether Shorewall + automatically adds the SNAT ADDRESS in /etc/shorewall/masq. If the variable is set to "Yes" or "yes" then Shorewall automatically adds these addresses. If it is set to "No" or "no", you must add these addresses yourself using your distribution's network configuration tools.
    -
    - If this variable is not set or is -given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No - is assumed.
    -
    • -
  • LOGUNCLEAN
    +
    + If this variable is not set or is + given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No + is assumed.
    +
    • +
  • LOGUNCLEAN
    - This parameter - determines the - logging level - of - mangled/invalid - packets - controlled by - the 'dropunclean and logunclean' interface @@ -2981,75 +3143,75 @@ empty level (Example: LOGUNCLEAN=debug).
    • -
  • BLACKLIST_DISPOSITION
    +
  • BLACKLIST_DISPOSITION
    - This parameter - determines the - disposition of - packets from - blacklisted - hosts. It -may have -the value - DROP if the - packets are to - be dropped or - REJECT if the - packets are to - be replied - with an ICMP - port - unreachable - reply or - a TCP -RST (tcp - only). If you - do not assign - a value or if - you assign an - empty value - then DROP is - assumed.
    • -
  • BLACKLIST_LOGLEVEL
    + This parameter + determines the + disposition of + packets from + blacklisted + hosts. It + may +have the value + DROP if the + packets are to + be dropped or + REJECT if the + packets are to + be replied + with an +ICMP port + unreachable + reply +or a TCP + RST (tcp + only). If you + do not assign + a value or if + you assign an + empty value + then DROP is + assumed.
    • +
  • BLACKLIST_LOGLEVEL
    - This paremter - determines if - packets from - blacklisted - hosts are - logged and it - determines - the -syslog level - that they are - to be logged - at. Its value - is a syslog level (Example: BLACKLIST_LOGLEVEL=debug). -If you do not - assign a value - or if you - assign an - empty value - then packets - from - blacklisted - hosts are not - logged.
    • -
  • CLAMPMSS
    + If you do not + assign a value + or if you + assign an + empty value + then packets + from + blacklisted + hosts are not + logged.
    • +
  • CLAMPMSS
    - This parameter - enables the - TCP Clamp MSS - to PMTU - feature of - Netfilter and - is usually - required when - your + This parameter + enables the + TCP Clamp MSS + to PMTU + feature of + Netfilter and + is usually + required +when your internet connection is through PPPoE @@ -3075,126 +3237,126 @@ to "No" in your kernel.
    • -
  • ROUTE_FILTER
    - If this parameter is given the value "Yes" - or "yes" then route filtering (anti-spoofing) is enabled - on all network interfaces. The default value is "no".
    • - +
  • ROUTE_FILTER
    + If this parameter is given the value +"Yes" or "yes" then route filtering (anti-spoofing) is + enabled on all network interfaces. The default value is "no".
    • +
- +

/etc/shorewall/modules Configuration

- +

The file /etc/shorewall/modules contains commands for loading the kernel - modules required by Shorewall-defined firewall rules. Shorewall - will source this file during start/restart provided that -it exists and that the directory specified by the MODULESDIR + modules required by Shorewall-defined firewall rules. +Shorewall will source this file during start/restart provided +that it exists and that the directory specified by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf above).

- +

The file that is released with Shorewall calls the Shorewall function - "loadmodule" for the set of modules that I load.

+ "loadmodule" for the set of modules that I load.

- +

The loadmodule function is called as follows:

- +
- +

loadmodule <modulename> [ <module parameters> ]

-
+ - +

where

- +
- +

<modulename>

- +
- +

is the name of the modules without the trailing ".o" (example ip_conntrack).

-
+
- +

<module parameters>

- +
- +

Optional parameters to the insmod utility.

+
- - +

The function determines if the module named by <modulename> - is already loaded and if not then the function determines - if the ".o" file corresponding to the module exists in the - moduledirectory; if so, then the following command -is executed:

+ is already loaded and if not then the function determines + if the ".o" file corresponding to the module exists in the + moduledirectory; if so, then the following command + is executed:

- +
- +

insmod moduledirectory/<modulename>.o <module - parameters>

-
+ parameters>

+ - +

If the file doesn't exist, the function determines of the ".o.gz" file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports @@ -3202,218 +3364,223 @@ compressed modules and execute the following command:

- +
- +

insmod moduledirectory/<modulename>.o.gz <module - parameters>

-
+ parameters>

+ - + +

/etc/shorewall/tos Configuration

+

The /etc/shorewall/tos file allows you to set the Type of Service field - in packet headers based on packet source, packet destination, - protocol, source port and destination port. In order for - this file to be processed by Shorewall, you must have mangle support enabled .

+

Entries in the file have the following columns:

- + +
    -
  • SOURCE -- The source zone. - May be qualified by following the zone name with a colon - (":") and either an IP address, an IP subnet, a MAC address - in Shorewall Format or the name of an +
  • SOURCE -- The source zone. + May be qualified by following the zone name with a colon + (":") and either an IP address, an IP subnet, a MAC address + in Shorewall Format or the name of an interface. This column may also contain the name of the firewall zone to indicate packets originating on the firewall itself or "all" to indicate any source.
    • -
  • DEST -- The destination zone. - May be qualified by following the zone name with a colon - (":") and either an IP address or an IP subnet. Because packets - are marked prior to routing, you may not specify the name - of an interface. This column may also contain "all" to indicate - any destination.
    • -
  • PROTOCOL -- The name of a -protocol in /etc/protocols or the protocol's number.
    • -
  • SOURCE PORT(S) -- The source - port or a port range. For all ports, place a hyphen ("-") - in this column.
    • -
  • DEST PORT(S) -- The destination - port or a port range. To indicate all ports, place a hyphen - ("-") in this column.
    • -
  • TOS -- The type of service. - Must be one of the following:
    • - +
  • DEST -- The destination +zone. May be qualified by following the zone name with +a colon (":") and either an IP address or an IP subnet. +Because packets are marked prior to routing, you may not specify + the name of an interface. This column may also contain + "all" to indicate any destination.
    • +
  • PROTOCOL -- The name of +a protocol in /etc/protocols or the protocol's number.
    • +
  • SOURCE PORT(S) -- The source + port or a port range. For all ports, place a hyphen +("-") in this column.
    • +
  • DEST PORT(S) -- The destination + port or a port range. To indicate all ports, place a +hyphen ("-") in this column.
    • +
  • TOS -- The type of service. + Must be one of the following:
    • +
- +
- +
- +

Minimize-Delay (16)
- Maximize-Throughput (8)
- Maximize-Reliability (4)
- Minimize-Cost (2)
- Normal-Service (0)

-
-
+ Maximize-Throughput (8)
+ Maximize-Reliability (4)
+ Minimize-Cost (2)
+ Normal-Service (0)

+ + - +

The /etc/shorewall/tos file that is included with Shorewall contains - the following entries.

+ the following entries.

- +
- + - + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + + - +
SOURCEDESTPROTOCOLSOURCE
- PORT(S)		DEST PORT(S)TOS
allalltcp-ssh16
allalltcpssh-16
allalltcp-ftp16
allalltcpftp-16
allalltcp-ftp-data8
allalltcpftp-data-8
SOURCEDESTPROTOCOLSOURCE
+ PORT(S)		DEST PORT(S)TOS
allalltcp-ssh16
allalltcpssh-16
allalltcp-ftp16
allalltcpftp-16
allalltcp-ftp-data8
allalltcpftp-data-8
-
+ + -

WARNING: Users have reported that odd routing problems result from - adding the ESP and AH protocols to the /etc/shorewall/tos + adding the ESP and AH protocols to the /etc/shorewall/tos file.

- +

/etc/shorewall/blacklist

- +

Each line in /etc/shorewall/blacklist contains - an - IP - address, a MAC address in Shorewall Format or subnet address. - Example:

+ Example:

- + 
      130.252.100.69
      206.124.146.0/24
- +

Packets from hosts listed in - the - blacklist - file - will + the + blacklist + file + will -be - disposed - of - according - to - the + be + disposed + of + according + to + the value assigned @@ -3447,186 +3614,189 @@ be blacklist. The black list is designed to prevent listed hosts/subnets from accessing services on your network.
-

- +

+

Beginning with Shorewall 1.3.8, the blacklist file has three columns:
-

- +

+
    -
  • ADDRESS/SUBNET - As described above.
    • -
  • PROTOCOL - Optional. If specified, - only packets specifying this protocol will be blocked.
    • -
  • PORTS - Optional; may only be given - if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated - list of port numbers or service names (from /etc/services). If present, - only packets destined for the specified protocol and one of the - listed ports are blocked. When the PROTOCOL is icmp, the PORTS column - contains a comma-separated list of ICMP type numbers or names (see - "iptables -h icmp").
    -
    • - +
  • ADDRESS/SUBNET - As described +above.
    • +
  • PROTOCOL - Optional. If specified, + only packets specifying this protocol will be blocked.
    • +
  • PORTS - Optional; may only be +given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated + list of port numbers or service names (from /etc/services). If +present, only packets destined for the specified protocol and one +of the listed ports are blocked. When the PROTOCOL is icmp, the PORTS +column contains a comma-separated list of ICMP type numbers or names +(see "iptables -h icmp").
    +
    • +
- +

Shorewall also has a dynamic blacklist - capability.

+ capability.

+ -

IMPORTANT: The Shorewall blacklist file is NOT - designed to police your users' web browsing -- to do that, -I suggest that you install and configure Squid (http://www.squid-cache.org).

- +

/etc/shorewall/rfc1918 (Added in Version 1.3.1)

- +

This file lists the subnets affected by the norfc1918 - interface option. Columns in the file are:

+ interface option. Columns in the file are:

- +
    -
  • SUBNET - The subnet using - VLSM notation (e.g., 192.168.0.0/16).
    • +
  • SUBNET - The subnet +using VLSM notation (e.g., 192.168.0.0/16).
    • -
  • TARGET - What to - do with packets to/from the SUBNET: +
  • TARGET - What +to do with packets to/from the SUBNET: - +
      -
    • RETURN - Process the -packet normally thru the rules and policies.
      • +
    • RETURN - Process the + packet normally thru the rules and policies.
      • -
    • DROP - Silently drop -the packet.
      • +
    • DROP - Silently drop + the packet.
      • -
    • logdrop - Log then drop - the packet -- see the RFC1918_LOG_LEVEL parameter - above.
      • +
    • logdrop - Log then +drop the packet -- see the RFC1918_LOG_LEVEL +parameter above.
      • - +
    -
    • - + +
- +

/etc/shorewall/routestopped (Added in Version - 1.3.4)

+ 1.3.4) - +

This file defines the hosts that are accessible from the firewall when - the firewall is stopped. Columns in the file are:

+ the firewall is stopped. Columns in the file are:

- +
    -
  • INTERFACE - The firewall - interface through which the host(s) comminicate with the firewall.
    • +
  • INTERFACE - The firewall + interface through which the host(s) comminicate with the firewall.
    • -
  • HOST(S) - (Optional) - -A comma-separated list of IP/Subnet addresses. If not supplied -or supplied as "-" then 0.0.0.0/0 is assumed.
    • - +
  • HOST(S) - (Optional) +- A comma-separated list of IP/Subnet addresses. If not supplied + or supplied as "-" then 0.0.0.0/0 is assumed.
    • +
- +

Example: When your firewall is stopped, you want firewall accessibility - from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ - interfaces through eth1 and your local hosts through eth2.

+ from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ + interfaces through eth1 and your local hosts through eth2.

- +
- + - - + + - + - + - + - + - + - + - + - + - + - + - + - + - +
INTERFACEINTERFACEHOST(S)HOST(S)
eth2eth2192.168.1.0/24192.168.1.0/24
eth1eth1--
-
+ - +

/etc/shorewall/maclist (Added in Version 1.3.10)

- This file is described in the MAC Validation Documentation.
- +

/etc/shorewall/ecn (Added in Version 1.4.0)

- This file is described in the ECN Control Documentation.
-
- -

Updated 3/6/2003 - Tom Eastep -

+
+ +

Updated 3/21/2003 - Tom Eastep +

- +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-

+

+
+
diff --git a/STABLE/documentation/FAQ.htm b/STABLE/documentation/FAQ.htm index 93634625a..3420efd42 100644 --- a/STABLE/documentation/FAQ.htm +++ b/STABLE/documentation/FAQ.htm @@ -3,1269 +3,1395 @@ - + - + - + - + Shorewall FAQ - + - + - - - + + - + + - - + +
+
+ - - +

Shorewall FAQs

-
- + +

PORT FORWARDING
+

+

1. I want to forward UDP - port 7777 to my my personal PC with IP address - 192.168.1.5. I've looked everywhere and can't find how - to do it.

- - -

1a. Ok -- I followed those instructions - but it doesn't work.
-

- - -

1b. I'm still having problems with - port forwarding

- - -

2. I port forward www requests - to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 - in my local network. External clients can browse - http://www.mydomain.com but internal clients can't.

- - -

2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 - addresses to hosts in Z. Hosts in Z cannot communicate - with each other using their external (non-RFC1918 addresses) - so they can't access each other using their DNS names.

- - -

3. I want to use Netmeeting - or MSN Instant Messenger with Shorewall. What - do I do?

- - -

4. I just used an online port scanner - to check my firewall and it shows some ports as - 'closed' rather than 'blocked'. Why?

- - -

4a. I just ran an nmap UDP scan - of my firewall and it showed 100s of ports as open!!!!

- - -

5. I've installed Shorewall and now - I can't ping through the firewall

- - -

6. Where are the log messages - written and how do I change the destination?

- - - -

6a. Are there any log parsers - that work with Shorewall?

- -

6b. DROP messages on port 10619 are flooding the logs with their connect - requests. Can i exclude these error messages for this port temporarily - from logging in Shorewall?
-

- -

6c. All day long I get a steady flow - of these DROP messages from port 53 to some high numbered - port. They get dropped, but what the heck are they?
-

- -

6d. Why is the MAC address - in Shorewall log messages so long? I thought MAC addresses were - only 6 bytes in length.
-

- -

7. When I stop Shorewall using -'shorewall stop', I can't connect to anything. Why doesn't that command - work?

- - -

8. When I try to start Shorewall - on RedHat I get messages about insmod failing -- - what's wrong?
-

- - -

8a. When I try to start Shorewall -on RedHat I get a message referring me to FAQ #8
-

- -

9. Why can't Shorewall detect - my interfaces properly?

+ port 7777 to my my personal PC with IP address + 192.168.1.5. I've looked everywhere and can't find +how to do it.

-

10. What distributions does - it work with?

+

1a. Ok -- I followed those instructions + but it doesn't work.
+

- + + +

1b. I'm still having problems with + port forwarding

+ +

1c. From the internet, I want to connect +to port 1022 on my firewall and have the firewall forward the connection +to port 22 on local system 192.168.1.3. How do I do that?
+

+ +

DNS and PORT FORWARDING/NAT
+

+ +

2. I port forward www requests + to www.mydomain.com (IP 130.151.100.69) to system + 192.168.1.5 in my local network. External clients +can browse http://www.mydomain.com but internal + clients can't.

+ + +

2a. I have a zone "Z" with an RFC1918 + subnet and I use static NAT to assign non-RFC1918 + addresses to hosts in Z. Hosts in Z cannot communicate + with each other using their external (non-RFC1918 addresses) + so they can't access each other using their DNS names.

+ + +

NETMEETING/MSN
+

+ +

3. I want to use Netmeeting + or MSN Instant Messenger with Shorewall. +What do I do?

+ + +

OPEN PORTS
+

+ +

4. I just used an online port scanner + to check my firewall and it shows some ports +as 'closed' rather than 'blocked'. Why?

+ + +

4a. I just ran an nmap UDP scan + of my firewall and it showed 100s of ports as open!!!!

+ + +

CONNECTION PROBLEMS

+ + +

5. I've installed Shorewall and now + I can't ping through the firewall
+
+ 15. My local systems can't see + out to the net

+ +

LOGGING
+

+ +

6. Where are the log messages + written and how do I change the destination?

+ + + +

6a. Are there any log parsers + that work with Shorewall?

+ +

6b. DROP messages on port 10619 are flooding the logs with their connect + requests. Can i exclude these error messages for this port temporarily + from logging in Shorewall?
+

+ +

6c. All day long I get a steady flow + of these DROP messages from port 53 to some high numbered + port. They get dropped, but what the heck are they?
+

+ +

6d. Why is the MAC address + in Shorewall log messages so long? I thought MAC addresses +were only 6 bytes in length.
+

+ +

16. Shorewall is writing log messages + all over my console making it unusable!
+

+ 17. How do I find out why this traffic is +getting logged?
+
+ 21. I see these strange log entries + occasionally; what are they?
+ +

STARTING AND STOPPING
+

+ +

7. When I stop Shorewall using +'shorewall stop', I can't connect to anything. Why doesn't that command + work?

+ + +

8. When I try to start Shorewall + on RedHat I get messages about insmod failing + -- what's wrong?
+

+ + +

8a. When I try to start Shorewall + on RedHat I get a message referring me to FAQ #8
+

+ +

9. Why can't Shorewall detect + my interfaces properly at startup?

+ + 22. I have some + iptables commands that I want to run when Shorewall +starts. Which file do I put them in?
+ +

ABOUT SHOREWALL
+

+ +

10. What distributions does + it work with?

+ +

11. What features does it support?

- +

12. Is there a GUI?

- +

13. Why do you call it "Shorewall"?

- + 23. Why do you use such + ugly fonts on your web site?
+
+ 25. How to I tell which version of Shorewall + I am running?
+ +

RFC 1918
+

+

14. I'm connected via a cable modem - and it has an internel web server that allows me to - configure/monitor it but as expected if I enable -rfc1918 blocking for my eth0 interface, it also blocks + and it has an internel web server that allows me + to configure/monitor it but as expected if I enable + rfc1918 blocking for my eth0 interface, it also blocks the cable modems web server.

- +

14a. Even though it assigns public - IP addresses, my ISP's DHCP server has an RFC 1918 - address. If I enable RFC 1918 filtering on my external -interface, my DHCP client cannot renew its lease.

+ IP addresses, my ISP's DHCP server has an RFC 1918 + address. If I enable RFC 1918 filtering on my external + interface, my DHCP client cannot renew its lease.

- -

15. My local systems can't see - out to the net

+ +

ALIAS IP ADDRESSES/VIRTUAL INTERFACES
+

- -

16. Shorewall is writing log messages - all over my console making it unusable!
-

- 17. How do I find out why this traffic is -getting logged?
-
- 18. Is there - any way to use aliased ip addresses with Shorewall, - and maintain separate rulesets for different IPs?
-
- 19. I have added - entries to /etc/shorewall/tcrules but they don't -seem to do anything. Why?
-
- 20. I have just -set up a server. Do I have to change Shorewall to allow access - to my server from the internet?
-
- 21. I see these strange - log entries occasionally; what are they?
-
- 22. I have some iptables - commands that I want to run when Shorewall starts. Which - file do I put them in?
-
- 23. Why do you use such ugly - fonts on your web site?
-
- 24. How can I allow conections - to let's say the ssh port only from specific IP Addresses -on the internet?
-
- 25. How to I tell which version of Shorewall - I am running?
+ 18. Is there any +way to use aliased ip addresses with Shorewall, and + maintain separate rulesets for different IPs?
+ +

MISCELLANEOUS
+

+ 19. I have added entries to /etc/shorewall/tcrules + but they don't seem to do anything. Why?
+
+ 20. I have +just set up a server. Do I have to change Shorewall to +allow access to my server from the internet?
+
+ 24. How can I allow conections + to let's say the ssh port only from specific IP Addresses + on the internet?

- -
+
+
+ +

1. I want to forward UDP port 7777 to - my my personal PC with IP address 192.168.1.5. I've - looked everywhere and can't find how to do it.

+ my my personal PC with IP address 192.168.1.5. I've + looked everywhere and can't find how to do it. - +

Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format of a - port-forwarding rule to a local system is as follows:

- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local - IP address>[:<local port>]<protocol><port #>
-
-
-
- - -

So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:

- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:192.168.1.5udp7777
-
-
-
- - -
If - you want to forward requests directed to a particular address - ( <external IP> ) on your firewall to an internal -system:
- - -
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local - IP address>[:<local port>]<protocol><port #>-<external -IP>
-
- - Finally, if you need to forward a range of ports, in the PORT -column specify the range as low-port:high-port.
- -

1a. Ok -- I followed those instructions - but it doesn't work

- - -

Answer: That is usually the result of one of two things:

- - -
    -
  • You are trying to test - from inside your firewall (no, that won't work -- see - FAQ #2).
    • -
  • You have a more basic - problem with your local system such as an incorrect default - gateway configured (it should be set to the IP address -of your firewall's internal interface).
    • - - -
- - -

1b. I'm still having problems with port - forwarding

- Answer: To further diagnose -this problem:
- - -
    -
  • As root, type "iptables -t nat - -Z". This clears the NetFilter counters in the nat table.
    • -
  • Try to connect to the redirected - port from an external host.
    • -
  • As root type "shorewall show -nat"
    • -
  • Locate the appropriate DNAT rule. - It will be in a chain called <source zone>_dnat - ('net_dnat' in the above examples).
    • -
  • Is the packet count in the first - column non-zero? If so, the connection request is reaching - the firewall and is being redirected to the server. In this - case, the problem is usually a missing or incorrect default -gateway setting on the server (the server's default gateway should - be the IP address of the firewall's interface to the server).
    • -
  • If the packet count is zero:
    • - - - -
      -
    • the connection request is not - reaching your server (possibly it is being blocked by your - ISP); or
      • -
    • you are trying to connect to - a secondary IP address on your firewall and your rule is -only redirecting the primary IP address (You need to specify - the secondary IP address in the "ORIG. DEST." column in your -DNAT rule); or
      • -
    • your DNAT rule doesn't match - the connection request in some other way. In that case, -you may have to use a packet sniffer such as tcpdump or ethereal -to further diagnose the problem.
      -
      • - - - -
    - - -
- - -

2. I port forward www requests to www.mydomain.com - (IP 130.151.100.69) to system 192.168.1.5 in my local - network. External clients can browse http://www.mydomain.com - but internal clients can't.

- - -

Answer: I have two objections to this setup.

- - -
    -
  • Having an internet-accessible - server in your local network is like raising foxes -in the corner of your hen house. If the server is compromised, - there's nothing between that server and your other internal - systems. For the cost of another NIC and a cross-over cable, - you can put your server in a DMZ such that it is isolated from - your local systems - assuming that the Server can be located - near the Firewall, of course :-)
    • -
  • The accessibility problem - is best solved using Bind Version 9 "views" - (or using a separate DNS server for local clients) such that www.mydomain.com - resolves to 130.141.100.69 externally and 192.168.1.5 internally. - That's what I do here at shorewall.net for my local systems - that use static NAT.
    • - - -
- + do port forwarding under Shorewall. The format of + a port-forwarding rule to a local system is as follows:

-

If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that your - external interface is eth0 and your internal interface - is eth1 and that eth1 has IP address 192.168.1.254 with subnet - 192.168.1.0/24, in /etc/shorewall/rules, add:

+
- + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATnetloc:<local + IP address>[:<local port>]<protocol><port +#>
+
+
+
+ + +

So to forward UDP port 7777 to internal system 192.168.1.5, + the rule is:

+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATnetloc:192.168.1.5udp7777
+
+
+
+ + +
If + you want to forward requests directed to a particular address + ( <external IP> ) on your firewall to an internal + system:
+ + +
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATnetloc:<local + IP address>[:<local port>]<protocol><port +#>-<external + IP>
+
+ + Finally, if you need to forward a range of ports, in the PORT + column specify the range as low-port:high-port.
+ +

1a. Ok -- I followed those instructions + but it doesn't work

+ + +

Answer: That is usually the result of one of three +things:

+ + +
    +
  • You are trying +to test from inside your firewall (no, that won't work +-- see FAQ #2).
    • +
  • You have a more +basic problem with your local system such as an incorrect +default gateway configured (it should be set to the IP address + of your firewall's internal interface).
    • +
  • Your ISP is blocking that particular port inbound.
    +
    • + + +
+ + +

1b. I'm still having problems with port + forwarding

+ Answer: To further diagnose + this problem:
+ + +
    +
  • As root, type "iptables -t + nat -Z". This clears the NetFilter counters in the nat +table.
    • +
  • Try to connect to the redirected + port from an external host.
    • +
  • As root type "shorewall show + nat"
    • +
  • Locate the appropriate DNAT + rule. It will be in a chain called <source zone>_dnat + ('net_dnat' in the above examples).
    • +
  • Is the packet count in the + first column non-zero? If so, the connection request +is reaching the firewall and is being redirected to the server. + In this case, the problem is usually a missing or incorrect + default gateway setting on the server (the server's default + gateway should be the IP address of the firewall's interface + to the server).
    • +
  • If the packet count is zero:
    • + + + +
      +
    • the connection request +is not reaching your server (possibly it is being blocked +by your ISP); or
      • +
    • you are trying to connect + to a secondary IP address on your firewall and your rule + is only redirecting the primary IP address (You need to specify + the secondary IP address in the "ORIG. DEST." column in your + DNAT rule); or
      • +
    • your DNAT rule doesn't +match the connection request in some other way. In that +case, you may have to use a packet sniffer such as tcpdump or + ethereal to further diagnose the problem.
      +
      • + + + +
    + + +
+ + +

1c. From the internet, I want + to connect to port 1022 on my firewall and have the firewall forward the +connection to port 22 on local system 192.168.1.3. How do I do that?

+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATnet
+ 		loc:192.168.1.3:22tcp1022
+
+
+
+
+
+ +

2. I port forward www requests to www.mydomain.com + (IP 130.151.100.69) to system 192.168.1.5 in my local + network. External clients can browse http://www.mydomain.com + but internal clients can't.

+ + +

Answer: I have two objections to this setup.

+ + +
    +
  • Having an internet-accessible + server in your local network is like raising foxes + in the corner of your hen house. If the server is compromised, + there's nothing between that server and your other internal + systems. For the cost of another NIC and a cross-over cable, + you can put your server in a DMZ such that it is isolated +from your local systems - assuming that the Server can be located + near the Firewall, of course :-)
    • +
  • The accessibility + problem is best solved using Bind Version 9 "views" + (or using a separate DNS server for local clients) such that www.mydomain.com + resolves to 130.141.100.69 externally and 192.168.1.5 internally. + That's what I do here at shorewall.net for my local systems + that use static NAT.
    • + + +
+ + + +

If you insist on an IP solution to the accessibility problem + rather than a DNS solution, then assuming that your + external interface is eth0 and your internal interface + is eth1 and that eth1 has IP address 192.168.1.254 with + subnet 192.168.1.0/24, in /etc/shorewall/rules, add:

+ +
- -
+ +
- + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + + - +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
-
-
+ +
- -
+ +

That rule only works of course if you have a static external - IP address. If you have a dynamic IP address and -are running Shorewall 1.3.4 or later then include this -in /etc/shorewall/init:

-
+ IP address. If you have a dynamic IP address and + are running Shorewall 1.3.4 or later then include this + in /etc/shorewall/init:

+
- -
+ +
     ETH0_IP=`find_interface_address eth0`
-
+
- -
+ +

and make your DNAT rule:

-
+
- -
+ +
- + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + - + + - +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
-
-
+ +
- -
+ +

Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each time - that you get a new IP address.

-
+ client to automatically restart Shorewall each time + that you get a new IP address.

+
- +

2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 addresses - to hosts in Z. Hosts in Z cannot communicate with each -other using their external (non-RFC1918 addresses) so they -can't access each other using their DNS names.

+ subnet and I use static NAT to assign non-RFC1918 + addresses to hosts in Z. Hosts in Z cannot communicate + with each other using their external (non-RFC1918 addresses) + so they can't access each other using their DNS names. - +

Answer: This is another problem that is best solved - using Bind Version 9 "views". It allows both external - and internal clients to access a NATed host using the -host's DNS name.

+ using Bind Version 9 "views". It allows both external + and internal clients to access a NATed host using the + host's DNS name.

- +

Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts in Z -have non-RFC1918 addresses and can be accessed externally -and internally using the same address.

+ static NAT to Proxy ARP. That way, the hosts in +Z have non-RFC1918 addresses and can be accessed externally + and internally using the same address.

- +

If you don't like those solutions and prefer routing all Z->Z traffic through your firewall then:

- +

a) Set the Z->Z policy to ACCEPT.
- b) Masquerade Z to itself.
-
- Example:

+ b) Masquerade Z to itself.
+
+ Example:

- +

Zone: dmz
- Interface: eth2
- Subnet: 192.168.2.0/24

+ Interface: eth2
+ Subnet: 192.168.2.0/24

- +

In /etc/shorewall/interfaces:

- +
- + - - - - - - - - - - - - - + + + + + + + + + + + + + - + + - +
ZONEINTERFACEBROADCASTOPTIONS
dmzeth2192.168.2.255
-
ZONEINTERFACEBROADCASTOPTIONS
dmzeth2192.168.2.255
+
-
+ - +

In /etc/shorewall/policy:

- +
- + - - - - - - - - - - - - - + + + + + + + + + + + + + - + + - +
SOURCE DESTINATIONPOLICYLIMIT:BURST
dmzdmzACCEPT
-
SOURCE + DESTINATIONPOLICYLIMIT:BURST
dmzdmzACCEPT
+
-
+ - +

In /etc/shorewall/masq:

- +
- + - - - - - - - - - - - + + + + + + + + + + + - + + - +
INTERFACE - SUBNETADDRESS
eth2192.168.2.0/24
-
INTERFACE + SUBNETADDRESS
eth2192.168.2.0/24
+
-
+ - +

3. I want to use Netmeeting or MSN Instant - Messenger with Shorewall. What do I do?

+ Messenger with Shorewall. What do I do? - +

Answer: There is an H.323 connection - tracking/NAT module that may help with Netmeeting. - Look here for a solution - for MSN IM but be aware that there are significant security risks involved - with this solution. Also check the Netfilter mailing list - archives at http://www.netfilter.org. -

+ tracking/NAT module that may help with Netmeeting. + Look here for a solution + for MSN IM but be aware that there are significant security risks +involved with this solution. Also check the Netfilter mailing + list archives at http://www.netfilter.org. +

- +

4. I just used an online port scanner - to check my firewall and it shows some ports as -'closed' rather than 'blocked'. Why?

+ to check my firewall and it shows some ports as + 'closed' rather than 'blocked'. Why? - +

Answer: The common.def included with version 1.3.x - always rejects connection requests on TCP port 113 - rather than dropping them. This is necessary to prevent - outgoing connection problems to services that use the - 'Auth' mechanism for identifying requesting users. Shorewall - also rejects TCP ports 135, 137 and 139 as well as UDP ports - 137-139. These are ports that are used by Windows (Windows can - be configured to use the DCE cell locator on port 135). Rejecting - these connection requests rather than dropping them cuts down - slightly on the amount of Windows chatter on LAN segments connected - to the Firewall.

+ always rejects connection requests on TCP port + 113 rather than dropping them. This is necessary to + prevent outgoing connection problems to services that use + the 'Auth' mechanism for identifying requesting users. Shorewall + also rejects TCP ports 135, 137 and 139 as well as UDP ports + 137-139. These are ports that are used by Windows (Windows + can be configured to use the DCE cell locator on port + 135). Rejecting these connection requests rather than dropping + them cuts down slightly on the amount of Windows chatter on LAN segments + connected to the Firewall.

- +

If you are seeing port 80 being 'closed', that's probably - your ISP preventing you from running a web server - in violation of your Service Agreement.

+ your ISP preventing you from running a web server + in violation of your Service Agreement.

- +

4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!!

+ firewall and it showed 100s of ports as open!!!! - +

Answer: Take a deep breath and read the nmap man page - section about UDP scans. If nmap gets nothing - back from your firewall then it reports the port as -open. If you want to see which UDP ports are really open, - temporarily change your net->all policy to REJECT, restart - Shorewall and do the nmap UDP scan again.

+ section about UDP scans. If nmap gets nothing + back from your firewall then it reports the port as + open. If you want to see which UDP ports are really open, + temporarily change your net->all policy to REJECT, restart + Shorewall and do the nmap UDP scan again.

- +

5. I've installed Shorewall and now I - can't ping through the firewall

+ can't ping through the firewall - +

Answer: If you want your firewall to be totally open - for "ping",

+ for "ping",

- +

a) Create /etc/shorewall/common if it doesn't already exist. -
- b) Be sure that the first -command in the file is ". /etc/shorewall/common.def"
- c) Add the following to /etc/shorewall/common -

+
+ b) Be sure that the first + command in the file is ". /etc/shorewall/common.def"
+ c) Add the following +to /etc/shorewall/common

- +
- +

run_iptables -A icmpdef -p ICMP --icmp-type echo-request - -j ACCEPT
-

-
- For a complete description of Shorewall 'ping' management, - see this page. - -

6. Where are the log messages written - and how do I change the destination?

+ -j ACCEPT
+

+ + For a complete description of Shorewall 'ping' + management, see this page. - + +

6. Where are the log messages written + and how do I change the destination?

+ +

Answer: NetFilter uses the kernel's equivalent of syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility (see "man openlog") and you get to choose the log level (again, see "man syslog") in your policies and rules. The destination for messaged logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). - When you have changed /etc/syslog.conf, be sure to restart - syslogd (on a RedHat system, "service syslog restart"). -

+ When you have changed /etc/syslog.conf, be sure to + restart syslogd (on a RedHat system, "service syslog restart"). +

- +

By default, older versions of Shorewall ratelimited log messages - through settings - in /etc/shorewall/shorewall.conf -- If you want to log - all messages, set:

+ through settings + in /etc/shorewall/shorewall.conf -- If you want to +log all messages, set:

- -
+ +
     LOGLIMIT=""
     LOGBURST=""
-Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages -to a separate file.
-
+ to a separate file.
+
- +

6a. Are there any log parsers that work - with Shorewall?

+ with Shorewall? - +

Answer: Here are several links that may be helpful: -

+

- +
- +

http://www.shorewall.net/pub/shorewall/parsefw/
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatch
- http://www.logwatch.org
- http://gege.org/iptables
-

-
- I personnaly use Logwatch. It emails me a report - each day from my various systems with each report summarizing -the logged activity on the corresponding system. - -

6b. DROP messages on port 10619 - are flooding the logs with their connect requests. Can i exclude - these error messages for this port temporarily from logging in Shorewall?

- Temporarily add the following rule:
- -
	DROP    net    fw    udp    10619
- -

6c. All day long I get a steady flow - of these DROP messages from port 53 to some high numbered port. -They get dropped, but what the heck are they?

- -
Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
- Answer: There are two possibilities:
- -
    -
  1. They are late-arriving replies to DNS queries.
    2. -
  2. They are corrupted reply packets.
    3. - -
- You can distinguish the difference by setting the logunclean - option (/etc/shorewall/interfaces) - on your external interface (eth0 in the above example). If they get - logged twice, they are corrupted. I solve this problem by using an -/etc/shorewall/common file like this:
- -
- 
#
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-
- The above file is also include in all of my sample configurations - available in the Quick Start - Guides and in the common.def file in Shorewall 1.4.0 and later.
- -

6d. Why is the MAC address in - Shorewall log messages so long? I thought MAC addresses were only 6 -bytes in length.

- What is labeled as the MAC address in a Shorewall log message is actually - the Ethernet frame header. IT contains:
- -
    -
  • the destination MAC address (6 bytes)
    • -
  • the source MAC address (6 bytes)
    • -
  • the ethernet frame type (2 bytes)
    • - -
- Example:
-
- MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
- -
    -
  • Destination MAC address = 00:04:4c:dc:e2:28
    • -
  • Source MAC address = 00:b0:8e:cf:3c:4c
    • -
  • Ethernet Frame Type = 08:00 (IP Version 4)
    • - -
- -

7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't that - command work?

- - -

The 'stop' command is intended to place your firewall into - a safe state whereby only those hosts listed in /etc/shorewall/routestopped' - are activated. If you want to totally open up your firewall, - you must use the 'shorewall clear' command.

- - -

8. When I try to start Shorewall on RedHat, - I get messages about insmod failing -- what's wrong?

- - -

Answer: The output you will see looks something like - this:

- - -
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
     Perhaps iptables or your kernel needs to be upgraded.
- - -

This is usually cured by the following sequence of commands: -

- - -
-
     service ipchains stop
     chkconfig --delete ipchains
     rmmod ipchains
-
- - -
-

Also, be sure to check the errata - for problems concerning the version of iptables (v1.2.3) - shipped with RH7.2.
-

- -

8a. When I try to start Shorewall on RedHat -I get a message referring me to FAQ #8

- Answer: This is usually cured by the sequence of commands shown above -in FAQ #8 - -

-
- - -

+ http://www.logwatch.org
+ http://gege.org/iptables
+

+ + I personnaly use Logwatch. It emails me +a report each day from my various systems with each report +summarizing the logged activity on the corresponding system. +

6b. DROP messages on port 10619 + are flooding the logs with their connect requests. Can i +exclude these error messages for this port temporarily from logging +in Shorewall?

+ Temporarily add the following rule:
+ +
	DROP    net    fw    udp    10619
+ +

6c. All day long I get a steady flow + of these DROP messages from port 53 to some high numbered port. + They get dropped, but what the heck are they?

+ +
Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
+ Answer: There are two possibilities:
+ +
    +
  1. They are late-arriving replies to DNS queries.
    2. +
  2. They are corrupted reply packets.
    3. + +
+ You can distinguish the difference by setting the logunclean + option (/etc/shorewall/interfaces) + on your external interface (eth0 in the above example). If they +get logged twice, they are corrupted. I solve this problem by using +an /etc/shorewall/common file like this:
+ +
+ 
#
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
+
+ The above file is also include in all of my sample configurations + available in the Quick Start + Guides and in the common.def file in Shorewall 1.4.0 and later.
+ +

6d. Why is the MAC address in + Shorewall log messages so long? I thought MAC addresses were only +6 bytes in length.

+ What is labeled as the MAC address in a Shorewall log message is +actually the Ethernet frame header. IT contains:
+ +
    +
  • the destination MAC address (6 bytes)
    • +
  • the source MAC address (6 bytes)
    • +
  • the ethernet frame type (2 bytes)
    • + +
+ Example:
+
+ MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
+ +
    +
  • Destination MAC address = 00:04:4c:dc:e2:28
    • +
  • Source MAC address = 00:b0:8e:cf:3c:4c
    • +
  • Ethernet Frame Type = 08:00 (IP Version 4)
    • + +
+ +

7. When I stop Shorewall using 'shorewall + stop', I can't connect to anything. Why doesn't +that command work?

+ + +

The 'stop' command is intended to place your firewall into + a safe state whereby only those hosts listed in /etc/shorewall/routestopped' + are activated. If you want to totally open up your + firewall, you must use the 'shorewall clear' command. +

+ + +

8. When I try to start Shorewall on RedHat, + I get messages about insmod failing -- what's wrong?

+ + +

Answer: The output you will see looks something like + this:

+ + +
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
     Perhaps iptables or your kernel needs to be upgraded.
+ + +

This is usually cured by the following sequence of commands: +

+ + +
+
     service ipchains stop
     chkconfig --delete ipchains
     rmmod ipchains
+
+ + +
+

Also, be sure to check the errata + for problems concerning the version of iptables +(v1.2.3) shipped with RH7.2.
+

+ +

8a. When I try to start Shorewall on RedHat + I get a message referring me to FAQ #8

+ Answer: This is usually cured by the sequence of commands shown + above in FAQ #8 +
+

9. Why can't Shorewall detect my interfaces - properly?

+ properly at startup? - +

I just installed Shorewall and when I issue the start command, - I see the following:

+ I see the following:

- -
-
     Processing /etc/shorewall/shorewall.conf ...
     Processing /etc/shorewall/params ...
     Starting Shorewall...
     Loading Modules...
     Initializing...
     Determining Zones...
     Zones: net loc
     Validating interfaces file...
     Validating hosts file...
     Determining Hosts in Zones...
     Net Zone: eth0:0.0.0.0/0
     Local Zone: eth1:0.0.0.0/0
     Deleting user chains...
     Creating input Chains...
     ...
-
+ +
+
     Processing /etc/shorewall/params ...
     Processing /etc/shorewall/shorewall.conf ...
     Starting Shorewall...
     Loading Modules...
     Initializing...
     Determining Zones...
     Zones: net loc
     Validating interfaces file...
     Validating hosts file...
     Determining Hosts in Zones...
     Net Zone: eth0:0.0.0.0/0
     Local Zone: eth1:0.0.0.0/0
     Deleting user chains...
     Creating input Chains...
     ...
+
- -
+ +

Why can't Shorewall detect my interfaces properly?

-
+
- -
+ +

Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts connected through eth1

-
+
- +

10. What Distributions does it work with?

- +

Shorewall works with any GNU/Linux distribution that includes - the proper - prerequisites.

+ the proper + prerequisites.

- +

11. What Features does it have?

- +

Answer: See the Shorewall - Feature List.

+ Feature List.

- +

12. Is there a GUI?

- +

Answer: Yes. Shorewall support is included in Webmin - 1.060 and later versions. See http://www.webmin.com -

+ 1.060 and later versions. See http://www.webmin.com +

- +

13. Why do you call it "Shorewall"?

- +

Answer: Shorewall is a concatenation of "Shoreline" - (the -city where I live) and "Firewall". The full -name of the product is actually "Shoreline Firewall" but "Shorewall" -is must more commonly used.

+ (the + city where I live) and "Firewall". The full + name of the product is actually "Shoreline Firewall" but "Shorewall" + is must more commonly used.

- +

14. I'm connected via a cable modem - and it has an internal web server that allows me to - configure/monitor it but as expected if I enable rfc1918 - blocking for my eth0 interface (the internet one), it also - blocks the cable modems web server.

+ and it has an internal web server that allows me + to configure/monitor it but as expected if I enable + rfc1918 blocking for my eth0 interface (the internet one), + it also blocks the cable modems web server. - +

Is there any way it can add a rule before the rfc1918 blocking - that will let all traffic to and from the 192.168.100.1 - address of the modem in/out but still block all other rfc1918 - addresses?

+ that will let all traffic to and from the 192.168.100.1 + address of the modem in/out but still block all other + rfc1918 addresses?

- +

Answer: If you are running a version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and in it, place the following:

- -
+ +
     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT
-
+
- -
+ +

If you are running version 1.3.1 or later, simply add the - following to /etc/shorewall/rfc1918:

-
+
- -
+ +
- + - - - - - - - - - + + + + + + + + + - + + - +
SUBNET - TARGET
192.168.100.1RETURN
SUBNET + TARGET
192.168.100.1RETURN
-
-
+ +
+ + +
+

Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
+

-
-

Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
-

- -

Note: If you add a second IP address to your external firewall - interface to correspond to the modem address, you must - also make an entry in /etc/shorewall/rfc1918 for that address. - For example, if you configure the address 192.168.100.2 on - your firewall, then you would add two entries to /etc/shorewall/rfc1918: -
-

+ interface to correspond to the modem address, you +must also make an entry in /etc/shorewall/rfc1918 for that +address. For example, if you configure the address 192.168.100.2 +on your firewall, then you would add two entries to /etc/shorewall/rfc1918: +
+

- +
+ - - - - - - - - - - - - - + + + + + + + + + + + + + - + + +
SUBNET
- 		TARGET
-
192.168.100.1
- 		RETURN
-
192.168.100.2
- 		RETURN
-
SUBNET
+ 		TARGET
+
192.168.100.1
+ 		RETURN
+
192.168.100.2
+ 		RETURN
+
-
-
+ +
- -
+ +

14a. Even though it assigns public IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my external interface, my DHCP client cannot renew its lease.

-
+
- -
+ +

The solution is the same as FAQ 14 above. Simply substitute - the IP address of your ISPs DHCP server.

-
+ the IP address of your ISPs DHCP server.

+
- +

15. My local systems can't see out to - the net

+ the net - +

Answer: Every time I read "systems can't see out to - the net", I wonder where the poster bought computers - with eyes and what those computers will "see" when things - are working properly. That aside, the most common causes - of this problem are:

+ the net", I wonder where the poster bought computers + with eyes and what those computers will "see" when things + are working properly. That aside, the most common causes + of this problem are:

- +
    -
  1. +
  2. - + +

    The default gateway on each local system isn't set to - the IP address of the local firewall interface.

    -
    3. -
  3. + the IP address of the local firewall interface.

    +
    4. +
  4. - + +

    The entry for the local network in the /etc/shorewall/masq - file is wrong or missing.

    -
    5. -
  5. + file is wrong or missing.

    +
    6. +
  6. - + +

    The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall and - hasn't enabled UDP and TCP port 53 from the firewall - to the internet.

    -
    7. + user is running a DNS server on the firewall and + hasn't enabled UDP and TCP port 53 from the firewall + to the internet.

    + - +
- +

16. Shorewall is writing log messages - all over my console making it unusable!

+ all over my console making it unusable! - +

Answer: "man dmesg" -- add a suitable 'dmesg' command - to your startup scripts or place it in /etc/shorewall/start. - Under RedHat, the max log level that is sent to the - console is specified in /etc/sysconfig/init in the LOGLEVEL - variable.
-

+ to your startup scripts or place it in /etc/shorewall/start. + Under RedHat, the max log level that is sent to +the console is specified in /etc/sysconfig/init in the + LOGLEVEL variable.
+

- +

17. How do I find out why this traffic is getting - logged?

- Answer: Logging occurs -out of a number of chains (as indicated in the log message) - in Shorewall:
+ logged? + Answer: Logging occurs + out of a number of chains (as indicated in the log message) + in Shorewall:
- +
    -
  1. man1918 - The destination - address is listed in /etc/shorewall/rfc1918 with a logdrop - target -- see /etc/shorewall/rfc1918.
    2. -
  2. rfc1918 - The source - address is listed in /etc/shorewall/rfc1918 with a logdrop - target -- see /etc/shorewall/rfc1918.
    3. -
  3. all2<zone>, - <zone>2all or all2all - - You have a policy that specifies -a log level and this packet is being logged under that policy. - If you intend to ACCEPT this traffic then you need a man1918 - The +destination address is listed in /etc/shorewall/rfc1918 + with a logdrop target -- see /etc/shorewall/rfc1918.
    4. +
  4. rfc1918 - The +source address is listed in /etc/shorewall/rfc1918 with +a logdrop target -- see /etc/shorewall/rfc1918.
    5. +
  5. all2<zone>, + <zone>2all or all2all - + You have a policy that specifies + a log level and this packet is being logged under that policy. + If you intend to ACCEPT this traffic then you need a rule to that effect.
    -
    6. -
  6. <zone1>2<zone2> - - Either you have a +
  7. <zone1>2<zone2> + - Either you have a policy for <zone1> to <zone2> that specifies a log level and this packet is being logged under that policy or this packet - matches a rule that includes - a log level.
    8. -
  8. <interface>_mac - -The packet is being logged under the maclist interface option.
    -
    9. -
  9. logpkt - The packet - is being logged under the logunclean interface option.
    10. -
  10. badpkt - The packet - is being logged under the dropunclean - interface option as specified - in the LOGUNCLEAN setting in rule that includes + a log level.
    11. +
  11. <interface>_mac + - The packet is being logged under the maclist + interface option.
    +
    12. +
  12. logpkt - The +packet is being logged under the logunclean + interface option.
    13. +
  13. badpkt - The +packet is being logged under the dropunclean + interface option +as specified in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
    14. -
  14. blacklst - The packet - is being logged because the source IP is blacklisted in - the /etc/shorewall/blacklist - file.
    15. -
  15. newnotsyn - The packet - is being logged because it is a TCP packet that is not -part of any current connection yet it is not a syn packet. - Options affecting the logging of such packets include NEWNOTSYN - and LOGNEWNOTSYN in blacklst - The + packet is being logged because the source IP is blacklisted + in the /etc/shorewall/blacklist + file.
    16. +
  16. newnotsyn - The + packet is being logged because it is a TCP packet that + is not part of any current connection yet it is not a syn packet. + Options affecting the logging of such packets include NEWNOTSYN + and LOGNEWNOTSYN in /etc/shorewall/shorewall.conf.
    17. -
  17. INPUT or FORWARD - - The packet has a source IP address that isn't in any -of your defined zones ("shorewall check" and look at the - printed zone definitions) or the chain is FORWARD and the destination - IP isn't in any of your defined zones.
    18. -
  18. logflags - The packet is being - logged because it failed the checks implemented by the tcpflags - interface option.
    -
    19. +
  19. INPUT or FORWARD + - The packet has a source IP address that isn't in any + of your defined zones ("shorewall check" and look at the + printed zone definitions) or the chain is FORWARD and the destination + IP isn't in any of your defined zones.
    20. +
  20. logflags - The packet is + being logged because it failed the checks implemented by +the tcpflags interface + option.
    +
    21. - +
- +

18. Is there any way to use aliased ip addresses - with Shorewall, and maintain separate rulesets for different - IPs?

- Answer: Yes. See + Answer: Yes. See Shorewall and Aliased Interfaces. - +

19. I have added entries to /etc/shorewall/tcrules - but they don't seem to do anything. Why?

- You probably haven't set TC_ENABLED=Yes - in /etc/shorewall/shorewall.conf so the contents of the -tcrules file are simply being ignored.
- + but they don't seem to do anything. Why? + You probably haven't set TC_ENABLED=Yes + in /etc/shorewall/shorewall.conf so the contents of the + tcrules file are simply being ignored.
+ +

20. I have just set up a server. Do I have - to change Shorewall to allow access to my server from the - internet?
-

- Yes. Consult the
+ + Yes. Consult the QuickStart guide that you used during your initial setup for information about how to set up rules for your server.
- +

21. I see these strange log entries occasionally; - what are they?
-

- + what are they?
+ + +
- + 
Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00
     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 
     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
-
- 192.0.2.3 is external on my firewall... 172.16.0.0/24 - is my internal LAN
-
- Answer: While most people associate - the Internet Control Message Protocol (ICMP) with 'ping', -ICMP is a key piece of the internet. ICMP is used to report -problems back to the sender of a packet; this is what is happening - here. Unfortunately, where NAT is involved (including SNAT, DNAT -and Masquerade), there are a lot of broken implementations. That is - what you are seeing with these messages.
-
- Here is my interpretation of what is happening - -- to confirm this analysis, one would have to have packet sniffers - placed a both ends of the connection.
-
- Host 172.16.1.10 behind NAT gateway 206.124.146.179 - sent a UDP DNS query to 192.0.2.3 and your DNS server tried - to send a response (the response information is in the brackets --- note source port 53 which marks this as a DNS reply). When the -response was returned to to 206.124.146.179, it rewrote the destination - IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer - had a connection on UDP port 2857. This causes a port unreachable - (type 3, code 3) to be generated back to 192.0.2.3. As this packet + + 192.0.2.3 is external on my firewall... + 172.16.0.0/24 is my internal LAN
+
+ Answer: While most people associate + the Internet Control Message Protocol (ICMP) with 'ping', + ICMP is a key piece of the internet. ICMP is used to report + problems back to the sender of a packet; this is what is happening + here. Unfortunately, where NAT is involved (including SNAT, DNAT + and Masquerade), there are a lot of broken implementations. That is + what you are seeing with these messages.
+
+ Here is my interpretation of what is happening + -- to confirm this analysis, one would have to have packet +sniffers placed a both ends of the connection.
+
+ Host 172.16.1.10 behind NAT gateway 206.124.146.179 + sent a UDP DNS query to 192.0.2.3 and your DNS server tried + to send a response (the response information is in the brackets + -- note source port 53 which marks this as a DNS reply). When the + response was returned to to 206.124.146.179, it rewrote the destination + IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no +longer had a connection on UDP port 2857. This causes a port unreachable + (type 3, code 3) to be generated back to 192.0.2.3. As this packet is sent back through 206.124.146.179, that box correctly changes the source address in the packet to 206.124.146.179 but doesn't reset the DST IP in the original DNS response similarly. When the ICMP @@ -1277,54 +1403,58 @@ where the source IP in the ICMP itself isn't set back to the external IP of the remote NAT gateway; that causes your firewall to log and drop the packet out of the rfc1918 chain because the source IP is reserved by RFC 1918.
- +

22. I have some iptables commands that - I want to run when Shorewall starts. Which file do I put - them in?

- You can place these commands in one of the - Shorewall Extension Scripts. - Be sure that you look at the contents of the chain(s) that you will be modifying - with your commands to be sure that the commands will do what -they are intended. Many iptables commands published in HOWTOs and -other instructional material use the -A command which adds the rules -to the end of the chain. Most chains that Shorewall constructs end -with an unconditional DROP, ACCEPT or REJECT rule and any rules that -you add after that will be ignored. Check "man iptables" and look at -the -I (--insert) command.
- + I want to run when Shorewall starts. Which file do I +put them in? + You can place these commands in one of + the Shorewall Extension Scripts. + Be sure that you look at the contents of the chain(s) that you will be +modifying with your commands to be sure that the commands will +do what they are intended. Many iptables commands published in +HOWTOs and other instructional material use the -A command which +adds the rules to the end of the chain. Most chains that Shorewall +constructs end with an unconditional DROP, ACCEPT or REJECT rule and +any rules that you add after that will be ignored. Check "man iptables" + and look at the -I (--insert) command.
+

23. Why do you use such ugly fonts on your - web site?

- The Shorewall web site is almost font neutral (it doesn't - explicitly specify fonts except on a few pages) so the fonts you -see are largely the default fonts configured in your browser. If you -don't like them then reconfigure your browser.
- + web site? + The Shorewall web site is almost font neutral (it + doesn't explicitly specify fonts except on a few pages) so the +fonts you see are largely the default fonts configured in your browser. + If you don't like them then reconfigure your browser.
+

24. How can I allow conections to let's say - the ssh port only from specific IP Addresses on the internet?

- In the SOURCE column of the rule, follow "net" by a colon - and a list of the host/subnet addresses as a comma-separated list.
- + the ssh port only from specific IP Addresses on the internet? + In the SOURCE column of the rule, follow "net" by +a colon and a list of the host/subnet addresses as a comma-separated + list.
+ 
    net:<ip1>,<ip2>,...
- Example:
- + Example:
+ 
    ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22
- -
+
+

25. How to I tell which version of Shorewall - I am running?
-

- At the shell prompt, type:
-
-     /sbin/shorewall version
-
- Last updated 3/11/2003 - Tom - Eastep - + I am running?
+ + At the shell prompt, type:
+
+ /sbin/shorewall version
+
+ Last updated 3/22/2003 - Tom + Eastep +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-

+

+
+
+

diff --git a/STABLE/documentation/Install.htm b/STABLE/documentation/Install.htm index d636696ca..073c631de 100644 --- a/STABLE/documentation/Install.htm +++ b/STABLE/documentation/Install.htm @@ -1,190 +1,213 @@ - + Shorewall Installation - + - + - + - - - + + - - - + + + +
-

Shorewall Installation and +

+

Shorewall Installation and Upgrade

-
- +

Before upgrading, be sure to review the Upgrade Issues

- +

Install using RPM
- Install using tarball
- Install the .lrp
- Upgrade using RPM
- Upgrade using tarball
- Upgrade the .lrp
- Configuring Shorewall
- Uninstall/Fallback

- + Install using tarball
+ Install the .lrp
+ Upgrade using RPM
+ Upgrade using tarball
+ Upgrade the .lrp
+ Configuring Shorewall
+ Uninstall/Fallback

+

To install Shorewall using the RPM:

- -

If you have RedHat 7.2 and are running iptables version 1.2.3 (at a - shell prompt, type "/sbin/iptables --version"), you must upgrade to version + +

If you have RedHat 7.2 and are running iptables version 1.2.3 (at a + shell prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 either from the RedHat update - site or from the Shorewall Errata page before + href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update + site or from the Shorewall Errata page before attempting to start Shorewall.

- +
    -
  • Install the RPM (rpm -ivh <shorewall rpm>).
    -
    - Note: Some SuSE users have encountered a problem whereby rpm - reports a conflict with kernel <= 2.2 even though a 2.4 kernel is -installed. If this happens, simply use the --nodeps option to rpm (rpm --ivh --nodeps <shorewall rpm>).
    • -
  • Edit the configuration files to match - your configuration. WARNING - YOU CAN NOT - SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION - IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND - AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY -NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO -RESTORE NETWORK CONNECTIVITY.
    • -
  • Start the firewall by typing "shorewall start"
    • - +
  • Install the RPM (rpm -ivh <shorewall rpm>).
    +
    + Note1: Some SuSE users have encountered a problem whereby +rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel +is installed. If this happens, simply use the --nodeps option to rpm +(rpm -ivh --nodeps <shorewall rpm>).
    +
    + Note2: Beginning with Shorewall 1.4.0, Shorewall is dependent +on the iproute package. Unfortunately, some distributions call this package +iproute2 which will cause the installation of Shorewall to fail with the +diagnostic:
    +
    +     error: failed dependencies:iproute is needed by shorewall-1.4.0-1 +
    +
    +This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps +<shorewall rpm>).
    +
    +
    • +
  • Edit the configuration files to +match your configuration. WARNING - YOU CAN NOT + SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION + IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND + AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY +NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE +NETWORK CONNECTIVITY.
    • +
  • Start the firewall by typing "shorewall start"
    • +
- -

To install Shorewall using the tarball + +

To install Shorewall using the tarball and install script:

- + - -

To install my version of Shorewall on a fresh Bering - disk, simply replace the "shorwall.lrp" file on the image with the file -that you downloaded. See the two-interface QuickStart + +

To install my version of Shorewall on a fresh Bering + disk, simply replace the "shorwall.lrp" file on the image with the file that + you downloaded. See the two-interface QuickStart Guide for information about further steps required.

- -

If you already have the Shorewall RPM installed - and are upgrading to a new version:

- -

If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or -and you have entries in the /etc/shorewall/hosts file then please check - your /etc/shorewall/interfaces file to be sure that it contains an entry - for each interface mentioned in the hosts file. Also, there are certain -1.2 rule forms that are no longer supported under 1.4 (you must use the -new 1.4 syntax). See the upgrade issues for -details.

- -
    -
  • Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: - If you are installing version 1.2.0 and have one of the 1.2.0 -Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., -"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). -

    Note: Some SuSE users have encountered a problem whereby - rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel - is installed. If this happens, simply use the --nodeps option to rpm -(rpm -Uvh --nodeps <shorewall rpm>).
    -  

    -
    • -
  • See if there are any incompatibilities between your configuration -and the new Shorewall version (type "shorewall check") and correct as necessary.
    • -
  • Restart the firewall (shorewall restart).
    • - -
- -

If you already have Shorewall installed -and are upgrading to a new version using the tarball:

- +

If you already have the Shorewall RPM installed + and are upgrading to a new version:

+

If you are upgrading from a 1.2 version of Shorewall to a 1.4 version -and you have entries in the /etc/shorewall/hosts file then please check -your /etc/shorewall/interfaces file to be sure that it contains an entry -for each interface mentioned in the hosts file.  Also, there are certain -1.2 rule forms that are no longer supported under 1.4 (you must use the -new 1.4 syntax). See the upgrade issues -for details.

- +or and you have entries in the /etc/shorewall/hosts file then please check + your /etc/shorewall/interfaces file to be sure that it contains an entry + for each interface mentioned in the hosts file. Also, there are certain +1.2 rule forms that are no longer supported under 1.4 (you must use the new +1.4 syntax). See the upgrade issues for details.

+ + +

If you already have Shorewall installed and +are upgrading to a new version using the tarball:

+ +

If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and +you have entries in the /etc/shorewall/hosts file then please check your + /etc/shorewall/interfaces file to be sure that it contains an entry for +each interface mentioned in the hosts file.  Also, there are certain 1.2 +rule forms that are no longer supported under 1.4 (you must use the new +1.4 syntax). See the upgrade issues for +details.

+ +
    +
  • unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
    • +
  • cd to the shorewall directory (the version is encoded in the + directory name as in "shorewall-3.0.1").
    • +
  • If you are using Caldera, RedHat, Mandrake, Corel, Slackware or Debian then type "./install.sh"
    • -
  • If you are using SuSe then type - "./install.sh /etc/init.d"
    • -
  • If your distribution has directory /etc/rc.d/init.d +
  • If you are using SuSe then +type "./install.sh /etc/init.d"
    • +
  • If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"
    • -
  • For other distributions, determine where your distribution - installs init scripts and type "./install.sh <init script +
  • For other distributions, determine where your distribution + installs init scripts and type "./install.sh <init script directory>
    • -
  • See if there are any incompatibilities between your configuration -and the new Shorewall version (type "shorewall check") and correct as necessary.
    • -
  • Restart the firewall by typing "shorewall restart"
    • - +
  • See if there are any incompatibilities between your configuration + and the new Shorewall version (type "shorewall check") and correct as +necessary.
    • +
  • Restart the firewall by typing "shorewall restart"
    • +
- If you already have a running Bering -installation and wish to upgrade to a later version of Shorewall:
-
-     UNDER CONSTRUCTION...
- + If you already have a running Bering + installation and wish to upgrade to a later version of Shorewall:
+
+     UNDER CONSTRUCTION...
+

Configuring Shorewall

- -

You will need to edit some or all of the configuration files to match - your setup. In most cases, the Shorewall QuickStart Guides -contain all of the information you need.

- + +

You will need to edit some or all of the configuration files to match +your setup. In most cases, the Shorewall + QuickStart Guides contain all of the information you need.

+
    - +
- -

Updated 2/27/2003 - Tom Eastep + +

Updated 3/18/2003 - Tom Eastep

- +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.

-
+
+



diff --git a/STABLE/documentation/News.htm b/STABLE/documentation/News.htm index 9e62e68e9..e527b6be9 100644 --- a/STABLE/documentation/News.htm +++ b/STABLE/documentation/News.htm @@ -3,7 +3,7 @@ - + Shorewall News @@ -12,2622 +12,2743 @@ + - + - + - - - + - + + - - + +
+
- +

Shorewall News Archive

-
- -

3/17/2003 - Shorewall 1.4.0

- Shorewall 1.4 represents -the next step in the evolution of Shorewall. The main thrust of the initial - release is simply to remove the cruft that has accumulated in Shorewall -over time.
-
- IMPORTANT: Shorewall 1.4.0 requires the iproute package ('ip' - utility).
-
- Function from 1.3 that has been omitted from this version include:
- -
    -
  1. The MERGE_HOSTS variable in shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
    -
    -
    2. -
  2. Interface names of the form <device>:<integer> in - /etc/shorewall/interfaces now generate an error.
    -
    -
    3. -
  3. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. - OLD_PING_HANDLING=Yes will generate an error at startup as will specification - of the 'noping' or 'filterping' interface options.
    -
    -
    4. -
  4. The 'routestopped' option in the /etc/shorewall/interfaces and - /etc/shorewall/hosts files is no longer supported and will generate an -error at startup if specified.
    -
    -
    5. -
  5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer - accepted.
    -
    -
    6. -
  6. The ALLOWRELATED variable in shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
    -
    -
    7. -
  7. The icmp.def file has been removed.
    -
    8. - -
- Changes for 1.4 include:
- -
    -
  1. The /etc/shorewall/shorewall.conf file has been completely reorganized - into logical sections.
    -
    -
    2. -
  2. LOG is now a valid action for a rule (/etc/shorewall/rules).
    -
    -
    3. -
  3. The firewall script and version file are now installed in /usr/share/shorewall.
    -
    -
    4. -
  4. Late arriving DNS replies are now silently dropped in the common - chain by default.
    -
    -
    5. -
  5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall -1.4 no longer unconditionally accepts outbound ICMP packets. So if you -want to 'ping' from the firewall, you will need the appropriate rule or -policy.
    -
    -
    6. -
  6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
    -
    -
    7. -
  7. 802.11b devices with names of the form wlan<n> now support the -'maclist' option.
    -
    -
    8. -
  8. Explicit Congestion Notification (ECN - RFC 3168) may now be turned -off on a host or network basis using the new /etc/shorewall/ecn file. To use -this facility:
    -
    -    a) You must be running kernel 2.4.20
    -    b) You must have applied the patch in
    -    http://www.shorewall/net/pub/shorewall/ecn/patch.
    -    c) You must have iptables 1.2.7a installed.
    -
    -
    9. -
  9. The /etc/shorewall/params file is now processed first so that variables -may be used in the /etc/shorewall/shorewall.conf file.
    -
    -
    10. -
  10. Shorewall now gives a more helpful diagnostic when the -'ipchains' compatibility kernel module is loaded and a 'shorewall start' - command is issued.
    -
    -
    11. -
  11. The SHARED_DIR variable has been removed from shorewall.conf. This -variable was for use by package maintainers and was not documented for general -use.
    -
    -
    12. -
  12. Shorewall now ignores 'default' routes when detecting masq'd networks.
    13. - -
- -

2/8/2003 - Shoreawall 1.3.14

- -

New features include

- -
    -
  1. An OLD_PING_HANDLING option has been added to shorewall.conf. - When set to Yes, Shorewall ping handling is as it has always been -(see http://www.shorewall.net/ping.html).
    -
    - When OLD_PING_HANDLING=No, icmp echo (ping) is handled via - rules and policies just like any other connection request. The FORWARDPING=Yes - option in shorewall.conf and the 'noping' and 'filterping' options - in /etc/shorewall/interfaces will all generate an error.
    -
    -
    2. -
  2. It is now possible to direct Shorewall to create a "label" - such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes - and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead - of just the interface name:
    -  
    -    a) In the INTERFACE column of /etc/shorewall/masq
    -    b) In the INTERFACE column of /etc/shorewall/nat
    -  
    3. -
  3. Support for OpenVPN Tunnels.
    -
    -
    4. -
  4. Support for VLAN devices with names of the form $DEV.$VID - (e.g., eth0.0)
    -
    -
    5. -
  5. In /etc/shorewall/tcrules, the MARK value may be optionally - followed by ":" and either 'F' or 'P' to designate that the marking will - occur in the FORWARD or PREROUTING chains respectively. If this additional - specification is omitted, the chain used to mark packets will be determined - by the setting of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
    -
    -
    6. -
  6. When an interface name is entered in the SUBNET column of - the /etc/shorewall/masq file, Shorewall previously masqueraded traffic - from only the first subnet defined on that interface. It did not masquerade - traffic from:
    -  
    -    a) The subnets associated with other addresses on the -interface.
    -    b) Subnets accessed through local routers.
    -  
    - Beginning with Shorewall 1.3.14, if you enter an interface - name in the SUBNET column, shorewall will use the firewall's routing - table to construct the masquerading/SNAT rules.
    -  
    - Example 1 -- This is how it works in 1.3.14.
    -   
    + +

    3/24/2003 - Shorewall 1.4.1

    + - + + + + + + + + + + + + + + + + + + +

    This release follows up on 1.4.0. It corrects a problem introduced in +1.4.0 and removes additional warts.
    +
    + Problems Corrected:
    +

    + +
      +
    1. When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), +it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file +is empty. That problem has been corrected so that ECN disabling rules are +only added if there are entries in /etc/shorewall/ecn.
      2. +
    + New Features:
    + +
    Note: In the list that follows, the term group refers to +a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a +host address) accessed through a particular interface. Examples:
    + +
    eth0:0.0.0.0/0
    + eth2:192.168.1.0/24
    + eth3:192.0.2.123
    +
    + You can use the "shorewall check" command to see the groups associated with +each of your zones.
    +
    + +
      +
    1. Beginning with Shorewall 1.4.1, if a zone Z comprises more than one +group then if there is no explicit Z to Z policy and there are no +rules governing traffic from Z to Z then Shorewall will permit all traffic +between the groups in the zone.
      2. +
    2. Beginning with Shorewall 1.4.1, Shorewall will never create rules to +handle traffic from a group to itself.
      3. +
    3. A NONE policy is introduced in 1.4.1. When a policy of NONE is specified +from Z1 to Z2:
      4. +
    + +
      +
    • There may be no rules created that govern connections from Z1 to Z2.
      • +
    • Shorewall will not create any infrastructure to handle traffic from +Z1 to Z2.
      • +
    + See the upgrade issues for a discussion +of how these changes may affect your configuration. +

    3/17/2003 - Shorewall 1.4.0

    + Shorewall 1.4 represents + the next step in the evolution of Shorewall. The main thrust of the initial + release is simply to remove the cruft that has accumulated in Shorewall + over time.
    +
    + IMPORTANT: Shorewall 1.4.0 requires the iproute package +('ip' utility).
    +
    + Function from 1.3 that has been omitted from this version include:
    + +
      +
    1. The MERGE_HOSTS variable in shorewall.conf is no longer +supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
      +
      +
      2. +
    2. Interface names of the form <device>:<integer> +in /etc/shorewall/interfaces now generate an error.
      +
      +
      3. +
    3. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. + OLD_PING_HANDLING=Yes will generate an error at startup as will specification + of the 'noping' or 'filterping' interface options.
      +
      +
      4. +
    4. The 'routestopped' option in the /etc/shorewall/interfaces +and /etc/shorewall/hosts files is no longer supported and will generate +an error at startup if specified.
      +
      +
      5. +
    5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no +longer accepted.
      +
      +
      6. +
    6. The ALLOWRELATED variable in shorewall.conf is no longer supported. + Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
      +
      +
      7. +
    7. The icmp.def file has been removed.
      +
      8. + +
    + Changes for 1.4 include:
    + +
      +
    1. The /etc/shorewall/shorewall.conf file has been completely +reorganized into logical sections.
      +
      +
      2. +
    2. LOG is now a valid action for a rule (/etc/shorewall/rules).
      +
      +
      3. +
    3. The firewall script and version file are now installed in +/usr/share/shorewall.
      +
      +
      4. +
    4. Late arriving DNS replies are now silently dropped in the +common chain by default.
      +
      +
      5. +
    5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall + 1.4 no longer unconditionally accepts outbound ICMP packets. So if you + want to 'ping' from the firewall, you will need the appropriate rule or + policy.
      +
      +
      6. +
    6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
      +
      +
      7. +
    7. 802.11b devices with names of the form wlan<n> now support +the 'maclist' option.
      +
      +
      8. +
    8. Explicit Congestion Notification (ECN - RFC 3168) may now be turned + off on a host or network basis using the new /etc/shorewall/ecn file. To +use this facility:
      +
      +    a) You must be running kernel 2.4.20
      +    b) You must have applied the patch in
      +    http://www.shorewall/net/pub/shorewall/ecn/patch.
      +    c) You must have iptables 1.2.7a installed.
      +
      +
      9. +
    9. The /etc/shorewall/params file is now processed first so that variables + may be used in the /etc/shorewall/shorewall.conf file.
      +
      +
      10. +
    10. Shorewall now gives a more helpful diagnostic when the + 'ipchains' compatibility kernel module is loaded and a 'shorewall start' + command is issued.
      +
      +
      11. +
    11. The SHARED_DIR variable has been removed from shorewall.conf. This + variable was for use by package maintainers and was not documented for +general use.
      +
      +
      12. +
    12. Shorewall now ignores 'default' routes when detecting masq'd networks.
      13. + +
    + +

    3/10/2003 - Shoreall 1.3.14a

    + +

    A roleup of the following bug fixes and other updates:

    + +
      +
    • There is an updated rfc1918 file that reflects the resent allocation + of 222.0.0.0/8 and 223.0.0.0/8.
      • + +
    + +
      +
    • The documentation for the routestopped file claimed that a comma-separated + list could appear in the second column while the code only supported a + single host or network address.
      • +
    • Log messages produced by 'logunclean' and 'dropunclean' were not +rate-limited.
      • +
    • 802.11b devices with names of the form wlan<n> don't + support the 'maclist' interface option.
      • +
    • Log messages generated by RFC 1918 filtering are not rate limited.
      • +
    • The firewall fails to start in the case where you have "eth0 eth1" +in /etc/shorewall/masq and the default route is through eth1
      • + +
    + +

    2/8/2003 - Shoreawall 1.3.14

    + +

    New features include

    + +
      +
    1. An OLD_PING_HANDLING option has been added to shorewall.conf. + When set to Yes, Shorewall ping handling is as it has always been +(see http://www.shorewall.net/ping.html).
      +
      + When OLD_PING_HANDLING=No, icmp echo (ping) is handled +via rules and policies just like any other connection request. The +FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping' +options in /etc/shorewall/interfaces will all generate an error.
      +
      +
      2. +
    2. It is now possible to direct Shorewall to create a "label" + such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes + and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead + of just the interface name:
      +  
      +    a) In the INTERFACE column of /etc/shorewall/masq
      +    b) In the INTERFACE column of /etc/shorewall/nat
      +  
      3. +
    3. Support for OpenVPN Tunnels.
      +
      +
      4. +
    4. Support for VLAN devices with names of the form $DEV.$VID + (e.g., eth0.0)
      +
      +
      5. +
    5. In /etc/shorewall/tcrules, the MARK value may be optionally + followed by ":" and either 'F' or 'P' to designate that the marking +will occur in the FORWARD or PREROUTING chains respectively. If this +additional specification is omitted, the chain used to mark packets +will be determined by the setting of the MARK_IN_FORWARD_CHAIN option +in shorewall.conf.
      +
      +
      6. +
    6. When an interface name is entered in the SUBNET column +of the /etc/shorewall/masq file, Shorewall previously masqueraded +traffic from only the first subnet defined on that interface. It did +not masquerade traffic from:
      +  
      +    a) The subnets associated with other addresses on the + interface.
      +    b) Subnets accessed through local routers.
      +  
      + Beginning with Shorewall 1.3.14, if you enter an interface + name in the SUBNET column, shorewall will use the firewall's routing + table to construct the masquerading/SNAT rules.
      +  
      + Example 1 -- This is how it works in 1.3.14.
      +   
      + + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
      - + 
         [root@gateway test]# shorewall start
         ...
         Masqueraded Subnets and Hosts:
             To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
             To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
         Processing /etc/shorewall/tos...
      -  
      - When upgrading to Shorewall 1.3.14, if you have multiple -local subnets connected to an interface that is specified in the +  
      + When upgrading to Shorewall 1.3.14, if you have multiple + local subnets connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing. In most cases, you will simply be able to remove redundant entries. In some cases though, you might want to change from using the interface name to listing specific subnetworks if the change described above will cause masquerading to occur on subnetworks that you don't wish to masquerade.
      -  
      - Example 2 -- Suppose that your current config is as follows:
      -   
      +  
      + Example 2 -- Suppose that your current config is as follows:
      +   
      - + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         eth0                    192.168.10.0/24         206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
      -  
      -    In this case, the second entry in /etc/shorewall/masq -is no longer required.
      -  
      - Example 3 -- What if your current configuration is like this?
      -  
      +  
      +    In this case, the second entry in /etc/shorewall/masq + is no longer required.
      +  
      + Example 3 -- What if your current configuration is like +this?
      +  
      - + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
      -  
      -    In this case, you would want to change the entry in  /etc/shorewall/masq - to:
      +  
      +    In this case, you would want to change the entry in  +/etc/shorewall/masq to:
      - + 
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    192.168.1.0/24          206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      -
      7. - + +
    - +


    - 2/5/2003 - Shorewall Support included in Webmin 1.060

    - + 2/5/2003 - Shorewall Support included in Webmin 1.060

    +

    Webmin version 1.060 now has Shorewall support included as standard. See - http://www.webmin.com.
    -
    - 2/4/2003 - Shorewall 1.3.14-RC1

    - + http://www.webmin.com.
    +
    + 2/4/2003 - Shorewall 1.3.14-RC1

    +

    Includes the Beta 2 content plus support for OpenVPN tunnels.

    - +

    1/28/2003 - Shorewall 1.3.14-Beta2

    - +

    Includes the Beta 1 content plus restores VLAN device names of the form - $dev.$vid (e.g., eth0.1)

    - + $dev.$vid (e.g., eth0.1)

    +

    1/25/2003 - Shorewall 1.3.14-Beta1
    -

    - +

    +

    The Beta includes the following changes:
    -

    - +

    +
      -
    1. An OLD_PING_HANDLING option has been added to shorewall.conf. - When set to Yes, Shorewall ping handling is as it has always been (see - http://www.shorewall.net/ping.html).
      -
      - When OLD_PING_HANDLING=No, icmp echo (ping) is handled via - rules and policies just like any other connection request. The FORWARDPING=Yes - option in shorewall.conf and the 'noping' and 'filterping' options - in /etc/shorewall/interfaces will all generate an error.
      -
      -
      2. -
    2. It is now possible to direct Shorewall to create a -"label" such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes - and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead - of just the interface name:
      -  
      -    a) In the INTERFACE column of /etc/shorewall/masq
      -    b) In the INTERFACE column of /etc/shorewall/nat
      -  
      3. -
    3. When an interface name is entered in the SUBNET column - of the /etc/shorewall/masq file, Shorewall previously masqueraded +
    4. An OLD_PING_HANDLING option has been added to shorewall.conf. + When set to Yes, Shorewall ping handling is as it has always been +(see http://www.shorewall.net/ping.html).
      +
      + When OLD_PING_HANDLING=No, icmp echo (ping) is handled +via rules and policies just like any other connection request. The +FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping' +options in /etc/shorewall/interfaces will all generate an error.
      +
      +
      5. +
    5. It is now possible to direct Shorewall to create +a "label" such as  "eth0:0" for IP addresses that it creates under +ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying +the label instead of just the interface name:
      +  
      +    a) In the INTERFACE column of /etc/shorewall/masq
      +    b) In the INTERFACE column of /etc/shorewall/nat
      +  
      6. +
    6. When an interface name is entered in the SUBNET column + of the /etc/shorewall/masq file, Shorewall previously masqueraded traffic from only the first subnet defined on that interface. It did not masquerade traffic from:
      -  
      -    a) The subnets associated with other addresses on the -interface.
      -    b) Subnets accessed through local routers.
      -  
      - Beginning with Shorewall 1.3.14, if you enter an interface - name in the SUBNET column, shorewall will use the firewall's routing - table to construct the masquerading/SNAT rules.
      -  
      - Example 1 -- This is how it works in 1.3.14.
      -   
      +  
      +    a) The subnets associated with other addresses on the + interface.
      +    b) Subnets accessed through local routers.
      +  
      + Beginning with Shorewall 1.3.14, if you enter an interface + name in the SUBNET column, shorewall will use the firewall's routing + table to construct the masquerading/SNAT rules.
      +  
      + Example 1 -- This is how it works in 1.3.14.
      +   
      - + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
      - + 
         [root@gateway test]# shorewall start
         ...
         Masqueraded Subnets and Hosts:
             To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
             To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
         Processing /etc/shorewall/tos...
      -  
      - When upgrading to Shorewall 1.3.14, if you have multiple -local subnets connected to an interface that is specified in the +  
      + When upgrading to Shorewall 1.3.14, if you have multiple + local subnets connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq file will need changing. In most cases, you will simply be able to remove redundant entries. In some cases though, you might want to change from using the interface name to listing specific subnetworks if the change described above will cause masquerading to occur on subnetworks that you don't wish to masquerade.
      -  
      - Example 2 -- Suppose that your current config is as follows:
      -   
      +  
      + Example 2 -- Suppose that your current config is as follows:
      +   
      - + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         eth0                    192.168.10.0/24         206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
      -  
      -    In this case, the second entry in /etc/shorewall/masq -is no longer required.
      -  
      - Example 3 -- What if your current configuration is like this?
      -  
      +  
      +    In this case, the second entry in /etc/shorewall/masq + is no longer required.
      +  
      + Example 3 -- What if your current configuration is like +this?
      +  
      - + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
      -  
      -    In this case, you would want to change the entry in  /etc/shorewall/masq - to:
      +  
      +    In this case, you would want to change the entry in  +/etc/shorewall/masq to:
      - + 
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    192.168.1.0/24          206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      -
      7. - + +
    - +

    1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format

    - + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. - the PDF may be downloaded from

    -     +     ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    -     http://slovakia.shorewall.net/pub/shorewall/pdf/ - +

    1/17/2003 - shorewall.net has MOVED 

    - +

    Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A big thanks to Alex for making this happen.
    -

    - -

    1/13/2003 - Shorewall 1.3.13
    -

    - -

    Just includes a few things that I had on the burner:
    -

    - -
      -
    1. A new 'DNAT-' action has been added for entries -in the /etc/shorewall/rules file. DNAT- is intended for advanced -users who wish to minimize the number of rules that connection requests - must traverse.
      -
      - A Shorewall DNAT rule actually generates two iptables -rules: a header rewriting rule in the 'nat' table and an ACCEPT rule -in the 'filter' table. A DNAT- rule only generates the first of these - rules. This is handy when you have several DNAT rules that would -generate the same ACCEPT rule.
      -
      -    Here are three rules from my previous rules file:
      -
      -         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.178
      -         DNAT   net  dmz:206.124.146.177 tcp smtp - 206.124.146.179
      -         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
      -
      -    These three rules ended up generating _three_ copies - of
      -
      -          ACCEPT net  dmz:206.124.146.177 tcp smtp
      -
      -    By writing the rules this way, I end up with only -one copy of the ACCEPT rule.
      -
      -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
      -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
      -         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
      -
      -
      2. -
    2. The 'shorewall check' command now prints out the - applicable policy between each pair of zones.
      -
      -
      3. -
    3. A new CLEAR_TC option has been added to shorewall.conf. - If this option is set to 'No' then Shorewall won't clear the current - traffic control rules during [re]start. This setting is intended for - use by people that prefer to configure traffic shaping when the network - interfaces come up rather than when the firewall is started. If that -is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not -supply an /etc/shorewall/tcstart file. That way, your traffic shaping -rules can still use the 'fwmark' classifier based on packet marking defined -in /etc/shorewall/tcrules.
      -
      -
      4. -
    4. A new SHARED_DIR variable has been added that allows - distribution packagers to easily move the shared directory (default - /usr/lib/shorewall). Users should never have a need to change the - value of this shorewall.conf setting.
      -
      5. - -
    - -

    1/6/2003 - BURNOUT -

    - -

    Until further notice, I will not be involved in either Shorewall Development - or Shorewall Support

    - -

    -Tom Eastep

    +

    1/13/2003 - Shorewall 1.3.13
    +

    + +

    Just includes a few things that I had on the burner:
    +

    + +
      +
    1. A new 'DNAT-' action has been added for entries + in the /etc/shorewall/rules file. DNAT- is intended for advanced + users who wish to minimize the number of rules that connection requests + must traverse.
      +
      + A Shorewall DNAT rule actually generates two iptables + rules: a header rewriting rule in the 'nat' table and an ACCEPT rule + in the 'filter' table. A DNAT- rule only generates the first of +these rules. This is handy when you have several DNAT rules that would +generate the same ACCEPT rule.
      +
      +    Here are three rules from my previous rules file:
      +
      +         DNAT   net  dmz:206.124.146.177 tcp smtp - +206.124.146.178
      +         DNAT   net  dmz:206.124.146.177 tcp smtp - +206.124.146.179
      +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...
      +
      +    These three rules ended up generating _three_ copies + of
      +
      +          ACCEPT net  dmz:206.124.146.177 tcp smtp
      +
      +    By writing the rules this way, I end up with only + one copy of the ACCEPT rule.
      +
      +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  +206.124.146.178
      +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  +206.124.146.179
      +         ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....
      +
      +
      2. +
    2. The 'shorewall check' command now prints out +the applicable policy between each pair of zones.
      +
      +
      3. +
    3. A new CLEAR_TC option has been added to shorewall.conf. + If this option is set to 'No' then Shorewall won't clear the current + traffic control rules during [re]start. This setting is intended for + use by people that prefer to configure traffic shaping when the network + interfaces come up rather than when the firewall is started. If that + is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not + supply an /etc/shorewall/tcstart file. That way, your traffic shaping + rules can still use the 'fwmark' classifier based on packet marking defined + in /etc/shorewall/tcrules.
      +
      +
      4. +
    4. A new SHARED_DIR variable has been added that +allows distribution packagers to easily move the shared directory +(default /usr/lib/shorewall). Users should never have a need to change +the value of this shorewall.conf setting.
      +
      5. + +
    + +

    1/6/2003 - BURNOUT +

    + +

    Until further notice, I will not be involved in either Shorewall Development + or Shorewall Support

    + +

    -Tom Eastep
    +

    +

    12/30/2002 - Shorewall Documentation in PDF Format

    - + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. - the PDF may be downloaded from

    - + the PDF may be downloaded from

    + +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    -     http://slovakia.shorewall.net/pub/shorewall/pdf/
    -

    - +

    + +

    12/27/2002 - Shorewall 1.3.12 Released

    - +

    Features include:
    -

    - +

    +
      -
    1. "shorewall refresh" now reloads the traffic -shaping rules (tcrules and tcstart).
      2. -
    2. "shorewall debug [re]start" now turns off debugging - after an error occurs. This places the point of the failure near - the end of the trace rather than up in the middle of it.
      3. -
    3. "shorewall [re]start" has been speeded up by -more than 40% with my configuration. Your milage may vary.
      4. -
    4. A "shorewall show classifiers" command has been - added which shows the current packet classification filters. -The output from this command is also added as a separate page -in "shorewall monitor"
      5. -
    5. ULOG (must be all caps) is now accepted as a -valid syslog level and causes the subject packets to be logged -using the ULOG target rather than the LOG target. This allows you -to run ulogd (available from "shorewall refresh" now reloads the traffic + shaping rules (tcrules and tcstart).
      6. +
    6. "shorewall debug [re]start" now turns off +debugging after an error occurs. This places the point of the +failure near the end of the trace rather than up in the middle +of it.
      7. +
    7. "shorewall [re]start" has been speeded up +by more than 40% with my configuration. Your milage may vary.
      8. +
    8. A "shorewall show classifiers" command has +been added which shows the current packet classification filters. + The output from this command is also added as a separate page + in "shorewall monitor"
      9. +
    9. ULOG (must be all caps) is now accepted as +a valid syslog level and causes the subject packets to be logged + using the ULOG target rather than the LOG target. This allows you + to run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a separate log file.
      10. -
    10. If you are running a kernel that has a FORWARD - chain in the mangle table ("shorewall show mangle" will show you - the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes - in shorewall.conf. This allows for - marking input packets based on their destination even when you - are using Masquerading or SNAT.
      11. -
    11. I have cluttered up the /etc/shorewall directory - with empty 'init', 'start', 'stop' and 'stopped' files. If you - already have a file with one of these names, don't worry -- the upgrade - process won't overwrite your file.
      12. -
    12. I have added a new RFC1918_LOG_LEVEL variable - to shorewall.conf. This variable - specifies the syslog level at which packets are logged as a result - of entries in the /etc/shorewall/rfc1918 file. Previously, these -packets were always logged at the 'info' level.
      -
      13. - +
    13. If you are running a kernel that has a FORWARD + chain in the mangle table ("shorewall show mangle" will show +you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes + in shorewall.conf. This allows +for marking input packets based on their destination even when +you are using Masquerading or SNAT.
      14. +
    14. I have cluttered up the /etc/shorewall directory + with empty 'init', 'start', 'stop' and 'stopped' files. If you + already have a file with one of these names, don't worry -- the +upgrade process won't overwrite your file.
      15. +
    15. I have added a new RFC1918_LOG_LEVEL variable + to shorewall.conf. This variable + specifies the syslog level at which packets are logged as a result + of entries in the /etc/shorewall/rfc1918 file. Previously, these + packets were always logged at the 'info' level.
      +
      16. +
    - +

    12/20/2002 - Shorewall 1.3.12 Beta 3
    -

    - This version corrects a problem with Blacklist logging. - In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the - firewall would fail to start and "shorewall refresh" would also fail.
    - +

    + This version corrects a problem with Blacklist +logging. In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything +but ULOG, the firewall would fail to start and "shorewall refresh" +would also fail.
    +

    12/20/2002 - Shorewall 1.3.12 Beta 2

    - +

    The first public Beta version of Shorewall 1.3.12 is now available (Beta - 1 was made available only to a limited audience).
    -

    - Features include:
    - + 1 was made available only to a limited audience).
    +

    + Features include:
    +
      -
    1. "shorewall refresh" now reloads the traffic - shaping rules (tcrules and tcstart).
      2. -
    2. "shorewall debug [re]start" now turns off - debugging after an error occurs. This places the point of the - failure near the end of the trace rather than up in the middle of - it.
      3. -
    3. "shorewall [re]start" has been speeded -up by more than 40% with my configuration. Your milage may vary.
      4. -
    4. A "shorewall show classifiers" command -has been added which shows the current packet classification -filters. The output from this command is also added as a separate -page in "shorewall monitor"
      5. -
    5. ULOG (must be all caps) is now accepted -as a valid syslog level and causes the subject packets to be logged - using the ULOG target rather than the LOG target. This allows +
    6. "shorewall refresh" now reloads the traffic + shaping rules (tcrules and tcstart).
      7. +
    7. "shorewall debug [re]start" now turns +off debugging after an error occurs. This places the point of +the failure near the end of the trace rather than up in the middle +of it.
      8. +
    8. "shorewall [re]start" has been speeded + up by more than 40% with my configuration. Your milage may vary.
      9. +
    9. A "shorewall show classifiers" command + has been added which shows the current packet classification + filters. The output from this command is also added as a separate + page in "shorewall monitor"
      10. +
    10. ULOG (must be all caps) is now accepted + as a valid syslog level and causes the subject packets to be +logged using the ULOG target rather than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) - and log all Shorewall messages to a separate log file.
      11. -
    11. If you are running a kernel that has a -FORWARD chain in the mangle table ("shorewall show mangle" will -show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes - in shorewall.conf. This allows for marking input packets based -on their destination even when you are using Masquerading or SNAT.
      12. -
    12. I have cluttered up the /etc/shorewall -directory with empty 'init', 'start', 'stop' and 'stopped' files. -If you already have a file with one of these names, don't worry --- the upgrade process won't overwrite your file.
      13. - +
    13. If you are running a kernel that has +a FORWARD chain in the mangle table ("shorewall show mangle" +will show you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes + in shorewall.conf. This allows for marking input packets based + on their destination even when you are using Masquerading or SNAT.
      14. +
    14. I have cluttered up the /etc/shorewall + directory with empty 'init', 'start', 'stop' and 'stopped' +files. If you already have a file with one of these names, don't +worry -- the upgrade process won't overwrite your file.
      15. +
    - You may download the Beta from:
    - + You may download the Beta from:
    +
    http://www.shorewall.net/pub/shorewall/Beta
    - ftp://ftp.shorewall.net/pub/shorewall/Beta
    -
    - + +

    12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux -

    - Shorewall is at the center of MandrakeSoft's - recently-announced

    + Shorewall is at the center of MandrakeSoft's + recently-announced     Multi - Network Firewall (MNF) product. Here is the product. Here is the press - release.
    - + release.
    +

    12/7/2002 - Shorewall Support for Mandrake 9.0

    - +

    Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. - I have installed 9.0 on one of my systems and I am now in -a position to support Shorewall users who run Mandrake 9.0.

    - + I have installed 9.0 on one of my systems and I am now in + a position to support Shorewall users who run Mandrake 9.0.

    +

    12/6/2002 - Debian 1.3.11a Packages Available
    -

    +

    - +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    12/3/2002 - Shorewall 1.3.11a

    - +

    This is a bug-fix roll up which includes Roger Aich's fix for DNAT with - excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 - users who don't need rules of this type need not upgrade to -1.3.11.

    - + excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 + users who don't need rules of this type need not upgrade to + 1.3.11.

    +

    11/24/2002 - Shorewall 1.3.11

    - +

    In this version:

    - +
      -
    • A 'tcpflags' option has been added - to entries in /etc/shorewall/interfaces. - This option causes Shorewall to make a set of sanity check on TCP -packet header flags.
      • -
    • It is now allowed to use 'all' in - the SOURCE or DEST column in a A 'tcpflags' option has been added + to entries in /etc/shorewall/interfaces. + This option causes Shorewall to make a set of sanity check on TCP + packet header flags.
      • +
    • It is now allowed to use 'all' +in the SOURCE or DEST column in a rule. When used, 'all' must appear by itself (in may not be qualified) and it does not enable intra-zone traffic. For example, the rule
      -
      -     ACCEPT loc all tcp 80
      -
      - does not enable http traffic from 'loc' - to 'loc'.
      • -
    • Shorewall's use of the 'echo' command - is now compatible with bash clones such as ash and dash.
      • -
    • fw->fw policies now generate -a startup error. fw->fw rules generate a warning and +
      +     ACCEPT loc all tcp 80
      +
      + does not enable http traffic from 'loc' + to 'loc'.
      • +
    • Shorewall's use of the 'echo' +command is now compatible with bash clones such as ash and +dash.
      • +
    • fw->fw policies now generate + a startup error. fw->fw rules generate a warning and are ignored
      • - +
    - +

    11/14/2002 - Shorewall Documentation in PDF Format

    - + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. - the PDF may be downloaded from

    - + the PDF may be downloaded from

    + +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    -     http://slovakia.shorewall.net/pub/shorewall/pdf/
    -

    - +

    + +

    11/09/2002 - Shorewall is Back at SourceForge

    - +

    The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.
    -

    +

    - +

    11/09/2002 - Shorewall 1.3.10

    - +

    In this version:

    - + - +

    10/24/2002 - Shorewall is now in Gentoo Linux
    -

    - Alexandru Hartmann reports that his - Shorewall package is now a part of

    + Alexandru Hartmann reports that +his Shorewall package is now a part of     the Gentoo Linux distribution. Thanks Alex!
    - +

    10/23/2002 - Shorewall 1.3.10 Beta 1

    - In this version:
    + In this version:
    - + - You may download the Beta from:
    + You may download the Beta from:
    - + - +

    10/10/2002 -  Debian 1.3.9b Packages Available
    -

    +

    - +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    10/9/2002 - Shorewall 1.3.9b

    - This release rolls up fixes to the - installer and to the firewall script.
    - - -

    10/6/2002 - Shorewall.net now running on RH8.0
    -
    - The firewall and server here at - shorewall.net are now running RedHat release 8.0.
    -
    - 9/30/2002 - Shorewall 1.3.9a

    - Roles up the fix for broken tunnels.
    + This release rolls up fixes to +the installer and to the firewall script.
    +

    10/6/2002 - Shorewall.net now running on RH8.0
    +
    + The firewall and server here +at shorewall.net are now running RedHat release 8.0.
    +
    + 9/30/2002 - Shorewall 1.3.9a

    + Roles up the fix for broken +tunnels.
    + +

    9/30/2002 - TUNNELS Broken in 1.3.9!!!

    - There is an updated firewall script - at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - -- copy that file to /usr/lib/shorewall/firewall.
    + -- copy that file to /usr/lib/shorewall/firewall.
    - +

    9/28/2002 - Shorewall 1.3.9

    - +

    In this version:
    -

    +

    - +
      -
    • DNS Names are now allowed in Shorewall config files (although I recommend against using them).
      • -
    • The connection SOURCE - may now be qualified by both interface and IP address - in a Shorewall rule.
      • -
    • Shorewall startup is - now disabled after initial installation until the -file /etc/shorewall/startup_disabled is removed. This avoids - nasty surprises during reboot for users who install Shorewall - but don't configure it.
      • -
    • The 'functions' and 'version' - files and the 'firewall' symbolic link have been moved - from /var/lib/shorewall to /usr/lib/shorewall to appease - the LFS police at Debian.
      -
      • - - -
    - - -

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
    -

    - Brown Paper Bag - A couple of recent configuration - changes at www.shorewall.net broke the Search facility:
    - - -
    - - -
      -
    1. Mailing List Archive - Search was not available.
      2. -
    2. The Site Search index - was incomplete
      3. -
    3. Only one page of -matches was presented.
      4. - - - -
    -
    - Hopefully these problems - are now corrected. - -

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability - Restored
    -

    - A couple of recent configuration - changes at www.shorewall.net had the negative effect - of breaking the Search facility:
    - - -
      -
    1. Mailing List Archive - Search was not available.
      2. -
    2. The Site Search index - was incomplete
      3. -
    3. Only one page of matches - was presented.
      4. - - -
    - Hopefully these problems -are now corrected.
    - - -

    9/18/2002 -  Debian 1.3.8 Packages Available
    -

    +
  7. The connection SOURCE + may now be qualified by both interface and IP address + in a Shorewall rule.
    8. +
  8. Shorewall startup +is now disabled after initial installation until the + file /etc/shorewall/startup_disabled is removed. This avoids + nasty surprises during reboot for users who install Shorewall + but don't configure it.
    9. +
  9. The 'functions' and +'version' files and the 'firewall' symbolic link have +been moved from /var/lib/shorewall to /usr/lib/shorewall + to appease the LFS police at Debian.
    +
    10. + + + +

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
    +

    + Brown Paper Bag + A couple of recent configuration + changes at www.shorewall.net broke the Search facility:
    + + +
    + + +
      +
    1. Mailing List Archive + Search was not available.
      2. +
    2. The Site Search +index was incomplete
      3. +
    3. Only one page of + matches was presented.
      4. + + + +
    +
    + Hopefully these problems + are now corrected. + +

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + Restored
    +

    + A couple of recent configuration + changes at www.shorewall.net had the negative effect + of breaking the Search facility:
    + + +
      +
    1. Mailing List Archive + Search was not available.
      2. +
    2. The Site Search +index was incomplete
      3. +
    3. Only one page of +matches was presented.
      4. + + +
    + Hopefully these problems + are now corrected.
    + + +

    9/18/2002 -  Debian 1.3.8 Packages Available
    +

    + +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    9/16/2002 - Shorewall 1.3.8

    - +

    In this version:
    -

    +

    - +
      -
    • A A NEWNOTSYN option has been added to shorewall.conf. This option determines whether Shorewall - accepts TCP packets which are not part of an established - connection and that are not 'SYN' packets (SYN flag on and - ACK flag off).
      • -
    • The need for the - 'multi' option to communicate between zones za and - zb on the same interface is removed in the case where the -chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
      • + accepts TCP packets which are not part of an established + connection and that are not 'SYN' packets (SYN flag on and + ACK flag off). +
    • The need for +the 'multi' option to communicate between zones za + and zb on the same interface is removed in the case where + the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist +if:
      • - +
        -
      • There -is a policy for za to zb; or
        • -
      • There is at - least one rule for za to zb.
        • +
      • There + is a policy for za to zb; or
        • +
      • There is +at least one rule for za to zb.
        • - +
      - +
    - +
      -
    • The /etc/shorewall/blacklist - file now contains three columns. In addition to the - SUBNET/ADDRESS column, there are optional PROTOCOL and - PORT columns to block only certain applications from the - blacklisted addresses.
      -
      • +
    • The /etc/shorewall/blacklist + file now contains three columns. In addition to +the SUBNET/ADDRESS column, there are optional PROTOCOL + and PORT columns to block only certain applications from +the blacklisted addresses.
      +
      • - +
    - +

    9/11/2002 - Debian 1.3.7c Packages Available

    - +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    9/2/2002 - Shorewall 1.3.7c

    - +

    This is a role up of a fix for "DNAT" rules where the source zone is $FW - (fw).

    + (fw).

    - +

    8/31/2002 - I'm not available

    - +

    I'm currently on vacation  -- please respect my need for a couple of weeks free of Shorewall problem reports.

    - +

    -Tom

    - +

    8/26/2002 - Shorewall 1.3.7b

    - +

    This is a role up of the "shorewall refresh" bug fix and the change which - reverses the order of "dhcp" and "norfc1918" + reverses the order of "dhcp" and "norfc1918" checking.

    - +

    8/26/2002 - French FTP Mirror is Operational

    - +

    ftp://france.shorewall.net/pub/mirrors/shorewall - is now available.

    + is now available.

    - +

    8/25/2002 - Shorewall Mirror in France

    - +

    Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored - at http://france.shorewall.net.

    - +

    8/25/2002 - Shorewall 1.3.7a Debian Packages Available

    - +

    Lorenzo Martignoni reports that the packages for version 1.3.7a are available - at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author - -- Shorewall 1.3.7a released -

    +

    - +

    1.3.7a corrects problems occurring in rules file processing when starting - Shorewall 1.3.7.

    + Shorewall 1.3.7.

    - +

    8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

    - +

    Features in this release include:

    - + - +

    I would like to thank John Distler for his valuable input regarding TCP - SYN and ICMP treatment in Shorewall. That input - has led to marked improvement in Shorewall in the + SYN and ICMP treatment in Shorewall. That input + has led to marked improvement in Shorewall in the last two releases.

    - +

    8/13/2002 - Documentation in the CVS Repository

    - +

    The Shorewall-docs project now contains just the HTML and image files - the Frontpage files have been removed.

    - +

    8/7/2002 - STABLE branch added to CVS Repository

    - +

    This branch will only be updated after I release a new version of Shorewall - so you can always update from this branch to + so you can always update from this branch to get the latest stable tree.

    - +

    8/7/2002 - Upgrade Issues section added to the Errata Page

    - +

    Now there is one place to go to look for issues involved with upgrading - to recent versions of Shorewall.

    + to recent versions of Shorewall.

    - +

    8/7/2002 - Shorewall 1.3.6

    - +

    This is primarily a bug-fix rollup with a couple of new features:

    - +
      -
    • The latest QuickStart Guides - including the Shorewall Setup - Guide.
      • -
    • Shorewall will - now DROP TCP packets that are not part of or related - to an existing connection and that are not SYN packets. -These "New not SYN" packets may be optionally logged by -setting the LOGNEWNOTSYN option in The latest + QuickStart Guides + including the Shorewall +Setup Guide.
      • +
    • Shorewall will + now DROP TCP packets that are not part of or related + to an existing connection and that are not SYN packets. + These "New not SYN" packets may be optionally logged +by setting the LOGNEWNOTSYN option in /etc/shorewall/shorewall.conf.
      • -
    • The processing - of "New not SYN" packets may be extended by commands +
    • The processing + of "New not SYN" packets may be extended by commands in the new newnotsyn - extension script.
      • + extension script. - +
    - +

    7/30/2002 - Shorewall 1.3.5b Released

    - +

    This interim release:

    - + - +

    7/29/2002 - New Shorewall Setup Guide Available

    - +

    The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. - The guide is intended for use by people who are - setting up Shorewall to manage multiple public IP - addresses and by people who want to learn more about Shorewall -than is described in the single-address guides. Feedback - on the new guide is welcome.

    + The guide is intended for use by people who +are setting up Shorewall to manage multiple public +IP addresses and by people who want to learn more about +Shorewall than is described in the single-address guides. + Feedback on the new guide is welcome.

    - +

    7/28/2002 - Shorewall 1.3.5 Debian Package Available

    - +

    Lorenzo Martignoni reports that the packages are version 1.3.5a and are - available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    7/27/2002 - Shorewall 1.3.5a Released

    - +

    This interim release restores correct handling of REDIRECT rules.

    - +

    7/26/2002 - Shorewall 1.3.5 Released

    - +

    This will be the last Shorewall release for a while. I'm going to be focusing on rewriting a lot of the documentation.

    - +

     In this version:

    - + - +

    7/16/2002 - New Mirror in Argentina

    - +

    Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in - Argentina. Thanks Buanzo!!!

    + Argentina. Thanks Buanzo!!!

    - +

    7/16/2002 - Shorewall 1.3.4 Released

    - +

    In this version:

    - + - +

    7/8/2002 - Shorewall 1.3.3 Debian Package Available

    - +

    Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    7/6/2002 - Shorewall 1.3.3 Released

    - +

    In this version:

    - +
      -
    • Entries in /etc/shorewall/interface - that use the wildcard character ("+") now have - the "multi" option assumed.
      • -
    • The 'rfc1918' -chain in the mangle table has been renamed 'man1918' - to make log messages generated from that chain distinguishable - from those generated by the 'rfc1918' chain in the - filter table.
      • -
    • Interface names - appearing in the hosts file are now validated against - the interfaces file.
      • -
    • The TARGET column - in the rfc1918 file is now checked for correctness.
      • -
    • The chain structure - in the nat table has been changed to reduce the - number of rules that a packet must traverse and to correct -problems with NAT_BEFORE_RULES=No
      • -
    • The "hits" command - has been enhanced.
      • +
    • Entries in +/etc/shorewall/interface that use the wildcard character + ("+") now have the "multi" option assumed.
      • +
    • The 'rfc1918' + chain in the mangle table has been renamed 'man1918' + to make log messages generated from that chain distinguishable + from those generated by the 'rfc1918' chain in the + filter table.
      • +
    • Interface names + appearing in the hosts file are now validated against + the interfaces file.
      • +
    • The TARGET +column in the rfc1918 file is now checked for correctness.
      • +
    • The chain structure + in the nat table has been changed to reduce the + number of rules that a packet must traverse and to correct + problems with NAT_BEFORE_RULES=No
      • +
    • The "hits" +command has been enhanced.
      • - +
    - +

    6/25/2002 - Samples Updated for 1.3.2

    - +

    The comments in the sample configuration files have been updated to reflect - new features introduced in Shorewall 1.3.2.

    + new features introduced in Shorewall 1.3.2.

    - +

    6/25/2002 - Shorewall 1.3.1 Debian Package Available

    - +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    6/19/2002 - Documentation Available in PDF Format

    - +

    Thanks to Mike Martinez, the Shorewall Documentation is now available for download in Adobe PDF format.

    - +

    6/16/2002 - Shorewall 1.3.2 Released

    - +

    In this version:

    - + - +

    6/6/2002 - Why CVS Web access is Password Protected

    - +

    Last weekend, I installed the CVS Web package to provide brower-based access to the Shorewall CVS repository. Since then, I have had several instances where my server was almost unusable due to the high load generated by website copying tools like HTTrack and WebStripper. These mindless tools:

    - +
      -
    • Ignore robot.txt - files.
      • -
    • Recursively copy - everything that they find.
      • -
    • Should be classified - as weapons rather than tools.
      • +
    • Ignore robot.txt + files.
      • +
    • Recursively +copy everything that they find.
      • +
    • Should be classified + as weapons rather than tools.
      • - +
    - +

    These tools/weapons are particularly damaging when combined with CVS Web - because they doggedly follow every link in the - cgi-generated HTML resulting in 1000s of executions - of the cvsweb.cgi script. Yesterday, I spend several - hours implementing measures to block these tools but unfortunately, - these measures resulted in my server OOM-ing under even - moderate load.

    + because they doggedly follow every link in the + cgi-generated HTML resulting in 1000s of executions + of the cvsweb.cgi script. Yesterday, I spend several + hours implementing measures to block these tools but unfortunately, + these measures resulted in my server OOM-ing under even + moderate load.

    - +

    Until I have the time to understand the cause of the OOM (or until I buy - more RAM if that is what is required), CVS Web - access will remain Password Protected.

    + more RAM if that is what is required), CVS Web + access will remain Password Protected.

    - +

    6/5/2002 - Shorewall 1.3.1 Debian Package Available

    - +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - +

    6/2/2002 - Samples Corrected

    - +

    The 1.3.0 samples configurations had several serious problems that prevented - DNS and SSH from working properly. These problems - have been corrected in the 1.3.1 samples.

    - +

    6/1/2002 - Shorewall 1.3.1 Released

    - +

    Hot on the heels of 1.3.0, this release:

    - +
      -
    • Corrects a serious - problem with "all <zone> CONTINUE" +
    • Corrects a +serious problem with "all <zone> CONTINUE" policies. This problem is present in all versions of Shorewall that support the CONTINUE policy. These previous versions optimized away the "all2<zone>" chain and replaced it with the "all2all" chain with the usual result that a policy of REJECT was enforced rather than the intended CONTINUE policy.
      • -
    • Adds an Adds an /etc/shorewall/rfc1918 file for defining the exact behavior of the 'norfc1918' interface option.
      • - +
    - +

    5/29/2002 - Shorewall 1.3.0 Released

    - +

    In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 includes:

    - +
      -
    • A 'filterping' - interface option that allows ICMP echo-request (ping) - requests addressed to the firewall to be handled by entries - in /etc/shorewall/rules and /etc/shorewall/policy.
      • +
    • A 'filterping' + interface option that allows ICMP echo-request (ping) + requests addressed to the firewall to be handled by entries + in /etc/shorewall/rules and /etc/shorewall/policy.
      • - +
    - +

    5/23/2002 - Shorewall 1.3 RC1 Available

    - +

    In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) incorporates the following:

    - + - +

    5/19/2002 - Shorewall 1.3 Beta 2 Available

    - +

    In addition to the changes in Beta 1, this release which carries the designation 1.2.91 adds:

    - + - +

    5/17/2002 - Shorewall 1.3 Beta 1 Available

    - +

    Beta 1 carries the version designation 1.2.90 and implements the following - features:

    + features:

    - +
      -
    • Simplified rule - syntax which makes the intent of each rule clearer -and hopefully makes Shorewall easier to learn.
      • -
    • Upward compatibility - with 1.2 configuration files has been maintained - so that current users can migrate to the new syntax - at their convenience.
      • -
    • Simplified +rule syntax which makes the intent of each rule clearer + and hopefully makes Shorewall easier to learn.
      • +
    • Upward compatibility + with 1.2 configuration files has been maintained + so that current users can migrate to the new syntax + at their convenience.
      • +
    • WARNING:  Compatibility with the old parameterized sample configurations has NOT been maintained. Users still running those configurations should migrate - to the new sample configurations before upgrading to - 1.3 Beta 1.
      • + to the new sample configurations before upgrading to + 1.3 Beta 1.       - +
    - +

    5/4/2002 - Shorewall 1.2.13 is Available

    - +

    In this version:

    - + - +

    4/30/2002 - Shorewall Debian News

    - +

    Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the Debian Testing Branch and the Debian Unstable Branch.

    - +

    4/20/2002 - Shorewall 1.2.12 is Available

    - +
      -
    • The 'try' command - works again
      • -
    • There is now -a single RPM that also works with SuSE.
      • +
    • The 'try' command + works again
      • +
    • There is now + a single RPM that also works with SuSE.
      • - +
    - +

    4/17/2002 - Shorewall Debian News

    - +

    Lorenzo Marignoni reports that:

    - + - +

    Thanks, Lorenzo!

    - +

    4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE

    - +

    Thanks to Stefan Mohr, there - is now a Shorewall 1.2.11 - SuSE RPM available.

    + SuSE RPM available.

    - +

    4/13/2002 - Shorewall 1.2.11 Available

    - +

    In this version:

    - + - +

    4/13/2002 - Hamburg Mirror now has FTP

    - +

    Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.  - Thanks Stefan!

    + Thanks Stefan!

    - +

    4/12/2002 - New Mirror in Hamburg

    - +

    Thanks to Stefan Mohr, there - is now a mirror of the Shorewall website at - http://germany.shorewall.net. -

    + is now a mirror of the Shorewall website at + http://germany.shorewall.net. +

    - +

    4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

    - +

    Version 1.1 of the QuickStart - Guide is now available. Thanks to those who - have read version 1.0 and offered their suggestions. - Corrections have also been made to the sample scripts.

    + Guide is now available. Thanks to those +who have read version 1.0 and offered their suggestions. + Corrections have also been made to the sample scripts.

    - +

    4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

    - +

    Version 1.0 of the QuickStart - Guide is now available. This Guide and its - accompanying sample configurations are expected + Guide is now available. This Guide and its + accompanying sample configurations are expected to provide a replacement for the recently withdrawn parameterized - samples.

    + samples.

    - +

    4/8/2002 - Parameterized Samples Withdrawn

    - +

    Although the parameterized - samples have allowed people to get a firewall - up and running quickly, they have unfortunately set - the wrong level of expectation among those who have used - them. I am therefore withdrawing support for the samples + samples have allowed people to get a firewall + up and running quickly, they have unfortunately +set the wrong level of expectation among those who have +used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall - installations.

    + installations.

    - +

    4/2/2002 - Updated Log Parser

    - +

    John Lodge has provided an updated - version of his CGI-based log parser with corrected date handling.

    - +

    3/30/2002 - Shorewall Website Search Improvements

    - +

    The quick search on the home page now excludes the mailing list archives. - The Extended Search - allows excluding the archives or restricting the -search to just the archives. An archive search form -is also available on the Extended Search + allows excluding the archives or restricting the + search to just the archives. An archive search form + is also available on the mailing list information - page.

    + page.

    - +

    3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

    - + - +

    3/25/2002 - Log Parser Available

    - +

    John Lodge has provided a CGI-based log parser for Shorewall. Thanks - John.

    + John.

    - +

    3/20/2002 - Shorewall 1.2.10 Released

    - +

    In this version:

    - +
      -
    • A "shorewall -try" command has been added (syntax: shorewall try +
    • A "shorewall + try" command has been added (syntax: shorewall try <configuration directory>). This command attempts "shorewall -c <configuration directory> - start" and if that results in the firewall being stopped - due to an error, a "shorewall start" command is executed. The - 'try' command allows you to create a new configuration and attempt - to start it; if there is an error that leaves your firewall - in the stopped state, it will automatically be restarted using - the default configuration (in /etc/shorewall).
      • -
    • A new variable - ADD_SNAT_ALIASES has been added to +
    • A new variable + ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf. If this variable is set to "Yes", Shorewall will automatically add IP addresses listed in the third column of the /etc/shorewall/masq file.
      • -
    • Copyright notices - have been added to the documenation.
      • +
    • Copyright notices + have been added to the documenation.
      • - +
    - +

    3/11/2002 - Shorewall 1.2.9 Released

    - +

    In this version:

    - + - +

    3/1/2002 - 1.2.8 Debian Package is Available

    - +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/25/2002 - New Two-interface Sample

    - +

    I've enhanced the two interface sample to allow access from the firewall - to servers in the local zone - - http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    + http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    - +

    2/23/2002 - Shorewall 1.2.8 Released

    - +

    Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects problems associated with the lock file used to prevent multiple state-changing - operations from occuring simultaneously. My apologies - for any inconvenience my carelessness may have caused.

    + operations from occuring simultaneously. My +apologies for any inconvenience my carelessness +may have caused.

    - +

    2/22/2002 - Shorewall 1.2.7 Released

    - +

    In this version:

    - +
      -
    • UPnP probes (UDP - destination port 1900) are now silently dropped -in the common chain
      • -
    • RFC 1918 checking - in the mangle table has been streamlined to no longer - require packet marking. RFC 1918 checking in the filter - table has been changed to require half as many rules as previously.
      • -
    • A 'shorewall -check' command has been added that does a cursory -validation of the zones, interfaces, hosts, rules and +
    • UPnP probes +(UDP destination port 1900) are now silently dropped + in the common chain
      • +
    • RFC 1918 checking + in the mangle table has been streamlined to no longer + require packet marking. RFC 1918 checking in the filter + table has been changed to require half as many rules as previously.
      • +
    • A 'shorewall + check' command has been added that does a cursory + validation of the zones, interfaces, hosts, rules and policy files.
      • - +
    - +

    2/18/2002 - 1.2.6 Debian Package is Available

    - +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/8/2002 - Shorewall 1.2.6 Released

    - +

    In this version:

    - +
      -
    • $-variables may - now be used anywhere in the configuration files except - /etc/shorewall/zones.
      • -
    • The interfaces - and hosts files now have their contents validated - before any changes are made to the existing Netfilter +
    • $-variables +may now be used anywhere in the configuration files + except /etc/shorewall/zones.
      • +
    • The interfaces + and hosts files now have their contents validated + before any changes are made to the existing Netfilter configuration. The appearance of a zone name that isn't defined in /etc/shorewall/zones causes "shorewall start" - and "shorewall restart" to abort without changing the Shorewall - state. Unknown options in either file cause a warning to be - issued.
      • -
    • A problem occurring - when BLACKLIST_LOGLEVEL was not set has been corrected.
      • + and "shorewall restart" to abort without changing the Shorewall + state. Unknown options in either file cause a warning to +be issued. +
    • A problem occurring + when BLACKLIST_LOGLEVEL was not set has been +corrected.
      • - +
    - +

    2/4/2002 - Shorewall 1.2.5 Debian Package Available

    - +

    see http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    2/1/2002 - Shorewall 1.2.5 Released

    - +

    Due to installation problems with Shorewall 1.2.4, I have released Shorewall - 1.2.5. Sorry for the rapid-fire development.

    + 1.2.5. Sorry for the rapid-fire development.

    - +

    In version 1.2.5:

    - +
      -
    • The installation - problems have been corrected.
      • -
    • The installation + problems have been corrected.
      • +
    • SNAT is now supported.
      • -
    • A "shorewall version" - command has been added
      • -
    • The default value - of the STATEDIR variable in /etc/shorewall/shorewall.conf - has been changed to /var/lib/shorewall in order - to conform to the GNU/Linux File Hierarchy Standard, Version - 2.2.
      • +
    • A "shorewall +version" command has been added
      • +
    • The default +value of the STATEDIR variable in /etc/shorewall/shorewall.conf + has been changed to /var/lib/shorewall in order + to conform to the GNU/Linux File Hierarchy Standard, Version + 2.2.
      • - +
    - +

    1/28/2002 - Shorewall 1.2.4 Released

    - +
      -
    • The "fw" zone - may now be given a different -name.
      • -
    • You may now place - end-of-line comments (preceded by '#') in any of -the configuration files
      • -
    • There is now protection - against against two state changing operations - occuring concurrently. This is implemented using the 'lockfile' - utility if it is available (lockfile is part of procmail); - otherwise, a less robust technique is used. The lockfile - is created in the STATEDIR defined in /etc/shorewall/shorewall.conf - and has the name "lock".
      • -
    • "shorewall start" - no longer fails if "detect" is specified in - /etc/shorewall/interfaces +
    • The "fw" zone + may now be given a different + name.
      • +
    • You may now +place end-of-line comments (preceded by '#') in any + of the configuration files
      • +
    • There is now +protection against against two state changing operations + occuring concurrently. This is implemented using the + 'lockfile' utility if it is available (lockfile is part + of procmail); otherwise, a less robust technique is used. + The lockfile is created in the STATEDIR defined in /etc/shorewall/shorewall.conf + and has the name "lock".
      • +
    • "shorewall start" + no longer fails if "detect" is specified in + /etc/shorewall/interfaces for an interface with subnet mask 255.255.255.255.
      • - +
    - +

    1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

    - +

    1/20/2002 - Corrected firewall script available 

    - +

    Corrects a problem with BLACKLIST_LOGLEVEL. See the - errata for details.

    + errata for details.

    - +

    1/19/2002 - Shorewall 1.2.3 Released

    - +

    This is a minor feature and bugfix release. The single new feature is:

    - + - +

    The following problems were corrected:

    - +
      -
    • The "shorewall -status" command no longer hangs.
      • -
    • The "shorewall -monitor" command now displays the icmpdef chain
      • -
    • The CLIENT PORT(S) - column in tcrules is no longer ignored
      • +
    • The "shorewall + status" command no longer hangs.
      • +
    • The "shorewall + monitor" command now displays the icmpdef chain
      • +
    • The CLIENT PORT(S) + column in tcrules is no longer ignored
      • - +
    - +

    1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release

    - +

    Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution - that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo - for details.

    + for details.

    - +

    1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 - Shorewall Debian package is now available. There - is a link to Lorenzo's site from the Shorewall download page.

    - +

    1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores - the "shorewall status" command to health.

    + the "shorewall status" command to health.

    - +

    1/8/2002 - Shorewall 1.2.2 Released

    - +

    In version 1.2.2

    - +
      -
    • Support for IP -blacklisting has been added +
    • Support for +IP blacklisting has been added - + -
      • -
    • Use of TCP RST -replies has been expanded  +
      • +
    • Use of TCP RST + replies has been expanded  - - + +
        -
      • TCP connection - requests rejected because of a REJECT policy are now - replied with a TCP RST packet.
        • -
      • TCP connection - requests rejected because of a protocol=all rule in - /etc/shorewall/rules are now replied with a TCP RST - packet.
        • +
      • TCP connection + requests rejected because of a REJECT policy are now + replied with a TCP RST packet.
        • +
      • TCP connection + requests rejected because of a protocol=all rule in + /etc/shorewall/rules are now replied with a TCP RST + packet.
        • - +
      -
      • -
    • A +
    • A LOGFILE specification has been added to /etc/shorewall/shorewall.conf. LOGFILE is used to tell the /sbin/shorewall program where to look for Shorewall - messages.
      • + messages. - +
    - +

    1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates - to the previously-released samples. There are two - new rules added:

    + to the previously-released samples. There are +two new rules added:

    - +
      -
    • Unless you have - explicitly enabled Auth connections (tcp port 113) +
    • Unless you have + explicitly enabled Auth connections (tcp port 113) to your firewall, these connections will be REJECTED rather than DROPPED. This speeds up connection establishment to some servers.
      • -
    • Orphan DNS replies - are now silently dropped.
      • +
    • Orphan DNS replies + are now silently dropped.
      • - +
    - +

    See the README file for upgrade instructions.

    - +

    1/1/2002 - Shorewall Mailing List Moving

    - +

    The Shorewall mailing list hosted at - Sourceforge is moving to Shorewall.net. If -you are a current subscriber to the list at Sourceforge, - please see these instructions. - If you would like to subscribe to the new list, -visit is moving to Shorewall.net. If + you are a current subscriber to the list at Sourceforge, + please see these instructions. + If you would like to subscribe to the new list, + visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

    - +

    12/31/2001 - Shorewall 1.2.1 Released

    - +

    In version 1.2.1:

    - + - +

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing 1.2 on 12/21/2001

    - +

    Version 1.2 contains the following new features:

    - + - +

    For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current version 1.1.x - users will not be forced into a quick upgrade to 1.2.0 - just to have access to bug fixes.

    + 1.1.18 as necessary so that current version 1.1.x + users will not be forced into a quick upgrade to 1.2.0 + just to have access to bug fixes.

    - +

    For those of you who have installed one of the Beta RPMS, you will need - to use the "--oldpackage" option when upgrading - to 1.2.0:

    + to use the "--oldpackage" option when upgrading + to 1.2.0:

    - +
    - +

    rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

    -
    + - +

    12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall mirror in Texas. - This web site is mirrored at , there is now a Shorewall mirror in +Texas. This web site is mirrored at http://www.infohiiway.com/shorewall - and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

    - +

    11/30/2001 - A new set of the parameterized Sample Configurations has been released. In this version:

    - +
      -
    • Ping is now allowed - between the zones.
      • -
    • In the three-interface - configuration, it is now possible to configure the - internet services that are to be available to servers in - the DMZ. 
      • +
    • Ping is now +allowed between the zones.
      • +
    • In the three-interface + configuration, it is now possible to configure the + internet services that are to be available to servers in + the DMZ. 
      • - +
    - +

    11/20/2001 - The current version of Shorewall is 1.1.18. 

    - +

    In this version:

    - +
      -
    • The spelling of - ADD_IP_ALIASES has been corrected in the shorewall.conf - file
      • -
    • The logic for -deleting user-defined chains has been simplified so - that it avoids a bug in the LRP version of the 'cut' utility.
      • -
    • The /var/lib/lrpkg/shorwall.conf - file has been corrected to properly display the - NAT entry in that file.
      • +
    • The spelling +of ADD_IP_ALIASES has been corrected in the shorewall.conf + file
      • +
    • The logic for + deleting user-defined chains has been simplified so + that it avoids a bug in the LRP version of the 'cut' utility.
      • +
    • The /var/lib/lrpkg/shorwall.conf + file has been corrected to properly display the + NAT entry in that file.
      • - +
    - +

    11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall mirror - in the Slovak Republic. The website is now mirrored - at http://www.nrg.sk/mirror/shorewall - and the FTP site is mirrored at , there is now a Shorewall mirror + in the Slovak Republic. The website is now mirrored + at http://www.nrg.sk/mirror/shorewall + and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

    - +

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. - There are three sample configurations:

    + There are three sample configurations:

    - +
      -
    • One Interface --- for a standalone system.
      • -
    • Two Interfaces --- A masquerading firewall.
      • -
    • Three Interfaces - -- A masquerading firewall with DMZ.
      • +
    • One Interface + -- for a standalone system.
      • +
    • Two Interfaces + -- A masquerading firewall.
      • +
    • Three Interfaces + -- A masquerading firewall with DMZ.
      • - +
    - +

    Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 - . See the README file for instructions.

    + . See the README file for instructions.

    - + +

    11/1/2001 - The current version of Shorewall is 1.1.17.  I intend - this to be the last of the 1.1 Shorewall - releases.

    + this to be the last of the 1.1 Shorewall + releases.

    - + +

    In this version:

    - + - +

    10/22/2001 - The current version of Shorewall is 1.1.16. In this - version:

    - - -
      -
    • A new "shorewall - show connections" command has been added.
      • -
    • In the "shorewall - monitor" output, the currently tracked connections - are now shown on a separate page.
      • -
    • Prior to this -release, Shorewall unconditionally added the external - IP adddress(es) specified in /etc/shorewall/nat. Beginning - with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be - set to "no" (or "No") to inhibit this behavior. - This allows IP aliases created using your distribution's - network configuration tools to be used in static -NAT. 
      • - - -
    + version:

    -

    10/15/2001 - The current version of Shorewall is 1.1.15. In this - version:

    - -
      -
    • Support for nested - zones has been improved. See the documentation for details
      • -
    • Shorewall now -correctly checks the alternate configuration directory - for the 'zones' file.
      • +
    • A new "shorewall + show connections" command has been added.
      • +
    • In the "shorewall + monitor" output, the currently tracked connections + are now shown on a separate page.
      • +
    • Prior to this + release, Shorewall unconditionally added the external + IP adddress(es) specified in /etc/shorewall/nat. Beginning + with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be + set to "no" (or "No") to inhibit this behavior. + This allows IP aliases created using your distribution's + network configuration tools to be used in static + NAT. 
      • - +
    - -

    10/4/2001 - The current version of Shorewall is 1.1.14. In this - version

    + +

    10/15/2001 - The current version of Shorewall is 1.1.15. In this + version:

    - +
      -
    • Shorewall now -supports alternate configuration directories. When +
    • Support for +nested zones has been improved. See the documentation for details
      • +
    • Shorewall now + correctly checks the alternate configuration directory + for the 'zones' file.
      • + + +
    + + +

    10/4/2001 - The current version of Shorewall is 1.1.14. In this + version

    + + +
      +
    • Shorewall now + supports alternate configuration directories. When an alternate directory is specified when starting or restarting Shorewall (e.g., "shorewall -c /etc/testconf restart"), Shorewall will first look for configuration files in the alternate directory then in /etc/shorewall. To create an alternate configuration simply:
      - 1. Create a New -Directory
      - 2. Copy to that -directory any of your configuration files that you + 1. Create a New + Directory
      + 2. Copy to that + directory any of your configuration files that you want to change.
      - 3. Modify the copied - files as needed.
      - 4. Restart Shorewall - specifying the new directory.
      • -
    • The rules for -allowing/disallowing icmp echo-requests (pings) are - now moved after rules created when processing the rules - file. This allows you to add rules that selectively allow/deny - ping based on source or destination address.
      • -
    • Rules that specify - multiple client ip addresses or subnets no longer cause - startup failures.
      • -
    • Zone names in -the policy file are now validated against the zones - file.
      • -
    • If you have packet mangling support - enabled, the "norfc1918" - interface option now logs and drops any incoming packets - on the interface that have an RFC 1918 destination - address.
      • + 3. Modify the +copied files as needed.
      + 4. Restart Shorewall + specifying the new directory. +
    • The rules for + allowing/disallowing icmp echo-requests (pings) are + now moved after rules created when processing the rules + file. This allows you to add rules that selectively allow/deny + ping based on source or destination address.
      • +
    • Rules that specify + multiple client ip addresses or subnets no longer +cause startup failures.
      • +
    • Zone names in + the policy file are now validated against the zones + file.
      • +
    • If you have + packet mangling + support enabled, the "norfc1918" +interface option now logs and drops any incoming packets on +the interface that have an RFC 1918 destination address.
      • - +
    - +

    9/12/2001 - The current version of Shorewall is 1.1.13. In this - version

    + version

    - +
      -
    • Shell variables - can now be used to parameterize Shorewall rules.
      • -
    • The second column - in the hosts file may now contain a comma-separated - list.
      -
      - Example:
      -     sea    eth0:130.252.100.0/24,206.191.149.0/24
      • -
    • Handling of multi-zone - interfaces has been improved. See the documentation for the /etc/shorewall/interfaces - file.
      • +
    • Shell variables + can now be used to parameterize Shorewall rules.
      • +
    • The second column + in the hosts file may now contain a comma-separated + list.
      +
      + Example:
      +     sea    + eth0:130.252.100.0/24,206.191.149.0/24
      • +
    • Handling of +multi-zone interfaces has been improved. See the + documentation for the /etc/shorewall/interfaces + file.
      • - +
    - +

    8/28/2001 - The current version of Shorewall is 1.1.12. In this - version

    + version

    - +
      -
    • Several columns - in the rules file may now contain comma-separated - lists.
      • -
    • Shorewall is now - more rigorous in parsing the options in /etc/shorewall/interfaces.
      • -
    • Complementation - using "!" is now supported in rules.
      • +
    • Several columns + in the rules file may now contain comma-separated + lists.
      • +
    • Shorewall is +now more rigorous in parsing the options in /etc/shorewall/interfaces.
      • +
    • Complementation + using "!" is now supported in rules.
      • - +
    - +

    7/28/2001 - The current version of Shorewall is 1.1.11. In this - version

    + version

    - +
      -
    • A "shorewall refresh" - command has been added to allow for refreshing - the rules associated with the broadcast address on a dynamic - interface. This command should be used in place of "shorewall - restart" when the internet interface's IP address changes.
      • -
    • The /etc/shorewall/start - file (if any) is now processed after all temporary - rules have been deleted. This change prevents the accidental - removal of rules added during the processing of that - file.
      • -
    • The "dhcp" interface - option is now applicable to firewall interfaces used - by a DHCP server running on the firewall.
      • -
    • The RPM can now - be built from the .tgz file using "rpm -tb" 
      • +
    • A "shorewall +refresh" command has been added to allow for refreshing + the rules associated with the broadcast address on a dynamic + interface. This command should be used in place of "shorewall + restart" when the internet interface's IP address changes.
      • +
    • The /etc/shorewall/start + file (if any) is now processed after all temporary + rules have been deleted. This change prevents the accidental + removal of rules added during the processing of that + file.
      • +
    • The "dhcp" interface + option is now applicable to firewall interfaces +used by a DHCP server running on the firewall.
      • +
    • The RPM can +now be built from the .tgz file using "rpm -tb" 
      • - +
    - +

    7/6/2001 - The current version of Shorewall is 1.1.10. In this version

    - +
      -
    • Shorewall now -enables Ipv4 Packet Forwarding by default. Packet forwarding - may be disabled by specifying IP_FORWARD=Off in /etc/shorewall/shorewall.conf. - If you don't want Shorewall to enable or disable - packet forwarding, add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf +
    • Shorewall now + enables Ipv4 Packet Forwarding by default. Packet +forwarding may be disabled by specifying IP_FORWARD=Off + in /etc/shorewall/shorewall.conf. If you don't +want Shorewall to enable or disable packet forwarding, + add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf file.
      • -
    • The "shorewall -hits" command no longer lists extraneous service - names in its last report.
      • -
    • Erroneous instructions - in the comments at the head of the firewall script - have been corrected.
      • +
    • The "shorewall + hits" command no longer lists extraneous service + names in its last report.
      • +
    • Erroneous instructions + in the comments at the head of the firewall script + have been corrected.
      • - +
    - +

    6/23/2001 - The current version of Shorewall is 1.1.9. In this version

    - +
      -
    • The "tunnels" -file really is in the RPM now.
      • -
    • SNAT can now be - applied to port-forwarded connections.
      • -
    • A bug which would - cause firewall start failures in some dhcp configurations - has been fixed.
      • -
    • The firewall script - now issues a message if you have the name of an - interface in the second column in an entry in /etc/shorewall/masq - and that interface is not up.
      • -
    • You can now configure - Shorewall so that it doesn't - require the NAT and/or mangle netfilter modules.
      • -
    • Thanks to Alex  - Polishchuk, the "hits" command from seawall is +
    • The "tunnels" + file really is in the RPM now.
      • +
    • SNAT can now +be applied to port-forwarded connections.
      • +
    • A bug which +would cause firewall start failures in some dhcp configurations + has been fixed.
      • +
    • The firewall +script now issues a message if you have the name of + an interface in the second column in an entry in /etc/shorewall/masq + and that interface is not up.
      • +
    • You can now +configure Shorewall so that it doesn't require the NAT and/or + mangle netfilter modules.
      • +
    • Thanks to Alex  + Polishchuk, the "hits" command from seawall is now in shorewall.
      • -
    • Support for IPIP tunnels has been added.
      • +
    • Support for + IPIP tunnels has been added.
      • - +
    - +

    6/18/2001 - The current version of Shorewall is 1.1.8. In this version

    - + - +

    6/2/2001 - The current version of Shorewall is 1.1.7. In this version

    - +
      -
    • The TOS rules -are now deleted when the firewall is stopped.
      • -
    • The .rpm will -now install regardless of which version of iptables - is installed.
      • -
    • The .rpm will -now install without iproute2 being installed.
      • -
    • The documentation - has been cleaned up.
      • -
    • The sample configuration - files included in Shorewall have been formatted - to 80 columns for ease of editing on a VGA console.
      • +
    • The TOS rules + are now deleted when the firewall is stopped.
      • +
    • The .rpm will + now install regardless of which version of iptables + is installed.
      • +
    • The .rpm will + now install without iproute2 being installed.
      • +
    • The documentation + has been cleaned up.
      • +
    • The sample configuration + files included in Shorewall have been formatted + to 80 columns for ease of editing on a VGA console.
      • - +
    - +

    5/25/2001 - The current version of Shorewall is 1.1.6. In this version

    - +
      -
    • You may now rate-limit the packet log.
      • -
    • Previous - versions of Shorewall have an implementation of Static NAT - which violates the principle of least surprise.  -NAT only occurs for packets arriving at (DNAT) or send -from (SNAT) the interface named in the INTERFACE column of - /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective - regardless of which interface packets come from or are destined -to. To get compatibility with prior versions, I have added - a new "ALL "ALL INTERFACES"  column - to /etc/shorewall/nat. By placing "no" or "No" in -the new column, the NAT behavior of prior versions may be -retained. 
      • -
    • The treatment -of IPSEC Tunnels where the remote - gateway is a standalone system has been improved. Previously, - it was necessary to include an additional rule allowing UDP -port 500 traffic to pass through the tunnel. Shorewall will now - create this rule automatically when you place the name of the -remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. 
      • +
    • Previous + versions of Shorewall have an implementation of Static +NAT which violates the principle of least surprise.  + NAT only occurs for packets arriving at (DNAT) or send + from (SNAT) the interface named in the INTERFACE column of + /etc/shorewall/nat. Beginning with version 1.1.6, NAT effective + regardless of which interface packets come from or are destined + to. To get compatibility with prior versions, I have added + a new "ALL "ALL INTERFACES"  +column to /etc/shorewall/nat. By placing "no" or "No" +in the new column, the NAT behavior of prior versions may +be retained. 
      • +
    • The treatment + of IPSEC Tunnels where the +remote gateway is a standalone system has been improved. + Previously, it was necessary to include an additional rule allowing + UDP port 500 traffic to pass through the tunnel. Shorewall will +now create this rule automatically when you place the name of +the remote peer's zone in a new GATEWAY ZONE column in /etc/shorewall/tunnels. 
      • - +
    - +

    5/20/2001 - The current version of Shorewall is 1.1.5. In this version

    - + - +

    5/10/2001 - The current version of Shorewall is 1.1.4. In this version

    - +
      -
    • Accepting RELATED connections is now optional.
      • -
    • Corrected problem - where if "shorewall start" aborted early (due +
    • Corrected problem + where if "shorewall start" aborted early (due to kernel configuration errors for example), superfluous 'sed' error messages were reported.
      • -
    • Corrected rules - generated for port redirection.
      • -
    • The order in which - iptables kernel modules are loaded has been corrected - (Thanks to Mark Pavlidis). 
      • +
    • Corrected rules + generated for port redirection.
      • +
    • The order in +which iptables kernel modules are loaded has been + corrected (Thanks to Mark Pavlidis). 
      • - +
    - +

    4/28/2001 - The current version of Shorewall is 1.1.3. In this version

    - +
      -
    • Correct message - issued when Proxy ARP address added (Thanks to Jason - Kirtland).
      • -
    • /tmp/shorewallpolicy-$$ - is now removed if there is an error while starting - the firewall.
      • -
    • /etc/shorewall/icmp.def - and /etc/shorewall/common.def are now used to -define the icmpdef and common chains unless overridden -by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
      • -
    • In the .lrp, the - file /var/lib/lrpkg/shorwall.conf has been corrected. - An extra space after "/etc/shorwall/policy" has been - removed and "/etc/shorwall/rules" has been added.
      • -
    • When a sub-shell - encounters a fatal error and has stopped the firewall, - it now kills the main shell so that the main shell will - not continue.
      • -
    • A problem has -been corrected where a sub-shell stopped the firewall - and main shell continued resulting in a perplexing error - message referring to "common.so" resulted.
      • -
    • Previously, placing - "-" in the PORT(S) column in /etc/shorewall/rules - resulted in an error message during start. This has been -corrected.
      • -
    • The first line -of "install.sh" has been corrected -- I had inadvertently - deleted the initial "#".
      • +
    • Correct message + issued when Proxy ARP address added (Thanks to Jason + Kirtland).
      • +
    • /tmp/shorewallpolicy-$$ + is now removed if there is an error while starting + the firewall.
      • +
    • /etc/shorewall/icmp.def + and /etc/shorewall/common.def are now used to + define the icmpdef and common chains unless overridden + by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
      • +
    • In the .lrp, +the file /var/lib/lrpkg/shorwall.conf has been corrected. + An extra space after "/etc/shorwall/policy" has been + removed and "/etc/shorwall/rules" has been added.
      • +
    • When a sub-shell + encounters a fatal error and has stopped the firewall, + it now kills the main shell so that the main shell will + not continue.
      • +
    • A problem has + been corrected where a sub-shell stopped the firewall + and main shell continued resulting in a perplexing error + message referring to "common.so" resulted.
      • +
    • Previously, +placing "-" in the PORT(S) column in /etc/shorewall/rules + resulted in an error message during start. This has +been corrected.
      • +
    • The first line + of "install.sh" has been corrected -- I had inadvertently + deleted the initial "#".
      • - +
    - +

    4/12/2001 - The current version of Shorewall is 1.1.2. In this version

    - +
      -
    • Port redirection - now works again.
      • -
    • The icmpdef and - common chains may now - be user-defined.
      • -
    • The firewall no - longer fails to start if "routefilter" is specified - for an interface that isn't started. A warning message -is now issued in this case.
      • -
    • The LRP Version - is renamed "shorwall" for 8,3 MSDOS file system - compatibility.
      • -
    • A couple of LRP-specific - problems were corrected.
      • +
    • Port redirection + now works again.
      • +
    • The icmpdef +and common chains may + now be user-defined.
      • +
    • The firewall +no longer fails to start if "routefilter" is specified + for an interface that isn't started. A warning message + is now issued in this case.
      • +
    • The LRP Version + is renamed "shorwall" for 8,3 MSDOS file system + compatibility.
      • +
    • A couple of +LRP-specific problems were corrected.
      • - +
    - +

    4/8/2001 - Shorewall is now affiliated with the Leaf Project -

    +

    - +

    4/5/2001 - The current version of Shorewall is 1.1.1. In this version:

    - +
      -
    • The common chain - is traversed from INPUT, OUTPUT and FORWARD before - logging occurs
      • -
    • The source has -been cleaned up dramatically
      • -
    • DHCP DISCOVER -packets with RFC1918 source addresses no longer - generate log messages. Linux DHCP clients generate such +
    • The common chain + is traversed from INPUT, OUTPUT and FORWARD before + logging occurs
      • +
    • The source has + been cleaned up dramatically
      • +
    • DHCP DISCOVER + packets with RFC1918 source addresses no longer + generate log messages. Linux DHCP clients generate such packets and it's annoying to see them logged. 
      • - +
    - +

    3/25/2001 - The current version of Shorewall is 1.1.0. In this version:

    - +
      -
    • Log messages now - indicate the packet disposition.
      • -
    • Error messages -have been improved.
      • -
    • The ability to -define zones consisting of an enumerated set of hosts - and/or subnetworks has been added.
      • -
    • The zone-to-zone - chain matrix is now sparse so that only those chains - that contain meaningful rules are defined.
      • -
    • 240.0.0.0/4 and - 169.254.0.0/16 have been added to the source subnetworks - whose packets are dropped under the norfc1918 -interface option.
      • -
    • Exits are now -provided for executing an user-defined script when - a chain is defined, when the firewall is initialized, - when the firewall is started, when the firewall is -stopped and when the firewall is cleared.
      • -
    • The Linux kernel's - route filtering facility can now be specified - selectively on network interfaces.
      • +
    • Log messages +now indicate the packet disposition.
      • +
    • Error messages + have been improved.
      • +
    • The ability +to define zones consisting of an enumerated set of +hosts and/or subnetworks has been added.
      • +
    • The zone-to-zone + chain matrix is now sparse so that only those chains + that contain meaningful rules are defined.
      • +
    • 240.0.0.0/4 +and 169.254.0.0/16 have been added to the source + subnetworks whose packets are dropped under the norfc1918 + interface option.
      • +
    • Exits are now + provided for executing an user-defined script when + a chain is defined, when the firewall is initialized, + when the firewall is started, when the firewall +is stopped and when the firewall is cleared.
      • +
    • The Linux kernel's + route filtering facility can now be specified + selectively on network interfaces.
      • - +
    - +

    3/19/2001 - The current version of Shorewall is 1.0.4. This version:

    - +
      -
    • Allows user-defined - zones. Shorewall now has only one pre-defined - zone (fw) with the remaining zones being defined in the +
    • Allows user-defined + zones. Shorewall now has only one pre-defined + zone (fw) with the remaining zones being defined in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones file released in this version provides behavior that is compatible with Shorewall 1.0.3. 
      • -
    • Adds the ability - to specify logging in entries in the /etc/shorewall/rules - file.
      • -
    • Correct handling - of the icmp-def chain so that only ICMP packets are - sent through the chain.
      • -
    • Compresses the -output of "shorewall monitor" if awk is installed. - Allows the command to work if awk isn't installed (although - it's not pretty).
      • +
    • Adds the ability + to specify logging in entries in the /etc/shorewall/rules + file.
      • +
    • Correct handling + of the icmp-def chain so that only ICMP packets are + sent through the chain.
      • +
    • Compresses the + output of "shorewall monitor" if awk is installed. + Allows the command to work if awk isn't installed (although + it's not pretty).
      • - +
    - +

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix - release with no new features.

    + release with no new features.

    - +
      -
    • The PATH variable - in the firewall script now includes /usr/local/bin - and /usr/local/sbin.
      • -
    • DMZ-related chains - are now correctly deleted if the DMZ is deleted.
      • -
    • The interface -OPTIONS for "gw" interfaces are no longer ignored.
      • +
    • The PATH variable + in the firewall script now includes /usr/local/bin + and /usr/local/sbin.
      • +
    • DMZ-related +chains are now correctly deleted if the DMZ is deleted.
      • +
    • The interface + OPTIONS for "gw" interfaces are no longer ignored.
      • - +
    - +

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for tunnels and - it supports IPSEC tunnels with end-points on the firewall. - There is also a .lrp available now.

    + additional "gw" (gateway) zone for tunnels and + it supports IPSEC tunnels with end-points on the firewall. + There is also a .lrp available now.

    - -

    Updated 3/17/2003 - Tom Eastep -

    + +

    Updated 3/21/2003 - Tom Eastep +

    - +

    Copyright © 2001, 2002 Thomas M. Eastep.
    -

    +

    +
    +
    diff --git a/STABLE/documentation/ProxyARP.htm b/STABLE/documentation/ProxyARP.htm index 58390156a..faba6583a 100644 --- a/STABLE/documentation/ProxyARP.htm +++ b/STABLE/documentation/ProxyARP.htm @@ -1,179 +1,190 @@ - + Shorewall Proxy ARP - + - + - + - + - - - + + - - - + + + +
    +

    Proxy ARP

    -
    - +

    Proxy ARP allows you to insert a firewall in front of a set of servers - without changing their IP addresses and without having to re-subnet. -Before you try to use this technique, I strongly recommend that you read the -Shorewall Setup Guide.

    - + without changing their IP addresses and without having to re-subnet. + Before you try to use this technique, I strongly recommend that you read +the Shorewall Setup Guide.

    +

    The following figure represents a Proxy ARP environment.

    - -
    + +

    -

    - +

    +
    -
    - +
    +

    Proxy ARP can be used to make the systems with addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) - subnet.  Assuming that the upper firewall interface is eth0 and the - lower interface is eth1, this is accomplished using the following entries -in /etc/shorewall/proxyarp:

    - -
    - - - - - - - - - - - - - - - - - - - - - - -
    ADDRESSINTERFACEEXTERNALHAVEROUTE
    130.252.100.18eth1eth0no
    130.252.100.19eth1eth0no
    -
    + subnet.  Assuming that the upper firewall interface is eth0 and the + lower interface is eth1, this is accomplished using the following entries + in /etc/shorewall/proxyarp:

    +
    + + + + + + + + + + + + + + + + + + + + + + +
    ADDRESSINTERFACEEXTERNALHAVEROUTE
    130.252.100.18eth1eth0no
    130.252.100.19eth1eth0no
    +
    +

    Be sure that the internal systems (130.242.100.18 and 130.252.100.19  in the above example) are not included in any specification in /etc/shorewall/masq or /etc/shorewall/nat.

    - +

    Note that I've used an RFC1918 IP address for eth1 - that IP address is - irrelevant.

    - + irrelevant.

    +

    The lower systems (130.252.100.18 and 130.252.100.19) should have their - subnet mask and default gateway configured exactly the same way that -the Firewall system's eth0 is configured.

    - -
    -

    A word of warning is in order here. ISPs typically configure - their routers with a long ARP cache timeout. If you move a system from - parallel to your firewall to behind your firewall with Proxy ARP, it will - probably be HOURS before that system can communicate with the internet. -There are a couple of things that you can try:
    + subnet mask and default gateway configured exactly the same way that + the Firewall system's eth0 is configured. In other words, they should +be configured just like they would be if they were parallel to the firewall +rather than behind it.

    +

    NOTE: Do not add the Proxy ARP'ed address(es) +(130.252.100.18 and 130.252.100.19 in the above example)  to the external +interface (eth0 in this example) of the firewall.
    +

    +
    + +
    +

    A word of warning is in order here. ISPs typically configure + their routers with a long ARP cache timeout. If you move a system from + parallel to your firewall to behind your firewall with Proxy ARP, it will + probably be HOURS before that system can communicate with the internet. + There are a couple of things that you can try:
    +

    +
      -
    1. (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP Illustrated, -Vol 1 reveals that a
      -
      - "gratuitous" ARP packet should cause the ISP's router to refresh their ARP -cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC -address for its own IP; in addition to ensuring that the IP address isn't -a duplicate...
      -
      - "if the host sending the gratuitous ARP has just changed its hardware address..., -this packet causes any other host...that has an entry in its cache for the -old hardware address to update its ARP cache entry accordingly."
      -
      - Which is, of course, exactly what you want to do when you switch a host -from being exposed to the Internet to behind Shorewall using proxy ARP (or -static NAT for that matter). Happily enough, recent versions of Redhat's +
    2. (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP Illustrated, + Vol 1 reveals that a
      +
      + "gratuitous" ARP packet should cause the ISP's router to refresh their +ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the +MAC address for its own IP; in addition to ensuring that the IP address isn't + a duplicate...
      +
      + "if the host sending the gratuitous ARP has just changed its hardware +address..., this packet causes any other host...that has an entry in its +cache for the old hardware address to update its ARP cache entry accordingly."
      +
      + Which is, of course, exactly what you want to do when you switch a host + from being exposed to the Internet to behind Shorewall using proxy ARP (or + static NAT for that matter). Happily enough, recent versions of Redhat's iputils package include "arping", whose "-U" flag does just that:
      -
      -     arping -U -I <net if> <newly proxied -IP>
      -     arping -U -I eth0 66.58.99.83 # for example
      -
      - Stevens goes on to mention that not all systems respond correctly to gratuitous -ARPs, but googling for "arping -U" seems to support the idea that it works -most of the time.
      -
      -To use arping with Proxy ARP in the above example, you would have to:
      -
      -     shorewall clear
      -           ip addr add 130.252.100.18 dev -eth0
      -    ip addr add 130.252.100.19 dev eth0
      -     arping -U -I eth0 130.252.100.18
      -    arping -U -I eth0 130.252.100.19
      -    ip addr del 130.252.100.18 dev eth0
      -    ip addr del 130.252.100.19 dev eth0
      -    shorewall start
      -
      -
      3. -
    3. You can call your ISP and ask them to purge the stale ARP cache -entry but many either can't or won't purge individual entries.
      4. - +
      +     arping -U -I <net if> <newly +proxied IP>
      +     arping -U -I eth0 66.58.99.83 # for example
      +
      + Stevens goes on to mention that not all systems respond correctly to gratuitous + ARPs, but googling for "arping -U" seems to support the idea that it works + most of the time.
      +
      + To use arping with Proxy ARP in the above example, you would have to:
      +
      +     shorewall clear
      +           ip addr add 130.252.100.18 +dev eth0
      +     ip addr add 130.252.100.19 dev eth0
      +     arping -U -I eth0 130.252.100.18
      +     arping -U -I eth0 130.252.100.19
      +     ip addr del 130.252.100.18 dev eth0
      +     ip addr del 130.252.100.19 dev eth0
      +     shorewall start
      +
      + +
    4. You can call your ISP and ask them to purge the stale ARP cache + entry but many either can't or won't purge individual entries.
      5. +
    - You can determine if your ISP's gateway ARP cache is stale using ping -and tcpdump. Suppose that we suspect that the gateway router has a stale -ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:
    - -
    + You can determine if your ISP's gateway ARP cache is stale using ping + and tcpdump. Suppose that we suspect that the gateway router has a stale + ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:
    + +
    	tcpdump -nei eth0 icmp
    -
    - -
    +
    + +

    Now from 130.252.100.19, ping the ISP's gateway (which we -will assume is 130.252.100.254):

    -
    - -
    + will assume is 130.252.100.254):

    +
    + +
    	ping 130.252.100.254
    -
    - -
    +
    + +

    We can now observe the tcpdump output:

    -
    - -
    +
    + +
    	13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
    	13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply
    -
    - -
    +
    + +

    Notice that the source MAC address in the echo request is - different from the destination MAC address in the echo reply!! In this -case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 - was the MAC address of the system on the lower left. In other words, the -gateway's ARP cache still associates 130.252.100.19 with the NIC in that -system rather than with the firewall's eth0.

    -
    - -

    Last updated 1/26/2003 - +

    + +

    Last updated 3/21/2003 - Tom Eastep

    - Copyright © Copyright © 2001, 2002, 2003 Thomas M. Eastep.
    +
    +

    diff --git a/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html b/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html index 63b6b92fa..6187cec87 100755 --- a/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html +++ b/STABLE/documentation/Shorewall_and_Aliased_Interfaces.html @@ -2,195 +2,167 @@ Shorewall and Aliased Interfaces - + - + - + - - - + + - + + - - + +
    +
    - +

    Shorewall and Aliased Interfaces

    -
    -
    - -

    Background

    - The traditional net-tools contain a program called ifconfig which - is used to configure network devices. ifconfig introduced the concept of -aliased or virtial interfaces. These virtual interfaces have -names of the form interface:integer (e.g., eth0:0) and ifconfig -treats them more or less like real interfaces.
    -
    - Example:
    - -
    [root@gateway root]# ifconfig eth0:0
    eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55
              inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0x2000
    [root@gateway root]#
    - The ifconfig utility is being gradually phased out in favor of the ip - utility which is part of the iproute package. The ip utility does -not use the concept of aliases or virtual interfaces but rather treats additional - addresses on an interface as addresses. The ip utility does provide for interaction - with ifconfig in that it allows addresses to be labeled.
    -
    - Example:
    -
    - -
    [root@gateway root]# ip addr show dev eth0
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
        link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
        inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
        inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
    [root@gateway root]#
    - Note that one cannot type "ip addr show dev eth0:0"
    - -
    [root@gateway root]# ip addr show dev eth0:0
    Device "eth0:0" does not exist.
    [root@gateway root]#
    - The iptables program doesn't support virtual interfaces in either it's -"-i" or "-o" command options; as a consequence, Shorewall does not allow -them to be used in the /etc/shorewall/interfaces file.
    -
    - -

    So how do I handle more than one address on an interface?

    - Depends on what you are trying to do with the interfaces. In the sub-sections - that follow, we'll take a look at common scenarios.
    - -

    Separate Rules

    - If you need to make a rule for traffic to/from the firewall itself only -apply to a particular IP address, simply qualify the $FW zone with the IP -address.
    -
    - Example (allow SSH from net to eth0:0 above):
    -
    - -
    - - - - - - - - - - - - - - - - - - - - - - -
    ACTION
    -     		SOURCE
    -     		DESTINATION
    -     		PROTOCOL
    -     		PORT(S)
    -     		SOURCE PORT(S)
    -     		ORIGINAL DESTINATION
    -
    DNAT
    -     		net
    -     		fw:206.124.146.178
    -     		tcp
    -     		22
    -
    -
    -

    -
    - -

    DNAT

    - Suppose that I had set up eth0:0 as above and I wanted to port forward -from that virtual interface to a web server running in my local zone at 192.168.1.3. - That is accomplised by a single rule in the /etc/shorewall/rules file:
    + +

    Background

    + The traditional net-tools contain a program called ifconfig which + is used to configure network devices. ifconfig introduced the concept of + aliased or virtial interfaces. These virtual interfaces have + names of the form interface:integer (e.g., eth0:0) and ifconfig + treats them more or less like real interfaces.
    +
    + Example:
    + +
    [root@gateway root]# ifconfig eth0:0
    eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55
              inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              Interrupt:11 Base address:0x2000
    [root@gateway root]#
    + The ifconfig utility is being gradually phased out in favor of the ip + utility which is part of the iproute package. The ip utility does + not use the concept of aliases or virtual interfaces but rather treats additional + addresses on an interface as objects. The ip utility does provide for interaction + with ifconfig in that it allows addresses to be labeled and labels +may take the form of ipconfig virtual interfaces.
    +
    + Example:
    +
    + +
    [root@gateway root]# ip addr show dev eth0
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
        link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
        inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
        inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
    [root@gateway root]#
    + Note that one cannot type "ip addr show dev eth0:0" because "eth0:0" +is a label for a particular address rather than a device name.
    + +
    [root@gateway root]# ip addr show dev eth0:0
    Device "eth0:0" does not exist.
    [root@gateway root]#
    + The iptables program doesn't support virtual interfaces in either it's + "-i" or "-o" command options; as a consequence, Shorewall does not allow + them to be used in the /etc/shorewall/interfaces file.
    +
    + +

    So how do I handle more than one address on an interface?

    + The answer depends on what you are trying to do with the interfaces. +In the sub-sections that follow, we'll take a look at common scenarios.
    + +

    Separate Rules

    + If you need to make a rule for traffic to/from the firewall itself that +only applies to a particular IP address, simply qualify the $FW zone with +the IP address.
    +
    + Example (allow SSH from net to eth0:0 above):

    -
    +
    - - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - + + +
    ACTION
    -     		SOURCE
    -     		DESTINATION
    -     		PROTOCOL
    -     		PORT(S)
    -     		SOURCE PORT(S)
    -     		ORIGINAL DESTINATION
    -
    DNAT
    +
    ACTION
    +     		SOURCE
    +     		DESTINATION
    +     		PROTOCOL
    +     		PORT(S)
    +     		SOURCE PORT(S)
    +     		ORIGINAL DESTINATION
    +
    DNAT
    +     		net
    +     		fw:206.124.146.178
    +     		tcp
    +     		22
    +
    		net
    +
    		loc:192.168.1.3
    -     		tcp
    -     		80
    -     		-
    -     		206.124.146.178
    -

    +

    DNAT

    + Suppose that I had set up eth0:0 as above and I wanted to port forward + from that virtual interface to a web server running in my local zone at +192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules +file:
    +
    + +
    + + + + + + + + + + + + + + + + + + + + + + +
    ACTION
    +     		SOURCE
    +     		DESTINATION
    +     		PROTOCOL
    +     		PORT(S)
    +     		SOURCE PORT(S)
    +     		ORIGINAL DESTINATION
    +
    DNAT
    +     		net
    +     		loc:192.168.1.3
    +     		tcp
    +     		80
    +     		-
    +     		206.124.146.178
    +
    +
    +
    +

    SNAT

    - If you wanted to use eth0:0 as the IP address for outbound connections -from your local zone (eth1), then in /etc/shorewall/masq:
    -
    - -
    - - - - - - - - - - - - - - -
    INTERFACE
    -     		SUBNET
    -     		ADDRESS
    -
    eth0
    -     		eth1
    -     		206.124.146.178
    -
    -
    -
    - Shorewall can create the alias (additional address) for you if you set -ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall -1.3.14, Shorewall can actually create the "label" (virtual interface) so -that you can see the created address using ifconfig. In addition to setting -ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE -column as follows:
    - + If you wanted to use eth0:0 as the IP address for outbound connections + from your local zone (eth1), then in /etc/shorewall/masq:
    +
    +
    @@ -203,7 +175,7 @@ column as follows:
    - @@ -215,52 +187,43 @@ column as follows:
    eth0:0
    +     		eth0
    		 eth1

    - -

    STATIC NAT

    - If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, - you would have the following in /etc/shorewall/nat:
    -
    - -
    + Shorewall can create the alias (additional address) for you if you set + ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall + 1.3.14, Shorewall can actually create the "label" (virtual interface) so + that you can see the created address using ifconfig. In addition to setting + ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE + column as follows:
    + +
    - - - - - - - - - - - - - - - - - + + + + + + + + + + + + +
    EXTERNAL
    -     		INTERFACE
    -     		INTERNAL
    -     		ALL INTERFACES
    -     		LOCAL
    -
    206.124.146.178
    -     		eth0
    -     		192.168.1.3
    -     		no
    -     		no
    -
    INTERFACE
    +     		SUBNET
    +     		ADDRESS
    +
    eth0:0
    +     		eth1
    +     		206.124.146.178
    +
    -
    -
    - Shorewall can create the alias (additional address) for you if you set -ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall -1.3.14, Shorewall can actually create the "label" (virtual interface) so -that you can see the created address using ifconfig. In addition to setting -ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE -column as follows:
    -
    - +
    +
    + +

    STATIC NAT

    + If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, + you would have the following in /etc/shorewall/nat:
    +
    +
    @@ -279,7 +242,7 @@ column as follows:
    - @@ -292,184 +255,114 @@ column as follows:
    206.124.146.178
    		eth0:0
    +     		eth0
    		 192.168.1.3

    -
    - In either case, to create rules that pertain only to this NAT pair, you -simply qualify the local zone with the internal IP address.
    -
    - Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.
    -
    - -
    - - - - - - - - - - - - - - - - - - - - - - -
    ACTION
    -     		SOURCE
    -     		DESTINATION
    -     		PROTOCOL
    -     		PORT(S)
    -     		SOURCE PORT(S)
    -     		ORIGINAL DESTINATION
    -
    ACCEPT
    -     		net
    -     		loc:192.168.1.3
    -     		tcp
    -     		22
    -
    -
    -
    +
    + Shorewall can create the alias (additional address) for you if you set + ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall + 1.3.14, Shorewall can actually create the "label" (virtual interface) so + that you can see the created address using ifconfig. In addition to setting + ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE + column as follows:

    -
    -

    MULTIPLE SUBNETS

    - Sometimes multiple IP addresses are used because there are multiple subnetworks - configured on a LAN segment. This technique does not provide for any security - between the subnetworks if the users of the systems have administrative privileges - because in that case, the users can simply manipulate their system's routing - table to bypass your firewall/router. Nevertheless, there are cases where - you simply want to consider the LAN segment itself as a zone and allow your - firewall/router to route between the two subnetworks.
    -
    - Example 1:  Local interface eth1 interfaces to 192.168.1.0/24 and -192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 -is 192.168.20.254. You want to simply route all requests between the two -subnetworks.
    -
    - In /etc/shorewall/interfaces:
    -
    - -
    +
    - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
    ZONE
    -     		INTERFACE
    -     		BROADCAST
    -     		OPTIONS
    -
    loc
    -     		eth1
    -     		192.168.1.255,192.168.20.255
    -     		Note 1:
    -
    EXTERNAL
    +     		INTERFACE
    +     		INTERNAL
    +     		ALL INTERFACES
    +     		LOCAL
    +
    206.124.146.178
    +     		eth0:0
    +     		192.168.1.3
    +     		no
    +     		no
    +
    -
    +
    - Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify - the multi option.
    + In either case, to create rules that pertain only to this NAT pair, you + simply qualify the local zone with the internal IP address.

    - In /etc/shorewall/policy:
    -
    - -
    - - - - - - - - - - - - - - - - - - -
    SOURCE
    -     		DESTINATION
    -     		POLICY
    -     		LOG LEVEL
    -     		BURST:LIMIT
    -
    loc
    -     		loc
    -     		ACCEPT
    -
    -
    -
    -
    -
    - Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. - The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. - You want to make these subnetworks into separate zones and control the -access between them (the users of the systems do not have administrative -privileges).
    -
    - In /etc/shorewall/zones:
    -
    - -
    - - - - - - - - - - - - - - - - - - - -
    ZONE
    -     		DISPLAY
    -     		DESCRIPTION
    -
    loc
    -     		Local
    -     		Local Zone 1
    -
    loc2
    -     		Local2
    -     		Local Zone 2
    -
    -
    -
    - In /etc/shorewall/interfaces:
    + Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. +192.168.1.3.

    - +
    + + + + + + + + + + + + + + + + + + + + +
    ACTION
    +     		SOURCE
    +     		DESTINATION
    +     		PROTOCOL
    +     		PORT(S)
    +     		SOURCE PORT(S)
    +     		ORIGINAL DESTINATION
    +
    ACCEPT
    +     		net
    +     		loc:192.168.1.3
    +     		tcp
    +     		22
    +
    +
    +
    +
    +
    + +

    MULTIPLE SUBNETS

    + Sometimes multiple IP addresses are used because there are multiple subnetworks + configured on a LAN segment. This technique does not provide for any security + between the subnetworks if the users of the systems have administrative +privileges because in that case, the users can simply manipulate their system's +routing table to bypass your firewall/router. Nevertheless, there are cases +where you simply want to consider the LAN segment itself as a zone and allow +your firewall/router to route between the two subnetworks.
    +
    + Example 1:  Local interface eth1 interfaces to 192.168.1.0/24 and + 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 + is 192.168.20.254. You want to simply route all requests between the two + subnetworks.
    + +

    If you are running Shorewall 1.4.1 or Later

    +In /etc/shorewall/interfaces:
    +
    + + @@ -487,26 +380,64 @@ privileges).
    - - +
    ZONE
    		 192.168.1.255,192.168.20.255
    		Note 1:
    +
    +
    +
    + In /etc/shorewall/hosts:
    + +
    + + + + + + + + + + + + + + + + + + + +
    ZONE
    +     		HOSTS
    +     		OPTIONS
    +
    loc
    +     		eth0:192.168.1.0/24
    +
    +
    loc
    +     		eth0:192.168.20.0/24
    +
    +
    +
    +
    +Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall +1.4.1 and later releases default to allowing intra-zone traffic.
    +

    If you are running Shorewall 1.4.0 or earlier
    +

    +In /etc/shorewall/interfaces:

    -
    - Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify - the multi option.
    -
    - In /etc/shorewall/hosts:
    - +
    - + @@ -514,15 +445,47 @@ privileges).
    - - + + + +
    ZONE
    		HOSTS
    +     		INTERFACE
    +     		BROADCAST
    		 OPTIONS
    loc
    		eth0:192.168.1.0/24
    +     		eth1

    +     		192.168.1.255,192.168.20.255
    +     		Note 1:
    +
    +
    + Note 1: If you are running Shorewall 1.3.10 or earlier then you must +specify the multi option.
    +
    + In /etc/shorewall/policy:
    +
    + +
    + + - + + + + + + + - + + @@ -530,20 +493,129 @@ privileges).
    loc2
    +     		SOURCE
    +     		DESTINATION
    +     		POLICY
    +     		LOG LEVEL
    +     		BURST:LIMIT
    +
    loc
    		eth0:192.168.20.0/24
    +     		loc
    +     		ACCEPT
    +

    -
    -
    - In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that - you want to permit.
    -
    - -

    Last Updated 3/5/2003 A - Tom Eastep

    - -

    Copyright © - 2001, 2002, 2003 Thomas M. Eastep.
    -
    -


    -
    + + Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. + The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. + You want to make these subnetworks into separate zones and control the access + between them (the users of the systems do not have administrative privileges).
    +
    + In /etc/shorewall/zones:
    +
    + +
    + + + + + + + + + + + + + + + + + + + +
    ZONE
    +     		DISPLAY
    +     		DESCRIPTION
    +
    loc
    +     		Local
    +     		Local Zone 1
    +
    loc2
    +     		Local2
    +     		Local Zone 2
    +
    +
    +
    + In /etc/shorewall/interfaces:
    +
    + +
    + + + + + + + + + + + + + + + + +
    ZONE
    +     		INTERFACE
    +     		BROADCAST
    +     		OPTIONS
    +
    -
    +     		eth1
    +     		192.168.1.255,192.168.20.255
    +     		Note 1:
    +
    +
    +
    + Note 1: If you are running Shorewall 1.3.10 or earlier then you must +specify the multi option.
    +
    + In /etc/shorewall/hosts:
    + +
    + + + + + + + + + + + + + + + + + + + +
    ZONE
    +     		HOSTS
    +     		OPTIONS
    +
    loc
    +     		eth0:192.168.1.0/24
    +
    +
    loc2
    +     		eth0:192.168.20.0/24
    +
    +
    +
    +
    + In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic +that you want to permit.
    +
    + +

    Last Updated 3/22/2003 A - Tom Eastep

    + +

    Copyright © + 2001, 2002, 2003 Thomas M. Eastep.
    +
    +

    +
    +
    +
    diff --git a/STABLE/documentation/errata.htm b/STABLE/documentation/errata.htm index 628748a58..a39b6c83f 100644 --- a/STABLE/documentation/errata.htm +++ b/STABLE/documentation/errata.htm @@ -2,244 +2,263 @@ - + Shorewall 1.4 Errata - + - + - + - + - + - - - + + - + + - - + +
    +
    - +

    Shorewall Errata/Upgrade Issues

    -
    - +

    IMPORTANT

    - +
      -
    1. - -

      If you use a Windows system to download - a corrected script, be sure to run the script through - dos2unix after you have moved +

    2. + + +

      If you use a Windows system to download + a corrected script, be sure to run the script through + dos2unix after you have moved it to your Linux system.

      -
      3. -
    3. - -

      If you are installing Shorewall for the -first time and plan to use the .tgz and install.sh script, you can -untar the archive, replace the 'firewall' script in the untarred directory +

      4. +
    4. + + +

      If you are installing Shorewall for the first +time and plan to use the .tgz and install.sh script, you can untar +the archive, replace the 'firewall' script in the untarred directory with the one you downloaded below, and then run install.sh.

      -
      5. -
    5. - -

      When the instructions say to install a corrected - firewall script in /usr/share/shorewall/firewall, you may -rename the existing file before copying in the new file.

      -
      6. -
    6. - -

      DO NOT INSTALL CORRECTED COMPONENTS - ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. - For example, do NOT install the 1.3.9a firewall script if you are running +

      7. +
    7. + + +

      When the instructions say to install a corrected + firewall script in /usr/share/shorewall/firewall, you may + rename the existing file before copying in the new file.

      +
      8. +
    8. + +

      DO NOT INSTALL CORRECTED COMPONENTS + ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. + For example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.
      -

      -
      9. - +

      + +
    - + - -
    + +

    Problems in Version 1.4

    - +

    - None. -
    + +

    1.4.0

    +
      +
    • When running under certain shells Shorewall will attempt to create +ECN rules even when /etc/shorewall/ecn is empty. You may either just remove +/etc/shorewall/ecn or you can install this +correct script in /usr/share/shorewall/firewall as described above.
      +
      • +
    +

    Upgrade Issues

    - +

    The upgrade issues have moved to a separate page.

    - -
    -

    Problem with + +
    +

    Problem with iptables version 1.2.3

    - -
    - -

    There are a couple of serious bugs in iptables 1.2.3 that - prevent it from working with Shorewall. Regrettably, RedHat - released this buggy iptables in RedHat 7.2. 

    - - -

    I have built a - corrected 1.2.3 rpm which you can download here  and I have - also built an -iptables-1.2.4 rpm which you can download here. If you are currently - running RedHat 7.1, you can install either of these RPMs - before you upgrade to RedHat 7.2.

    - + +
    -

    Update 11/9/2001: RedHat - has released an iptables-1.2.4 RPM of their own which you can -download from http://www.redhat.com/support/errata/RHSA-2001-144.html. - I have installed this RPM on my firewall and it works - fine.

    - - -

    If you would like to patch iptables 1.2.3 yourself, - the patches are available for download. This patch - which corrects a problem with parsing of the --log-level specification - while this patch - corrects a problem in handling the  TOS target.

    - - -

    To install one of the above patches:

    - - -
      -
    • cd iptables-1.2.3/extensions
      • -
    • patch -p0 < the-patch-file
      • - - -
    -
    - - -

    Problems with kernels >= 2.4.18 - and RedHat iptables

    - -
    - -

    Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 - may experience the following:

    - - -
    - - 
    # shorewall start
    Processing /etc/shorewall/shorewall.conf ...
    Processing /etc/shorewall/params ...
    Starting Shorewall...
    Loading Modules...
    Initializing...
    Determining Zones...
    Zones: net
    Validating interfaces file...
    Validating hosts file...
    Determining Hosts in Zones...
    Net Zone: eth0:0.0.0.0/0
    iptables: libiptc/libip4tc.c:380: do_check: Assertion
    `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
    Aborted (core dumped)
    iptables: libiptc/libip4tc.c:380: do_check: Assertion
    `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
    Aborted (core dumped)
    -
    - - -

    The RedHat iptables RPM is compiled with debugging enabled but the - user-space debugging code was not updated to reflect recent changes in - the Netfilter 'mangle' table. You can correct the problem by - installing - this iptables RPM. If you are already running a 1.2.5 version - of iptables, you will need to specify the --oldpackage option to - rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

    -
    +

    There are a couple of serious bugs in iptables 1.2.3 that + prevent it from working with Shorewall. Regrettably, +RedHat released this buggy iptables in RedHat 7.2. 

    -

    Problems installing/upgrading +

    I have built a + corrected 1.2.3 rpm which you can download here  and I have + also built an + iptables-1.2.4 rpm which you can download here. If you are currently + running RedHat 7.1, you can install either of these RPMs + before you upgrade to RedHat 7.2.

    + + +

    Update 11/9/2001: RedHat + has released an iptables-1.2.4 RPM of their own which you can +download from http://www.redhat.com/support/errata/RHSA-2001-144.html. + I have installed this RPM on my firewall and it works + fine.

    + + +

    If you would like to patch iptables 1.2.3 yourself, + the patches are available for download. This patch + which corrects a problem with parsing of the --log-level specification + while this patch + corrects a problem in handling the  TOS target.

    + + +

    To install one of the above patches:

    + + +
      +
    • cd iptables-1.2.3/extensions
      • +
    • patch -p0 < the-patch-file
      • + + +
    +

    + + +

    Problems with kernels >= 2.4.18 + and RedHat iptables

    + +
    + +

    Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 + may experience the following:

    + + +
    + + 
    # shorewall start
    Processing /etc/shorewall/shorewall.conf ...
    Processing /etc/shorewall/params ...
    Starting Shorewall...
    Loading Modules...
    Initializing...
    Determining Zones...
    Zones: net
    Validating interfaces file...
    Validating hosts file...
    Determining Hosts in Zones...
    Net Zone: eth0:0.0.0.0/0
    iptables: libiptc/libip4tc.c:380: do_check: Assertion
    `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
    Aborted (core dumped)
    iptables: libiptc/libip4tc.c:380: do_check: Assertion
    `h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
    Aborted (core dumped)
    +
    + + +

    The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in + the Netfilter 'mangle' table. You can correct the problem by + installing + this iptables RPM. If you are already running a 1.2.5 version + of iptables, you will need to specify the --oldpackage option +to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

    +
    + + +

    Problems installing/upgrading RPM on SuSE

    -

    If you find that rpm complains about a conflict - with kernel <= 2.2 yet you have a 2.4 kernel - installed, simply use the "--nodeps" option to - rpm.

    + +

    If you find that rpm complains about a conflict + with kernel <= 2.2 yet you have a 2.4 kernel + installed, simply use the "--nodeps" option to + rpm.

    +

    Installing: rpm -ivh --nodeps <shorewall rpm>

    +

    Upgrading: rpm -Uvh --nodeps <shorewall rpm>

    -

    Problems with - iptables version 1.2.7 and MULTIPORT=Yes

    + +

    Problems with + iptables version 1.2.7 and MULTIPORT=Yes

    -

    The iptables 1.2.7 release of iptables has made - an incompatible change to the syntax used to - specify multiport match rules; as a consequence, - if you install iptables 1.2.7 you must be running - Shorewall 1.3.7a or later or:

    + +

    The iptables 1.2.7 release of iptables has made + an incompatible change to the syntax used to + specify multiport match rules; as a consequence, + if you install iptables 1.2.7 you must be running + Shorewall 1.3.7a or later or:

    +
      -
    • set MULTIPORT=No -in /etc/shorewall/shorewall.conf; or
      • -
    • if you are running - Shorewall 1.3.6 you may install - - this firewall script in /var/lib/shorewall/firewall +
    • set MULTIPORT=No + in /etc/shorewall/shorewall.conf; or
      • +
    • if you are running + Shorewall 1.3.6 you may install + + this firewall script in /var/lib/shorewall/firewall as described above.
      • - +
    - +

    Problems with RH Kernel 2.4.18-10 and NAT
    -

    - /etc/shorewall/nat entries of the following form will result +

    + /etc/shorewall/nat entries of the following form will result in Shorewall being unable to start:
    -
    - +
    + 
    #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
    192.0.2.22      eth0            192.168.9.22    yes                     yes
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - Error message is:
    - + Error message is:
    + 
    Setting up NAT...
    iptables: Invalid argument
    Terminated

    - The solution is to put "no" in the LOCAL column. Kernel support - for LOCAL=yes has never worked properly and 2.4.18-10 has disabled -it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton - option; see http://www.shorewall.net/Documentation.htm#NAT
    - -

    Last updated 2/8/2003 - - Tom Eastep

    - + The solution is to put "no" in the LOCAL column. Kernel +support for LOCAL=yes has never worked properly and 2.4.18-10 has +disabled it. The 2.4.19 kernel contains corrected support under a new +kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
    + +

    Last updated 3/21/2003 - + Tom Eastep

    +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.
    -

    +

    +

    diff --git a/STABLE/documentation/myfiles.htm b/STABLE/documentation/myfiles.htm index e12951d5e..beaaaf83e 100644 --- a/STABLE/documentation/myfiles.htm +++ b/STABLE/documentation/myfiles.htm @@ -1,224 +1,229 @@ - + My Shorewall Configuration - + - - + + - + - - - + + - - - + + + +
    - +
    +

    About My Network

    -
    - -
    - -

    My Current Network

    -
    -

    Warning: I - use a combination of Static NAT and Proxy ARP, neither of which are relevant - to a simple configuration with a single public IP address. - If you have just a single public IP address, most of what you see here won't - apply to your setup so beware of copying parts of this configuration and -expecting them to work for you. What you copy may or may not work in your -configuration.
    -

    - -

    I have DSL service and have 5 static IP addresses (206.124.146.176-180). - My DSL "modem" (Fujitsu Speedport) - is connected to eth0. I have a local network connected to eth2 (subnet +

    + +

    My Current Network

    + +
    +

    Warning 1: I + use a combination of Static NAT and Proxy ARP, neither of which are relevant + to a simple configuration with a single public IP address. + If you have just a single public IP address, most of what you see here +won't apply to your setup so beware of copying parts of this configuration +and expecting them to work for you. What you copy may or may not work in +your configuration.
    +

    +

    Warning 2: My +configuration uses features introduced in Shorewall version 1.4.1.
    +

    + +

    I have DSL service and have 5 static IP addresses (206.124.146.176-180). + My DSL "modem" (Fujitsu Speedport) + is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). 

    - +

    I use:
    -

    - +

    +
      -
    • Static NAT for Ursa (my XP System) - Internal address 192.168.1.5 - and external address 206.124.146.178.
      • -
    • Static NAT for Wookie (my Linux System). Internal address -192.168.1.3 and external address 206.124.146.179.
      • -
    • SNAT through the primary gateway address (206.124.146.176) - for  my Wife's system (Tarry) and the laptop when connected through -the Wireless Access Point (wap)
      • - +
    • Static NAT for Ursa (my XP System) - Internal address +192.168.1.5 and external address 206.124.146.178.
      • +
    • Static NAT for Wookie (my Linux System). Internal address + 192.168.1.3 and external address 206.124.146.179.
      • +
    • SNAT through the primary gateway address (206.124.146.176) + for  my Wife's system (Tarry) and the laptop when connected through the +Wireless Access Point (wap)
      • +
    - +

    The firewall runs on a 256MB PII/233 with RH8.0.

    - -

    Wookie runs Samba and acts as the a WINS server.  Wookie is in its + +

    Wookie runs Samba and acts as the a WINS server.  Wookie is in its own 'whitelist' zone called 'me'.

    - -

    My laptop (eastept1) is connected to eth3 using a cross-over cable. - It runs its own Sygate firewall -software and is managed by Proxy ARP. It connects to the local network + +

    My laptop (eastept1) is connected to eth3 using a cross-over cable. + It runs its own Sygate firewall +software and is managed by Proxy ARP. It connects to the local network through a PPTP server running on Ursa.

    - -

    The single system in the DMZ (address 206.124.146.177) runs postfix, - Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP - server (Pure-ftpd). The system also runs fetchmail to fetch our email + +

    The single system in the DMZ (address 206.124.146.177) runs postfix, + Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP + server (Pure-ftpd). The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP.

    - -

    The firewall system itself runs a DHCP server that serves the local + +

    The firewall system itself runs a DHCP server that serves the local network.

    - -

    All administration and publishing is done using ssh/scp. I have X installed -on both the firewall and the server but no X server or desktop is installed. -X applications tunnel through SSH to XWin.exe running on Ursa.

    - + +

    All administration and publishing is done using ssh/scp. I have X installed + on both the firewall and the server but no X server or desktop is installed. + X applications tunnel through SSH to XWin.exe running on Ursa.

    +

    I run an SNMP server on my firewall to serve MRTG running + href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG running in the DMZ.

    - +

    -

    - +

    +

     

    - -

    The ethernet interface in the Server is configured - with IP address 206.124.146.177, netmask - 255.255.255.0. The server's default gateway is - 206.124.146.254 (Router at my ISP. This is the same - default gateway used by the firewall itself). On the firewall, - Shorewall automatically adds a host route to - 206.124.146.177 through eth1 (192.168.2.1) because - of the entry in /etc/shorewall/proxyarp (see - below).

    - -

    A similar setup is used on eth3 (192.168.3.1) which - interfaces to my laptop (206.124.146.180).
    -

    - -

    Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior - access.
    -

    - + +

    The ethernet interface in the Server is configured + with IP address 206.124.146.177, netmask + 255.255.255.0. The server's default gateway is + 206.124.146.254 (Router at my ISP. This is the same + default gateway used by the firewall itself). On the firewall, + Shorewall automatically adds a host route +to 206.124.146.177 through eth1 (192.168.2.1) +because of the entry in /etc/shorewall/proxyarp +(see below).

    + +

    A similar setup is used on eth3 (192.168.3.1) which + interfaces to my laptop (206.124.146.180).
    +

    + +

    Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior + access.
    +

    +

    -
    - +
    +

    Shorewall.conf

    - -
    + +
    SHARED_DIR=/usr/share/shorewall
    LOGFILE=/var/log/firewall
    LOGRATE=
    LOGBURST=
    LOGUNCLEAN=info
    BLACKLIST_LOGLEVEL=
    LOGNEWNOTSYN=
    MACLIST_LOG_LEVEL=$LOG
    TCP_FLAGS_LOG_LEVEL=$LOG
    RFC1918_LOG_LEVEL=$LOG
    PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
    SUBSYSLOCK=/var/lock/subsys/shorewall
    STATEDIR=/var/state/shorewall
    MODULESDIR=
    FW=fw
    NAT_ENABLED=Yes
    MANGLE_ENABLED=Yes
    IP_FORWARDING=On
    ADD_IP_ALIASES=Yes
    ADD_SNAT_ALIASES=Yes
    TC_ENABLED=Yes
    CLEAR_TC=No
    MARK_IN_FORWARD_CHAIN=No
    CLAMPMSS=Yes
    ROUTE_FILTER=No
    NAT_BEFORE_RULES=No
    MULTIPORT=Yes
    DETECT_DNAT_IPADDRS=Yes
    MUTEX_TIMEOUT=60
    NEWNOTSYN=Yes
    BLACKLIST_DISPOSITION=DROP
    MACLIST_DISPOSITION=REJECT
    TCP_FLAGS_DISPOSITION=DROP
    -
    - -

    -

    Params File (Edited):

    - -
    MIRRORS=<list of shorewall mirror ip addresses>
    - NTPSERVERS=<list of the NTP servers I sync with>
    - LOG=ULOG
    - TEXAS=<ip address of gateway in Dallas>
    - + +

    + +

    Params File (Edited):

    + +
    MIRRORS=<list of shorewall mirror ip addresses>
    + NTPSERVERS=<list of the NTP servers I sync with>
    + LOG=ULOG
    + TEXAS=<ip address of gateway in Dallas>
    +
    +

    Zones File

    - -
    + +
    #ZONE	DISPLAY		COMMENTS
    net     Internet        Internet
    me      Wookie          My Linux Workstation
    dmz     DMZ             Demilitarized zone
    loc     Local           Local networks
    tx      Texas           Peer Network in Dallas
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    -
    - -

    Interfaces File:

    - -
    - -

    This is set up so that I can start the firewall before bringing up -my Ethernet interfaces.

    -
    +
    -
    +

    Interfaces File:

    + +
    + +

    This is set up so that I can start the firewall before bringing up my +Ethernet interfaces.

    +
    + +
    #ZONE	INERFACE	BROADCAST	OPTIONS
    net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
    loc     eth2            192.168.1.255   dhcp,maclist
    dmz     eth1            192.168.2.255
    net     eth3            206.124.146.255
    -       texas           192.168.9.255
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    -
    - +
    +

    Hosts File:

    - -
    + +
    #ZONE		HOST(S)			OPTIONS
    me              eth2:192.168.1.3
    tx              texas:192.168.8.0/22
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    -
    - +
    +

    Routestopped File:

    - -
    + +
    #INTERFACQ	HOST(S)
    eth1            206.124.146.177
    eth2            -
    eth3            206.124.146.180
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    -
    - +
    +

    Policy File:

    - -
    - 
    #SOURCE		DESTINATION	POLICY		LOG LEVEL	BURST:LIMIT
    me              all             ACCEPT
    tx              me              ACCEPT
    all             me              CONTINUE        -               2/sec:5
    loc             net             ACCEPT
    $FW             loc             ACCEPT
    $FW             tx              ACCEPT
    loc             tx              ACCEPT
    loc             fw              REJECT          $LOG
    net             net             ACCEPT
    net             all             DROP            $LOG            10/sec:40
    all             all             REJECT          $LOG
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    -
    - + +
    + 
    #SOURCE		DESTINATION	POLICY		LOG LEVEL	BURST:LIMIT
    me		loc		NONE
    loc		me		NONE
    me              all             ACCEPT
    tx              me              ACCEPT
    all             me              CONTINUE        -               2/sec:5
    loc             net             ACCEPT
    $FW             loc             ACCEPT
    $FW             tx              ACCEPT
    loc             tx              ACCEPT
    loc             fw              REJECT          $LOG
    net             all             DROP            $LOG            10/sec:40
    all             all             REJECT          $LOG
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
    +
    +

    Masq File:

    - -
    - -

    Although most of our internal systems use static NAT, my wife's system - (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with + +

    + +

    Although most of our internal systems use static NAT, my wife's system + (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops. Also, I masquerade wookie to the peer subnet in Texas.

    -
    - -
    +
    + +
    #INTERFACE              SUBNET          ADDRESS
    eth0:0.0.0.0/0          eth2            206.124.146.176
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
    - +
    +

    NAT File:

    - -
    + +
    #EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
    206.124.146.178 eth0:0          192.168.1.5     No                      No
    206.124.146.179 eth0:1          192.168.1.3     No                      No
    192.168.1.193   eth2:0          206.124.146.177 No                      No
    #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    -
    - +
    +

    Proxy ARP File:

    - -
    + +
    #ADDRESS                INTERFACE       EXTERNAL        HAVEROUTE
    206.124.146.177         eth1            eth0            No
    206.124.146.180         eth3            eth0            No
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    -
    - +
    +

    Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):

    - -
    + +
    #TYPE			ZONE    GATEWAY         GATEWAY ZONE    PORT
    gre                     net     $TEXAS
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    -
    - +
    +

    Common File:

    - -
    + +
    . /etc/shorewall/common.def
    run_iptables -A common -p tcp --dport auth -j REJECT
    -
    - -

    Rules File (The shell variables - are set in /etc/shorewall/params):

    - -
    +
    + +

    Rules File (The shell variables + are set in /etc/shorewall/params):

    + +
    ################################################################################################################################################################
    #RESULT         CLIENT(S)                       SERVER(S)               PROTO   PORT(S)                                 CLIENT          ORIGINAL DEST:SNAT
    ################################################################################################################################################################
    # Local Network to Internet - Reject attempts by Trojans to call home
    #
    REJECT:$LOG     loc                             net                     tcp     6667
    #
    # Stop NETBIOS crap since our policy is ACCEPT
    #
    REJECT          loc                             net                     tcp     137,445
    REJECT          loc                             net                     udp     137:139
    LOG:$LOG        loc                             net                     tcp     137:139
    ################################################################################################################################################################
    # Local Network to Firewall
    #
    ACCEPT          loc                             fw                      tcp     ssh,time,10000
    ACCEPT          loc                             fw                      udp     snmp
    ACCEPT          loc                             fw                      udp     ntp
    ################################################################################################################################################################
    # Local Network to DMZ (10027 is our SMTP backdoor that bypasses virus/spam filtering)
    #
    ACCEPT          loc                             dmz                     udp     domain
    ACCEPT          loc                             dmz                     tcp     smtp,domain,ssh,imap,https,imaps,cvspserver,www,ftp,10027,10000,8080    -
    ################################################################################################################################################################
    # Internet to DMZ
    #
    ACCEPT          net                             dmz                     tcp     www,smtp,ftp,imaps,domain,cvspserver,https,imap -
    ACCEPT          net                             dmz                     udp     domain
    ACCEPT          net:$MIRRORS                    dmz                     tcp     rsync
    ACCEPT:$LOG     net                             dmz                     tcp     32768:61000                             20
    DROP            net                             dmz                     tcp     1433
    ################################################################################################################################################################
    #
    # Net to Local
    #
    # My laptop isn't NATTED when in its docking station. To allow access to the local lan, I need a VPN to Ursa which is enabled by the following "half"-rules.
    #
    DNAT-           net                             loc:192.168.1.5         tcp     1723                                    -               206.124.146.178
    DNAT-           net                             loc:192.168.1.5         gre     -                                       -               206.124.146.178
    #
    # When I'm "on the road", the following two rules allow me VPN access back home.
    #
    ACCEPT          net                             loc:192.168.1.5         tcp     1723
    ACCEPT          net                             loc:192.168.1.5         gre
    #
    # ICQ to Ursa
    #
    ACCEPT          net                             loc:192.168.1.5         tcp     4000:4100
    ################################################################################################################################################################
    # Net to me
    #
    ACCEPT          net                             me:192.168.1.3          tcp     4000:4100
    ################################################################################################################################################################
    # DMZ to Internet
    #
    ACCEPT          dmz                             net                     tcp     smtp,domain,www,https,whois,echo,2702,21,2703,ssh
    ACCEPT          dmz                             net                     udp     domain
    ACCEPT          dmz                             net:206.124.128.8       tcp     pop3
    ACCEPT          dmz                             net:66.216.26.115       tcp     pop3
    #
    # Something is wrong with the FTP connection tracking code or there is some client out there
    # that is sending a PORT command which that code doesn't understand. Either way,
    # the following works around the problem.
    #
    ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
    ################################################################################################################################################################
    # DMZ to Firewall -- ntp & snmp
    #
    ACCEPT          dmz                             fw                      udp     ntp                                     ntp
    ACCEPT          dmz                             fw                      tcp     snmp
    ACCEPT          dmz                             fw                      udp     snmp
    ################################################################################################################################################################
    #
    # DMZ to Local Network
    #
    ACCEPT          dmz                             loc                     tcp     smtp
    ################################################################################################################################################################
    #
    # DMZ to Me -- NFS
    #
    ACCEPT          dmz                             me                      tcp     111
    ACCEPT          dmz                             me                      udp     111
    ACCEPT          dmz                             me                      udp     2049
    ACCEPT          dmz                             me                      udp     32700:
    ################################################################################################################################################################
    # Internet to Firewall
    #
    ACCEPT          net:eth3:206.124.146.180        fw                      udp     ntp                                     ntp
    REJECT          net                             fw                      tcp     www
    DROP            net                             fw                      tcp     1433
    DROP            net:eth3:!206.124.146.180       fw                      all
    ################################################################################################################################################################
    # Firewall to Internet
    #
    ACCEPT          fw                              net:$NTPSERVERS         udp     ntp                                     ntp
    ACCEPT          fw                              net                     udp     domain
    ACCEPT          fw                              net                     tcp     domain,www,https,ssh,1723,whois,1863
    ACCEPT          fw                              net                     udp     33435:33535
    ACCEPT          fw                              net                     icmp    8
    ################################################################################################################################################################
    # Firewall to DMZ
    #
    ACCEPT          fw                              dmz                     tcp     www,ftp,ssh,smtp
    ACCEPT          fw                              dmz                     udp     domain
    ACCEPT          fw                              dmz                     icmp    8
    REJECT          fw                              dmz                     udp     137:139
    #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
    -
    - +
    +

    Tom Eastep

    - Copyright - © 2001, 2002, 2003 Thomas M. Eastep.
    + Copyright + © 2001, 2002, 2003 Thomas M. Eastep.
    +



    diff --git a/STABLE/documentation/quotes.htm b/STABLE/documentation/quotes.htm index 452dd5537..87c826166 100644 --- a/STABLE/documentation/quotes.htm +++ b/STABLE/documentation/quotes.htm @@ -1,104 +1,109 @@ - + - + - + - + Quotes from Shorewall Users - + - - - + + - - - + + + +
    +

    Quotes from Shorewall Users

    -
    - -

    "I just installed Shorewall after weeks of messing with ipchains/iptables -and I had it up and running in under 20 minutes!" -- JL, Ohio
    -

    - "My case was almost like [the one above]. Well. instead of 'weeks' it was -'months' for me, and I think I needed two minutes more:
    - + +

    "The configuration is intuitive and flexible, and much easier than any +of the other iptables-based firewall programs out there. After sifting through +many other scripts, it is obvious that yours is the most well thought-out +and complete one available." -- BC, USA

    +

    "I just installed Shorewall after weeks of messing with ipchains/iptables + and I had it up and running in under 20 minutes!" -- JL, Ohio
    +

    + "My case was almost like [the one above]. Well. instead of 'weeks' it was + 'months' for me, and I think I needed two minutes more:
    +
      -
    • One to see that I had no Internet access from the firewall itself.
      • -
    • Other to see that this was the default configuration, and it was enough -to uncomment a line in /etc/shorewall/policy.
      -
      • - +
    • One to see that I had no Internet access from the firewall itself.
      • +
    • Other to see that this was the default configuration, and it was +enough to uncomment a line in /etc/shorewall/policy.
      +
      • +
    - Minutes instead of months! Congratulations and thanks for such a simple -and well documented thing for something as huge as iptables." -- JV, Spain. - -

    "I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without -any problems. Your documentation is great and I really appreciate your -network configuration info. That really helped me out alot. THANKS!!!" --- MM.

    - -

    "[Shorewall is a] great, great project. I've used/tested may firewall -scripts but this one is till now the best." -- B.R, Netherlands -

    - -

    "Never in my +12 year career as a sys admin have I witnessed someone -so relentless in developing a secure, state of the art, safe and useful -product as the Shorewall firewall package for no cost or obligation -involved." -- Mario Kerecki, Toronto

    - -

    "one time more to report, that your great shorewall in the latest - release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have -7 machines up and running with shorewall on several versions - starting -with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!" --- SM, Germany

    - -

    "You have the best support of any other package I've ever used." --- SE, US

    - -

    "Because our company has information which has been classified by the -national government as secret, our security doesn't stop by putting a fence - around our company. Information security is a hot issue. We also make use -of checkpoint firewalls, but not all of the internet servers are guarded -by checkpoint, some of them are running....Shorewall." -- Name withheld by -request, Europe

    - -

    "thanx for all your efforts you put into shorewall - this product stands -out against a lot of commercial stuff i´ve been working with in terms of - flexibillity, quality & support" -- RM, Austria

    - -

    "I have never seen such a complete firewall package that is so easy to - configure. I searched the Debian package system for firewall scripts and - Shorewall won hands down." -- RG, Toronto

    - -

    "My respects... I've just found and installed Shorewall 1.3.3-1 and it -is a wonderful piece of software. I've just sent out an email to about 30 -people recommending it. :-)
    - While I had previously taken the time (maybe 40 hours) to really understand - ipchains, then spent at least an hour per server customizing and carefully - scrutinizing firewall rules, I've got shorewall running on my home firewall, - with rulesets and policies that I know make sense, in under 20 minutes." --- RP, Guatamala
    -
    -  

    - -

    Updated 10/9/2002 -- Tom Eastep -

    - -

    Copyright - © 2001, 2002 Thomas M. Eastep.

    + Minutes instead of months! Congratulations and thanks for such a simple +and well documented thing for something as huge as iptables." -- JV, Spain. + +

    "I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without + any problems. Your documentation is great and I really appreciate +your network configuration info. That really helped me out alot. THANKS!!!" + -- MM.

    + +

    "[Shorewall is a] great, great project. I've used/tested may firewall + scripts but this one is till now the best." -- B.R, Netherlands +

    + +

    "Never in my +12 year career as a sys admin have I witnessed someone + so relentless in developing a secure, state of the art, safe and useful + product as the Shorewall firewall package for no cost or obligation + involved." -- Mario Kerecki, Toronto

    + +

    "one time more to report, that your great shorewall in the latest + release 1.2.9 is working fine for me with SuSE Linux 7.3! I now +have 7 machines up and running with shorewall on several versions - +starting with 1.2.2 up to the new 1.2.9 and I never have encountered +any problems!" -- SM, Germany

    + +

    "You have the best support of any other package I've ever used." + -- SE, US

    + +

    "Because our company has information which has been classified by the + national government as secret, our security doesn't stop by putting a fence + around our company. Information security is a hot issue. We also make use + of checkpoint firewalls, but not all of the internet servers are guarded + by checkpoint, some of them are running....Shorewall." -- Name withheld +by request, Europe

    + +

    "thanx for all your efforts you put into shorewall - this product stands + out against a lot of commercial stuff i´ve been working with in terms of + flexibillity, quality & support" -- RM, Austria

    + +

    "I have never seen such a complete firewall package that is so easy to + configure. I searched the Debian package system for firewall scripts and + Shorewall won hands down." -- RG, Toronto

    + +

    "My respects... I've just found and installed Shorewall 1.3.3-1 and it + is a wonderful piece of software. I've just sent out an email to about +30 people recommending it. :-)
    + While I had previously taken the time (maybe 40 hours) to really understand + ipchains, then spent at least an hour per server customizing and carefully + scrutinizing firewall rules, I've got shorewall running on my home firewall, + with rulesets and policies that I know make sense, in under 20 minutes." + -- RP, Guatamala

    +  

    + +

    Updated 3/18/2003 + - Tom Eastep +

    + +

    Copyright + © 2001, 2002, 2003 Thomas M. Eastep.

    +
    +

    diff --git a/STABLE/documentation/seattlefirewall_index.htm b/STABLE/documentation/seattlefirewall_index.htm index 7f3b37a5e..42a8a48c3 100644 --- a/STABLE/documentation/seattlefirewall_index.htm +++ b/STABLE/documentation/seattlefirewall_index.htm @@ -7,7 +7,7 @@ - + Shoreline Firewall (Shorewall) 1.4 @@ -17,22 +17,22 @@ - + - + - + - + - + + + + - - - +
    @@ -43,26 +43,27 @@ - +

    Shorwall Logo - (Shorewall Logo) -

    - + - -
    + +

    Shorewall 1.4 "iptables made easy" 

    -
    +
    - + +

    @@ -76,41 +77,41 @@ - - -
    Shorewall 1.3 Site is here                   -           
    +            
    -
    -
    - +
    - +
    - + - + - + - + - - + - + + - +
    + @@ -121,7 +122,7 @@ - +

    What is it?

    @@ -135,7 +136,7 @@ - +

    The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function @@ -152,28 +153,28 @@ firewall that can be used on a dedicated firewall system, a multi-functio - +

    This program is free software; you can redistribute it and/or modify - it under the + it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.
    -
    +
    - This program is distributed - in the hope that it will be useful, but + This program is distributed + in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied - warranty of MERCHANTABILITY or FITNESS FOR -A PARTICULAR PURPOSE. See the GNU General Public License - for more details.
    + warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public License + for more details.
    -
    +
    - You should have received - a copy of the GNU General Public License - along with this program; if not, write -to the Free Software Foundation, Inc., 675 + You should have received + a copy of the GNU General Public License + along with this program; if not, write + to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    @@ -187,7 +188,7 @@ to the Free Software Foundation, Inc., 675 - +

    Copyright 2001, 2002, 2003 Thomas M. Eastep

    @@ -201,336 +202,115 @@ to the Free Software Foundation, Inc., 675 - +

    - Jacques Nilo - and Eric Wolzak have a LEAF (router/firewall/gateway - on a floppy, CD or compact flash) distribution - called Bering that features + Jacques Nilo + and Eric Wolzak have a LEAF (router/firewall/gateway + on a floppy, CD or compact flash) distribution + called Bering that features Shorewall-1.3.14 and Kernel-2.4.20. You can find - their work at: http://leaf.sourceforge.net/devel/jnilo
    -

    +

    - + +

    Congratulations to Jacques and Eric on the recent release of Bering 1.1!!!
    -

    - +

    +

    This is a mirror of the main Shorewall web site at SourceForge (http://shorewall.sf.net)

    - +

    News

    - -

    3/17/2003 - Shorewall 1.4.0 (New) -

    - Shorewall 1.4 represents - the next step in the evolution of Shorewall. The main thrust of the - initial release is simply to remove the cruft that has accumulated in - Shorewall over time.
    -
    - IMPORTANT: Shorewall 1.4.0 requires the iproute package - ('ip' utility).
    -
    - Function from 1.3 that has been omitted from this version - include:
    - - -
      -
    1. The MERGE_HOSTS variable in shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
      -
      -
      2. -
    2. Interface names of the form <device>:<integer> - in /etc/shorewall/interfaces now generate an error.
      -
      -
      3. -
    3. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. - OLD_PING_HANDLING=Yes will generate an error at startup as will specification - of the 'noping' or 'filterping' interface options.
      -
      -
      4. -
    4. The 'routestopped' option in the /etc/shorewall/interfaces - and /etc/shorewall/hosts files is no longer supported and will generate - an error at startup if specified.
      -
      -
      5. -
    5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no - longer accepted.
      -
      -
      6. -
    6. The ALLOWRELATED variable in shorewall.conf is no longer -supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
      -
      -
      7. -
    7. The icmp.def file has been removed.
      -
      8. - -
    - Changes for 1.4 include:
    - - -
      -
    1. The /etc/shorewall/shorewall.conf file has been completely - reorganized into logical sections.
      -
      -
      2. -
    2. LOG is now a valid action for a rule (/etc/shorewall/rules).
      -
      -
      3. -
    3. The firewall script, common functions file and version file - are now installed in /usr/share/shorewall.
      -
      -
      4. -
    4. Late arriving DNS replies are now silently dropped in the - common chain by default.
      -
      -
      5. -
    5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall - 1.4 no longer unconditionally accepts outbound ICMP packets. So if -you want to 'ping' from the firewall, you will need the appropriate rule -or policy.
      -
      -
      6. -
    6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
      -
      -
      7. -
    7. 802.11b devices with names of the form wlan<n> - now support the 'maclist' option.
      -
      -
      8. -
    8. Explicit Congestion Notification (ECN - RFC 3168) - may now be turned off on a host or network basis using the new /etc/shorewall/ecn - file. To use this facility:
      -
      - a) You must be running kernel 2.4.20
      - b) You must have applied the patch in
      - http://www.shorewall/net/pub/shorewall/ecn/patch.
      - c) You must have iptables 1.2.7a installed.
      -
      -
      9. -
    9. The /etc/shorewall/params file is now processed first so that - variables may be used in the /etc/shorewall/shorewall.conf file.
      -
      -
      10. -
    10. Shorewall now gives a more helpful diagnostic when - the 'ipchains' compatibility kernel module is loaded and a 'shorewall start' - command is issued.
      -
      -
      11. -
    11. The SHARED_DIR variable has been removed from shorewall.conf. - This variable was for use by package maintainers and was not documented -for general use.
      -
      -
      12. -
    12. Shorewall now ignores 'default' routes when detecting masq'd - networks.
      -
      13. - -
    - -

    3/11/2003 - Shoreall 1.3.14a (New) -

    - -

    A roleup of the following bug fixes and other updates:

    - -
      -
    • There is an updated rfc1918 file that reflects the resent - allocation of 222.0.0.0/8 and 223.0.0.0/8.
      • -
    • The documentation for the routestopped file claimed that a -comma-separated list could appear in the second column while the code -only supported a single host or network address.
      • -
    • Log messages produced by 'logunclean' and 'dropunclean' were - not rate-limited. 802.11b devices with names of the form wlan<n> - don't support the 'maclist' interface option.
      • -
    • Log messages generated by RFC 1918 filtering are not rate -limited.
      • -
    • The firewall fails to start in the case -where you have "eth0 eth1" in /etc/shorewall/masq and the default route -is through eth1.
      • -
    - - -

    2/8/2003 - Shorewall 1.3.14

    - - -

    New features include

    - - +

    3/24/2003 - Shorewall 1.4.1 (New) +

    +This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0 +and removes additional warts.
    +
    + Problems Corrected:
      -
    1. An OLD_PING_HANDLING option has been added -to shorewall.conf. When set to Yes, Shorewall ping handling is -as it has always been (see http://www.shorewall.net/ping.html).
      -
      - When OLD_PING_HANDLING=No, icmp echo (ping) is handled - via rules and policies just like any other connection request. -The FORWARDPING=Yes option in shorewall.conf and the 'noping' and -'filterping' options in /etc/shorewall/interfaces will all generate -an error.
      -
      -
      2. -
    2. It is now possible to direct Shorewall to create - a "label" such as "eth0:0" for IP addresses that it creates under - ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying - the label instead of just the interface name:
      -
      - a) In the INTERFACE column of /etc/shorewall/masq
      - b) In the INTERFACE column of /etc/shorewall/nat
      -
      3. -
    3. Support for OpenVPN Tunnels.
      -
      -
      4. -
    4. Support for VLAN devices with names of the -form $DEV.$VID (e.g., eth0.0)
      -
      -
      5. -
    5. In /etc/shorewall/tcrules, the MARK value may -be optionally followed by ":" and either 'F' or 'P' to designate that -the marking will occur in the FORWARD or PREROUTING chains respectively. -If this additional specification is omitted, the chain used to mark packets - will be determined by the setting of the MARK_IN_FORWARD_CHAIN option - in shorewall.conf.
      -
      -
      6. -
    6. When an interface name is entered in the SUBNET - column of the /etc/shorewall/masq file, Shorewall previously masqueraded - traffic from only the first subnet defined on that interface. It - did not masquerade traffic from:
      -
      - a) The subnets associated with other addresses -on the interface.
      - b) Subnets accessed through local routers.
      -
      - Beginning with Shorewall 1.3.14, if you enter an interface - name in the SUBNET column, shorewall will use the firewall's routing - table to construct the masquerading/SNAT rules.
      -
      - Example 1 -- This is how it works in 1.3.14.
      -
      - - - - - 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - - - - 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
      - - - - - 
         [root@gateway test]# shorewall start
         ...
         Masqueraded Subnets and Hosts:
             To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
             To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
         Processing /etc/shorewall/tos...
      -
      - When upgrading to Shorewall 1.3.14, if you have multiple - local subnets connected to an interface that is specified in the - SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq - file will need changing. In most cases, you will simply be able to remove - redundant entries. In some cases though, you might want to change from - using the interface name to listing specific subnetworks if the change - described above will cause masquerading to occur on subnetworks that you - don't wish to masquerade.
      -
      - Example 2 -- Suppose that your current config is as - follows:
      -
      - - - - - 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         eth0                    192.168.10.0/24         206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - - - - 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
      -
      - In this case, the second entry in /etc/shorewall/masq - is no longer required.
      -
      - Example 3 -- What if your current configuration is -like this?
      -
      - - - - - 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - - - - 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
      -
      - In this case, you would want to change the entry - in /etc/shorewall/masq to:
      - - - - - 
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    192.168.1.0/24          206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      -
      7. - - +
    7. When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), +it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn +file is empty. That problem has been corrected so that ECN disabling rules +are only added if there are entries in /etc/shorewall/ecn.
    -
    - - -

    2/5/2003 - Shorewall Support included in Webmin 1.060 -

    - Webmin version 1.060 now has Shorewall support included - as standard. See http://www.webmin.com. - - + New Features:
    +
    Note: In the list that follows, the term group refers +to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be +a host address) accessed through a particular interface. Examples:
    +
    eth0:0.0.0.0/0
    +eth2:192.168.1.0/24
    +eth3:192.0.2.123
    +
    +You can use the "shorewall check" command to see the groups associated with +each of your zones.
    +
    +
      +
    1. Beginning with Shorewall 1.4.1, if a zone Z comprises more than +one group then if there is no explicit Z to Z policy and there are +no rules governing traffic from Z to Z then Shorewall will permit all traffic +between the groups in the zone.
      2. +
    2. Beginning with Shorewall 1.4.1, Shorewall will never create rules +to handle traffic from a group to itself.
      3. +
    3. A NONE policy is introduced in 1.4.1. When a policy of NONE is +specified from Z1 to Z2:
      4. +
    +
      +
    • There may be no rules created that govern connections from Z1 +to Z2.
      • +
    • Shorewall will not create any infrastructure to handle traffic +from Z1 to Z2.
      • +
    +See the upgrade issues for a discussion +of how these changes may affect your configuration.

    More News

    - +

    Donations

    -     		M
    -
    + -
    + - + - + - + - + - + - + - +
    @@ -541,12 +321,12 @@ like this?
    - +

    -

    +

    @@ -558,32 +338,34 @@ like this?
    - +

    Shorewall is free but if you try it and find it useful, please consider making a donation - to Starlight Children's Foundation. Thanks!

    -
    - -

    Updated 3/17/2003 - Tom Eastep + +

    Updated 3/21/2003 - Tom Eastep -
    -

    +
    +

    +
    +
    diff --git a/STABLE/documentation/shoreline.htm b/STABLE/documentation/shoreline.htm index ee7d09311..2ccc58089 100644 --- a/STABLE/documentation/shoreline.htm +++ b/STABLE/documentation/shoreline.htm @@ -1,128 +1,129 @@ - + About the Shorewall Author - + - - + + - + - - - + + - - - + + + +
    - +
    +

    Tom Eastep

    -
    - +

    Tom on the PCT - 1991 -

    - +

    +

    Tarry & Tom -- August 2002
    -
    -

    - +
    +

    + - -

    I am currently a member of the design team for the next-generation - operating system from the NonStop Enterprise Division of HP.

    - -

    I became interested in Internet Security when I established a home office - in 1999 and had DSL service installed in our home. I investigated - ipchains and developed the scripts which are now collectively known -as Seattle Firewall. -Expanding on what I learned from Seattle Firewall, I then designed -and wrote Shorewall.

    - + +

    I am currently a member of the design team for the next-generation + operating system from the NonStop Enterprise Division of HP.

    + +

    I became interested in Internet Security when I established a home office + in 1999 and had DSL service installed in our home. I investigated + ipchains and developed the scripts which are now collectively known as + Seattle Firewall. Expanding + on what I learned from Seattle Firewall, I then designed and +wrote Shorewall.

    +

    I telework from our home in Shoreline, Washington -where I live with my wife Tarry. 

    - + href="http://www.cityofshoreline.com">Shoreline, Washington where +I live with my wife Tarry. 

    +

    Our current home network consists of:

    - +
      -
    • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & -20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. +
    • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & +20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Serves as a PPTP server for Road Warrior access. Dual boots Mandrake 9.0.
      • -
    • Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) - NIC - My personal Linux System which runs Samba configured as -a WINS server. This system also has VMware installed and can run -both Debian Woody and Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) + NIC - My personal Linux System which runs Samba configured as a + WINS server. This system also has VMware installed and can run both + Debian Woody and SuSE 8.1 in virtual machines.
      • -
    • K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), +
    • K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  + - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind 9).
      • -
    • PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 -LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.14  +
    • PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 + LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0  and a DHCP server.
      • -
    • Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - -My wife's personal system.
      • -
    • PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard - EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main - work system.
      • - +
    • Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC +- My wife's personal system.
      • +
    • PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard + EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My +main work system.
      • +
    - +

    For more about our network see my Shorewall Configuration.

    - +

    All of our other systems are made by Compaq (part of the new HP).. All of our Tulip NICs are Netgear FA310TXs.

    - +

    - - - - Powered by Mandrake - Protected by ShorewallProtected by Shorewall -

    - -

    Last updated 3/7/2003 -

    + +

    Last updated 3/17/2003 - Tom Eastep

    - Copyright © 2001, 2002, 2003 Thomas + Copyright © 2001, 2002, 2003 Thomas M. Eastep.
    +


    diff --git a/STABLE/documentation/shorewall_prerequisites.htm b/STABLE/documentation/shorewall_prerequisites.htm index b66ccc400..efe2c6189 100644 --- a/STABLE/documentation/shorewall_prerequisites.htm +++ b/STABLE/documentation/shorewall_prerequisites.htm @@ -1,67 +1,69 @@ - + - + - + - + Shorewall Prerequisites - + - - - + + - - - + + + +
    +

    Shorewall Requirements

    -
    -
    - Shorewall Requires:
    - +
    + Shorewall Requires:
    +
      -
    • A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6. - Check here for kernel configuration information. - If you are looking for a firewall for use with 2.2 kernels, see the Seattle Firewall site - .
      • -
    • iptables 1.2 or later but beware version 1.2.3 -- see the Errata. WARNING: The - buggy iptables version 1.2.3 is included in RedHat 7.2 and you should -upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4 -is available from RedHat - and in the Shorewall Errata.
      • -
    • Iproute ("ip" utility). The iproute package is included with -most distributions but may not be installed by default. The official +
    • A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20. +With current releases of Shorewall, Traffic Shaping/Control requires at least +2.4.18.  Check here for kernel configuration + information. If you are looking for a firewall for use with +2.2 kernels, see the Seattle Firewall + site .
      • +
    • iptables 1.2 or later but beware version 1.2.3 -- see the Errata. WARNING: The + buggy iptables version 1.2.3 is included in RedHat 7.2 and you should + upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4 + is available from RedHat + and in the Shorewall Errata.
      • +
    • Iproute ("ip" utility). The iproute package is included with +most distributions but may not be installed by default. The official download site is ftp://ftp.inr.ac.ru/ip-routing. + target="_blank"> ftp://ftp.inr.ac.ru/ip-routing.
      • -
    • A Bourne shell or derivative such as bash or ash. This shell must - have correct support for variable expansion formats ${variable%pattern - }, ${variable%%pattern}, ${variable#pattern +
    • A Bourne shell or derivative such as bash or ash. This shell must + have correct support for variable expansion formats ${variable%pattern + }, ${variable%%pattern}, ${variable#pattern } and ${variable##pattern}.
      • -
    • The firewall monitoring display is greatly improved if you have -awk (gawk) installed.
      • - +
    • The firewall monitoring display is greatly improved if you have + awk (gawk) installed.
      • +
    - -

    Last updated 2/21/2003 - Last updated 3/19/2003 - Tom Eastep

    - +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.

    -
    +
    +



    diff --git a/STABLE/documentation/shorewall_setup_guide.htm b/STABLE/documentation/shorewall_setup_guide.htm index bb9699d0d..c9b333464 100644 --- a/STABLE/documentation/shorewall_setup_guide.htm +++ b/STABLE/documentation/shorewall_setup_guide.htm @@ -1,429 +1,209 @@ - + - + - + - + Shorewall Setup Guide - + - +

    Shorewall Setup Guide

    - +

    1.0 Introduction
    - 2.0 Shorewall Concepts
    - 3.0 Network Interfaces
    - 4.0 Addressing, Subnets and Routing

    - -
    + 2.0 Shorewall Concepts
    + 3.0 Network Interfaces
    + 4.0 Addressing, Subnets and Routing

    + +

    4.1 IP Addresses
    - 4.2 Subnets
    - 4.3 Routing
    - 4.4 Address Resolution Protocol
    - 4.5 RFC 1918

    -
    - -

    5.0 Setting up your Network

    - -
    -

    5.1 Routed
    - 5.2 Non-routed

    - -
    -

    5.2.1 SNAT
    - 5.2.2 DNAT
    - 5.2.3 Proxy ARP
    - 5.2.4 Static NAT

    + 4.2 Subnets
    + 4.3 Routing
    + 4.4 Address Resolution Protocol
    + 4.5 RFC 1918

    - + +

    5.0 Setting up your Network

    + +
    +

    5.1 Routed
    + 5.2 Non-routed

    + +
    +

    5.2.1 SNAT
    + 5.2.2 DNAT
    + 5.2.3 Proxy ARP
    + 5.2.4 Static NAT

    +
    +

    5.3 Rules
    - 5.4 Odds and Ends

    -
    - + 5.4 Odds and Ends

    +
    +

    6.0 DNS
    - 7.0 Starting and Stopping the Firewall

    - + 7.0 Starting and Stopping the Firewall

    +

    1.0 Introduction

    - +

    This guide is intended for users who are setting up Shorewall in an environment - where a set of public IP addresses must be managed or who want to know - more about Shorewall than is contained in the single-address guides. Because - the range of possible applications is so broad, the Guide will give you - general guidelines and will point you to other resources as necessary.

    - + the range of possible applications is so broad, the Guide will give you + general guidelines and will point you to other resources as necessary.

    +

    -     If you run LEAF Bering, your Shorewall configuration is NOT what - I release -- I suggest that you consider installing a stock Shorewall -lrp from the shorewall.net site before you proceed.

    - +     If you run LEAF Bering, your Shorewall configuration is NOT +what I release -- I suggest that you consider installing a stock Shorewall + lrp from the shorewall.net site before you proceed.

    +

    Shorewall requires that the iproute/iproute2 package be installed (on - RedHat, the package is called iproute). You can tell if -this package is installed by the presence of an ip program on your + RedHat, the package is called iproute). You can tell if + this package is installed by the presence of an ip program on your firewall system. As root, you can use the 'which' command to check for this program:

    - + 
         [root@gateway root]# which ip
         /sbin/ip
         [root@gateway root]#
    - +

    I recommend that you first read through the guide to familiarize yourself - with what's involved then go back through it again making your configuration - changes. Points at which configuration changes are recommended are flagged - with - .

    - + with what's involved then go back through it again making your configuration + changes. Points at which configuration changes are recommended are flagged + with + .

    +

    -     If you edit your configuration files on a Windows system, you -must save them as Unix files if your editor supports that option or you -must run them through dos2unix before trying to use them with Shorewall. -Similarly, if you copy a configuration file from your Windows hard drive -to a floppy disk, you must run dos2unix against the copy before using it -with Shorewall.

    - +     If you edit your configuration files on a Windows system, you + must save them as Unix files if your editor supports that option or you + must run them through dos2unix before trying to use them with Shorewall. + Similarly, if you copy a configuration file from your Windows hard drive + to a floppy disk, you must run dos2unix against the copy before using +it with Shorewall.

    + - +

    2.0 Shorewall Concepts

    - +

    The configuration files for Shorewall are contained in the directory /etc/shorewall -- for most setups, you will only need to deal with a few of these as described in this guide. Skeleton files are created during the Shorewall Installation Process.

    - +

    As each file is introduced, I suggest that you look through the actual - file on your system -- each file contains detailed configuration instructions - and some contain default entries.

    - + file on your system -- each file contains detailed configuration instructions + and some contain default entries.

    +

    Shorewall views the network where it is running as being composed of a - set of zones. In the default installation, the following zone names - are used:

    - + set of zones. In the default installation, the following zone +names are used:

    + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
    NameDescription
    netThe Internet
    locYour Local Network
    dmzDemilitarized Zone
    NameDescription
    netThe Internet
    locYour Local Network
    dmzDemilitarized Zone
    - +

    Zones are defined in the /etc/shorewall/zones - file.

    - + file.

    +

    Shorewall also recognizes the firewall system as its own zone - by default, - the firewall itself is known as fw but that may be changed in the - /etc/shorewall/shorewall.conf - file. In this guide, the default name (fw) will be used.

    - + the firewall itself is known as fw but that may be changed in +the /etc/shorewall/shorewall.conf + file. In this guide, the default name (fw) will be used.

    +

    With the exception of fw, Shorewall attaches absolutely no meaning - to zone names. Zones are entirely what YOU make of them. That means that - you should not expect Shorewall to do something special "because this -is the internet zone" or "because that is the DMZ".

    - + to zone names. Zones are entirely what YOU make of them. That means that + you should not expect Shorewall to do something special "because this + is the internet zone" or "because that is the DMZ".

    +

    -     Edit the /etc/shorewall/zones file and make any changes necessary.

    - +     Edit the /etc/shorewall/zones file and make any changes necessary.

    +

    Rules about what traffic to allow and what traffic to deny are expressed - in terms of zones.

    - + in terms of zones.

    + - +

    Shorewall is built on top of the Netfilter - kernel facility. Netfilter implements a connection - tracking function that allows what is often referred to as stateful - inspection of packets. This stateful property allows firewall rules - to be defined in terms of connections rather than in terms of - packets. With Shorewall, you:

    - + tracking function that allows what is often referred to as stateful + inspection of packets. This stateful property allows firewall rules + to be defined in terms of connections rather than in terms of + packets. With Shorewall, you:

    +
      -
    1. Identify the source zone.
      2. -
    2. Identify the destination zone.
      3. -
    3. If the POLICY from the client's zone to the server's - zone is what you want for this client/server pair, you need do nothing - further.
      4. -
    4. If the POLICY is not what you want, then you must add - a rule. That rule is expressed in terms of the client's zone and -the server's zone.
      5. - +
    5. Identify the source zone.
      6. +
    6. Identify the destination zone.
      7. +
    7. If the POLICY from the client's zone to the server's + zone is what you want for this client/server pair, you need do +nothing further.
      8. +
    8. If the POLICY is not what you want, then you must +add a rule. That rule is expressed in terms of the client's zone +and the server's zone.
      9. +
    - +

    Just because connections of a particular type are allowed from zone A to the firewall and are also allowed from the firewall to zone B DOES NOT mean that these connections are allowed - from zone A to zone B. It rather means that you can have - a proxy running on the firewall that accepts a connection from zone + from zone A to zone B. It rather means that you can +have a proxy running on the firewall that accepts a connection from zone A and then establishes its own separate connection from the firewall to zone B.

    - +

    For each connection request entering the firewall, the request is first - checked against the /etc/shorewall/rules file. If no rule in that file - matches the connection request then the first policy in /etc/shorewall/policy - that matches the request is applied. If that policy is REJECT or DROP  -the request is first checked against the rules in /etc/shorewall/common.def.

    - + checked against the /etc/shorewall/rules file. If no rule in that file + matches the connection request then the first policy in /etc/shorewall/policy + that matches the request is applied. If that policy is REJECT or DROP  + the request is first checked against the rules in /etc/shorewall/common.def.

    +

    The default /etc/shorewall/policy file has the following policies:

    - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    locnetACCEPT  
    netallDROPinfo 
    allallREJECTinfo 
    -
    - -

    The above policy will:

    - -
      -
    1. allow all connection requests from your local network to the - internet
      2. -
    2. drop (ignore) all connection requests from the internet to -your firewall or local network and log a message at the info -level (here is a description of log -levels).
      3. -
    3. reject all other connection requests and log a message at the - info level. When a request is rejected, the firewall will - return an RST (if the protocol is TCP) or an ICMP port-unreachable packet - for other protocols.
      4. - -
    - -

    -     At this point, edit your /etc/shorewall/policy and make any changes - that you wish.

    - -

    3.0 Network Interfaces

    - -

    For the remainder of this guide, we'll refer to the following - diagram. While it may not look like your own network, it can be used to - illustrate the important aspects of Shorewall configuration.

    - -

    In this diagram:

    - -
      -
    • The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is -used to isolate your internet-accessible servers from your local systems -so that if one of those servers is compromised, you still have the firewall - between the compromised system and your local systems.
      • -
    • The Local Zone consists of systems Local 1, Local 2 and Local - 3.
      • -
    • All systems from the ISP outward comprise the Internet Zone. -
      • - -
    - -

    -

    - -

    The simplest way to define zones is to simply associate the - zone name (previously defined in /etc/shorewall/zones) with a network -interface. This is done in the /etc/shorewall/interfaces - file.

    - -

    The firewall illustrated above has three network interfaces. - Where Internet connectivity is through a cable or DSL "Modem", the External - Interface will be the Ethernet adapter that is connected to that "Modem" - (e.g., eth0unless you connect via Point-to-Point - Protocol over Ethernet (PPPoE) or Point-to-Point - Tunneling Protocol (PPTP) in which case the External -Interface will be a ppp interface (e.g., ppp0). If you connect via -a regular modem, your External Interface will also be ppp0. If -you connect using ISDN, you external interface will be ippp0.

    - -

    -     If your external interface is ppp0 or ippp0 then - you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.

    - -

    Your Local Interface will be an Ethernet adapter (eth0, - eth1 or eth2) and will be connected to a hub or switch. Your local computers - will be connected to the same switch (note: If you have only a single -local system, you can connect the firewall directly to the computer using -a cross-over cable).

    - -

    Your DMZ Interface will also be an Ethernet adapter - (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ - computers will be connected to the same switch (note: If you have only -a single DMZ system, you can connect the firewall directly to the computer - using a cross-over cable).

    - -

    - Do not connect more than one interface to the same hub or -switch (even for testing). It won't work the way that you expect it to -and you will end up confused and believing that Linux networking doesn't -work at all.

    - -

    For the remainder of this Guide, we will assume that:

    - -
      -
    • -

      The external interface is eth0.

      -
      • -
    • -

      The Local interface is eth1.

      -
      • -
    • -

      The DMZ interface is eth2.

      -
      • - -
    - -

    The Shorewall default configuration does not define the contents - of any zone. To define the above configuration using the /etc/shorewall/interfaces - file, that file would might contain:

    - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918
    loceth1detect 
    dmzeth2detect 
    -
    - -

    -     Edit the /etc/shorewall/interfaces file and define the network - interfaces on your firewall and associate each interface with a zone. -If you have a zone that is interfaced through more than one interface, -simply include one entry for each interface and repeat the zone name as -many times as necessary.

    - -

    Example:

    - -
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918
    loceth1detect 
    loceth2detectdhcp
    -
    - -
    -

    When you have more than one interface to a zone, you will - usually want a policy that permits intra-zone traffic:

    -
    - -
    -
    + +
    - + @@ -432,80 +212,302 @@ many times as necessary.

    - + - - + + + + + + + + + + + + + + + +
    Source Zone Destination Zone Policy
    loclocnet ACCEPT    
    netallDROPinfo 
    allallREJECTinfo 
    -
    - + +

    The above policy will:

    + +
      +
    1. allow all connection requests from your local network to +the internet
      2. +
    2. drop (ignore) all connection requests from the internet to + your firewall or local network and log a message at the info + level (here is a description of log + levels).
      3. +
    3. reject all other connection requests and log a message at +the info level. When a request is rejected, the firewall +will return an RST (if the protocol is TCP) or an ICMP port-unreachable +packet for other protocols.
      4. + +
    + +

    +     At this point, edit your /etc/shorewall/policy and make any +changes that you wish.

    + +

    3.0 Network Interfaces

    + +

    For the remainder of this guide, we'll refer to the following + diagram. While it may not look like your own network, it can be used +to illustrate the important aspects of Shorewall configuration.

    + +

    In this diagram:

    + +
      +
    • The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is + used to isolate your internet-accessible servers from your local systems + so that if one of those servers is compromised, you still have the firewall + between the compromised system and your local systems.
      • +
    • The Local Zone consists of systems Local 1, Local 2 and Local + 3.
      • +
    • All systems from the ISP outward comprise the Internet Zone. +
      • + +
    + +

    +

    + +

    The simplest way to define zones is to simply associate the + zone name (previously defined in /etc/shorewall/zones) with a network + interface. This is done in the /etc/shorewall/interfaces file.

    + +

    The firewall illustrated above has three network interfaces. + Where Internet connectivity is through a cable or DSL "Modem", the External + Interface will be the Ethernet adapter that is connected to that +"Modem" (e.g., eth0unless you connect via Point-to-Point + Protocol over Ethernet (PPPoE) or Point-to-Point + Tunneling Protocol (PPTP) in which case the External + Interface will be a ppp interface (e.g., ppp0). If you connect +via a regular modem, your External Interface will also be ppp0. +If you connect using ISDN, you external interface will be ippp0.

    + +

    +     If your external interface is ppp0 or ippp0 then + you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.

    + +

    Your Local Interface will be an Ethernet adapter (eth0, + eth1 or eth2) and will be connected to a hub or switch. Your local computers + will be connected to the same switch (note: If you have only a single + local system, you can connect the firewall directly to the computer using + a cross-over cable).

    + +

    Your DMZ Interface will also be an Ethernet adapter + (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ + computers will be connected to the same switch (note: If you have only + a single DMZ system, you can connect the firewall directly to the computer + using a cross-over cable).

    + +

    + Do not connect more than one interface to the same hub +or switch (even for testing). It won't work the way that you expect +it to and you will end up confused and believing that Linux networking +doesn't work at all.

    + +

    For the remainder of this Guide, we will assume that:

    + +
      +
    • +

      The external interface is eth0.

      +
      • +
    • +

      The Local interface is eth1.

      +
      • +
    • +

      The DMZ interface is eth2.

      +
      • + +
    + +

    The Shorewall default configuration does not define the contents + of any zone. To define the above configuration using the /etc/shorewall/interfaces + file, that file would might contain:

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918
    loceth1detect 
    dmzeth2detect 
    +
    +

    -     You may define more complicated zones using the + +

    Example:

    + +
    + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918
    loceth1detect 
    loceth2detectdhcp
    +
    + +
    +

    When you have more than one interface to a zone, you will + usually want a policy that permits intra-zone traffic:

    +
    + +
    +
    + + + + + + + + + + + + + + + + + + +
    Source ZoneDestination ZonePolicyLog LevelLimit:Burst
    loclocACCEPT  
    +
    +
    + +

    +     You may define more complicated zones using the /etc/shorewall/hosts file but in most - cases, that isn't necessary.

    - + cases, that isn't necessary.

    +

    4.0 Addressing, Subnets and Routing

    - +

    Normally, your ISP will assign you a set of Public - IP addresses. You will configure your firewall's external interface to -use one of those addresses permanently and you will then have to decide -how you are going to use the rest of your addresses. Before we tackle that -question though, some background is in order.

    - + IP addresses. You will configure your firewall's external interface to + use one of those addresses permanently and you will then have to decide + how you are going to use the rest of your addresses. Before we tackle that + question though, some background is in order.

    +

    If you are thoroughly familiar with IP addressing and routing, - you may go to the next section.

    - + you may go to the next section.

    +

    The following discussion barely scratches the surface of addressing and routing. If you are interested in learning more about this subject, I highly recommend "IP Fundamentals: What Everyone Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.

    - +

    4.1 IP Addresses

    - +

    IP version 4 (IPv4) addresses are 32-bit numbers. - The notation w.x.y.z refers to an address where the high-order byte has - value "w", the next byte has value "x", etc. If we take the address 192.0.2.14 - and express it in hexadecimal, we get:

    - -
    + The notation w.x.y.z refers to an address where the high-order byte has + value "w", the next byte has value "x", etc. If we take the address 192.0.2.14 + and express it in hexadecimal, we get:

    + +

    C0.00.02.0E

    -
    - +
    +

    or looking at it as a 32-bit integer

    - -
    + +

    C000020E

    -
    - +
    +

    4.2 Subnets

    - +

    You will still hear the terms "Class A network", "Class B - network" and "Class C network". In the early days of IP, networks only - came in three sizes (there were also Class D networks but they were used - differently):

    - -
    + network" and "Class C network". In the early days of IP, networks only + came in three sizes (there were also Class D networks but they were used + differently):

    + +

    Class A - netmask 255.0.0.0, size = 2 ** 24

    - +

    Class B - netmask 255.255.0.0, size = 2 ** 16

    - +

    Class C - netmask 255.255.255.0, size = 256

    -
    - +
    +

    The class of a network was uniquely determined by the value - of the high order byte of its address so you could look at an IP address - and immediately determine the associated netmask. The netmask is - a number that when logically ANDed with an address isolates the network - number; the remainder of the address is the host number. For - example, in the Class C address 192.0.2.14, the network number is hex C00002 - and the host number is hex 0E.

    - + of the high order byte of its address so you could look at an IP address + and immediately determine the associated netmask. The netmask +is a number that when logically ANDed with an address isolates the network + number; the remainder of the address is the host number. For + example, in the Class C address 192.0.2.14, the network number is hex +C00002 and the host number is hex 0E.

    +

    As the internet grew, it became clear that such a gross partitioning of the 32-bit address space was going to be very limiting (early on, large corporations and universities were assigned their own class A @@ -513,2005 +515,2019 @@ partitioning of the 32-bit address space was going to be very limiting (early these networks into smaller subnetworks evolved; that technique is referred to as Classless InterDomain Routing (CIDR). Today, any system that you are likely to work with will understand CIDR and Class-based networking - is largely a thing of the past.

    - + is largely a thing of the past.

    +

    A subnetwork (often referred to as a subnet) is - a contiguous set of IP addresses such that:

    - + a contiguous set of IP addresses such that:

    +
      -
    1. +

    2. The number of addresses in the set is a power of 2; and

      -
      3. -
    3. +
      4. +

    4. The first address in the set is a multiple of the set - size.

      -
      5. -
    5. + size.

      +
      6. +

    6. The first address in the subnet is reserved and is referred - to as the subnet address.

      -
      7. -
    7. + to as the subnet address.

      +
      8. +

    8. The last address in the subnet is reserved as the subnet's - broadcast address.

      -
      9. - + broadcast address.

      + +
    - +

    As you can see by this definition, in each subnet of size - n there are (n - 2) usable addresses (addresses that can - be assigned to hosts). The first and last address in the subnet are -used for the subnet address and subnet broadcast address respectively. -Consequently, small subnetworks are more wasteful of IP addresses than -are large ones.

    - + n there are (n - 2) usable addresses (addresses that +can be assigned to hosts). The first and last address in the subnet +are used for the subnet address and subnet broadcast address respectively. + Consequently, small subnetworks are more wasteful of IP addresses than + are large ones.

    +

    Since n is a power of two, we can easily calculate - the Natural Logarithm (log2) of n. For the more -common subnet sizes, the size and its natural logarithm are given in the - following table:

    - -
    + the Natural Logarithm (log2) of n. For the more + common subnet sizes, the size and its natural logarithm are given in the + following table:

    + +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    nlog2 n(32 - log2 n)
    8329
    16428
    32527
    64626
    128725
    256824
    512923
    10241022
    20481121
    40961220
    81921319
    163841418
    327681517
    655361616
    nlog2 n(32 - log2 n)
    8329
    16428
    32527
    64626
    128725
    256824
    512923
    10241022
    20481121
    40961220
    81921319
    163841418
    327681517
    655361616
    -
    - +
    +

    You will notice that the above table also contains a column - for (32 - log2 n). That number is the Variable Length Subnet - Mask for a network of size n. From the above table, we can - derive the following one which is a little easier to use.

    - -
    + for (32 - log2 n). That number is the Variable Length Subnet + Mask for a network of size n. From the above table, we can + derive the following one which is a little easier to use.

    + +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    Size of SubnetVLSMSubnet Mask
    8/29255.255.255.248
    16/28255.255.255.240
    32/27255.255.255.224
    64/26255.255.255.192
    128/25255.255.255.128
    256/24255.255.255.0
    512/23255.255.254.0
    1024/22255.255.252.0
    2048/21255.255.248.0
    4096/20255.255.240.0
    8192/19255.255.224.0
    16384/18255.255.192.0
    32768/17255.255.128.0
    65536/16255.255.0.0
    2 ** 24/8255.0.0.0
    Size of SubnetVLSMSubnet Mask
    8/29255.255.255.248
    16/28255.255.255.240
    32/27255.255.255.224
    64/26255.255.255.192
    128/25255.255.255.128
    256/24255.255.255.0
    512/23255.255.254.0
    1024/22255.255.252.0
    2048/21255.255.248.0
    4096/20255.255.240.0
    8192/19255.255.224.0
    16384/18255.255.192.0
    32768/17255.255.128.0
    65536/16255.255.0.0
    2 ** 24/8255.0.0.0
    -
    - +
    +

    Notice that the VLSM is written with a slash ("/") -- you - will often hear a subnet of size 64 referred to as a "slash 26" subnet - and one of size 8 referred to as a "slash 29".

    - + will often hear a subnet of size 64 referred to as a "slash 26" subnet + and one of size 8 referred to as a "slash 29".

    +

    The subnet's mask (also referred to as its netmask) is - simply a 32-bit number with the first "VLSM" bits set to one and the - remaining bits set to zero. For example, for a subnet of size 64, the - subnet mask has 26 leading one bits:

    - -
    + simply a 32-bit number with the first "VLSM" bits set to one and the + remaining bits set to zero. For example, for a subnet of size 64, the + subnet mask has 26 leading one bits:

    + +

    11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 - = 255.255.255.192

    -
    - + = 255.255.255.192

    +
    +

    The subnet mask has the property that if you logically AND - the subnet mask with an address in the subnet, the result is the subnet - address. Just as important, if you logically AND the subnet mask with - an address outside the subnet, the result is NOT the subnet address. -As we will see below, this property of subnet masks is very useful in -routing.

    - + the subnet mask with an address in the subnet, the result is the subnet + address. Just as important, if you logically AND the subnet mask with + an address outside the subnet, the result is NOT the subnet address. + As we will see below, this property of subnet masks is very useful in + routing.

    +

    For a subnetwork whose address is a.b.c.d and whose - Variable Length Subnet Mask is /v, we denote the subnetwork as - "a.b.c.d/v" using CIDR Notation

    - + Variable Length Subnet Mask is /v, we denote the subnetwork +as "a.b.c.d/v" using CIDR Notation

    +

    Example:

    - -
    + +
    - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + +
    Subnet:10.10.10.0 - 10.10.10.127
    Subnet Size:128
    Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.127
    CIDR Notation:10.10.10.0/25
    Subnet:10.10.10.0 - 10.10.10.127
    Subnet Size:128
    Subnet Address:10.10.10.0
    Broadcast Address:10.10.10.127
    CIDR Notation:10.10.10.0/25
    -
    - +
    +

    There are two degenerate subnets that need mentioning; namely, - the subnet with one member and the subnet with 2 ** 32 members.

    - -
    + the subnet with one member and the subnet with 2 ** 32 members.

    + +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    Size of SubnetworkVLSM LengthSubnet MaskCIDR Notation
    132255.255.255.255a.b.c.d/32
    2 ** 3200.0.0.00.0.0.0/0
    Size of SubnetworkVLSM LengthSubnet MaskCIDR Notation
    132255.255.255.255a.b.c.d/32
    2 ** 3200.0.0.00.0.0.0/0
    -
    - -

    So any address a.b.c.d may also be written a.b.c.d/32 - and the set of all possible IP addresses is written 0.0.0.0/0.

    - -

    Later in this guide, you will see the notation a.b.c.d/v - used to describe the ip configuration of a network interface (the 'ip' - utility also uses this syntax). This simply means that the interface is - configured with ip address a.b.c.d and with the netmask that corresponds - to VLSM /v.

    - -

    Example: 192.0.2.65/29

    - -

        The interface is configured with IP address 192.0.2.65 - and netmask 255.255.255.248.

    - -

    4.3 Routing

    - -

    One of the purposes of subnetting is that it forms the basis - for routing. Here's the routing table on my firewall:

    - -
    -
    - 
    [root@gateway root]# netstat -nr
    Kernel IP routing table
    Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
    192.168.9.1 	0.0.0.0 	255.255.255.255 UH    40  0         0 texas
    206.124.146.177 0.0.0.0 	255.255.255.255 UH    40  0         0 eth1
    206.124.146.180 0.0.0.0 	255.255.255.255 UH    40  0         0 eth3
    192.168.3.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth3
    192.168.2.0 	0.0.0.0 	255.255.255.0   U     40  0         0 eth1
    192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2
    206.124.146.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth0
    192.168.9.0     192.0.2.223 	255.255.255.0 	UG    40  0         0 texas
    127.0.0.0 	0.0.0.0 	255.0.0.0 	U     40  0         0 lo
    0.0.0.0 	206.124.146.254 0.0.0.0 	UG    40  0         0 eth0
    [root@gateway root]#
    -
    - + +

    So any address a.b.c.d may also be written a.b.c.d/32 + and the set of all possible IP addresses is written 0.0.0.0/0.

    + +

    Later in this guide, you will see the notation a.b.c.d/v + used to describe the ip configuration of a network interface (the 'ip' + utility also uses this syntax). This simply means that the interface is + configured with ip address a.b.c.d and with the netmask that corresponds + to VLSM /v.

    + +

    Example: 192.0.2.65/29

    + +

        The interface is configured with IP address 192.0.2.65 + and netmask 255.255.255.248.

    + +

    4.3 Routing

    + +

    One of the purposes of subnetting is that it forms the basis + for routing. Here's the routing table on my firewall:

    + +
    +
    + 
    [root@gateway root]# netstat -nr
    Kernel IP routing table
    Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
    192.168.9.1 	0.0.0.0 	255.255.255.255 UH    40  0         0 texas
    206.124.146.177 0.0.0.0 	255.255.255.255 UH    40  0         0 eth1
    206.124.146.180 0.0.0.0 	255.255.255.255 UH    40  0         0 eth3
    192.168.3.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth3
    192.168.2.0 	0.0.0.0 	255.255.255.0   U     40  0         0 eth1
    192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2
    206.124.146.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth0
    192.168.9.0     192.0.2.223 	255.255.255.0 	UG    40  0         0 texas
    127.0.0.0 	0.0.0.0 	255.0.0.0 	U     40  0         0 lo
    0.0.0.0 	206.124.146.254 0.0.0.0 	UG    40  0         0 eth0
    [root@gateway root]#
    +
    +
    +

    The device texas is a GRE tunnel to a peer site in - the Dallas, Texas area.
    -
    - The first three routes are host routes since they indicate -how to get to a single host. In the 'netstat' output this can be seen -by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the Flags -column. The remainder are 'net' routes since they tell the kernel how -to route packets to a subnetwork. The last route is the default route -and the gateway mentioned in that route is called the default gateway.

    - + the Dallas, Texas area.
    +
    + The first three routes are host routes since they indicate + how to get to a single host. In the 'netstat' output this can be seen + by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the +Flags column. The remainder are 'net' routes since they tell the kernel +how to route packets to a subnetwork. The last route is the default +route and the gateway mentioned in that route is called the default + gateway.

    +

    When the kernel is trying to send a packet to IP address A, it starts at the top of the routing table and:

    - +
      -
    • +

    • A is logically ANDed with the 'Genmask' value in the table entry.

      -
      • -
    • +
      • +

    • The result is compared with the 'Destination' value in - the table entry.

      -
      • -
    • + the table entry.

      +
      • +

    • If the result and the 'Destination' value are the same, - then:

      - + then:

      +
        -
      • - +
      • +

        If the 'Gateway' column is non-zero, the packet is - sent to the gateway over the interface named in the 'Iface' column.

        -
        • -
      • - + sent to the gateway over the interface named in the 'Iface' column.

        +
        • +
      • +

        Otherwise, the packet is sent directly to A over - the interface named in the 'iface' column.

        -
        • - + the interface named in the 'iface' column.

        + +
      -
      • -
    • +
      • +

    • Otherwise, the above steps are repeated on the next entry - in the table.

      -
      • - + in the table.

      + +
    - +

    Since the default route matches any IP address (A land 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table entries are sent to the default gateway which is usually a router at your ISP.

    - +

    Lets take an example. Suppose that we want to route a packet - to 192.168.1.5. That address clearly doesn't match any of the host routes - in the table but if we logically and that address with 255.255.255.0, -the result is 192.168.1.0 which matches this routing table entry:

    - -
    -
    + to 192.168.1.5. That address clearly doesn't match any of the host routes + in the table but if we logically and that address with 255.255.255.0, + the result is 192.168.1.0 which matches this routing table entry:

    + +
    +
    192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2
    -
    - +
    +

    So to route a packet to 192.168.1.5, the packet is sent directly over eth2.

    -
    - + +

    One more thing needs to be emphasized -- all outgoing packet - are sent using the routing table and reply packets are not a special case. - There seems to be a common mis-conception whereby people think that request - packets are like salmon and contain a genetic code that is magically + are sent using the routing table and reply packets are not a special +case. There seems to be a common mis-conception whereby people think that +request packets are like salmon and contain a genetic code that is magically transferred to reply packets so that the replies follow the reverse route taken by the request. That isn't the case; the replies may take a totally different route back to the client than was taken by the requests -- they are totally independent.

    - +

    4.4 Address Resolution Protocol

    - +

    When sending packets over Ethernet, IP addresses aren't used. - Rather Ethernet addressing is based on Media Access Control (MAC) - addresses. Each Ethernet device has it's own unique  MAC address which - is burned into a PROM on the device during manufacture. You can obtain -the MAC of an Ethernet device using the 'ip' utility:

    - -
    -
    + Rather Ethernet addressing is based on Media Access Control (MAC) + addresses. Each Ethernet device has it's own unique  MAC address which + is burned into a PROM on the device during manufacture. You can obtain + the MAC of an Ethernet device using the 'ip' utility:

    + +
    + 
    [root@gateway root]# ip addr show eth0
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0
    inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
    [root@gateway root]#
    -
    -
    - -
    +
    +
    + +

    As you can see from the above output, the MAC is 6 bytes (48 bits) wide. A card's MAC is usually also printed on a label attached to the card itself.

    -
    - -
    +
    + +

    Because IP uses IP addresses and Ethernet uses MAC addresses, - a mechanism is required to translate an IP address into a MAC address; - that is the purpose of the Address Resolution Protocol (ARP). - Here is ARP in action:

    -
    - -
    -
    -
    + a mechanism is required to translate an IP address into a MAC address; + that is the purpose of the Address Resolution Protocol (ARP). + Here is ARP in action:

    +
    + +
    +
    + 
    [root@gateway root]# tcpdump -nei eth2 arp
    tcpdump: listening on eth2
    09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254
    09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0

    2 packets received by filter
    0 packets dropped by kernel
    [root@gateway root]#
    +
    +
    +
    + +

    In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants + to know the MAC of the device with IP address 192.168.1.19. The system + having that IP address is responding that the MAC address of the device + with IP address 192.168.1.19 is 0:6:25:aa:8a:f0.

    + +

    In order to avoid having to exchange ARP information each + time that an IP packet is to be sent, systems maintain an ARP cache + of IP<->MAC correspondences. You can see the ARP cache on your +system (including your Windows system) using the 'arp' command:

    + +
    +
    + 
    [root@gateway root]# arp -na
    ? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
    ? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
    ? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
    ? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
    ? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
    -
    - -

    In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants - to know the MAC of the device with IP address 192.168.1.19. The system - having that IP address is responding that the MAC address of the device - with IP address 192.168.1.19 is 0:6:25:aa:8a:f0.

    - -

    In order to avoid having to exchange ARP information each - time that an IP packet is to be sent, systems maintain an ARP cache - of IP<->MAC correspondences. You can see the ARP cache on your system - (including your Windows system) using the 'arp' command:

    - -
    -
    - 
    [root@gateway root]# arp -na
    ? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
    ? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
    ? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
    ? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
    ? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
    -
    -
    - +

    The leading question marks are a result of my having specified - the 'n' option (Windows 'arp' doesn't allow that option) which causes -the 'arp' program to forego IP->DNS name translation. Had I not given -that option, the question marks would have been replaced with the FQDN -corresponding to each IP address. Notice that the last entry in the table -records the information we saw using tcpdump above.

    - + the 'n' option (Windows 'arp' doesn't allow that option) which causes + the 'arp' program to forego IP->DNS name translation. Had I not given + that option, the question marks would have been replaced with the FQDN + corresponding to each IP address. Notice that the last entry in the table + records the information we saw using tcpdump above.

    +

    4.5 RFC 1918

    - +

    IP addresses are allocated by the Internet Assigned Number Authority (IANA) - who delegates allocations on a geographic basis to Regional Internet - Registries (RIRs). For example, allocation for the Americas and for - sub-Sahara Africa is delegated to the American - Registry for Internet Numbers (ARIN). These RIRs may in turn delegate - to national registries. Most of us don't deal with these registrars but - rather get our IP addresses from our ISP.

    - + who delegates allocations on a geographic basis to Regional Internet + Registries (RIRs). For example, allocation for the Americas and for + sub-Sahara Africa is delegated to the American Registry for Internet Numbers +(ARIN). These RIRs may in turn delegate to national registries. Most +of us don't deal with these registrars but rather get our IP addresses +from our ISP.

    +

    It's a fact of life that most of us can't afford as many Public IP addresses as we have devices to assign them to so we end up making use of Private IP addresses. RFC 1918 reserves several IP address ranges for this purpose:

    - -
    + +
         10.0.0.0    - 10.255.255.255
         172.16.0.0  - 172.31.255.255
         192.168.0.0 - 192.168.255.255
    -
    - -
    +
    + +

    The addresses reserved by RFC 1918 are sometimes referred - to as non-routable because the Internet backbone routers don't - forward packets which have an RFC-1918 destination address. This is understandable - given that anyone can select any of these addresses for their private - use.

    -
    - -
    + to as non-routable because the Internet backbone routers don't + forward packets which have an RFC-1918 destination address. This is +understandable given that anyone can select any of these addresses for +their private use.

    +
    + +

    When selecting addresses from these ranges, there's a couple - of things to keep in mind:

    -
    - -
    + of things to keep in mind:

    +
    + +
      -
    • +

    • As the IPv4 address space becomes depleted, more and more organizations (including ISPs) are beginning to use RFC 1918 addresses - in their infrastructure.

      -
      • -
    • + in their infrastructure.

      +
      • +

    • You don't want to use addresses that are being used by - your ISP or by another organization with whom you want to establish - a VPN relationship.

      -
      • - + your ISP or by another organization with whom you want to establish + a VPN relationship.

      + +
    -
    - -
    +
    + +

    So it's a good idea to check with your ISP to see if they - are using (or are planning to use) private addresses before you decide - the addresses that you are going to use.

    -
    - -
    + are using (or are planning to use) private addresses before you decide + the addresses that you are going to use.

    +
    + +

    5.0 Setting up your Network

    -
    - -
    +
    + +

    The choice of how to set up your network depends primarily - on how many Public IP addresses you have vs. how many addressable entities - you have in your network. Regardless of how many addresses you have, - your ISP will handle that set of addresses in one of two ways:

    -
    - -
    + on how many Public IP addresses you have vs. how many addressable entities + you have in your network. Regardless of how many addresses you have, + your ISP will handle that set of addresses in one of two ways:

    +
    + +
      -
    1. +

    2. Routed - Traffic to any of your addresses will - be routed through a single gateway address. This will generally - only be done if your ISP has assigned you a complete subnet (/29 or -larger). In this case, you will assign the gateway address as the IP -address of your firewall/router's external interface.

      -
      3. -
    3. + be routed through a single gateway address. This will generally + only be done if your ISP has assigned you a complete subnet (/29 or + larger). In this case, you will assign the gateway address as the IP + address of your firewall/router's external interface.

      +
      4. +

    4. Non-routed - Your ISP will send traffic to each - of your addresses directly.

      -
      5. - + of your addresses directly.

      + +
    -
    - -
    +
    + +

    In the subsections that follow, we'll look at each of these - separately.
    -

    - + separately.
    +

    +

    Before we begin, there is one thing for you to check:

    - +

    -     If you are using the Debian package, please check your shorewall.conf - file to ensure that the following are set correctly; if they are not, +     If you are using the Debian package, please check your shorewall.conf + file to ensure that the following are set correctly; if they are not, change them appropriately:
    -

    - +

    +
      -
    • NAT_ENABLED=Yes
      • -
    • IP_FORWARDING=On
      -
      • - +
    • NAT_ENABLED=Yes
      • +
    • IP_FORWARDING=On
      +
      • +
    -
    - -
    +
    + +

    5.1 Routed

    -
    - -
    +
    + +

    Let's assume that your ISP has assigned you the subnet 192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses - 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address - is 192.0.2.65. Your ISP has also told you that you should use a netmask - of 255.255.255.0 (so your /28 is part of a larger /24). With this many - IP addresses, you are able to subnet your /28 into two /29's and set -up your network as shown in the following diagram.

    -
    - -
    + 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address + is 192.0.2.65. Your ISP has also told you that you should use a netmask + of 255.255.255.0 (so your /28 is part of a larger /24). With this many + IP addresses, you are able to subnet your /28 into two /29's and set + up your network as shown in the following diagram.

    +
    + +

    -

    -
    - -
    +

    +
    + +

    Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ would be configured to 192.0.2.66 and the default gateway for hosts in the local network would be 192.0.2.73.

    -
    - -
    +
    + +

    Notice that this arrangement is rather wasteful of public - IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet -addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses and -192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router. -Nevertheless, it shows how subnetting can work and if we were dealing -with a /24 rather than a /28 network, the use of 6 IP addresses out of -256 would be justified because of the simplicity of the setup.

    -
    - -
    + IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet + addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses +and 192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router. + Nevertheless, it shows how subnetting can work and if we were dealing + with a /24 rather than a /28 network, the use of 6 IP addresses out +of 256 would be justified because of the simplicity of the setup.

    +
    + +

    The astute reader may have noticed that the Firewall/Router's - external interface is actually part of the DMZ subnet (192.0.2.64/29). - What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The - routing table on DMZ 1 will look like this:

    -
    - -
    -
    + external interface is actually part of the DMZ subnet (192.0.2.64/29). + What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The + routing table on DMZ 1 will look like this:

    +
    + +
    +
    Kernel IP routing table
    Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
    192.0.2.64 	0.0.0.0 	255.255.255.248 U     40  0         0 eth0
    0.0.0.0 	192.0.2.66	0.0.0.0 	UG    40  0         0 eth0
    -
    -
    - -
    +
    + + +

    This means that DMZ 1 will send an ARP "who-has 192.0.2.65" - request and no device on the DMZ Ethernet segment has that IP address. - Oddly enough, the firewall will respond to the request with the MAC -address of its DMZ Interface!! DMZ 1 can then send Ethernet frames -addressed to that MAC address and the frames will be received (correctly) -by the firewall/router.

    -
    - -
    + request and no device on the DMZ Ethernet segment has that IP address. + Oddly enough, the firewall will respond to the request with the MAC + address of its DMZ Interface!! DMZ 1 can then send Ethernet frames + addressed to that MAC address and the frames will be received (correctly) + by the firewall/router.

    +
    + +

    It is this rather unexpected ARP behavior on the part of the Linux Kernel that prompts the warning earlier in this guide regarding the connecting of multiple firewall/router interfaces to the same hub or switch. When an ARP request for one of the firewall/router's IP addresses is sent by another system connected to the hub/switch, all of the firewall's - interfaces that connect to the hub/switch can respond! It is then a -race as to which "here-is" response reaches the sender first.

    -
    - -
    + interfaces that connect to the hub/switch can respond! It is then a + race as to which "here-is" response reaches the sender first.

    +
    + +

    5.2 Non-routed

    -
    - -
    +
    + +

    If you have the above situation but it is non-routed, you can configure your network exactly as described above with one additional - twist; simply specify the "proxyarp" option on all three firewall interfaces - in the /etc/shorewall/interfaces file.

    -
    - -
    + twist; simply specify the "proxyarp" option on all three firewall interfaces + in the /etc/shorewall/interfaces file.

    +
    + +

    Most of us don't have the luxury of having enough public IP addresses to set up our networks as shown in the preceding example (even if the setup is routed).

    -
    - -
    +
    + +

    For the remainder of this section, assume that your ISP - has assigned you IP addresses 192.0.2.176-180 and has told you to use - netmask 255.255.255.0 and default gateway 192.0.2.254.

    -
    - -
    + has assigned you IP addresses 192.0.2.176-180 and has told you to use + netmask 255.255.255.0 and default gateway 192.0.2.254.

    +
    + +

    Clearly, that set of addresses doesn't comprise a subnetwork - and there aren't enough addresses for all of the network interfaces. - There are four different techniques that can be used to work around this - problem.

    -
    - -
    + and there aren't enough addresses for all of the network interfaces. + There are four different techniques that can be used to work around +this problem.

    +
    + +
      -
    • +

    • Source Network Address Translation (SNAT).

      -
      • -
    • +
      • +

    • Destination Network Address Translation (DNAT) - also known as Port Forwarding.

      -
      • -
    • + also known as Port Forwarding.

      +
      • +

    • Proxy ARP.

      -
      • -
    • +
      • +

    • Network Address Translation (NAT) also referred - to as Static NAT.

      -
      • - + to as Static NAT.

      + +
    -
    - -
    +
    + +

    Often a combination of these techniques is used. Each of these will be discussed in the sections that follow.

    -
    - -
    +
    + +

     5.2.1 SNAT

    -
    - -
    +
    + +

    With SNAT, an internal LAN segment is configured using RFC - 1918 addresses. When a host A on this internal segment initiates - a connection to host B on the internet, the firewall/router rewrites - the IP header in the request to use one of your public IP addresses + 1918 addresses. When a host A on this internal segment initiates + a connection to host B on the internet, the firewall/router +rewrites the IP header in the request to use one of your public IP addresses as the source address. When B responds and the response is received by the firewall, the firewall changes the destination address back to the RFC 1918 address of A and forwards the response back to A.

    -
    - -
    +
    + +

    Let's suppose that you decide to use SNAT on your local zone - and use public address 192.0.2.176 as both your firewall's external -IP address and the source IP address of internet requests sent from that - zone.

    -
    - -
    + and use public address 192.0.2.176 as both your firewall's external + IP address and the source IP address of internet requests sent from +that zone.

    +
    + +

    -

    -
    - + + +
    The local zone has been subnetted as 192.168.201.0/29 - (netmask 255.255.255.248).
    - + (netmask 255.255.255.248). +
     
    - +
    -     The systems in the local zone would be configured with a default - gateway of 192.168.201.1 (the IP address of the firewall's local interface).
    - +     The systems in the local zone would be configured with a +default gateway of 192.168.201.1 (the IP address of the firewall's +local interface). +
     
    - +
    -     SNAT is configured in Shorewall using the /etc/shorewall/masq file.
    - -
    -
    + +
    +
    - - - - - - - - - - - - - + + + + + + + + + + + + +
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    -
    -
    - -
    +
    +
    + +

    This example used the normal technique of assigning the same - public IP address for the firewall external interface and for SNAT. -If you wanted to use a different IP address, you would either have to -use your distributions network configuration tools to add that IP address - to the external interface or you could set ADD_SNAT_ALIASES=Yes in - /etc/shorewall/shorewall.conf and Shorewall will add the address for you.

    -
    - -
    + public IP address for the firewall external interface and for SNAT. + If you wanted to use a different IP address, you would either have to + use your distributions network configuration tools to add that IP address + to the external interface or you could set ADD_SNAT_ALIASES=Yes in + /etc/shorewall/shorewall.conf and Shorewall will add the address for you.

    +
    + +

    5.2.2 DNAT

    -
    - -
    +
    + +

    When SNAT is used, it is impossible for hosts on the internet - to initiate a connection to one of the internal systems since those -systems do not have a public IP address. DNAT provides a way to allow -selected connections from the internet.

    -
    - -
    + to initiate a connection to one of the internal systems since those + systems do not have a public IP address. DNAT provides a way to allow + selected connections from the internet.

    +
    + +

    -      Suppose that your daughter wants to run a web server on her - system "Local 3". You could allow connections to the internet to her - server by adding the following entry in /etc/shorewall/rules:

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    DNATnetloc:192.168.201.4tcpwww-192.0.2.176
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    DNATnetloc:192.168.201.4tcpwww-192.0.2.176
    -
    -
    - -
    +
    + + +

    If one of your daughter's friends at address A wants - to access your daughter's server, she can connect to http://192.0.2.176 (the firewall's external - IP address) and the firewall will rewrite the destination IP address - to 192.168.201.4 (your daughter's system) and forward the request. When - your daughter's server responds, the firewall will rewrite the source - address back to 192.0.2.176 and send the response back to A.

    -
    - -
    + IP address) and the firewall will rewrite the destination IP address + to 192.168.201.4 (your daughter's system) and forward the request. When + your daughter's server responds, the firewall will rewrite the source + address back to 192.0.2.176 and send the response back to A.

    +
    + +

    This example used the firewall's external IP address for DNAT. You can use another of your public IP addresses but Shorewall will not add that address to the firewall's external interface for you.

    -
    - -
    +
    + +

    5.2.3 Proxy ARP

    -
    - -
    +
    + +

    The idea behind proxy ARP is that:

    -
    - -
    +
    + +
      -
    • +

    • A host H behind your firewall is assigned one of your public IP addresses (A) and is assigned the same netmask (M) as the firewall's external interface.

      -
      • -
    • +
      • +

    • The firewall responds to ARP "who has" requests for A. -

      -
      • -
    • +

      +
      • +

    • When H issues an ARP "who has" request for an address in the subnetwork defined by A and M, the firewall will respond (with the MAC if the firewall interface to H).

      -
      • - + +
    -
    - -
    +
    + +

    Let suppose that we decide to use Proxy ARP on the DMZ in - our example network.

    -
    - -
    + our example network.

    +
    + +

    -

    -
    - +

    + +
    Here, we've assigned the IP addresses 192.0.2.177 to - system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned - an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface - on the firewall. That address and netmask isn't relevant - just be sure - it doesn't overlap another subnet that you've defined.
    - + system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned + an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface + on the firewall. That address and netmask isn't relevant - just be sure + it doesn't overlap another subnet that you've defined. +
     
    - +
    -     The Shorewall configuration of Proxy ARP is done using the - /etc/shorewall/proxyarp file.
    - -
    -
    +     The Shorewall configuration of Proxy ARP is done using the + /etc/shorewall/proxyarp file.
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    ADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No
    ADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No
    -
    -
    - -
    +
    + + +

    Because the HAVE ROUTE column contains No, Shorewall will - add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.
    -

    - -

    The ethernet interfaces on DMZ 1 and DMZ 2 should be configured - to have the IP addresses shown but should have the same default gateway as - the firewall itself -- namely 192.0.2.254.
    -

    -
    - -
    -

    -
    - -
    -
    -

    A word of warning is in order here. ISPs typically configure - their routers with a long ARP cache timeout. If you move a system from - parallel to your firewall to behind your firewall with Proxy ARP, it -will probably be HOURS before that system can communicate with the internet. - There are a couple of things that you can try:
    + add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.

    +

    The ethernet interfaces on DMZ 1 and DMZ 2 should be configured + to have the IP addresses shown but should have the same default gateway +as the firewall itself -- namely 192.0.2.254. In other words, they should +be configured just like they would be if they were parallel to the firewall +rather than behind it.
    +

    + +

    NOTE: Do not add the Proxy ARP'ed address(es) +(192.0.2.177 and 192.0.2.178 in the above example)  to the external interface +(eth0 in this example) of the firewall.
    +

    +
    +
    + +
    +

    +
    + +
    +
    +

    A word of warning is in order here. ISPs typically configure + their routers with a long ARP cache timeout. If you move a system from + parallel to your firewall to behind your firewall with Proxy ARP, it + will probably be HOURS before that system can communicate with the internet. + There are a couple of things that you can try:
    +

    +
      -
    1. (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP -Illustrated, Vol 1 reveals that a
      -
      - "gratuitous" ARP packet should cause the ISP's router to refresh their - ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the - MAC address for its own IP; in addition to ensuring that the IP address -isn't a duplicate,...
      -
      - "if the host sending the gratuitous ARP has just changed its hardware - address..., this packet causes any other host...that has an entry in its - cache for the old hardware address to update its ARP cache entry accordingly."
      -
      - Which is, of course, exactly what you want to do when you switch a host - from being exposed to the Internet to behind Shorewall using proxy ARP - (or static NAT for that matter). Happily enough, recent versions of Redhat's - iputils package include "arping", whose "-U" flag does just that:
      -
      -     arping -U -I <net if> <newly proxied - IP>
      -     arping -U -I eth0 66.58.99.83 # for example
      -
      - Stevens goes on to mention that not all systems respond correctly to -gratuitous ARPs, but googling for "arping -U" seems to support the idea -that it works most of the time.
      -
      -
      2. -
    2. You can call your ISP and ask them to purge the stale ARP cache - entry but many either can't or won't purge individual entries.
      3. - +
    3. (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP + Illustrated, Vol 1 reveals that a
      +
      + "gratuitous" ARP packet should cause the ISP's router to refresh their + ARP cache (section 4.7). A gratuitous ARP is simply a host requesting +the MAC address for its own IP; in addition to ensuring that the IP address + isn't a duplicate,...
      +
      + "if the host sending the gratuitous ARP has just changed its hardware + address..., this packet causes any other host...that has an entry in its + cache for the old hardware address to update its ARP cache entry accordingly."
      +
      + Which is, of course, exactly what you want to do when you switch a +host from being exposed to the Internet to behind Shorewall using proxy +ARP (or static NAT for that matter). Happily enough, recent versions of +Redhat's iputils package include "arping", whose "-U" flag does just that:
      +
      +     arping -U -I <net if> <newly +proxied IP>
      +     arping -U -I eth0 66.58.99.83 # for example
      +
      + Stevens goes on to mention that not all systems respond correctly +to gratuitous ARPs, but googling for "arping -U" seems to support the +idea that it works most of the time.
      +
      +
      4. +
    4. You can call your ISP and ask them to purge the stale ARP +cache entry but many either can't or won't purge individual entries.
      5. +
    - You can determine if your ISP's gateway ARP cache is stale using -ping and tcpdump. Suppose that we suspect that the gateway router has -a stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump -as follows:
    - -
    + You can determine if your ISP's gateway ARP cache is stale using + ping and tcpdump. Suppose that we suspect that the gateway router has + a stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump + as follows:
    + +
    	tcpdump -nei eth0 icmp
    -
    - -
    +
    + +

    Now from 130.252.100.19, ping the ISP's gateway (which we - will assume is 130.252.100.254):

    -
    - -
    + will assume is 130.252.100.254):

    +
    + +
    	ping 130.252.100.254
    -
    -
    - -
    +
    +
    + +

    We can now observe the tcpdump output:

    -
    - -
    +
    + +
    	13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
    	13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 192.0.2.254 > 192.0.2.177 : icmp: echo reply
    -
    - -
    +
    + +

    Notice that the source MAC address in the echo request is - different from the destination MAC address in the echo reply!! In this - case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 - was the MAC address of DMZ 1. In other words, the gateway's ARP cache - still associates 192.0.2.177 with the NIC in DMZ 1 rather than with the - firewall's eth0.

    -
    - -
    + different from the destination MAC address in the echo reply!! In this + case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 + was the MAC address of DMZ 1. In other words, the gateway's ARP cache + still associates 192.0.2.177 with the NIC in DMZ 1 rather than with +the firewall's eth0.

    +
    + +

    5.2.4 Static NAT

    -
    - -
    +
    + +

    With static NAT, you assign local systems RFC 1918 addresses - then establish a one-to-one mapping between those addresses and public - IP addresses. For outgoing connections SNAT (Source Network Address - Translation) occurs and on incoming connections DNAT (Destination Network - Address Translation) occurs. Let's go back to our earlier example involving - your daughter's web server running on system Local 3.

    -
    - -
    + then establish a one-to-one mapping between those addresses and public + IP addresses. For outgoing connections SNAT (Source Network Address + Translation) occurs and on incoming connections DNAT (Destination +Network Address Translation) occurs. Let's go back to our earlier example +involving your daughter's web server running on system Local 3.

    +
    + +

    -

    -
    - -
    +

    +
    + +

    Recall that in this setup, the local network is using SNAT - and is sharing the firewall external IP (192.0.2.176) for outbound connections. - This is done with the following entry in /etc/shorewall/masq:

    -
    - -
    -
    + and is sharing the firewall external IP (192.0.2.176) for outbound +connections. This is done with the following entry in /etc/shorewall/masq:

    +
    + +
    +
    - - - - - - - - - - - - - + + + + + + + + + + + + +
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    -
    -
    - -
    + +
    + +

    -     Suppose now that you have decided to give your daughter her -own IP address (192.0.2.179) for both inbound and outbound connections. -You would do that by adding an entry in /etc/shorewall/nat.

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo
    -
    -
    - -
    + +
    + +

    With this entry in place, you daughter has her own IP address - and the other two local systems share the firewall's IP address.

    -
    - -
    + and the other two local systems share the firewall's IP address.

    +
    + +

    -     Once the relationship between 192.0.2.179 and 192.168.201.4 -is established by the nat file entry above, it is no longer appropriate - to use a DNAT rule for you daughter's web server -- you would rather - just use an ACCEPT rule:

    -
    - -
    -
    +     Once the relationship between 192.0.2.179 and 192.168.201.4 + is established by the nat file entry above, it is no longer appropriate + to use a DNAT rule for you daughter's web server -- you would rather + just use an ACCEPT rule:

    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    ACCEPTnetloc:192.168.201.4tcpwww  
    ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIGINAL DESTINATION
    ACCEPTnetloc:192.168.201.4tcpwww  
    -
    -
    - -
    + +
    + +

    5.3 Rules

    -
    - -
    +
    + +

    -     With the default policies, your local systems (Local 1-3) can - access any servers on the internet and the DMZ can't access any other - host (including the firewall). With the exception of DNAT rules which cause address translation and allow - the translated connection request to pass through the firewall, the way - to allow connection requests through your firewall is to use ACCEPT -rules.

    -
    - -
    + the translated connection request to pass through the firewall, the +way to allow connection requests through your firewall is to use ACCEPT + rules.

    +
    + +

    NOTE: Since the SOURCE PORT and ORIG. DEST. Columns aren't - used in this section, they won't be shown

    -
    - -
    + used in this section, they won't be shown

    +
    + +

    You probably want to allow ping between your zones:

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORT
    ACCEPTnetdmzicmpecho-request
    ACCEPTnetlocicmpecho-request
    ACCEPTdmzlocicmpecho-request
    ACCEPTlocdmzicmpecho-request
    ACTIONSOURCEDESTINATIONPROTOCOLPORT
    ACCEPTnetdmzicmpecho-request
    ACCEPTnetlocicmpecho-request
    ACCEPTdmzlocicmpecho-request
    ACCEPTlocdmzicmpecho-request
    -
    -
    - -
    + +
    + +

    Let's suppose that you run mail and pop3 servers on DMZ 2 - and a Web Server on DMZ 1. The rules that you would need are:

    -
    - -
    -
    + and a Web Server on DMZ 1. The rules that you would need are:

    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.177tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.177tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.177tcphttps# Secure HTTP from the Local Net
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.177tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.177tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.177tcphttps# Secure HTTP from the Local Net
    -
    -
    - -
    + +
    + +

    If you run a public DNS server on 192.0.2.177, you would need to add the following rules:

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    -
    -
    - -
    + +
    + +

    You probably want some way to communicate with your firewall - and DMZ systems from the local network -- I recommend SSH which through - its scp utility can also do publishing and software update distribution.

    -
    - -
    -
    + and DMZ systems from the local network -- I recommend SSH which through + its scp utility can also do publishing and software update distribution.

    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the Firewall
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the Firewall
    -
    -
    - -
    + +
    + +

    5.4 Odds and Ends

    -
    - -
    +
    + +

    The above discussion reflects my personal preference for using Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I prefer to use NAT only in cases where a system that is part of an RFC 1918 subnet needs to have it's own public IP. 

    -
    - -
    +
    + +

    -     If you haven't already, it would be a good idea to browse through - /etc/shorewall/shorewall.conf just - to see if there is anything there that might be of interest. You might - also want to look at the other configuration files that you haven't -touched yet just to get a feel for the other things that Shorewall can -do.

    -
    - -
    +     If you haven't already, it would be a good idea to browse +through /etc/shorewall/shorewall.conf +just to see if there is anything there that might be of interest. You +might also want to look at the other configuration files that you +haven't touched yet just to get a feel for the other things that Shorewall +can do.

    +
    + +

    In case you haven't been keeping score, here's the final set of configuration files for our sample network. Only those that were modified from the original installation are shown.

    -
    - -
    +
    + +

    /etc/shorewall/interfaces (The "options" will be very site-specific).

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918,routefilter
    loceth1detect 
    dmzeth2detect 
    ZoneInterfaceBroadcastOptions
    neteth0detectnorfc1918,routefilter
    loceth1detect 
    dmzeth2detect 
    -
    -
    - -
    + +
    + +

    The setup described here requires that your network interfaces - be brought up before Shorewall can start. This opens a short window -during which you have no firewall protection. If you replace 'detect' -with the actual broadcast addresses in the entries above, you can bring -up Shorewall before you bring up your network interfaces.

    -
    - -
    -
    + be brought up before Shorewall can start. This opens a short window + during which you have no firewall protection. If you replace 'detect' + with the actual broadcast addresses in the entries above, you can bring + up Shorewall before you bring up your network interfaces.

    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ZoneInterfaceBroadcastOptions
    neteth0192.0.2.255norfc1918,routefilter
    loceth1192.168.201.7 
    dmzeth2192.168.202.7 
    ZoneInterfaceBroadcastOptions
    neteth0192.0.2.255norfc1918,routefilter
    loceth1192.168.201.7 
    dmzeth2192.168.202.7 
    -
    -
    - -
    + +
    + +

    /etc/shorewall/masq - Local subnet

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - + + + + + + + + + + + + +
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    INTERFACESUBNETADDRESS
    eth0192.168.201.0/29192.0.2.176
    -
    -
    - -
    + +
    + +

    /etc/shorewall/proxyarp - DMZ

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
    ADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No
    ADDRESSINTERFACEEXTERNALHAVE ROUTE
    192.0.2.177eth2eth0No
    192.0.2.178eth2eth0No
    -
    -
    - -
    + +
    + +

    /etc/shorewall/nat- Daughter's System

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo
    EXTERNALINTERFACEINTERNALALL INTERFACES LOCAL
    192.0.2.179eth0192.168.201.4NoNo
    -
    -
    - -
    + +
    + +

    /etc/shorewall/rules

    -
    - -
    -
    +
    + +
    +
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.178tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.178tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.178tcphttps# Secure HTTP from the Local Net
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    ACCEPTnetdmzicmpecho-request# Ping
    ACCEPTnetlocicmpecho-request#  "
    ACCEPTdmzlocicmpecho-request# "
    ACCEPTlocdmzicmpecho-request# "
    ACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the Firewall
    ACTIONSOURCEDESTINATIONPROTOCOLPORTCOMMENTS
    ACCEPTnetdmz:192.0.2.178tcpsmtp# Mail from the Internet
    ACCEPTnetdmz:192.0.2.178tcppop3# Pop3 from the Internet
    ACCEPTlocdmz:192.0.2.178tcpsmtp# Mail from the Local Network
    ACCEPTlocdmz:192.0.2.178tcppop3# Pop3 from the Local Network
    ACCEPTfwdmz:192.0.2.178tcpsmtp# Mail from the Firewall
    ACCEPTdmz:192.0.2.178nettcpsmtp# Mail to the Internet
    ACCEPTnetdmz:192.0.2.178tcphttp# WWW from the Net
    ACCEPTnetdmz:192.0.2.178tcphttps# Secure HTTP from the Net
    ACCEPTlocdmz:192.0.2.178tcphttps# Secure HTTP from the Local Net
    ACCEPTnetdmz:192.0.2.177udpdomain# UDP DNS from the Internet
    ACCEPTnetdmz:192.0.2.177tcpdomain# TCP DNS from the internet
    ACCEPTfwdmz:192.0.2.177udpdomain# UDP DNS from firewall
    ACCEPTfwdmz:192.0.2.177tcpdomain# TCP DNS from firewall
    ACCEPTlocdmz:192.0.2.177udpdomain# UDP DNS from the local Net
    ACCEPTlocdmz:192.0.2.177tcpdomain# TCP DNS from the local Net
    ACCEPTdmz:192.0.2.177netudpdomain# UDP DNS to the Internet
    ACCEPTdmz:192.0.2.177nettcpdomain# TCP DNS to the Internet
    ACCEPTnetdmzicmpecho-request# Ping
    ACCEPTnetlocicmpecho-request#  "
    ACCEPTdmzlocicmpecho-request# "
    ACCEPTlocdmzicmpecho-request# "
    ACCEPTlocdmztcpssh# SSH to the DMZ
    ACCEPTlocfwtcpssh# SSH to the Firewall
    -
    -
    - -
    + +
    + +

    6.0 DNS

    -
    - -
    +
    + +

    Given the collection of RFC 1918 and public addresses in this setup, it only makes sense to have separate internal and external DNS servers. You can combine the two into a single BIND 9 server using Views. If you are not interested in Bind 9 views, you can go to the next section.

    -
    - -
    +
    + +

    Suppose that your domain is foobar.net and you want the two - DMZ systems named www.foobar.net and mail.foobar.net and you want the - three local systems named "winken.foobar.net, blinken.foobar.net and -nod.foobar.net. You want your firewall to be known as firewall.foobar.net -externally and it's interface to the local network to be know as gateway.foobar.net - and its interface to the dmz as dmz.foobar.net. Let's have the DNS server - on 192.0.2.177 which will also be known by the name ns1.foobar.net.

    -
    - -
    + DMZ systems named www.foobar.net and mail.foobar.net and you want the + three local systems named "winken.foobar.net, blinken.foobar.net and + nod.foobar.net. You want your firewall to be known as firewall.foobar.net + externally and it's interface to the local network to be know as gateway.foobar.net + and its interface to the dmz as dmz.foobar.net. Let's have the DNS server + on 192.0.2.177 which will also be known by the name ns1.foobar.net.

    +
    + +

    The /etc/named.conf file would look like this:

    -
    - -
    -
    -
    +
    + +
    +
    + 
    options {
    	directory "/var/named";
    	listen-on { 127.0.0.1 ; 192.0.2.177; };
    };

    logging {
    	channel xfer-log {
    		file "/var/log/named/bind-xfer.log";
    		print-category yes;
    		print-severity yes;
    		print-time yes;
    		severity info;
    	};
    	category xfer-in { xfer-log; };
    	category xfer-out { xfer-log; };
    	category notify { xfer-log; };
    };
    -
    - -
    +
    + + 
    #
    # This is the view presented to our internal systems
    #

    view "internal" {
    	#
    	# These are the clients that see this view
    	#
    	match-clients { 192.168.201.0/29;
    			192.168.202.0/29;
    			127.0.0/24;
    			192.0.2.176/32; 
    			192.0.2.178/32;
    			192.0.2.179/32;
    			192.0.2.180/32; };
    	#
    	# If this server can't complete the request, it should use outside
    	# servers to do so
    	#
    	recursion yes;

    	zone "." in {
    		type hint;
    		file "int/root.cache";
    	};

    	zone "foobar.net" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "int/db.foobar";
    	};

    	zone "0.0.127.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "int/db.127.0.0";	
    	};

    	zone "201.168.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "int/db.192.168.201";
    	};

    	zone "202.168.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "int/db.192.168.202";
    	};

    	zone "176.2.0.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "db.192.0.2.176";
    	};
     (or status NAT for that matter)
    	zone "177.2.0.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "db.192.0.2.177";
    	};

    	zone "178.2.0.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "db.192.0.2.178";
    	};

    	zone "179.2.0.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "db.206.124.146.179";
    	};

    };
    #
    # This is the view that we present to the outside world
    #
    view "external" {
    	match-clients { any; };
    	#
    	# If we can't answer the query, we tell the client so
    	#
    	recursion no;

    	zone "foobar.net" in {
    		type master;
    		notify yes;
    		allow-update {none; };
    		allow-transfer { <secondary NS IP>; };
    		file "ext/db.foobar";
    	};

    	zone "176.2.0.192.in-addr.arpa" in {
     		type master;
    		notify yes;
    		allow-update { none; };
    		allow-transfer { <secondary NS IP>; };
    		file "db.192.0.2.176";
    	};

    	zone "177.2.0.192.in-addr.arpa" in {
    		type master;
    		notify yes;
    		allow-update { none; };
    		allow-transfer { <secondary NS IP>; };
    		file "db.192.0.2.177";
    	};

    	zone "178.2.0.192.in-addr.arpa" in {
    		type master;
    		notify yes;
    		allow-update { none; };
    		allow-transfer { <secondary NS IP>; };
    		file "db.192.0.2.178";
    	};

    	zone "179.2.0.192.in-addr.arpa" in {
    		type master;
    		notify yes;
    		allow-update { none; };
    		allow-transfer { <secondary NS IP>; };
    		file "db.192.0.2.179";
    	};
    };
    -
    -
    -
    - -
    +
    +
    +
    + +

    Here are the files in /var/named (those not shown are usually - included in your bind disbribution).

    - + included in your bind disbribution).

    +

    db.192.0.2.176 - This is the reverse zone for the firewall's - external interface

    - -
    + external interface

    + +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32
    ; Filename: db.192.0.2.176
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2001102303 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800	IN NS	ns1.foobar.net.
    @	604800	IN NS	<name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's) 
    ; ############################################################
    176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.
    -
    -
    - -
    + +
    + +
    db.192.0.2.177 - This is the reverse zone for the www/DNS - server -
    + server +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32
    ; Filename: db.192.0.2.177
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2001102303 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800	IN NS	ns1.foobar.net.
    @	604800	IN NS	<name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's) 
    ; ############################################################
    177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.
    -
    -
    -
    - -
    + +
    + + +
    db.192.0.2.178 - This is the reverse zone for the mail - server -
    + server +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32
    ; Filename: db.192.0.2.178
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2001102303 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800	IN NS	ns1.foobar.net.
    @	604800	IN NS	<name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's) 
    ; ############################################################
    178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.
    -
    -
    -
    - -
    + +
    + + +
    db.192.0.2.179 - This is the reverse zone for daughter's - web server's public IP -
    + web server's public IP +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32
    ; Filename: db.192.0.2.179
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2001102303 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800	IN NS	ns1.foobar.net.
    @	604800	IN NS	<name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's) 
    ; ############################################################
    179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.
    -
    -
    -
    - -
    + +
    + + +

    int/db.127.0.0 - The reverse zone for localhost

    -
    - -
    -
    +
    + +
    +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8
    ; Filename: db.127.0.0
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    				2001092901 ; serial
    				10800 ; refresh (3 hour)
    				3600 ; retry (1 hour)
    				604800 ; expire (7 days)
    				86400 ) ; minimum (1 day)
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800		IN NS	ns1.foobar.net.

    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    1	86400		IN PTR	localhost.foobar.net.
    -
    -
    - -
    + +
    + +

    int/db.192.168.201 - Reverse zone for the local net. This - is only shown to internal clients

    -
    - -
    -
    + is only shown to internal clients

    +
    + +
    +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29
    ; Filename: db.192.168.201
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
    				2002032501 ; serial
    				10800 ; refresh (3 hour)
    				3600 ; retry (1 hour)
    				604800 ; expire (7 days)
    				86400 ) ; minimum (1 day)

    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800		IN NS	ns1.foobar.net.

    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    1	86400		IN PTR 	gateway.foobar.net.
    2	86400		IN PTR	winken.foobar.net.
    3	86400		IN PTR	blinken.foobar.net.
    4	86400		IN PTR	nod.foobar.net.
    -
    -
    - -
    + +
    + +

    int/db.192.168.202 - Reverse zone for the firewall's DMZ interface

    -
    - -
    -
    -
    +
    + +
    +
    + 
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29
    ; Filename: db.192.168.202
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
    				2002032501 ; serial
    				10800 ; refresh (3 hour)
    				3600 ; retry (1 hour)
    				604800 ; expire (7 days)
    				86400 ) ; minimum (1 day)

    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @		604800	IN NS	ns1.foobar.net.

    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    1 		86400 IN PTR	dmz.foobar.net.
    -
    -
    -
    - -
    +
    +
    +
    + +

    int/db.foobar - Forward zone for use by internal clients.

    -
    - -
    -
    +
    + +
    +
    ;##############################################################
    ; Start of Authority for foobar.net.
    ; Filename: db.foobar
    ;##############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2002071501 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ); minimum (1 day)
    ;############################################################
    ; foobar.net Nameserver Records (NS)
    ;############################################################
    @ 		604800	IN NS	ns1.foobar.net.

    ;############################################################
    ; Foobar.net Office Records (ADDRESS)
    ;############################################################
    localhost	86400 	IN A 	127.0.0.1

    firewall	86400	IN A	192.0.2.176
    www		86400	IN A	192.0.2.177
    ns1 		86400	IN A 	192.0.2.177
    www		86400	IN A	192.0.2.177

    gateway		86400	IN A 	192.168.201.1
    winken		86400	IN A 	192.168.201.2
    blinken		86400	IN A	192.168.201.3
    nod		86400	IN A	192.168.201.4
    -
    -
    - -
    + +
    + +

    ext/db.foobar - Forward zone for external clients

    -
    - -
    -
    -
    +
    + +
    +
    + 
    ;##############################################################
    ; Start of Authority for foobar.net.
    ; Filename: db.foobar
    ;##############################################################
    @ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2002052901 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ); minimum (1 day)
    ;############################################################
    ; Foobar.net Nameserver Records (NS)
    ;############################################################
    @		86400	IN NS	ns1.foobar.net.
    @		86400	IN NS	<secondary NS>.
    ;############################################################
    ; Foobar.net 	Foobar Wa Office Records (ADDRESS)
    ;############################################################
    localhost	86400	IN A	127.0.0.1
    ;
    ; The firewall itself
    ;
    firewall	86400	IN A	192.0.2.176
    ;
    ; The DMZ
    ;
    ns1		86400	IN A	192.0.2.177
    www		86400	IN A	192.0.2.177
    mail		86400	IN A	192.0.2.178
    ;
    ; The Local Network
    ;
    nod		86400	IN A	192.0.2.179

    ;############################################################
    ; Current Aliases for foobar.net (CNAME)
    ;############################################################

    ;############################################################
    ; foobar.net MX Records (MAIL EXCHANGER)
    ;############################################################
    foobar.net.	86400	IN A	192.0.2.177
    		86400 	IN MX 0 mail.foobar.net.
    		86400	IN MX 1 <backup MX>.
    -
    -
    -
    - -
    +
    +
    +
    + +

    7.0 Starting and Stopping - Your Firewall

    -
    - -
    + Your Firewall +
    + +

    The installation procedure configures - your system to start Shorewall at system boot.

    -
    - -
    + your system to start Shorewall at system boot.

    +
    + +

    The firewall is started using the "shorewall start" command - and stopped using "shorewall stop". When the firewall is stopped, routing - is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A - running firewall may be restarted using the "shorewall restart" command. - If you want to totally remove any trace of Shorewall from your Netfilter - configuration, use "shorewall clear".

    -
    - -
    + running firewall may be restarted using the "shorewall restart" command. + If you want to totally remove any trace of Shorewall from your Netfilter + configuration, use "shorewall clear".

    +
    + +

    -     Edit the /etc/shorewall/routestopped file and configure those - systems that you want to be able to access the firewall when it is stopped.

    -
    - -
    +     Edit the /etc/shorewall/routestopped file and configure those + systems that you want to be able to access the firewall when it is +stopped.

    +
    + +

    WARNING: If you are connected to your firewall from - the internet, do not issue a "shorewall stop" command unless you have - added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. Also, I don't recommend using "shorewall restart"; it is better to create - an alternate configuration - and test it using the "shorewall - try" command.

    -
    - -

    Last updated 2/21/2003 - alternate configuration + and test it using the "shorewall + try" command.

    + + +

    Last updated 3/21/2003 - Tom Eastep

    - +

    Copyright 2002, 2003 - Thomas M. Eastep

    -
    + Thomas M. Eastep

    +
    +
    +



    diff --git a/STABLE/documentation/sourceforge_index.htm b/STABLE/documentation/sourceforge_index.htm index cf7699c5a..be7961910 100644 --- a/STABLE/documentation/sourceforge_index.htm +++ b/STABLE/documentation/sourceforge_index.htm @@ -7,7 +7,7 @@ - + Shoreline Firewall (Shorewall) 1.3 @@ -17,23 +17,23 @@ - + - + - + - + - - + + - - - + + +
    + @@ -43,13 +43,13 @@ - +

    Shorwall Logo - Shorewall 1.4 - "iptables made easy"

    @@ -64,36 +64,36 @@ - + -
    - -
    + +
    -
    +
    - + - + - + - - + + + - - - + + +
    + @@ -105,7 +105,7 @@ - +

    What is it?

    @@ -119,12 +119,12 @@ - -

    The Shoreline Firewall, more commonly known as  "Shorewall", is - a Netfilter (iptables) - based firewall that can be used on a dedicated firewall system, - a multi-function gateway/router/server or on a standalone - GNU/Linux system.

    + +

    The Shoreline Firewall, more commonly known as  "Shorewall", is + a Netfilter (iptables) + based firewall that can be used on a dedicated firewall +system, a multi-function gateway/router/server or on a standalone + GNU/Linux system.

    @@ -137,29 +137,29 @@ - -

    This program is free software; you can redistribute it and/or modify - it under the -terms of Version - 2 of the GNU General Public License as published by the Free Software - Foundation.
    + +

    This program is free software; you can redistribute it and/or modify + it under the + terms of Version + 2 of the GNU General Public License as published by the Free +Software Foundation.
    -
    +
    - This program is distributed - in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied - warranty of MERCHANTABILITY or FITNESS FOR -A PARTICULAR PURPOSE. See the GNU General Public License - for more details.
    + This program is distributed + in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public +License for more details.
    -
    +
    - You should have received - a copy of the GNU General Public License - along with this program; if not, write -to the Free Software Foundation, Inc., 675 - Mass Ave, Cambridge, MA 02139, USA

    + You should have received + a copy of the GNU General Public License + along with this program; if not, write + to the Free Software Foundation, Inc., 675 + Mass Ave, Cambridge, MA 02139, USA

    @@ -172,7 +172,7 @@ to the Free Software Foundation, Inc., 675 - +

    Copyright 2001, 2002, 2003 Thomas M. Eastep

    @@ -186,26 +186,26 @@ to the Free Software Foundation, Inc., 675 - +

    - Jacques -Nilo and Eric Wolzak have a LEAF (router/firewall/gateway - on a floppy, CD or compact flash) distribution - called Bering that features - Shorewall-1.3.14 and Kernel-2.4.20. You can find - their work at: Jacques + Nilo and Eric Wolzak have a LEAF (router/firewall/gateway + on a floppy, CD or compact flash) distribution + called Bering that features + Shorewall-1.3.14 and Kernel-2.4.20. You can find + their work at: http://leaf.sourceforge.net/devel/jnilo

    - Congratulations - to Jacques and Eric on the recent release of Bering - 1.1!!!
    -     + Congratulations + to Jacques and Eric on the recent release of Bering +1.1!!!
    +     - +

    News

    @@ -221,278 +221,23 @@ Nilo and Eric Wolzak have a LEAF (router/firewall/gatew - -

    3/17/2003 - Shorewall 1.4.0  3/24/2003 - Shorewall 1.4.1 (New) -  

    - Shorewall 1.4 represents - the next step in the evolution of Shorewall. The main thrust of the -initial release is simply to remove the cruft that has accumulated in -Shorewall over time.
    -
    - IMPORTANT: Shorewall 1.4.0 requires the iproute package - ('ip' utility).
    -
    - Function from 1.3 that has been omitted from this version -include:
    +  

    + - -
      -
    1. The MERGE_HOSTS variable in shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.
      -
      -
      2. -
    2. Interface names of the form <device>:<integer> - in /etc/shorewall/interfaces now generate an error.
      -
      -
      3. -
    3. Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No. - OLD_PING_HANDLING=Yes will generate an error at startup as will specification - of the 'noping' or 'filterping' interface options.
      -
      -
      4. -
    4. The 'routestopped' option in the /etc/shorewall/interfaces - and /etc/shorewall/hosts files is no longer supported and will generate - an error at startup if specified.
      -
      -
      5. -
    5. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no -longer accepted.
      -
      -
      6. -
    6. The ALLOWRELATED variable in shorewall.conf is no longer supported. - Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
      -
      -
      7. -
    7. The icmp.def file has been removed.
      -
      8. -
    - Changes for 1.4 include:
    - -
      -
    1. The /etc/shorewall/shorewall.conf file has been completely - reorganized into logical sections.
      -
      -
      2. -
    2. LOG is now a valid action for a rule (/etc/shorewall/rules).
      -
      -
      3. -
    3. The firewall script, common functions file and version file - are now installed in /usr/share/shorewall.
      -
      -
      4. -
    4. Late arriving DNS replies are now silently dropped in the -common chain by default.
      -
      -
      5. -
    5. In addition to behaving like OLD_PING_HANDLING=No, Shorewall - 1.4 no longer unconditionally accepts outbound ICMP packets. So if you - want to 'ping' from the firewall, you will need the appropriate rule or - policy.
      -
      -
      6. -
    6. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
      -
      -
      7. -
    7. 802.11b devices with names of the form wlan<n> - now support the 'maclist' option.
      -
      -
      8. -
    8. Explicit Congestion Notification (ECN - RFC 3168) - may now be turned off on a host or network basis using the new /etc/shorewall/ecn - file. To use this facility:
      -
      -    a) You must be running kernel 2.4.20
      -    b) You must have applied the patch in
      -    http://www.shorewall/net/pub/shorewall/ecn/patch.
      -    c) You must have iptables 1.2.7a installed.
      -
      -
      9. -
    9. The /etc/shorewall/params file is now processed first so that - variables may be used in the /etc/shorewall/shorewall.conf file.
      -
      -
      10. -
    10. Shorewall now gives a more helpful diagnostic when - the 'ipchains' compatibility kernel module is loaded and a 'shorewall start' - command is issued.
      -
      -
      11. -
    11. The SHARED_DIR variable has been removed from shorewall.conf. - This variable was for use by package maintainers and was not documented -for general use.
      -
      -
      12. -
    12. Shorewall now ignores 'default' routes when detecting masq'd - networks.
      -
      13. -
    - -

    3/11/2003 - Shoreall 1.3.14a (New) -  

    - -

    A roleup of the following bug fixes and other updates:

    - + + + + + + + + +
      -
    • There is an updated rfc1918 file that reflects the resent -allocation of 222.0.0.0/8 and 223.0.0.0/8. 
      • -
    • The documentation for the routestopped file claimed that a comma-separated - list could appear in the second column while the code only supported a - single host or network address. 
      • -
    • Log messages produced by 'logunclean' and 'dropunclean' were - not rate-limited. 
      • -
    • 802.11b devices with names of the form wlan<n> -don't support the 'maclist' interface option. 
      • -
    • Log messages generated by RFC 1918 filtering are not rate limited. 
      • -
    • The firewall fails to start in the case where you have "eth0 - eth1" in /etc/shorewall/masq and the default route is through eth1 -
      • - -
    - - -

    2/8/2003 - Shorewall 1.3.14

    - - -

    New features include

    - - -
      -
    1. An OLD_PING_HANDLING option has been added to shorewall.conf. - When set to Yes, Shorewall ping handling is as it has always been - (see http://www.shorewall.net/ping.html).
      -
      - When OLD_PING_HANDLING=No, icmp echo (ping) is handled -via rules and policies just like any other connection request. The -FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping' -options in /etc/shorewall/interfaces will all generate an error.
      -
      -
      2. -
    2. It is now possible to direct Shorewall to create - a "label" such as  "eth0:0" for IP addresses that it creates under - ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying - the label instead of just the interface name:
      -  
      -    a) In the INTERFACE column of /etc/shorewall/masq
      -    b) In the INTERFACE column of /etc/shorewall/nat
      -  
      3. -
    3. Support for OpenVPN Tunnels.
      -
      -
      4. -
    4. Support for VLAN devices with names of the form -$DEV.$VID (e.g., eth0.0)
      -
      -
      5. -
    5. In /etc/shorewall/tcrules, the MARK value may be -optionally followed by ":" and either 'F' or 'P' to designate that the -marking will occur in the FORWARD or PREROUTING chains respectively. -If this additional specification is omitted, the chain used to mark packets -will be determined by the setting of the MARK_IN_FORWARD_CHAIN option -in shorewall.conf.
      -
      -
      6. -
    6. When an interface name is entered in the SUBNET -column of the /etc/shorewall/masq file, Shorewall previously masqueraded - traffic from only the first subnet defined on that interface. It -did not masquerade traffic from:
      -  
      -    a) The subnets associated with other addresses on the - interface.
      -    b) Subnets accessed through local routers.
      -  
      - Beginning with Shorewall 1.3.14, if you enter an interface - name in the SUBNET column, shorewall will use the firewall's routing - table to construct the masquerading/SNAT rules.
      -  
      - Example 1 -- This is how it works in 1.3.14.
      -   
      - - - - 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - - - 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
      - - - - 
         [root@gateway test]# shorewall start
         ...
         Masqueraded Subnets and Hosts:
             To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
             To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
         Processing /etc/shorewall/tos...
      -  
      - When upgrading to Shorewall 1.3.14, if you have multiple - local subnets connected to an interface that is specified in the -SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq -file will need changing. In most cases, you will simply be able to remove -redundant entries. In some cases though, you might want to change from -using the interface name to listing specific subnetworks if the change described -above will cause masquerading to occur on subnetworks that you don't wish -to masquerade.
      -  
      - Example 2 -- Suppose that your current config is as follows:
      -   
      - - - - 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         eth0                    192.168.10.0/24         206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - - - 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
      -  
      -    In this case, the second entry in /etc/shorewall/masq - is no longer required.
      -  
      - Example 3 -- What if your current configuration is like - this?
      -  
      - - - - 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - - - 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
      -  
      -    In this case, you would want to change the entry in  - /etc/shorewall/masq to:
      - - - - 
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    192.168.1.0/24          206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      -
      7. - - -
    - - -

    2/5/2003 - Shorewall Support included in Webmin 1.060 -

    - Webmin version 1.060 now has Shorewall support included -as standard. See http://www.webmin.com - - - - - - - - - - - -
      - - - - - - - - - -
    @@ -502,6 +247,60 @@ as standard. See http://www.webmin. + + + + + + + + + + +

    This release follows up on 1.4.0. It corrects a problem introduced +in 1.4.0 and removes additional warts.
    +
    + Problems Corrected:
    +

    +
      +
    1. When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), +it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file +is empty. That problem has been corrected so that ECN disabling rules are +only added if there are entries in /etc/shorewall/ecn.
      2. +
    + New Features:
    + +
    Note: In the list that follows, the term group refers +to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be +a host address) accessed through a particular interface. Examples:
    + +
    eth0:0.0.0.0/0
    + eth2:192.168.1.0/24
    + eth3:192.0.2.123
    +
    + You can use the "shorewall check" command to see the groups associated with +each of your zones.
    +
    + +
      +
    1. Beginning with Shorewall 1.4.1, if a zone Z comprises more than +one group then if there is no explicit Z to Z policy and there are +no rules governing traffic from Z to Z then Shorewall will permit all traffic +between the groups in the zone.
      2. +
    2. Beginning with Shorewall 1.4.1, Shorewall will never create rules +to handle traffic from a group to itself.
      3. +
    3. A NONE policy is introduced in 1.4.1. When a policy of NONE is +specified from Z1 to Z2:
      4. +
    + +
      +
    • There may be no rules created that govern connections from Z1 +to Z2.
      • +
    • Shorewall will not create any infrastructure to handle traffic +from Z1 to Z2.
      • +
    + See the     upgrade issues for a discussion +of how these changes may affect your configuration.

    More News

    @@ -515,7 +314,7 @@ as standard. See http://www.webmin. - +

    @@ -523,18 +322,18 @@ as standard. See     http://www.webmin. - +

    SourceForge Logo -

    + - +

    @@ -542,7 +341,7 @@ as standard. See http://www.webmin. - +

    This site is hosted by the generous folks at SourceForge.net

    @@ -551,45 +350,47 @@ as standard. See http://www.webmin. - +

    Donations

    -
    -
    -
    +
    -
    +
    - + - + - + + + + + + + + + + + -

    Shorewall is free but -if you try it and find it useful, please consider making a donation - to Starlight Children's -Foundation. Thanks!

    - - - - - - - - - - - - + +
    - @@ -599,12 +400,11 @@ as standard. See http://www.webmin. -

    -

    +

    @@ -617,33 +417,35 @@ as standard. See http://www.webmin. + +

    Shorewall is free +but if you try it and find it useful, please consider making a donation + to Starlight +Children's Foundation. Thanks!

    + +
    - -

    Updated 3/17/2003 - Tom Eastep - -
    -

    + +

    Updated 3/21/2003 - Tom Eastep + +
    +

    +

    diff --git a/STABLE/documentation/support.htm b/STABLE/documentation/support.htm index 0f85ded95..203d346b4 100644 --- a/STABLE/documentation/support.htm +++ b/STABLE/documentation/support.htm @@ -3,89 +3,89 @@ - + - + Shorewall Support Guide - + - - - + + - + + + - - + +
    +
    + - - +

    Shorewall Support Guide -

    -
    - +

    Before Reporting a Problem or Asking a Question
    -

    - There are a number -of sources of Shorewall information. Please try these before you post. - - + + There are a number + of sources of Shorewall information. Please try these before you post. + + - +

    Site and Mailing List Archive Search

    - -
    + +
    Match: - + - Format: + Format: - Sort by: + Sort by: - Include Mailing - List Archives: + List Archives: -
    - Search:
    + Search:
    -
    -
    - + +
    +

    Problem Reporting Guidelines
    -

    + - +
      -
    • Please remember we only know what is posted -in your message. Do not leave out any information that appears to -be correct, or was mentioned in a previous post. There have been +
    • Please remember we only know what is posted + in your message. Do not leave out any information that appears +to be correct, or was mentioned in a previous post. There have been countless posts by people who were sure that some part of their - configuration was correct when it actually contained a small error. - We tend to be skeptics where detail is lacking.
      -
      -
      • -
    • Please keep in mind that you're asking for - free technical support. Any help we offer -is an act of generosity, not an obligation. Try to make it easy + configuration was correct when it actually contained a small error. + We tend to be skeptics where detail is lacking.
      +
      +
      • +
    • Please keep in mind that you're asking for + free technical support. Any help we offer + is an act of generosity, not an obligation. Try to make it easy for us to help you. Follow good, courteous practices in writing and formatting your e-mail. Provide details that we need if you expect good answers. Exact quoting of error messages, log entries, command output, and other output is better than a paraphrase or summary.
      -
      -
      • -
    • Please don't - describe your environment and then ask us to send you - custom configuration files. We're here to answer your -questions but we can't do your job for you.
      -
      -
      • -
    • When reporting a problem, ALWAYS - include this information:
      • - +
      + +
    • Please +don't describe your environment and then ask us to send you + custom configuration files. We're here to answer your + questions but we can't do your job for you.
      +
      +
      • +
    • When reporting a problem, ALWAYS + include this information:
      • +
    - +
      - +
        -
      • the exact version of Shorewall you are running.
        -
        - shorewall version
        -
        -
        • +
      • the exact version of Shorewall you are +running.
        +
        + shorewall version
        +
        +
        • - +
      - +
        -
      • the exact kernel version you are running
        -
        - uname -a
        -
        -
        • +
      • the exact kernel version you are running
        +
        + uname -a
        +
        +
        • - +
      - +
        -
      • the complete, exact output of
        -
        - ip addr show
        -
        -
        • +
      • the complete, exact output of
        +
        + ip addr show
        +
        +
        • - +
      - +
        -
      • the complete, exact output of
        -
        - ip route show
        -
        -
        • +
      • the complete, exact output of
        +
        + ip route show
        +
        +
        • - +
      - +
        -
      • If your kernel is modularized, the exact -output from
        -
        - lsmod
        -
        -
        • -
      • the exact wording of any If your kernel is modularized, the exact + output from
        +
        + lsmod
        +
        +
        • +
      • the exact wording of any ping failure responses
        -
        -
        • -
      • If you installed Shorewall using one of the QuickStart - Guides, please indicate which one.
        -
        -
        • -
      • If you are running Shorewall under Mandrake using - the Mandrake installation of Shorewall, please say so.
        +
        +
        • +
      • If you installed Shorewall using one of the QuickStart + Guides, please indicate which one.
        +
        +
        • +
      • If you are running Shorewall under Mandrake +using the Mandrake installation of Shorewall, please say so.
        +
        • + + +
      + +
    + +
      + +
        +
      • If you are having connection + problems of any kind then:
        +
        + 1. /sbin/shorewall/reset
        +
        + 2. Try the connection that is failing.
        +
        + 3. /sbin/shorewall status > /tmp/status.txt
        +
        + 4. Post the /tmp/status.txt file as an attachment.

        • - -
      - -
    - -
      -
    • NEVER include the output of "iptables -L". Instead, if you are having connection problems of - any kind then:
      -
      - 1. /sbin/shorewall/reset
      -
      - 2. Try the connection that is failing.
      -
      - 3. /sbin/shorewall status > /tmp/status.txt
      -
      - 4. Post the /tmp/status.txt file as an attachment.
      -
      -
      • -
    • As a general - matter, please do not edit the diagnostic information - in an attempt to conceal your IP address, netmask, nameserver addresses, - domain name, etc. These aren't secrets, and concealing them often - misleads us (and 80% of the time, a hacker could derive them anyway - from information contained in the SMTP headers of your post).
      -
      -
      • -
    • Do you see any "Shorewall" messages ("As a general + matter, please do not edit the diagnostic information + in an attempt to conceal your IP address, netmask, nameserver +addresses, domain name, etc. These aren't secrets, and concealing + them often misleads us (and 80% of the time, a hacker could derive them + anyway from information contained in the SMTP headers of your post).
      +
      +
      • +
    • Do you see any "Shorewall" messages ("/sbin/shorewall show log") when - you exercise the function that is giving you problems? If so, include - the message(s) in your post along with a copy of your /etc/shorewall/interfaces - file.
      -
      -
      • -
    • Please include any of the Shorewall configuration files - (especially the /etc/shorewall/hosts file if you have - modified that file) that you think are relevant. If you + you exercise the function that is giving you problems? If so, +include the message(s) in your post along with a copy of your /etc/shorewall/interfaces + file.
      +
      +
      • +
    • Please include any of the Shorewall configuration files + (especially the /etc/shorewall/hosts file if you have + modified that file) that you think are relevant. If you include /etc/shorewall/rules, please include /etc/shorewall/policy - as well (rules are meaningless unless one also knows the policies).
      -
      -
      • -
    • If an error occurs when you try to " +
      +
      • +
    • If an error occurs when you try to "shorewall start", include a trace (See the Troubleshooting section for instructions).
      -
      -
      • -
    • The list server limits posts to 120kb so don't post GIFs - of your network layout, etc. to the Mailing +
      +
      • +
    • The list server limits posts to 120kb so don't post GIFs + of your network layout, etc. to the Mailing List -- your post will be rejected.
      • - +
    - +
    The author gratefully acknowleges that the above list was heavily plagiarized from the excellent LEAF document by Ray Olszewski - found at http://leaf-project.org/pub/doc/docmanager/docid_1891.html.
    -
    - + +

    When using the mailing list, please post in plain text

    - +
    A growing number of MTAs serving list subscribers are rejecting all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net "for continuous abuse" because it has been my policy - to allow HTML in list posts!!
    -
    - I think that blocking all HTML is a Draconian - way to control spam and that the ultimate losers here are not -the spammers but the list subscribers whose MTAs are bouncing + to allow HTML in list posts!!
    +
    + I think that blocking all HTML is a Draconian + way to control spam and that the ultimate losers here are not + the spammers but the list subscribers whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote to me privately - "These e-mail admin's need to get a (expletive deleted) life - instead of trying to rid the planet of HTML based e-mail". Nevertheless, - to allow subscribers to receive list posts as must as possible, I have - now configured the list server at shorewall.net to strip all HTML -from outgoing posts.
    -
    + "These e-mail admin's need to get a (expletive deleted) life + instead of trying to rid the planet of HTML based e-mail". Nevertheless, + to allow subscribers to receive list posts as must as possible, I +have now configured the list server at shorewall.net to strip all HTML + from outgoing posts.
    + - +

    Where to Send your Problem Report or to Ask for Help

    - +
    - +

    If you run Shorewall under Bering -- please post your question or problem - to the LEAF - Users mailing list.

    - If you run Shorewall under MandrakeSoft Multi - Network Firewall (MNF) and you have not purchased an MNF license - from MandrakeSoft then you can post non MNF-specific Shorewall questions - to the Shorewall - users mailing list. Do not expect to get free MNF support -on the list or forum.
    + to the LEAF + Users mailing list. + If you run Shorewall under MandrakeSoft +Multi Network Firewall (MNF) and you have not purchased an MNF +license from MandrakeSoft then you can post non MNF-specific Shorewall +questions to the Shorewall users mailing + list or to the Shorewall Support +Forum. Do not expect to get free MNF support on the list or forum.
    - +

    Otherwise, please post your question or problem to the Shorewall users mailing - list.

    -
    - - - - - -

    To Subscribe to the mailing list go to or to the Shorewall Support +Forum.
    + To Subscribe to the mailing list go to http://lists.shorewall.net/mailman/listinfo/shorewall-users - .
    -

    - + .
    +

    + + + + + +

    For information on other Shorewall mailing lists, go to http://lists.shorewall.net/mailing_list.htm
    -

    +

    - -

    Last Updated 3/14/2003 - Tom Eastep

    + +

    Last Updated 3/17/2003 - Tom Eastep

    - +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.
    -

    -
    +

    +
    +
    +

    diff --git a/STABLE/documentation/traffic_shaping.htm b/STABLE/documentation/traffic_shaping.htm index cbc5ea160..4efe4fa46 100644 --- a/STABLE/documentation/traffic_shaping.htm +++ b/STABLE/documentation/traffic_shaping.htm @@ -1,336 +1,338 @@ - + - + - + - + Traffic Shaping - + - - - + + - - - + + + +
    +
    - +

    Traffic Shaping/Control

    -
    - -

    Shorewall has limited support for traffic shaping/control. - In order to use traffic shaping under Shorewall, it is essential that - you get a copy of the Linux Advanced Routing - and Shaping HOWTO, version 0.3.0 or later.

    - + +

    Shorewall has limited support for traffic shaping/control. + In order to use traffic shaping under Shorewall, it is essential that + you get a copy of the Linux Advanced Routing + and Shaping HOWTO, version 0.3.0 or later. It is also necessary +to be running Linux Kernel 2.4.18 or later.

    +

    Shorewall traffic shaping support consists of the following:

    - +
      -
    • A new TC_ENABLED parameter in /etc/shorewall.conf. - Traffic Shaping also requires that you enable packet mangling.
      • -
    • A new CLEAR_TC parameter in /etc/shorewall.conf (Added -in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), -the setting of this variable determines whether Shorewall clears the traffic +
    • A new TC_ENABLED parameter in /etc/shorewall.conf. + Traffic Shaping also requires that you enable packet mangling.
      • +
    • A new CLEAR_TC parameter in /etc/shorewall.conf (Added + in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), + the setting of this variable determines whether Shorewall clears the traffic shaping configuration during Shorewall [re]start and Shorewall stop.
      -
      • -
    • /etc/shorewall/tcrules - A file where you can - specify firewall marking of packets. The firewall mark value may +
      • +
    • /etc/shorewall/tcrules - A file where you can + specify firewall marking of packets. The firewall mark value may be used to classify packets for traffic shaping/control.
      -
      • -
    • /etc/shorewall/tcstart - A user-supplied file - that is sourced by Shorewall during "shorewall start" and which - you can use to define your traffic shaping disciplines and classes. - I have provided a sample that does - table-driven CBQ shaping but if you read the traffic shaping sections - of the HOWTO mentioned above, you can probably code your own faster - than you can learn how to use my sample. I personally use HTB (see below). -HTB support may eventually become an integral part of Shorewall -since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20, - HTB is a standard part of the kernel but iproute2 must be patched in - order to use it.
      -
      - In tcstart, when you want to run the 'tc' utility, use - the run_tc function supplied by shorewall if you want tc errors +
      • +
    • /etc/shorewall/tcstart - A user-supplied file + that is sourced by Shorewall during "shorewall start" and which + you can use to define your traffic shaping disciplines and classes. + I have provided a sample that does + table-driven CBQ shaping but if you read the traffic shaping sections + of the HOWTO mentioned above, you can probably code your own +faster than you can learn how to use my sample. I personally use + HTB (see below). + HTB support may eventually become an integral part of Shorewall + since HTB is a lot simpler and better-documented than CBQ. As of +2.4.20, HTB is a standard part of the kernel but iproute2 must be patched + in order to use it.
      +
      + In tcstart, when you want to run the 'tc' utility, use + the run_tc function supplied by shorewall if you want tc errors to stop the firewall.
      -
      - You can generally use off-the-shelf traffic shaping scripts by +
      + You can generally use off-the-shelf traffic shaping scripts by simply copying them to /etc/shorewall/tcstart. I use The Wonder Shaper (HTB version) - that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart -and modified it according to the Wonder Shaper README). WARNING: If - you use use Masquerading or SNAT (i.e., you only have one external IP address) - then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] - script won't work. Traffic shaping occurs after SNAT has already been -applied so when traffic shaping happens, all outbound traffic will have -as a source address the IP addresss of your firewall's external interface.
      -
      • -
    • /etc/shorewall/tcclear - A user-supplied file - that is sourced by Shorewall when it is clearing traffic shaping. - This file is normally not required as Shorewall's method of clearing - qdisc and filter definitions is pretty general.
      • - + href="http://lartc.org/wondershaper/">The Wonder Shaper (HTB version) + that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and + modified it according to the Wonder Shaper README). WARNING: If + you use use Masquerading or SNAT (i.e., you only have one external IP address) + then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] + script won't work. Traffic shaping occurs after SNAT has already been applied + so when traffic shaping happens, all outbound traffic will have as a source + address the IP addresss of your firewall's external interface.
      + +
    • /etc/shorewall/tcclear - A user-supplied file + that is sourced by Shorewall when it is clearing traffic shaping. + This file is normally not required as Shorewall's method of clearing + qdisc and filter definitions is pretty general.
      • +
    - Shorewall allows you to start traffic shaping when Shorewall itself -starts or it allows you to bring up traffic shaping when you bring up your -interfaces.
    -
    - To start traffic shaping when Shorewall starts:
    - + Shorewall allows you to start traffic shaping when Shorewall itself + starts or it allows you to bring up traffic shaping when you bring up +your interfaces.
    +
    + To start traffic shaping when Shorewall starts:
    +
      -
    1. Set TC_ENABLED=Yes and CLEAR_TC=Yes
      2. -
    2. Supply an /etc/shorewall/tcstart script to configure your traffic - shaping rules.
      3. -
    3. Optionally supply an /etc/shorewall/tcclear script to stop traffic +
    4. Set TC_ENABLED=Yes and CLEAR_TC=Yes
      5. +
    5. Supply an /etc/shorewall/tcstart script to configure your traffic + shaping rules.
      6. +
    6. Optionally supply an /etc/shorewall/tcclear script to stop traffic shaping. That is usually unnecessary.
      7. -
    7. If your tcstart script uses the 'fwmark' classifier, you can +
    8. If your tcstart script uses the 'fwmark' classifier, you can mark packets using entries in /etc/shorewall/tcrules.
      9. - +
    - To start traffic shaping when you bring up your network interfaces, -you will have to arrange for your traffic shaping configuration script to -be run at that time. How you do that is distribution dependent and will not -be covered here. You then should:
    - + To start traffic shaping when you bring up your network interfaces, + you will have to arrange for your traffic shaping configuration script +to be run at that time. How you do that is distribution dependent and will +not be covered here. You then should:
    +
      -
    1. Set TC_ENABLED=Yes and CLEAR_TC=No
      2. -
    2. Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear +
    3. Set TC_ENABLED=Yes and CLEAR_TC=No
      4. +
    4. Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.
      5. -
    5. If your tcstart script uses the 'fwmark' classifier, +
    6. If your tcstart script uses the 'fwmark' classifier, you can mark packets using entries in /etc/shorewall/tcrules.
      7. - +
    - +

    Kernel Configuration

    - +

    This screen shot show how I've configured QoS in my Kernel:

    - +

    -

    - +

    +

    /etc/shorewall/tcrules

    - -

    The fwmark classifier provides a convenient way to classify - packets for traffic shaping. The /etc/shorewall/tcrules file provides + +

    The fwmark classifier provides a convenient way to classify + packets for traffic shaping. The /etc/shorewall/tcrules file provides a means for specifying these marks in a tabular fashion.
    -

    - -

    Normally, packet marking occurs in the PREROUTING chain before - any address rewriting takes place. This makes it impossible to mark inbound - packets based on their destination address when SNAT or Masquerading -are being used. Beginning with Shorewall 1.3.12, you can cause packet -marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN -option in shorewall.conf.
    -

    - +

    + +

    Normally, packet marking occurs in the PREROUTING chain before + any address rewriting takes place. This makes it impossible to mark inbound + packets based on their destination address when SNAT or Masquerading are + being used. Beginning with Shorewall 1.3.12, you can cause packet marking + to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option + in shorewall.conf.
    +

    +

    Columns in the file are as follows:

    - +
      -
    • MARK - Specifies the mark value is to be assigned in - case of a match. This is an integer in the range 1-255. Beginning -with Shorewall version 1.3.14, this value may be optionally followed by -":" and either 'F' or 'P' to designate that the marking will occur in the -FORWARD or PREROUTING chains respectively. If this additional specification -is omitted, the chain used to mark packets will be determined by the setting -of the MARK_IN_FORWARD_CHAIN option in shorewall.conf.
      -
      - Example - 5
      -
      • -
    • SOURCE - The source of the packet. If the packet originates - on the firewall, place "fw" in this column. Otherwise, this is a - comma-separated list of interface names, IP addresses, MAC addresses - in Shorewall Format and/or Subnets.
      -
      - Examples
      -     eth0
      -     192.168.2.4,192.168.1.0/24
      -
      • -
    • DEST -- Destination of the packet. Comma-separated +
    • MARK - Specifies the mark value is to be assigned +in case of a match. This is an integer in the range 1-255. Beginning +with Shorewall version 1.3.14, this value may be optionally followed by ":" +and either 'F' or 'P' to designate that the marking will occur in the FORWARD +or PREROUTING chains respectively. If this additional specification is omitted, +the chain used to mark packets will be determined by the setting of the +MARK_IN_FORWARD_CHAIN option in shorewall.conf.
      +
      + Example - 5
      +
      • +
    • SOURCE - The source of the packet. If the packet originates + on the firewall, place "fw" in this column. Otherwise, this is +a comma-separated list of interface names, IP addresses, MAC addresses + in Shorewall Format and/or Subnets.
      +
      + Examples
      +     eth0
      +     192.168.2.4,192.168.1.0/24
      +
      • +
    • DEST -- Destination of the packet. Comma-separated list of IP addresses and/or subnets.
      -
      • -
    • PROTO - Protocol - Must be the name of a protocol from - /etc/protocol, a number or "all"
      -
      • -
    • PORT(S) - Destination Ports. A comma-separated list -of Port names (from /etc/services), port numbers or port ranges (e.g., - 21:22); if the protocol is "icmp", this column is interpreted +
      • +
    • PROTO - Protocol - Must be the name of a protocol +from /etc/protocol, a number or "all"
      +
      • +
    • PORT(S) - Destination Ports. A comma-separated list + of Port names (from /etc/services), port numbers or port ranges +(e.g., 21:22); if the protocol is "icmp", this column is interpreted as the destination icmp type(s).
      -
      • -
    • CLIENT PORT(S) - (Optional) Port(s) used by the client. - If omitted, any source port is acceptable. Specified as a comma-separate +
      • +
    • CLIENT PORT(S) - (Optional) Port(s) used by the client. + If omitted, any source port is acceptable. Specified as a comma-separate list of port names, port numbers or port ranges.
      • - +
    - -

    Example 1 - All packets arriving on eth1 should be marked - with 1. All packets arriving on eth2 and eth3 should be marked with - 2. All packets originating on the firewall itself should be marked with - 3.

    - + +

    Example 1 - All packets arriving on eth1 should be marked + with 1. All packets arriving on eth2 and eth3 should be marked with + 2. All packets originating on the firewall itself should be marked +with 3.

    + - + + + + + + + + + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    1eth10.0.0.0/0all  
    2eth20.0.0.0/0all  
    2
    -     		eth3
    -     		0.0.0.0/0
    -     		all
    -
    -
    -
    3fw0.0.0.0/0all  
    1eth10.0.0.0/0all  
    2eth20.0.0.0/0all  
    2
    +     		eth3
    +     		0.0.0.0/0
    +     		all
    +
    +
    +
    3fw0.0.0.0/0all  
    - -

    Example 2 - All GRE (protocol 47) packets not originating - on the firewall and destined for 155.186.235.151 should be marked with - 12.

    - + +

    Example 2 - All GRE (protocol 47) packets not originating + on the firewall and destined for 155.186.235.151 should be marked +with 12.

    + - + + + + + + + + + - - - - - - - - - - - - - - - - - + + + + + + + + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    120.0.0.0/0155.186.235.15147  
    120.0.0.0/0155.186.235.15147  
    - -

    Example 3 - All SSH packets originating in 192.168.1.0/24 - and destined for 155.186.235.151 should be marked with 22.

    - + +

    Example 3 - All SSH packets originating in 192.168.1.0/24 + and destined for 155.186.235.151 should be marked with 22.

    + - + + + + + + + + + - - - - - - - - - - - - - - - - - + + + + + + + + +
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    MARKSOURCEDESTPROTOPORT(S)CLIENT PORT(S)
    22192.168.1.0/24155.186.235.151tcp22 
    22192.168.1.0/24155.186.235.151tcp22 
    - +

    My Setup
    -

    - + +

    While I am currently using the HTB version of The Wonder Shaper (I just copied - wshaper.htb to /etc/shorewall/tcstart and modified it as shown - in the Wondershaper README), I have also run with the following set of + href="http://lartc.org/wondershaper/">The Wonder Shaper (I just copied + wshaper.htb to /etc/shorewall/tcstart and modified it as shown + in the Wondershaper README), I have also run with the following set of hand-crafted rules in my /etc/shorewall/tcstart file:
    -

    - -
    - 
    run_tc qdisc add dev eth0 root handle 1: htb default 30

    run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k

    echo "   Added Top Level Class -- rate 384kbit"
    - - 
    run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1
    run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0
    run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1
    - - 
    echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"
    - - 
    run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
    run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
    run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
    - - 
    echo "   Enabled PFIFO on Second Level Classes"
    - - 
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
    - - 
    echo "   Defined fwmark filters"
    -
    - -

    My tcrules file that went with this tcstart file is shown in Example 1 - above. You can look at my configuration to -see why I wanted shaping of this type.

    +
    + 
    run_tc qdisc add dev eth0 root handle 1: htb default 30

    run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k

    echo "   Added Top Level Class -- rate 384kbit"
    + + 
    run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1
    run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0
    run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit  ceil 384kbit burst 15k quantum 1500 prio 1
    + + 
    echo "   Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"
    + + 
    run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
    run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
    run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
    + + 
    echo "   Enabled PFIFO on Second Level Classes"
    + + 
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20
    run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30
    + + 
    echo "   Defined fwmark filters"
    +
    + +

    My tcrules file that went with this tcstart file is shown in Example 1 + above. You can look at my configuration to +see why I wanted shaping of this type.
    +

    +
      -
    1. I wanted to allow up to 140kbits/second for traffic outbound - from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic - can use all available bandwidth if there is no traffic from the local -systems or from my laptop or firewall).
      2. -
    2. My laptop and local systems could use up to 224kbits/second.
      3. -
    3. My firewall could use up to 20kbits/second.
      4. - +
    4. I wanted to allow up to 140kbits/second for traffic outbound + from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ +traffic can use all available bandwidth if there is no traffic from the +local systems or from my laptop or firewall).
      5. +
    5. My laptop and local systems could use up to 224kbits/second.
      6. +
    6. My firewall could use up to 20kbits/second.
      7. +
    - You see the rest of my Shorewall configuration -to see how this fit in.
    - -

    Last Updated 3/5/2003 - Tom Eastep

    - -

    Copyright - © 2001, 2002, 2003 Thomas M. Eastep.
    -

    + You see the rest of my Shorewall configuration + to see how this fit in.
    + +

    Last Updated 3/19/2003 - Tom Eastep

    + +

    Copyright + © 2001, 2002, 2003 Thomas M. Eastep.
    +

    +



    diff --git a/STABLE/documentation/upgrade_issues.htm b/STABLE/documentation/upgrade_issues.htm index 79d1c7aa7..406fa17e1 100644 --- a/STABLE/documentation/upgrade_issues.htm +++ b/STABLE/documentation/upgrade_issues.htm @@ -1,309 +1,424 @@ - + Upgrade Issues - + - + - + + - + - - - + + - - - -
    - +
    + +

    Upgrade Issues

    -
    + + + + + +

    For upgrade instructions see the Install/Upgrade page.

    - + href="Install.htm">Install/Upgrade page.
    +

    + +

    It is important that you read all of the sections on this page where the + version number mentioned in the section title is later than what you are + currently running.
    +

    +

    - -

    Version >= 1.4.0

    - IMPORTANT: Shorewall >=1.4.0 REQUIRES the iproute package -('ip' utility).
    -
    - If you are upgrading from a version < 1.4.0, then:
    + +

    Version >= 1.4.1

    +In the description that follows, the term group refers to a particular +network or subnetwork (which may be 0.0.0.0/0 or it may be a host address) +accessed through a particular interface. Examples:
    +
    eth0:0.0.0.0/0
    + eth2:192.168.1.0/24
    + eth3:192.0.2.123
    +
    + You can use the "shorewall check" command to see the groups associated with +each of your zones.
    +
    +
      -
    • The noping and forwardping interface options are -no longer supported nor is the FORWARDPING option in shorewall.conf. -ICMP echo-request (ping) packets are treated just like any other connection -request and are subject to rules and policies.
      • -
    • Interface names of the form <device>:<integer> in -/etc/shorewall/interfaces now generate a Shorewall error at startup (they -always have produced warnings in iptables).
      • -
    • The MERGE_HOSTS variable has been removed from shorewall.conf. -Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents -are determined by BOTH the interfaces and hosts files when there are entries -for the zone in both files.
      • -
    • The routestopped option in the interfaces and hosts file -has been eliminated; use entries in the routestopped file instead.
      • -
    • The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer - accepted; you must convert to using the new syntax.
      • -
    • The ALLOWRELATED variable in shorewall.conf is no longer - supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
      • -
    • Late-arriving DNS replies are not dropped by default; -there is no need for your own /etc/shorewall/common file simply to avoid -logging these packets.
      • -
    • The 'firewall', 'functions' and 'version' file have been - moved to /usr/share/shorewall.
      • -
    • The icmp.def file has been removed. If you include it -from /etc/shorewall/icmpdef, you will need to modify that file.
      • -
    • The 'multi' interface option is no longer supported.  Shorewall - will generate rules for sending packets back out the same interface that -they arrived on in two cases:
      • +
    • Beginning with Version 1.4.1, traffic between groups in the same +zone is accepted by default. Previously, traffic from a zone to itself was +treated just like any other traffic; any matching rules were applied followed +by enforcement of the appropriate policy. With 1.4.1 and later versions, +unless you have explicit rules for traffic from Z to Z or you have an explicit +Z to Z policy (where "Z" is some zone) then traffic between the groups in +zone Z will be accepted. If you do have one or more explicit rules for Z +to Z or if you have an explicit Z to Z policy then the behavior is as it +was in prior versions.
    - -
      + +
      +
        +
      1. If you have a Z Z ACCEPT policy for a zone to allow traffic between + two interfaces to the same zone, that policy can be removed and traffic +between the interfaces will traverse fewer rules than previously.
        2. +
      2. If you have a Z Z DROP or Z Z REJECT policy or you have Z->Z +rules then your configuration should not require any change.
        3. +
      3. If you are currently relying on a implicit policy (one that has +"all" in either the SOURCE or DESTINATION column) to prevent traffic between +two interfaces to a zone Z and you have no rules for Z->Z then you should +add an explicit DROP or REJECT policy for Z to Z.
        +
        4. +
      +
      + +
        +
      • Beginning with Version 1.4.1, Shorewall will never create rules to + deal with traffic from a given group back to itself. The multi interface +option is no longer available so if you want to route traffic between two +subnetworks on the same interface then either:
        • + +
      + +
      +
        +
      1. The subnetworks must be in different zones; or
        2. +
      2. You must use the /etc/shorewall/hosts file to define the subnetworks + as two groups in a single zone.
        3. + +
      +
      + Example 1 -- Two zones:
      + +
      + 
      /etc/shorewall/zones

      z1	Zone1	The first Zone
      z2	Zone2	The secont Zone

      /etc/shorewall/policy

      z1	z2	ACCEPT
      z2	z1	ACCEPT

      /etc/shorewall/interfaces

      -	eth1	192.168.1.255,192.168.2.255

      /etc/shorewall/hosts

      z1	eth1:192.168.1.0/24
      z2	eth1:192.168.2.0/24
      +
      + Example 2 -- One zone: +
      + 

      /etc/shorewall/zones

      z	Zone	The Zone

      /etc/shorewall/interfaces

      -	eth1	192.168.1.255,192.168.2.255

      /etc/shorewall/hosts

      z	eth1:192.168.1.0/24
      z	eth1:192.168.2.0/24
      +
      + Note that in the second example, we don't need any policy since z->z +traffic is accepted by default. The second technique is preferable if you +want unlimited access between the two subnetworks.
      +
      + Sometimes, you want two separate zones on one interface but you don't want +Shorewall to set up any infrastructure to handle traffic between them.
      +
      + Example:
      + +
      + 
      /etc/shorewall/zones

      z1	Zone1	The first Zone
      z2	Zone2	The secont Zone

      /etc/shorewall/interfaces

      z2	eth1	192.168.1.255

      /etc/shorewall/hosts

      z1	eth1:192.168.1.3
      +
      + Here, zone z1 is nested in zone z2 and the firewall is not going to be involved +in any traffic between these two zones. Beginning with Shorewall 1.4.1, you +can prevent Shorewall from setting up any infrastructure to handle traffic +between z1 and z2 by using the new NONE policy:
      + +
      + 
      /etc/shorewall/policy
      z1	z2	NONE
      z2	z1	NONE
      +
      + Note that NONE policies are generally used in pairs unless there is asymetric +routing where only the traffic on one direction flows through the firewall +and you are using a NONE polciy in the other direction.  +

      Version >= 1.4.0

      + IMPORTANT: Shorewall >=1.4.0 requires the iproute + package ('ip' utility).
      +
      + Note: Unfortunately, some distributions call this package iproute2 + which will cause the upgrade of Shorewall to fail with the diagnostic:
      +
      +      error: failed dependencies:iproute is needed by shorewall-1.4.0-1 +
      +
      + This may be worked around by using the --nodeps option of rpm (rpm -Uvh + --nodeps <shorewall rpm>).
      +
      + If you are upgrading from a version < 1.4.0, then:
      + +
        +
      • The noping and forwardping interface options +are no longer supported nor is the FORWARDPING option in shorewall.conf. + ICMP echo-request (ping) packets are treated just like any other connection + request and are subject to rules and policies.
        • +
      • Interface names of the form <device>:<integer> +in /etc/shorewall/interfaces now generate a Shorewall error at startup +(they always have produced warnings in iptables).
        • +
      • The MERGE_HOSTS variable has been removed from shorewall.conf. + Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents + are determined by BOTH the interfaces and hosts files when there are entries + for the zone in both files.
        • +
      • The routestopped option in the interfaces and hosts +file has been eliminated; use entries in the routestopped file instead.
        • +
      • The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no +longer accepted; you must convert to using the new syntax.
        • +
      • The ALLOWRELATED variable in shorewall.conf is no + longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.
        • +
      • Late-arriving DNS replies are now dropped by default; + there is no need for your own /etc/shorewall/common file simply to avoid + logging these packets.
        • +
      • The 'firewall', 'functions' and 'version' file have + been moved to /usr/share/shorewall.
        • +
      • The icmp.def file has been removed. If you include + it from /etc/shorewall/icmpdef, you will need to modify that file.
        • + +
          + +
        +
      • If you followed the advice in FAQ #2 and call find_interface_address + in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.
        +
        • + +
      + +
        + +
      + +

      Version 1.4.0

      + +
        +
      • The 'multi' interface option is no longer supported.  Shorewall + will generate rules for sending packets back out the same interface that + they arrived on in two cases:
        • + +
      + +
      • There is an explicit policy for the source zone to or from - the destination zone. An explicit policy names both zones and does not use - the 'all' reserved word.
        • + the destination zone. An explicit policy names both zones and does not +use the 'all' reserved word.
      • There are one or more rules for traffic for the source zone to -or from the destination zone including rules that use the 'all' reserved -word. Exception: if the source zone and destination zone are the same then -the rule must be explicit - it must name the zone in both the SOURCE and + or from the destination zone including rules that use the 'all' reserved + word. Exception: if the source zone and destination zone are the same then + the rule must be explicit - it must name the zone in both the SOURCE and DESTINATION columns.
      -
    • If you followed the advice in FAQ #2 and call find_interface_address -in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.
      -
      • - -
    - -
      - -
    - + +

    Version >= 1.3.14

    - -      Beginning in version 1.3.14, Shorewall treats entries in /etc/shorewall/masq differently. The change - involves entries with an interface name in the SUBNET (second) - column:
    - + +      Beginning in version 1.3.14, Shorewall treats entries in /etc/shorewall/masq differently. The change + involves entries with an interface name in the SUBNET (second) + column:
    +
      -
    • Prior to 1.3.14, Shorewall would detect the FIRST subnet on the - interface (as shown by "ip addr show interface") and would masquerade - traffic from that subnet. Any other subnets that routed through eth1 needed - their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT - applied.
      • -
    • Beginning with Shorewall 1.3.14, Shorewall uses the firewall's - routing table to determine ALL subnets routed through the named interface. - Traffic originating in ANY of those subnets is masqueraded or has SNAT -applied.
      • - +
    • Prior to 1.3.14, Shorewall would detect the FIRST subnet +on the interface (as shown by "ip addr show interface") and would + masquerade traffic from that subnet. Any other subnets that routed through + eth1 needed their own entry in /etc/shorewall/masq to be masqueraded +or to have SNAT applied.
      • +
    • Beginning with Shorewall 1.3.14, Shorewall uses the firewall's + routing table to determine ALL subnets routed through the named interface. + Traffic originating in ANY of those subnets is masqueraded or has SNAT + applied.
      • +
    - You will need to make a change to your configuration if:
    - + You will need to make a change to your configuration if:
    +
      -
    1. You have one or more entries in /etc/shorewall/masq with an interface - name in the SUBNET (second) column; and
      2. -
    2. That interface connects to more than one subnetwork.
      3. - -
    - Two examples:
    -
    -  Example 1 -- Suppose that your current config is as follows:
    -   
    - -
    	[root@gateway test]# cat /etc/shorewall/masq
    	#INTERFACE              SUBNET                  ADDRESS
    	eth0                    eth2                    206.124.146.176
    	eth0                    192.168.10.0/24         206.124.146.176
    	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    	[root@gateway test]# ip route show dev eth2
    	192.168.1.0/24  scope link
    	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    	[root@gateway test]#
    - -
    In this case, the second entry in /etc/shorewall/masq is no longer - required.
    -
    - Example 2-- What if your current configuration is like this?
    - -
    	[root@gateway test]# cat /etc/shorewall/masq	
    	#INTERFACE              SUBNET                  ADDRESS	
    	eth0                    eth2                    206.124.146.176
    	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	
    	[root@gateway test]# ip route show dev eth2	
    	192.168.1.0/24  scope link
    	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254	
    	[root@gateway test]#
    - -
    In this case, you would want to change the entry in /etc/shorewall/masq - to:
    -
    - -
    	#INTERFACE              SUBNET                  ADDRESS	
    	eth0                    192.168.1.0/24          206.124.146.176
    	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    - -     Version 1.3.14 also introduced simplified ICMP echo-request (ping) - handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf - is used to specify that the old (pre-1.3.14) ping handling is to be used - (If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes - is assumed). I don't plan on supporting the old handling indefinitely so - I urge current users to migrate to using the new handling as soon as possible. - See the 'Ping' handling documentation for details.
    - -

    Version 1.3.10

    - If you have installed the 1.3.10 Beta 1 RPM and are now upgrading -to version 1.3.10, you will need to use the '--force' option:
    -
    - -
    - 
    rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm 
    -
    - -

    Version >= 1.3.9

    - The 'functions' file has moved to /usr/lib/shorewall/functions. -If you have an application that uses functions from that file, your application - will need to be changed to reflect this change of location.
    - -

    Version >= 1.3.8

    - -

    If you have a pair of firewall systems configured for failover - or if you have asymmetric routing, you will need to modify - your firewall setup slightly under Shorewall - versions >= 1.3.8. Beginning with version 1.3.8, - you must set NEWNOTSYN=Yes in your - /etc/shorewall/shorewall.conf file.

    - -

    Version >= 1.3.7

    - -

    Users specifying ALLOWRELATED=No in /etc/shorewall.conf - will need to include the following rules - in their /etc/shorewall/icmpdef file (creating - this file if necessary):

    - -
    	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
    - -

    Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" - command from that file since the icmp.def file is now empty.

    - -

    Upgrading Bering to - Shorewall >= 1.3.3

    - -

    To properly upgrade with Shorewall version - 1.3.3 and later:

    - -
      -
    1. Be sure you have a backup --- you will need to transcribe any Shorewall - configuration changes that you have -made to the new configuration.
      2. -
    2. Replace the shorwall.lrp -package provided on the Bering floppy -with the later one. If you did not obtain -the later version from Jacques's site, -see additional instructions below.
      3. -
    3. Edit the /var/lib/lrpkg/root.exclude.list - file and remove the /var/lib/shorewall - entry if present. Then do not forget -to backup root.lrp !
      4. - -
    - -

    The .lrp that I release isn't set up for a two-interface firewall like - Jacques's. You need to follow the instructions - for setting up a two-interface firewall plus you also need to add - the following two Bering-specific rules to /etc/shorewall/rules:

    - -
    - 
    # Bering specific rules:
    # allow loc to fw udp/53 for dnscache to work
    # allow loc to fw tcp/80 for weblet to work
    #
    ACCEPT loc fw udp 53
    ACCEPT loc fw tcp 80
    -
    - -

    Version 1.3.6 and 1.3.7

    - -

    If you have a pair of firewall systems configured for - failover or if you have asymmetric routing, you will need to modify - your firewall setup slightly under Shorewall versions 1.3.6 - and 1.3.7

    - -
      -
    1. - -

      Create the file /etc/shorewall/newnotsyn and in it add - the following rule
      -
      - run_iptables -A newnotsyn -j RETURN - # So that the connection tracking table can be rebuilt
      -                                     # from non-SYN -packets after takeover.
      -  

      -
      2. -
    2. - -

      Create /etc/shorewall/common (if you don't already - have that file) and include the following:
      -
      - run_iptables -A common -p tcp ---tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild -connection
      -                                                                     - #tracking table.
      - . /etc/shorewall/common.def

      -
      3. +
    3. You have one or more entries in /etc/shorewall/masq with +an interface name in the SUBNET (second) column; and
      4. +
    4. That interface connects to more than one subnetwork.
    - + Two examples:
    +
    +  Example 1 -- Suppose that your current config is as follows:
    +   
    + +
    	[root@gateway test]# cat /etc/shorewall/masq
    	#INTERFACE              SUBNET                  ADDRESS
    	eth0                    eth2                    206.124.146.176
    	eth0                    192.168.10.0/24         206.124.146.176
    	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    	[root@gateway test]# ip route show dev eth2
    	192.168.1.0/24  scope link
    	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
    	[root@gateway test]#
    + +
    In this case, the second entry in /etc/shorewall/masq is no longer + required.
    +
    + Example 2-- What if your current configuration is like +this?
    + +
    	[root@gateway test]# cat /etc/shorewall/masq	
    	#INTERFACE              SUBNET                  ADDRESS	
    	eth0                    eth2                    206.124.146.176
    	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE	
    	[root@gateway test]# ip route show dev eth2	
    	192.168.1.0/24  scope link
    	192.168.10.0/24  proto kernel  scope link  src 192.168.10.254	
    	[root@gateway test]#
    + +
    In this case, you would want to change the entry in /etc/shorewall/masq + to:
    +
    + +
    	#INTERFACE              SUBNET                  ADDRESS	
    	eth0                    192.168.1.0/24          206.124.146.176
    	#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
    + +     Version 1.3.14 also introduced simplified ICMP echo-request +(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf + is used to specify that the old (pre-1.3.14) ping handling is to be +used (If the option is not set in your /etc/shorewall/shorewall.conf +then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the +old handling indefinitely so I urge current users to migrate to using +the new handling as soon as possible. See the 'Ping' +handling documentation for details.
    + +

    Version 1.3.10

    + If you have installed the 1.3.10 Beta 1 RPM and are now upgrading + to version 1.3.10, you will need to use the '--force' option:
    +
    + +
    + 
    rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm 
    +
    + +

    Version >= 1.3.9

    + The 'functions' file has moved to /usr/lib/shorewall/functions. + If you have an application that uses functions from that file, your +application will need to be changed to reflect this change of location.
    + +

    Version >= 1.3.8

    + +

    If you have a pair of firewall systems configured for failover + or if you have asymmetric routing, you will need to modify + your firewall setup slightly under Shorewall + versions >= 1.3.8. Beginning with version +1.3.8, you must set NEWNOTSYN=Yes in +your /etc/shorewall/shorewall.conf file.

    + +

    Version >= 1.3.7

    + +

    Users specifying ALLOWRELATED=No in /etc/shorewall.conf + will need to include the following +rules in their /etc/shorewall/icmpdef + file (creating this file if necessary):

    + +
    	run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
    	run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
    + +

    Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" + command from that file since the icmp.def file is now empty.

    + +

    Upgrading Bering to + Shorewall >= 1.3.3

    + +

    To properly upgrade with Shorewall version + 1.3.3 and later:

    + +
      +
    1. Be sure you have a backup + -- you will need to transcribe any + Shorewall configuration changes that + you have made to the new configuration.
      2. +
    2. Replace the shorwall.lrp + package provided on the Bering floppy + with the later one. If you did not +obtain the later version from Jacques's + site, see additional instructions below.
      3. +
    3. Edit the /var/lib/lrpkg/root.exclude.list + file and remove the /var/lib/shorewall + entry if present. Then do not forget + to backup root.lrp !
      4. + +
    + +

    The .lrp that I release isn't set up for a two-interface firewall like + Jacques's. You need to follow the instructions + for setting up a two-interface firewall plus you also need +to add the following two Bering-specific rules to /etc/shorewall/rules:

    + +
    + 
    # Bering specific rules:
    # allow loc to fw udp/53 for dnscache to work
    # allow loc to fw tcp/80 for weblet to work
    #
    ACCEPT loc fw udp 53
    ACCEPT loc fw tcp 80
    +
    + +

    Version 1.3.6 and 1.3.7

    + +

    If you have a pair of firewall systems configured for + failover or if you have asymmetric routing, you will need to modify + your firewall setup slightly under Shorewall versions +1.3.6 and 1.3.7

    + +
      +
    1. + +

      Create the file /etc/shorewall/newnotsyn and in it add + the following rule
      +
      + run_iptables -A newnotsyn +-j RETURN # So that the connection tracking table can be +rebuilt
      +                                     # from non-SYN + packets after takeover.
      +  

      +
      2. +
    2. + +

      Create /etc/shorewall/common (if you don't already + have that file) and include the following:
      +
      + run_iptables -A common -p +tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to +rebuild connection
      +                                                                     + #tracking table.
      + . /etc/shorewall/common.def

      +
      3. + +
    +

    Versions >= 1.3.5

    - -

    Some forms of pre-1.3.0 rules file syntax are no - longer supported.

    - + +

    Some forms of pre-1.3.0 rules file syntax are no + longer supported.

    +

    Example 1:

    - -
    + +
    	ACCEPT    net    loc:192.168.1.12:22    tcp    11111    -    all
    -
    - +
    +

    Must be replaced with:

    - -
    + +
    	DNAT	net	loc:192.168.1.12:22	tcp	11111
    -
    - -
    +
    + +

    Example 2:

    -
    - -
    +
    + +
    	ACCEPT	loc	fw::3128	tcp	80	-	all
    -
    - -
    +
    + +

    Must be replaced with:

    -
    - -
    +
    + +
    	REDIRECT	loc	3128	tcp	80
    -
    - +
    +

    Version >= 1.3.2

    - -

    The functions and versions files together with the - 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. - If you have applications that access these files, those applications - should be modified accordingly.

    - -

    Last updated 3/6/2003 - -Tom Eastep

    - -

    Copyright - © 2001, 2002, 2003 Thomas M. Eastep.
    -

    -
    -
    -
    -
    + +

    The functions and versions files together with the + 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. + If you have applications that access these files, those + applications should be modified accordingly.

    + +

    Last updated 3/18/2003 - + Tom Eastep

    + +

    Copyright + © 2001, 2002, 2003 Thomas M. Eastep.
    +




    diff --git a/STABLE/fallback.sh b/STABLE/fallback.sh index 40cac8cd8..092186888 100755 --- a/STABLE/fallback.sh +++ b/STABLE/fallback.sh @@ -28,7 +28,7 @@ # shown below. Simply run this script to revert to your prior version of # Shoreline Firewall. -VERSION=1.4.0 +VERSION=1.4.1 usage() # $1 = exit status { diff --git a/STABLE/firewall b/STABLE/firewall index 03630b5fe..0fcfbb0d8 100755 --- a/STABLE/firewall +++ b/STABLE/firewall @@ -672,6 +672,7 @@ validate_policy() print_policy() # $1 = source zone, $2 = destination zone { [ $command != check ] || \ + [ $1 = $2 ] || \ [ $1 = all ] || \ [ $2 = all ] || \ echo " Policy for $1 to $2 is $policy" @@ -708,7 +709,7 @@ validate_policy() esac case $policy in - ACCEPT|REJECT|DROP|CONTINUE) + ACCEPT|REJECT|DROP|CONTINUE|NONE) ;; *) startup_error "Invalid policy $policy" @@ -728,7 +729,7 @@ validate_policy() chain=${client}2${server} - all_policy_chains="$all_policy_chains $chain" + [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain" eval ${chain}_is_policy=Yes eval ${chain}_policy=$policy @@ -743,6 +744,7 @@ validate_policy() if [ -z "$pc" ]; then eval ${zone}2${zone1}_policychain=$chain + eval ${zone}2${zone1}_policy=$policy print_policy $zone $zone1 fi done @@ -753,6 +755,7 @@ validate_policy() if [ -z "$pc" ]; then eval ${zone}2${server}_policychain=$chain + eval ${zone}2${server}_policy=$policy print_policy $zone $server fi done @@ -763,6 +766,7 @@ validate_policy() if [ -z "$pc" ]; then eval ${client}2${zone}_policychain=$chain + eval ${client}2${zone}_policy=$policy print_policy $client $zone fi done @@ -1438,7 +1442,7 @@ delete_nat() { # setup_ecn() # $1 = file name { - local interfaces + local interfaces="" local hosts local h @@ -2151,7 +2155,7 @@ process_rule() # $1 = target else serverport= [ -z "$serverzone" -o -z "$servers" ] && \ - startup_error "Empty destination zone or qualifier: rule \"$rule\"" + fatal_error "Empty destination zone or qualifier: rule \"$rule\"" fi fi @@ -2165,6 +2169,11 @@ process_rule() # $1 = target chain=${source}2${dest} + eval policy=\$${chain}_policy + + [ $policy = NONE ] && \ + fatal_error "Rules may not override a NONE policy: rule \"$rule\"" + [ $command = check ] || ensurechain $chain if [ "x$chain" = x${FW}2${FW} ]; then @@ -2683,6 +2692,8 @@ rules_chain() # $1 = source zone, $2 = destination zone havechain $chain && { echo $chain; return; } + [ "$1" = "$2" ] && { echo ACCEPT; return; } + eval chain=\$${chain}_policychain [ -n "$chain" ] && { echo $chain; return; } @@ -3670,41 +3681,27 @@ activate_rules() done for zone1 in $zones; do + + eval policy=\$${zone}2${zone1}_policy + + [ "$policy" = NONE ] && continue + eval dest_hosts=\$${zone1}_hosts chain="`rules_chain $zone $zone1`" echo "$zone $zone1 $chain" >> ${STATEDIR}/chains - if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then - have_canonical=Yes - else - have_canonical= - fi - for host in $source_hosts; do interface=${host%:*} subnet=${host#*:} chain1=`forward_chain $interface` - if [ -n "$have_canonical" ]; then - bounce=yes - else - case $interface in - *+*) - bounce=yes - ;; - *) - bounce= - ;; - esac - fi - for host1 in $dest_hosts; do interface1=${host1%:*} subnet1=${host1#*:} - if [ $interface != $interface1 -o -n "$bounce" ]; then + if [ "$host" != "$host1" ]; then run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain fi done diff --git a/STABLE/hosts b/STABLE/hosts index 3a390cc58..24bb53a9d 100644 --- a/STABLE/hosts +++ b/STABLE/hosts @@ -1,10 +1,17 @@ # # Shorewall 1.4 - /etc/shorewall/hosts # -# WARNING: 90% of Shorewall users don't need to add entries to this -# file and 80% of those who try to add such entries get it -# wrong. Unless you are ABSOLUTELY SURE that you need entries -# in this file, don't touch it! +# THERE ARE TWO CASES WHERE YOU NEED THIS FILE: +# +# 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO +# A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE +# BETWEEN THESE NETWORKS. +# +# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE +# INTERFACE. +# +# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH +# THIS FILE. # # This file is used to define zones in terms of subnets and/or # individual IP addresses. Most simple setups don't need to diff --git a/STABLE/install.sh b/STABLE/install.sh index deb3dec18..c368e21ad 100755 --- a/STABLE/install.sh +++ b/STABLE/install.sh @@ -54,7 +54,7 @@ # /etc/rc.d/rc.local file is modified to start the firewall. # -VERSION=1.4.0 +VERSION=1.4.1 usage() # $1 = exit status { diff --git a/STABLE/policy b/STABLE/policy index c90d1cdc1..e33ebfe7c 100644 --- a/STABLE/policy +++ b/STABLE/policy @@ -22,7 +22,26 @@ # Shorewall will not start! # # POLICY Policy if no match from the rules file is found. Must -# be "ACCEPT", "DROP", "REJECT" or "CONTINUE" +# be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE". +# +# ACCEPT - Accept the connection +# DROP - Ignore the connection request +# REJECT - For TCP, send RST. For all other, send +# "port unreachable" ICMP. +# CONTINUE - Pass the connection request past +# any other rules that it might also +# match (where the source or destination +# zone in those rules is a superset of +# the SOURCE or DEST in this policy). +# NONE - Assume that there will never be any +# packets from this SOURCE +# to this DEST. Shorewall will not set up +# any infrastructure to handle such +# packets and you may not have any rules +# with this SOURCE and DEST in the +# /etc/shorewall/rules file. If such a +# packet _is_ received, the result is +# undefined. # # LOG LEVEL If supplied, each connection handled under the default # POLICY is logged at that level. If not supplied, no diff --git a/STABLE/releasenotes.txt b/STABLE/releasenotes.txt index b6e048be7..fb6bad082 100644 --- a/STABLE/releasenotes.txt +++ b/STABLE/releasenotes.txt @@ -1,94 +1,19 @@ -This is a major release of Shorewall. +This is a minor release of Shorewall. -Function from 1.3 that has been omitted from this version includes: +This release introduces incompatibilities with prior releases. See +http://www.shorewall.net/upgrade_issues.htm. -1) The MERGE_HOSTS variable in shorewall.conf is no longer - supported. Shorewall 1.4 behavior is the same as 1.3 with - MERGE_HOSTS=Yes. +Changes are: -2) Interface names of the form : in - /etc/shorewall/interfaces now generate an error. +a) There is now a new NONE policy specifiable in +/etc/shorewall/policy. This policy will cause Shorewall to assume that +there will never be any traffic between the source and destination +zones. -3) Shorewall 1.4 implements behavior consistent with - OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error - at startup as will specification of the 'noping' or 'filterping' - interface options. - -4) The 'routestopped' option in the /etc/shorewall/interfaces and - /etc/shorewall/hosts files is no longer supported and will generate - an error at startup if specified. - -5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer - accepted. - -6) The ALLOWRELATED variable in shorewall.conf is no longer - supported. Shorewall 1.4 behavior is the same as 1.3 with - ALLOWRELATED=Yes. - -7) The 'multi' interface option is no longer supported. Shorewall will - generate rules for sending packets back out the same interface - that they arrived on in two cases: - - a) There is an _explicit_ policy for the source zone to the - destination zone. An explicit policy names both zones and does not - use the 'all' reserved word. - - b) There are one or more rules for traffic for the source zone to - or from the destination zone including rules that use the 'all' - reserved word. Exception: If the source and the destination are - the same zone then the rule must be explicit - it must name the zone - in both the SOURCE and DESTINATION columns. - -Changes for 1.4 include: - -1) shorewall.conf has been completely reorganized into logical - sections. - -2) LOG is now a valid action for a rule (/etc/shorewall/rules). - -3) The firewall script and version file are now installed in - /usr/share/shorewall. - -4. Late arriving DNS replies are now silently dropped in the common - chain by default. - -5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no - longer unconditionally accepts outbound ICMP packets. So if you want - to 'ping' from the firewall, you will need the appropriate rule or - policy. - -6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules). - -7) 802.11b devices with names of the form wlan now support the - 'maclist' option. - -8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip' - utility). - -9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned - off on a host or network basis using the new /etc/shorewall/ecn - file. To use this facility: - - a) You must be running kernel 2.4.20 - b) You must have applied the patch in - http://www.shorewall/net/pub/shorewall/ecn/patch. - c) You must have iptables 1.2.7a installed. - -10) The /etc/shorewall/params file is now processed first so that - variables may be used in the /etc/shorewall/shorewall.conf file. - -11) Packets with state INVALID are now silently dropped. - -12) Shorewall now gives a more helpful diagnostic when the 'ipchains' - compatibility kernel module is loaded and a 'shorewall start' - command is issued. - -13) The SHARED_DIR variable has been removed from shorewall.conf. This - variable was for use by package maintainers and was not documented - for general use. - -14) Shorewall now ignores 'default' routes when detecting masq'd - networks. +b) Shorewall no longer creates rules to govern traffic from an +interface:subnet to itself. +c) Intra-zone traffic is always accepted now (exception is (b) + above).. Intrazone policies and rules are no longer allowed. diff --git a/STABLE/rules b/STABLE/rules index 53bae816c..e658a9e9f 100644 --- a/STABLE/rules +++ b/STABLE/rules @@ -15,7 +15,8 @@ # Columns are: # # -# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT +# ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE +# or LOG. # # ACCEPT -- allow the connection request # DROP -- ignore the request @@ -39,6 +40,7 @@ # connection request will be passed # to the rules defined for that # (those) zone(s). +# LOG -- Simply log the packet and continue. # # May optionally be followed by ":" and a syslog log # level (e.g, REJECT:info). This causes the packet to be diff --git a/STABLE/shorewall.spec b/STABLE/shorewall.spec index ea1f9c4ed..a299bc280 100644 --- a/STABLE/shorewall.spec +++ b/STABLE/shorewall.spec @@ -1,5 +1,5 @@ %define name shorewall -%define version 1.4.0 +%define version 1.4.1 %define release 1 %define prefix /usr @@ -105,6 +105,8 @@ fi %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %changelog +* Fri Mar 21 2003 Tom Eastep +- Changed version to 1.4.1-1 * Mon Mar 17 2003 Tom Eastep - Changed version to 1.4.0-1 * Fri Mar 07 2003 Tom Eastep diff --git a/STABLE/uninstall.sh b/STABLE/uninstall.sh index b544cfd98..5ab7c63d4 100755 --- a/STABLE/uninstall.sh +++ b/STABLE/uninstall.sh @@ -26,7 +26,7 @@ # You may only use this script to uninstall the version # shown below. Simply run this script to remove Seattle Firewall -VERSION=1.4.0 +VERSION=1.4.1 usage() # $1 = exit status { diff --git a/Shorewall-docs/Documentation.htm b/Shorewall-docs/Documentation.htm index 3fff0057c..f37490147 100644 --- a/Shorewall-docs/Documentation.htm +++ b/Shorewall-docs/Documentation.htm @@ -1,93 +1,93 @@ - - + + - - + + - - + + Shorewall 1.4 Documentation - - - - + + + + - - + + - + - + - - - - + + +
    - - - + + + +

    Shorewall 1.4 Reference
    - - + +

    This documentation is intended primarily for reference. Step-by-step instructions for configuring Shorewall in common setups may be found in the QuickStart Guides.

    - - + +

    Components

    - - + +

    Shorewall consists of the following components:

    - - + +
    • params -- a parameter file installed in /etc/shorewall that can be used to establish the values of shell variables for use in other files.
      • -
    • shorewall.conf +
    • shorewall.conf -- a parameter file installed in /etc/shorewall that is used to set several firewall parameters.
      • -
    • zones - - a parameter file installed in /etc/shorewall that defines +
    • zones + - a parameter file installed in /etc/shorewall that defines a network partitioning into "zones"
      • -
    • policy - -- a parameter file installed in /etc/shorewall/ that +
    • policy + -- a parameter file installed in /etc/shorewall/ that establishes overall firewall policy.
      • -
    • rules - -- a parameter file installed in /etc/shorewall and -used to express firewall rules that are exceptions to +
    • rules + -- a parameter file installed in /etc/shorewall and +used to express firewall rules that are exceptions to the high-level policies established in /etc/shorewall/policy.
      • -
    • blacklist - -- a parameter file installed in /etc/shorewall and +
    • blacklist + -- a parameter file installed in /etc/shorewall and used to list blacklisted IP/subnet/MAC addresses.
      • -
    • ecn -- a parameter file installed in /etc/shorewall +
    • ecn -- a parameter file installed in /etc/shorewall and used to selectively disable Explicit Congestion Notification (ECN - RFC 3168).
      • -
    • functions -- a set of shell - functions used by both the firewall and shorewall shell -programs. Installed in /etc/shorewall prior to version 1.3.2, -in /var/lib/shorewall in version s 1.3.2-1.3.8 and in /usr/lib/shorewall +
    • functions -- a set of shell + functions used by both the firewall and shorewall shell +programs. Installed in /etc/shorewall prior to version 1.3.2, +in /var/lib/shorewall in version s 1.3.2-1.3.8 and in /usr/lib/shorewall in later versions.
      • -
    • modules - -- a parameter file installed in /etc/shorewall and that - specifies kernel modules and their parameters. Shorewall will +
    • modules + -- a parameter file installed in /etc/shorewall and that + specifies kernel modules and their parameters. Shorewall will automatically load the modules specified in this file.
    • tos -- a parameter file installed in @@ -98,19 +98,19 @@ in later versions.
      • -- a parameter file installed in in /etc/shorewall that defines firewall-wide rules that are applied before a DROP or REJECT policy is applied. -
    • interfaces - -- a parameter file installed in /etc/shorewall/ +
    • interfaces + -- a parameter file installed in /etc/shorewall/ and used to describe the interfaces on the firewall system.
    • hosts -- a parameter file installed in /etc/shorewall/ and used to describe individual hosts or subnetworks in zones.
      • -
    • maclist -- -a parameter file installed in /etc/shorewall and used to verify +
    • maclist -- +a parameter file installed in /etc/shorewall and used to verify the MAC address (and possibly also the IP address(es)) of devices.
      • -
    • masq - - This file also describes IP masquerading under Shorewall +
    • masq + - This file also describes IP masquerading under Shorewall and is installed in /etc/shorewall.
    • firewall -- a shell @@ -120,101 +120,101 @@ the MAC address (and possibly also the IP address(es)) of devices.
      is renamed shorewall. /etc/shorewall/firewall (/var/lib/shorewall/firewall in versions 1.3.2-1.3.8 and /usr/lib/shorewall/firewall in 1.3.9 and later) is a symbolic link to this program.
      • -
    • nat +
    • nat -- a parameter file in /etc/shorewall used to define static NAT .
      • -
    • proxyarp +
    • proxyarp -- a parameter file in /etc/shorewall used to define Proxy Arp .
      • -
    • rfc1918 +
    • rfc1918 -- a parameter file in /etc/shorewall used to define the treatment of packets under the norfc1918 interface option.
      • -
    • routestopped - -- a parameter file in /etc/shorewall used to define those +
    • routestopped + -- a parameter file in /etc/shorewall used to define those hosts that can access the firewall when Shorewall is stopped.
    • tcrules -- + href="traffic_shaping.htm#tcrules">tcrules -- a parameter file in /etc/shorewall used to define rules for classifying packets for Traffic Shaping/Control.
      • -
    • tunnels - -- a parameter file in /etc/shorewall used to define +
    • tunnels + -- a parameter file in /etc/shorewall used to define IPSec tunnels.
    • shorewall -- a shell program (requiring a Bourne shell or - derivative) used to control and monitor + derivative) used to control and monitor the firewall. This should be placed in /sbin or in /usr/sbin - (the install.sh script and the rpm install this file + (the install.sh script and the rpm install this file in /sbin).
    • version -- a file created - in /etc/shorewall/ (/var/lib/shorewall in version - 1.3.2-1.3.8 and /usr/lib/shorewall beginning in version 1.3.9) - that describes the version of Shorewall installed + in /etc/shorewall/ (/var/lib/shorewall in version + 1.3.2-1.3.8 and /usr/lib/shorewall beginning in version 1.3.9) + that describes the version of Shorewall installed on your system.
      • - +
    - - + +

    /etc/shorewall/params

    - - + +

    You may use the file /etc/shorewall/params file to set shell variables that you can then use in some of the other configuration files.

    - - + +

    It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally within the Shorewall programs

    - - + +

    Example:

    - - + + 
     	NET_IF=eth0
    	NET_BCAST=130.252.100.255
    	NET_OPTIONS=blacklist,norfc1918
    - +

    Example (/etc/shorewall/interfaces record):

    - + 
    	net $NET_IF $NET_BCAST $NET_OPTIONS
    - +

    The result will be the same as if the record had been written

    - + 
    	net eth0 130.252.100.255 blacklist,norfc1918
    - +

    Variables may be used anywhere in the other configuration files.

    - - + +

    /etc/shorewall/zones

    - - + +

    This file is used to define the network zones. There is one entry in /etc/shorewall/zones for each zone; Columns in an entry are:

    - - + +
      -
    • ZONE - short name for the - zone. The name should be 5 characters or less in length -and consist of lower-case letters or numbers. Short names must +
    • ZONE - short name for the + zone. The name should be 5 characters or less in length +and consist of lower-case letters or numbers. Short names must begin with a letter and the name assigned to the firewall is reserved for use by Shorewall itself. Note that the output produced by iptables is much easier to read if you select short names that are three characters or less in length. The name "all" may not be used as a zone name nor may the zone name assigned to the firewall itself via the FW variable in /etc/shorewall/shorewall.conf.
      • -
    • DISPLAY - The name of the +
    • DISPLAY - The name of the zone as displayed during Shorewall startup.
      • -
    • COMMENTS - Any comments -that you want to make about the zone. Shorewall ignores +
    • COMMENTS - Any comments +that you want to make about the zone. Shorewall ignores these comments.
      • - +
    - - + +

    The /etc/shorewall/zones file released with Shorewall is as follows:

    - - + + @@ -237,74 +237,74 @@ these comments. - - - - - + + + + +
    DMZ Demilitarized zone
    - - + +

    You may add, delete and modify entries in the /etc/shorewall/zones file as desired so long as you have at least one zone defined.

    - - + +

    Warning 1: If you rename or delete a zone, you should perform "shorewall stop; shorewall start" to install the change rather than "shorewall restart".

    - - + +

    Warning 2: The order of entries in the /etc/shorewall/zones file is significant in some cases.

    - - + +

    /etc/shorewall/interfaces

    - - + +

    This file is used to tell the firewall which of your firewall's network interfaces are connected to which zone. There will be one entry in /etc/shorewall/interfaces for each of your interfaces. Columns in an entry are:

    - +
    • ZONE - A zone defined in the /etc/shorewall/zones file or - "-". If you specify "-", you must use the - /etc/shorewall/hosts file to define the zones + "-". If you specify "-", you must use the + /etc/shorewall/hosts file to define the zones accessed via this interface.
      • -
    • INTERFACE - the name of -the interface (examples: eth0, ppp0, ipsec+). Each interface +
    • INTERFACE - the name of +the interface (examples: eth0, ppp0, ipsec+). Each interface can be listed on only one record in this file. DO NOT INCLUDE THE LOOPBACK INTERFACE + color="#ff0000">DO NOT INCLUDE THE LOOPBACK INTERFACE (lo) IN THIS FILE!!!
      • -
    • BROADCAST - the broadcast - address(es) for the sub-network(s) attached to the interface. - This should be left empty for P-T-P interfaces (ppp*, ippp*); +
    • BROADCAST - the broadcast + address(es) for the sub-network(s) attached to the interface. + This should be left empty for P-T-P interfaces (ppp*, ippp*); if you need to specify options for such an interface, enter "-" in this column. If you supply the special value "detect" in this -column, the firewall will automatically determine the broadcast - address. In order to use "detect": - - +column, the firewall will automatically determine the broadcast + address. In order to use "detect": + +
        -
      • the +
      • the interface must be up before you start your firewall
        • -
      • the interface must only be attached +
      • the interface must only be attached to a single sub-network (i.e., there must have a single broadcast address).
        • - - - + + +
      - +
      • -
    • OPTIONS - a comma-separated - list of options. Possible options include: - - - +
    • OPTIONS - a comma-separated + list of options. Possible options include: + + +

      tcpflags (added in version 1.3.11) - This option causes Shorewall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; these @@ -323,12 +323,12 @@ these checks are logged according to the TCP_FLAGS_LOG_LEVEL option innorfc1918 option + that use DHCP and you select the norfc1918 option (see below).

      - - - - + + + +

      norfc1918 - Packets arriving on this interface and that have a source address that is reserved in RFC 1918 or in other RFCs will be dropped after being optionally logged. If href="#rfc1918"> rfc1918 file include those addresses reserved by RFC1918 plus other ranges reserved by the IANA or by other RFCs.

      - - - - + + + +

      Beware that as IPv4 addresses become in increasingly short supply, ISPs are beginning to use RFC 1918 addresses within their own infrastructure. Also, many cable and DSL "modems" have an RFC 1918 address that can be used through a web browser for - management and monitoring functions. If you want to specify + management and monitoring functions. If you want to specify norfc1918 on your external interface but need to allow access to certain addresses from the above list, see FAQ 14.

      - - - - + + + +

      routefilter - Invoke the Kernel's route filtering - (anti-spoofing) facility on this interface. The kernel + (anti-spoofing) facility on this interface. The kernel will reject any packets incoming on this interface that have a source address that would be routed outbound through another interface on the firewall. Warning: If you specify this option for an interface then the interface must be up prior to starting the firewall.

      - - - - -

      dropunclean - Packets from this interface that - are selected by the 'unclean' match target in iptables will + + + + +

      dropunclean - Packets from this interface that + are selected by the 'unclean' match target in iptables will be optionally logged and then dropped. - Warning: This feature - requires that UNCLEAN match support be configured in your + Warning: This feature + requires that UNCLEAN match support be configured in your kernel, either in the kernel itself or as a module. UNCLEAN support is broken in some versions of the kernel but appears to work ok in 2.4.17-rc1.

      Update 12/17/2001:       The unclean match patch from 2.4.17-rc1 is - available - for download. I am currently running + available + for download. I am currently running this patch applied to kernel 2.4.16.

      - - - -

      Update 12/20/2001: I've - seen a number of tcp connection requests - with OPT (020405B40000080A...) being - dropped in the badpkt chain. This appears to be - a bug in the remote TCP stack whereby it is 8-byte aligning - a timestamp (TCP option 8) but rather than padding + + + +

      Update 12/20/2001: I've + seen a number of tcp connection requests + with OPT (020405B40000080A...) being + dropped in the badpkt chain. This appears to be + a bug in the remote TCP stack whereby it is 8-byte aligning + a timestamp (TCP option 8) but rather than padding with 0x01 it is padding with 0x00. It's a tough call whether to deny people access to your servers because of this rather minor bug in their networking software. If you wish to disable the check that causes these connections to be dropped, here's + href="ftp://ftp.shorewall.net/pub/shorewall/misc/unclean1.patch">here's a kernel patch against 2.4.17-rc2.

      - - - -

      logunclean - This option works like dropunclean - with the exception that packets selected - by the 'unclean' match target in iptables - are logged but not dropped. The - level at which the packets are logged is determined by - the setting of LOGUNCLEAN + + + +

      logunclean - This option works like dropunclean + with the exception that packets selected + by the 'unclean' match target in iptables + are logged but not dropped. The + level at which the packets are logged is determined by + the setting of LOGUNCLEAN and if LOGUNCLEAN has not been set, "info" is assumed.

      - - - -

      proxyarp (Added in version 1.3.5) - This option + + + +

      proxyarp (Added in version 1.3.5) - This option causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp and is used when implementing Proxy -ARP Sub-netting as described at +ARP Sub-netting as described at http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do not set this option if you are implementing @@ -426,38 +426,38 @@ Do not set this option if you are implementing interface are subject to MAC Verification. May only be specified for ethernet interfaces.

      • - +
    - +

    My recommendations concerning options:

    - +
    • External Interface -- tcpflags,blacklist,norfc1918,routefilter
    • Wireless Interface -- maclist,routefilter,tcpflags
      • -
    • Don't use dropunclean -- It's broken +
    • Don't use dropunclean -- It's broken in my opinion
    • Use logunclean only when you are trying to debug a problem
    • Use dhcp and proxyarp when needed.
      • - +
    - +

    - - + +

    Example 1: You have a conventional firewall setup in which eth0 connects to a Cable or DSL modem and eth1 connects to your local network and eth0 gets its IP address via DHCP. You want to -check all packets entering from the internet +check all packets entering from the internet against the black list. Your /etc/shorewall/interfaces file would be as follows:

    - - -
    - + + +
    + @@ -479,23 +479,23 @@ check all packets entering from the internet - - - - - - - + + + + + + +

    - - -

    Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + + +

    Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces file would be:

    - - -
    - + + +
    + @@ -507,29 +507,29 @@ check all packets entering from the internet - + - - - - - - - + + + + + + +
    net ppp0

    - - -

    Example 3: You have local interface eth1 with two IP + + +

    Example 3: You have local interface eth1 with two IP addresses - 192.168.1.1/24 and 192.168.12.1/24

    - - -
    - + + +
    + @@ -541,31 +541,31 @@ check all packets entering from the internet - + - - - - - - + + + + + +
    loc eth1192.168.1.255,192.168.12.255
    - - + +

    /etc/shorewall/hosts Configuration

    - - + +

    For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/shorewall/hosts file.

    - - + +

    WARNING: The only times that you need entries in /etc/shorewall/hosts are:

    @@ -579,93 +579,93 @@ those subnetworks.
IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN DON'T TOUCH THIS FILE!!

Columns in this file are:

- - + +
  • ZONE - A zone defined in the /etc/shorewall/zones file.
    • -
  • HOST(S) - The name of a -network interface followed by a colon (":") followed +
  • HOST(S) - The name of a +network interface followed by a colon (":") followed by either:
    • - +
- - -
- - + + +
+ +
    - +
  1. An IP address (example - eth1:192.168.1.3)
    2. - +
  2. A subnet in CIDR notation (example - eth2:192.168.2.0/24)
    3. - - - + + +
- - - + + +

The interface name much match an entry in /etc/shorewall/interfaces.

- - + +
    -
  • OPTIONS - A comma-separated +
  • OPTIONS - A comma-separated list of option
    • - +
- - -
- - -

maclist - Added in version 1.3.10. If specified, connection + + +

+ + +

maclist - Added in version 1.3.10. If specified, connection requests from the hosts specified in this entry are subject to MAC Verification. This option is only valid for ethernet interfaces.

- - - + + +

If you don't define any hosts for a zone, the hosts in the zone default to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are the interfaces to the zone.

- - - -

Note: You probably DON'T - want to specify any hosts for your internet zone since the hosts that - you specify will be the only ones that you will be able to access without + + + +

Note: You probably DON'T + want to specify any hosts for your internet zone since the hosts that + you specify will be the only ones that you will be able to access without adding additional rules.

- - - - + + + +

Example 1:

- - - + + +

Your local interface is eth1 and you have two groups of local hosts that you want to make into separate zones:

- - + +
  • 192.168.1.0/25
  • 192.168.1.128/
    • - +
- - + +

Your /etc/shorewall/interfaces file might look like:

- - - -
- + + + +
+ @@ -688,32 +688,32 @@ are the interfaces to the zone.

- - - - - - - + + + + + + +

- - - -

The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + + + +

The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces to multiple zones.

- - - + + +

Your /etc/shorewall/hosts file might look like:

- - - + + +
- - - + face="Century Gothic, Arial, Helvetica"> + + + @@ -733,36 +733,36 @@ are the interfaces to the zone.

- - + +

- - - - - + + + + +

Example 2:

- - - + + +

Your local interface is eth1 and you have two groups of local hosts that you want to consider as one zone and you want Shorewall to route between them:

- - + +
  • 192.168.1.0/25
  • 192.168.1.128/25
- - + +

Your /etc/shorewall/interfaces file might look like:

- - - -
- + + + +
+ @@ -786,29 +786,29 @@ them:

- - - - - - - + + + + + + +

- - - - - + + + + +

Your /etc/shorewall/hosts file might look like:

- - - + + +
- - - + face="Century Gothic, Arial, Helvetica"> + + + @@ -828,21 +828,21 @@ them:

- - + +

- - - - - + + + + +

Nested and Overlapping Zones

- - - -

The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow + + + +

The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow you to define nested or overlapping zones. Such overlapping/nested zones are allowed and Shorewall processes zones in the order that they appear in the /etc/shorewall/zones file. So if you @@ -850,127 +850,127 @@ have nested zones, you want the sub-zone to appear before the super-zone and in the case of overlapping zones, the rules that will apply to hosts that belong to both zones is determined by which zone appears first in /etc/shorewall/zones.

- - - + + +

Hosts that belong to more than one zone may be managed by the rules of all of those zones. This is done through use of the special CONTINUE policy described below.

- - - -

+ + + +

/etc/shorewall/policy Configuration.

- - + +

This file is used to describe the firewall policy regarding establishment of connections. Connection establishment is described in terms of clients who initiate connections and servers who receive those connection requests. Policies defined in /etc/shorewall/policy describe which zones are allowed to establish connections with other zones.

- - - + + +

Policies established in /etc/shorewall/policy can be viewed as default policies. If no rule in /etc/shorewall/rules applies to a particular connection request then the policy from /etc/shorewall/policy is applied.

- - - + + +

Four policies are defined:

- - + +
    -
  • ACCEPT - The connection +
  • ACCEPT - The connection is allowed.
    • -
  • DROP - The connection request +
  • DROP - The connection request is ignored.
    • -
  • REJECT - The connection +
  • REJECT - The connection request is rejected with an RST (TCP) or an ICMP destination-unreachable packet being returned to the client.
  • CONTINUE - The connection is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may be used when one or both of the zones named in the entry are - sub-zones of or intersect with another zone. For more information, + sub-zones of or intersect with another zone. For more information, see below.
  • NONE - (Added in version 1.4.1) - Shorewall should not set up any infrastructure for handling traffic from the SOURCE zone to the DEST zone. When this policy is specified, the LOG LEVEL and BURST:LIMIT columns must be left blank.
    • - +
- - - + + +

For each policy specified in /etc/shorewall/policy, you can indicate that you want a message sent to your system log each time that the policy is applied.

- - - + + +

Entries in /etc/shorewall/policy have four columns as follows:

- - - + + +
    - -
  1. + +
  2. SOURCE - The name of a client zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all").
    3. - -
  3. + +
  4. DEST - The name of a destination zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all"). Shorewall -automatically allows all traffic from the firewall to itself so +automatically allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the SOURCE and DEST columns.
    5. - -
  5. + +
  6. POLICY - The default policy for connection requests from the SOURCE zone to the DESTINATION zone.
    7. - -
  7. + +
  8. LOG LEVEL - Optional. If left empty, no log message is generated when the policy is applied. Otherwise, this column should contain an integer or name indicating a syslog level.
    9. - -
  9. LIMIT:BURST - - Optional. If left empty, TCP connection requests - from the SOURCE zone to the DEST zone will - not be rate-limited. Otherwise, this column specifies the maximum - rate at which TCP connection requests will be accepted followed + +
  10. LIMIT:BURST + - Optional. If left empty, TCP connection requests + from the SOURCE zone to the DEST zone will + not be rate-limited. Otherwise, this column specifies the maximum + rate at which TCP connection requests will be accepted followed by a colon (":") followed by the maximum burst size that will be tolerated. Example: 10/sec:40 specifies that the maximum rate of TCP connection requests allowed will be 10 per second and a burst of 40 connections will be tolerated. Connection requests in excess of these limits will be dropped.
    11. - - - + + +
- - - + + +

In the SOURCE and DEST columns, you can enter "all" to indicate all zones.

- - - + + +

The policy file installed by default is as follows:

- - - + + +
- - - + face="Century Gothic, Arial, Helvetica"> + + + @@ -986,7 +986,7 @@ should contain an integer or name indicating a ACCEPT - + @@ -1006,51 +1006,51 @@ should contain an integer or name indicating a
- - - - - - - - + + + + + + + +


- - - + + +

This table may be interpreted as follows:

- - + +
  • All connection requests from the local network to hosts on the internet are accepted.
    • -
  • All connection requests originating +
  • All connection requests originating from the internet are ignored and logged at level KERNEL.INFO.
    • -
  • All other connection requests are +
  • All other connection requests are rejected and logged.
    • - +
- - + +

WARNING:

- - + +

The firewall script processes the /etc/shorewall/policy file from top to bottom and uses the first applicable policy that it finds. For example, in the following policy file, the policy for (loc, loc) connections would be ACCEPT as specified in the first entry even though the third entry in the file specifies REJECT.

- - + +
- - + face="Century Gothic, Arial, Helvetica"> + + - + @@ -1067,7 +1067,7 @@ rejected and logged. - + @@ -1084,18 +1084,18 @@ rejected and logged. - - - - - - - - + + + + + + + +
SOURCE DEST
net all
- - + +

IntraZone Traffic

Shorewall allows a zone to be associated with more than one interface or with multiple networks that interface through a single interface. Beginning @@ -1117,24 +1117,24 @@ traffic from one ISP to the other through your firewall. to communicate between themselves using your gateway/router.
-

+

The CONTINUE policy

- - + +

Where zones are nested or overlapping , the CONTINUE policy allows hosts that are within multiple zones to be managed under the rules of all of these zones. Let's look at an example:

- - + +

/etc/shorewall/zones:

- - -
- + + +
+ - + @@ -1155,26 +1155,26 @@ to communicate between themselves using your gateway/router.
- - - - - - - - + + + + + + + +
ZONE DISPLAY Loc Local Network
- - + +

/etc/shorewall/interfaces:

- - -
- + + +
+ - + @@ -1194,29 +1194,29 @@ to communicate between themselves using your gateway/router.
- - - - - - - - - + + + + + + + + +
ZONE INTERFACE
- - + +

/etc/shorewall/hosts:

- - + +
- - + face="Century Gothic, Arial, Helvetica"> + + - + @@ -1228,43 +1228,43 @@ to communicate between themselves using your gateway/router.
- + - - - - - - - - - + + + + + + + + +
ZONE HOST(S)
sam eth0:206.191.149.197
- - + +

Note that Sam's home system is a member of both the sam zone and the net zone and as described above , that means that sam must be listed before net in /etc/shorewall/zones.

- - + +

/etc/shorewall/policy:

- - + +
- - + face="Century Gothic, Arial, Helvetica"> + + - + @@ -1278,7 +1278,7 @@ to communicate between themselves using your gateway/router.
- + @@ -1286,7 +1286,7 @@ to communicate between themselves using your gateway/router.
- + @@ -1299,38 +1299,38 @@ to communicate between themselves using your gateway/router.
- - - - - - - - - + + + + + + + + +
SOURCE DEST
sam all
net all REJECT info
- - + +

The second entry above says that when Sam is the client, connection requests should first be process under rules where the source zone is sam and if there is no match then the connection request should be treated under rules where the source zone is net. It is important that this policy be listed BEFORE the next policy (net to all).

- - + +

Partial /etc/shorewall/rules:

- - + +
- - + face="Century Gothic, Arial, Helvetica"> + + - + @@ -1342,7 +1342,7 @@ BEFORE the next policy (net to all).

PORT(S) - + @@ -1359,7 +1359,7 @@ BEFORE the next policy (net to all).

- + @@ -1395,44 +1395,44 @@ BEFORE the next policy (net to all).

- - - - - - - - - + + + + + + + + +
ACTION SOURCE ORIGINAL
DEST
...
DNAT sam
- - + +

Given these two rules, Sam can connect to the firewall's internet interface with ssh and the connection request will be forwarded to 192.168.1.3. Like all hosts in the net zone, Sam can connect to the firewall's internet interface on TCP port 80 and the connection request will be forwarded to 192.168.1.5. The order of the rules is not significant.

- - + +

Sometimes it is necessary to suppress port forwarding for a sub-zone. For example, suppose that all hosts can SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT Sam. When Sam connects to the firewall's external IP, he should be connected to the firewall itself. Because of the way that Netfilter is constructed, this requires two rules as follows:

- - -
- - + + +
+ +

- + - - + face="Century Gothic, Arial, Helvetica"> + + @@ -1447,7 +1447,7 @@ be connected to the firewall itself. Because of the way that Netfilte - + @@ -1478,7 +1478,7 @@ be connected to the firewall itself. Because of the way that Netfilte - + @@ -1515,81 +1515,81 @@ be connected to the firewall itself. Because of the way that Netfilte - - - - - - - + + + + + + +
ORIGINAL
DEST


DNAT
- - -

The first rule allows Sam SSH - access to the firewall. The second - rule says that any clients from the - net zone with the exception of those - in the 'sam' zone should have their - connection port forwarded to + + +

The first rule allows Sam SSH + access to the firewall. The second + rule says that any clients from the + net zone with the exception of those + in the 'sam' zone should have their + connection port forwarded to 192.168.1.3. If you need to exclude more than one zone in this way, you can list -the zones separated by - commas (e.g., net!sam,joe,fred). - This technique also may be used when +the zones separated by + commas (e.g., net!sam,joe,fred). + This technique also may be used when the ACTION is REDIRECT.

- - - -

+ + + +

/etc/shorewall/rules

- - - + + +

The /etc/shorewall/rules file defines exceptions to the policies established in the /etc/shorewall/policy file. There is one entry in /etc/shorewall/rules for each of these rules.

- -

Shorewall automatically enables firewall->firewall traffic over the - loopback interface (lo) -- that traffic cannot be regulated using - rules and any rule that tries to regulate such traffic will generate + +

Shorewall automatically enables firewall->firewall traffic over the + loopback interface (lo) -- that traffic cannot be regulated using + rules and any rule that tries to regulate such traffic will generate a warning and will be ignored.

- - - + + +

Entries in the file have the following columns:

- +
    -
  • ACTION - - +
  • ACTION + +
      -
    • ACCEPT, DROP, REJECT, CONTINUE. -These have the same meaning here as in the policy file +
    • ACCEPT, DROP, REJECT, CONTINUE. +These have the same meaning here as in the policy file above.
      • -
    • DNAT -- Causes the connection request +
    • DNAT -- Causes the connection request to be forwarded to the system specified in the DEST column - (port forwarding). "DNAT" stands for "Destination + (port forwarding). "DNAT" stands for "Destination Network Address Translation"
    • DNAT- -- The above ACTION (DNAT) generates two iptables rules: 1) and header-rewriting rule in the Netfilter 'nat' table and; 2) an ACCEPT rule in the Netfilter 'filter' table. DNAT- works like DNAT but only generates the header-rewriting rule.
      • -
    • REDIRECT -- Causes the connection - request to be redirected to a port on the local (firewall) +
    • REDIRECT -- Causes the connection + request to be redirected to a port on the local (firewall) system.
    • LOG - Log the packet -- requires a syslog level (see below).
      • - - - + + +
    - - - + + +

    The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). This causes the packet to be logged at the specified level prior @@ -1602,22 +1602,22 @@ that you have NAT enabled.

  • SOURCE - Describes the source hosts to which the rule applies.. The contents of this field - must begin with the name of a zone defined in /etc/shorewall/zones, + must begin with the name of a zone defined in /etc/shorewall/zones, $FW or "all". If the ACTION is DNAT or REDIRECT, sub-zones may be excluded from the rule by following the initial zone name with "!' and a comma-separated list of those sub-zones to be excluded. There is an example above.

    If the source is not 'all' then the source - may be further restricted by adding a colon (":") followed + may be further restricted by adding a colon (":") followed by a comma-separated list of qualifiers. Qualifiers are may - include: - - + include: + +
      -
    • An interface name - refers to any - connection requests arriving on the specified interface - (example loc:eth4). Beginning with Shorwall 1.3.9, the interface +
    • An interface name - refers to any + connection requests arriving on the specified interface + (example loc:eth4). Beginning with Shorwall 1.3.9, the interface name may optionally be followed by a colon (":") and an IP address or subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24).
    • An IP address - refers to a connection @@ -1626,36 +1626,36 @@ that you have NAT enabled.
      not be a DNS name.
    • A MAC Address in Shorewall format.
      • -
    • A subnet - refers to a connection - request from any host in the specified subnet (example +
    • A subnet - refers to a connection + request from any host in the specified subnet (example net:155.186.235.0/24).
      • - - - + + +
    • -
  • DEST - Describes the destination - host(s) to which the rule applies. May take most of the forms - described above for SOURCE plus the following two additional - forms: - - +
  • DEST - Describes the destination + host(s) to which the rule applies. May take most of the forms + described above for SOURCE plus the following two additional + forms: + +
      -
    • An IP address followed by a colon - and the port number that the server - is listening on (service names from /etc/services are not +
    • An IP address followed by a colon + and the port number that the server + is listening on (service names from /etc/services are not allowed - example loc:192.168.1.3:80).
    • A single port number (again, service - names are not allowed) -- this form is only allowed + names are not allowed) -- this form is only allowed if the ACTION is REDIRECT and refers to a server running on the firewall itself and listening on the specified port.
      • - - - + + +
    Restrictions:
    - +
    • MAC addresses may not be specified.
    • In DNAT rules, only an IP address may be given -- DNS names are @@ -1663,22 +1663,22 @@ firewall itself and listening on the specified port.
    • You may not specify both an IP address and an interface name in the DEST column.
      • - +
  • PROTO - Protocol. Must -be a protocol name from /etc/protocols, a number or +be a protocol name from /etc/protocols, a number or "all". Specifies the protocol of the connection request.
  • DEST PORT(S) - Port -or port range (<low port>:<high port>) being connected - to. May only be specified if the protocol is tcp, udp -or icmp. For icmp, this column's contents are interpreted +or port range (<low port>:<high port>) being connected + to. May only be specified if the protocol is tcp, udp +or icmp. For icmp, this column's contents are interpreted as an icmp type. If you don't want to specify DEST PORT(S) but need to include information in one of the columns to the right, enter "-" in this column. You may give a list of ports and/or port -ranges separated by commas. Port numbers may be either integers +ranges separated by commas. Port numbers may be either integers or service names from /etc/services.
    • -
  • SOURCE PORTS(S) - +
  • SOURCE PORTS(S) - May be used to restrict the rule to a particular client port or port range (a port range is specified as <low port number>:<high port number>). If you don't want to restrict client ports but @@ -1690,25 +1690,25 @@ separate the list elements with commas (with no embedded white
  • ORIGINAL DEST - This column may only be non-empty if the ACTION is DNAT or REDIRECT.

    - If DNAT or REDIRECT is the ACTION and -the ORIGINAL DEST column is left empty, any connection request + If DNAT or REDIRECT is the ACTION and +the ORIGINAL DEST column is left empty, any connection request arriving at the firewall from the SOURCE that matches the rule - will be forwarded or redirected. This works fine for connection - requests arriving from the internet where the firewall has - only a single external IP address. When the firewall has multiple - external IP addresses or when the SOURCE is other than the internet, + will be forwarded or redirected. This works fine for connection + requests arriving from the internet where the firewall has + only a single external IP address. When the firewall has multiple + external IP addresses or when the SOURCE is other than the internet, there will usually be a desire for the rule to only apply to those connection requests directed to a particular IP address (see Example 2 below for another usage). That IP address (or a comma-separated list of such addresses) is specified in the ORIGINAL DEST column.

    - The IP address may be optionally followed + The IP address may be optionally followed by ":" and a second IP address. This latter address, if present, is used as the source address for packets forwarded to the server (This is called "Source NAT" or SNAT).
    - +
    - + Note: When using SNAT, it is a good idea to qualify the source with an IP address or subnet. Otherwise, it is likely that SNAT will occur on connections other than @@ -1716,32 +1716,32 @@ those described in the rule. The reason for this is that SNAT occurs in the Netfilter POSTROUTING hook where it is not possible to restrict the scope of a rule by incoming interface.

    -     Example: DNAT loc:192.168.1.0/24 +     Example: DNAT loc:192.168.1.0/24 loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3

    -     If SNAT is not used (no ":" -and second IP address), the original source address is -used. If you want any destination address to match the rule -but want to specify SNAT, simply use a colon followed by the SNAT +     If SNAT is not used (no ":" +and second IP address), the original source address is +used. If you want any destination address to match the rule +but want to specify SNAT, simply use a colon followed by the SNAT address.
    • - +
- - - + + +

Example 1. You wish to forward all ssh connection requests from the internet to local system 192.168.1.3.

- - + +
- - + face="Century Gothic, Arial, Helvetica"> + + - + @@ -1753,7 +1753,7 @@ but want to specify SNAT, simply use a colon followed by the SNAT PORT(S) - + @@ -1766,43 +1766,43 @@ but want to specify SNAT, simply use a colon followed by the SNAT - - - - - - - - - + + + + + + + + +
ACTION SOURCE ORIGINAL
DEST
DNAT
- - + +

Example 2. You want to redirect all local www connection requests EXCEPT those - to your own http server - (206.124.146.177) to a Squid + to your own http server + (206.124.146.177) to a Squid transparent proxy running on the firewall and listening on port 3128. Squid will of course require access -to remote web servers. This example shows yet - another use for the ORIGINAL - DEST column; here, connection - requests that were NOT +to remote web servers. This example shows yet + another use for the ORIGINAL + DEST column; here, connection + requests that were NOT -(notice the "!") originally - destined to 206.124.146.177 are + href="#GettingStarted"> +(notice the "!") originally + destined to 206.124.146.177 are redirected to local port 3128.

- - + +
- - + face="Century Gothic, Arial, Helvetica"> + + - + @@ -1814,7 +1814,7 @@ to remote web servers. This example shows yet PORT(S) - + @@ -1837,32 +1837,32 @@ to remote web servers. This example shows yet - - - - - - - - - + + + + + + + + +
ACTION SOURCE ORIGINAL
DEST
REDIRECT
- - + +

Example 3. You want to run a web server at 155.186.235.222 in your DMZ and have it accessible remotely and locally. the DMZ is managed by Proxy ARP or by classical sub-netting.

- - + +
- - + face="Century Gothic, Arial, Helvetica"> + + - + @@ -1874,7 +1874,7 @@ your DMZ and have it accessible remotely and locally. the DMZ is managed PORT(S) - + @@ -1886,7 +1886,7 @@ your DMZ and have it accessible remotely and locally. the DMZ is managed - + @@ -1898,19 +1898,19 @@ your DMZ and have it accessible remotely and locally. the DMZ is managed - - - - - - - - - + + + + + + + + +
ACTION SOURCE ORIGINAL
DEST
ACCEPT
ACCEPT loc
- - + +

Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded DMZ. Your internet interface address is 155.186.235.151 and you want the FTP server to be accessible from the internet @@ -1918,35 +1918,35 @@ your DMZ and have it accessible remotely and locally. the DMZ is managed subnetworks. Note that since the server is in the 192.168.2.0/24 subnetwork, we can assume that access to the server from that subnet will not involve the firewall (but see FAQ - 2). Note that unless you - have more than one external - IP address, you can leave - the ORIGINAL DEST column + 2). Note that unless you + have more than one external + IP address, you can leave + the ORIGINAL DEST column blank in the first rule. You cannot leave it blank in the second rule though because then all - ftp connections - originating in the local - subnet 192.168.1.0/24 would - be sent to 192.168.2.2 - regardless of the site that - the user was trying to + ftp connections + originating in the local + subnet 192.168.1.0/24 would + be sent to 192.168.2.2 + regardless of the site that + the user was trying to connect to. That is clearly not what you want .

- - + +
- - + face="Century Gothic, Arial, Helvetica"> + + - + @@ -1958,7 +1958,7 @@ you want - + @@ -1980,68 +1980,68 @@ you want - - - - - - - - - - - + + + + + + + + + +
ACTION SOURCE ORIGINAL
DEST
DNAT 155.186.235.151
- - - - + + + +

If you are running wu-ftpd, you should restrict the range of passive in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions so I use port range 65500-65535. In /etc/ftpaccess, this entry is appropriate:

- - - - -
- - - + + + + +
+ + +

passive ports 0.0.0.0/0 65500 65534

- - - - + + + +

If you are running pure-ftpd, you would include "-p 65500:65534" on the pure-ftpd runline.

- - - - + + + +

The important point here is to ensure that the port range used for FTP passive connections is unique and will not overlap with any usage on the firewall system.

- - - - -

Example 5. You - wish to allow unlimited - DMZ access to the host - with MAC address + + + + +

Example 5. You + wish to allow unlimited + DMZ access to the host + with MAC address 02:00:08:E3:FA:55.

- - - - + + + +
- - + face="Century Gothic, Arial, Helvetica"> + + - + @@ -2054,7 +2054,7 @@ any usage on the firewall system.

PORT(S) - + @@ -2068,23 +2068,23 @@ any usage on the firewall system.

- - - - - - - + + + + + + +
ACTION ORIGINAL
DEST
ACCEPT
- - + + Example 6. You wish to allow access to the SMTP server in your DMZ from all zones.
- -
- + +
+ @@ -2122,14 +2122,14 @@ from all zones.
- - - - - + + + + +


- Note: When 'all' is used as a source or destination, + Note: When 'all' is used as a source or destination, intra-zone traffic is not affected. In this example, if there were two DMZ interfaces then the above rule would NOT enable SMTP traffic between hosts on these interfaces.
@@ -2139,8 +2139,8 @@ from all zones.
port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 in your DMZ. You also want to allow access from the internet directly to tcp port 25 on 192.0.2.177.
- -
+ +
@@ -2210,89 +2210,89 @@ to tcp port 25 on 192.0.2.177.
- - - + + +

Using "DNAT-" rather than "DNAT" avoids two extra copies of the third rule from being generated.
- -

Look here for information on other services. + +

Look here for information on other services.

- - - - -

+ + + + +

/etc/shorewall/common

- - - - -

Shorewall allows - definition of rules that - apply between all zones. - By default, these rules - are defined in the file - /etc/shorewall/common.def - but may be modified to - suit individual + + + + +

Shorewall allows + definition of rules that + apply between all zones. + By default, these rules + are defined in the file + /etc/shorewall/common.def + but may be modified to + suit individual requirements. Rather - -than modify - /etc/shorewall/common.def, - you should copy that - file to - /etc/shorewall/common - and modify + +than modify + /etc/shorewall/common.def, + you should copy that + file to + /etc/shorewall/common + and modify that file.

- - - - + + + +

The /etc/shorewall/common - -file is expected to - contain iptables - commands; rather than - running iptables - directly, you should run + +file is expected to + contain iptables + commands; rather than + running iptables + directly, you should run it indirectly using the Shorewall - function 'run_iptables'. - That way, if iptables - encounters an error, the - firewall will be safely + function 'run_iptables'. + That way, if iptables + encounters an error, the + firewall will be safely stopped.

- - - - -

+ + + + +

/etc/shorewall/masq

- - - - + + + +

The /etc/shorewall/masq file is used to define classical IP Masquerading and Source Network Address Translation (SNAT). There is one entry in the file for each subnet that you want to masquerade. In order to make use of this feature, you must have NAT enabled .

- - - - + + + +

Columns are:

- +
    -
  • INTERFACE - The interface - that will masquerade the subnet; this is normally your - internet interface. This interface name can be optionally - qualified by adding ":" and a subnet or host IP. When this - qualification is added, only packets addressed to that host or -subnet will be masqueraded. Beginning with Shorewall version 1.3.14, +
  • INTERFACE - The interface + that will masquerade the subnet; this is normally your + internet interface. This interface name can be optionally + qualified by adding ":" and a subnet or host IP. When this + qualification is added, only packets addressed to that host or +subnet will be masqueraded. Beginning with Shorewall version 1.3.14, if you have set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf, you can cause Shorewall to create an alias label of the form interfacename:digit (e.g., eth0:0) by placing that label @@ -2314,33 +2314,33 @@ to this file for each of those other subnetworks. Beginning with Shorewall 1.3.14, shorewall will masquerade/SNAT traffic from any host that is routed through the named interface.

    - The subnet may be optionally followed + The subnet may be optionally followed by "!' and a comma-separated list of addresses and/or subnets that are to be excluded from masquerading.
    • -
  • ADDRESS - The source address - to be used for outgoing packets. This column is optional and +
  • ADDRESS - The source address + to be used for outgoing packets. This column is optional and if left blank, the current primary IP address of the interface in the first column is used. If you have a static IP on that interface, listing it here makes processing of output packets a little less expensive for the firewall. If you specify an address in this column, it must be an IP address configured on the INTERFACE or you must have ADD_SNAT_ALIASES enabled in /etc/shorewall/shorewall.conf.
    • - +
- - - + + +

Example 1: You have eth0 connected to a cable modem and eth1 connected to your local subnetwork 192.168.9.0/24. Your /etc/shorewall/masq file would look like:

- - -
- - + + +
+ + - + @@ -2352,33 +2352,33 @@ you must have ADD_SNAT_ALIASES enabled in /etc/shorewall/ - - - - - - - - - - + + + + + + + + + +
INTERFACE SUBNET
- - - + + +

Example 2: You have a number of IPSEC tunnels through ipsec0 and you want to masquerade traffic from your 192.168.9.0/24 subnet to the remote subnet 10.1.0.0/16 only.

- - - -
- - + + + +
+ + - + @@ -2390,35 +2390,35 @@ you must have ADD_SNAT_ALIASES enabled in /etc/shorewall/ - - - - - - - - - - + + + + + + + + + +
INTERFACE SUBNET
- - - + + +

Example 3: You have a DSL line connected on eth0 and a local - network - (192.168.10.0/24) - connected to eth1. You - want all local->net - connections to use - source address + network + (192.168.10.0/24) + connected to eth1. You + want all local->net + connections to use + source address 206.124.146.176.

- - -
- + + +
+ - + @@ -2430,35 +2430,35 @@ you must have ADD_SNAT_ALIASES enabled in /etc/shorewall/ - - - - - - - - + + + + + + + +
INTERFACE192.168.10.0/24 206.124.146.176
- - - -

Example 4: - Same as example 3 - except that you wish - to exclude - 192.168.10.44 and - 192.168.10.45 from + + + +

Example 4: + Same as example 3 + except that you wish + to exclude + 192.168.10.44 and + 192.168.10.45 from the SNAT rule.

- - - - -
- - + + + + +
+ + - + @@ -2470,27 +2470,27 @@ you must have ADD_SNAT_ALIASES enabled in /etc/shorewall/ - - - - - - - - + + + + + + + +
INTERFACE192.168.10.0/24!192.168.10.44,192.168.10.45 206.124.146.176
- - + + Example 5 (Shorewall version >= 1.3.14): You have a second IP address (206.124.146.177) assigned to you and wish to use it for SNAT of the subnet 192.168.12.0/24. You want to give that address the name eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
- -
- + +
+ - + @@ -2502,99 +2502,99 @@ name eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/sho - - - - - - - - + + + + + + + +
INTERFACE192.168.12.0/24 206.124.146.177
- -

+ +

/etc/shorewall/proxyarp

- - - - -

If you want to - use proxy ARP on an - entire sub-network, - I suggest that you - look at + + + + +

If you want to + use proxy ARP on an + entire sub-network, + I suggest that you + look at + href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/"> http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. - - If you decide to use - the technique - described in that - HOWTO, you can set - the proxy_arp flag - for an interface + + If you decide to use + the technique + described in that + HOWTO, you can set + the proxy_arp flag + for an interface (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) - - by including the - proxyarp option - in the interface's - record in - + + by including the + proxyarp option + in the interface's + record in + /etc/shorewall/interfaces. When using - Proxy ARP - sub-netting, you do - NOT include - any entries in + Proxy ARP + sub-netting, you do + NOT include + any entries in /etc/shorewall/proxyarp.

- - - - + + + +

The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is - typically used for - enabling Proxy ARP - on a small set of + href="ProxyARP.htm">Proxy ARP. The file is + typically used for + enabling Proxy ARP + on a small set of systems since you need one entry - in - this file for each - system using proxy + in + this file for each + system using proxy ARP. Columns are:

- +
  • ADDRESS - address of the system.
    • -
  • INTERFACE - the interface - that connects to the system. If the interface is obvious +
  • INTERFACE - the interface + that connects to the system. If the interface is obvious from the subnetting, you may enter "-" in this column.
    • -
  • EXTERNAL - the external -interface that you want to honor ARP requests for the +
  • EXTERNAL - the external +interface that you want to honor ARP requests for the ADDRESS specified in the first column.
    • -
  • HAVEROUTE - If - you already have +
  • HAVEROUTE - If + you already have a route through - INTERFACE + INTERFACE to ADDRESS, - this - column should - contain - "Yes" - or - "yes". - If you want - Shorewall to add - the route, the - column should - contain - "No" - or + this + column should + contain + "Yes" + or + "yes". + If you want + Shorewall to add + the route, the + column should + contain + "No" + or "no".
    • - +
- +

Note: After you have made a change to the /etc/shorewall/proxyarp file, you may need to flush the ARP cache of all routers on the LAN segment connected to the interface specified in the @@ -2602,48 +2602,48 @@ ADDRESS specified in the first column. problems communicating between an individual host (A) on that segment and a system whose entry has changed, you may need to flush the ARP cache on host A as well.

- - - + + +

ISPs typically have ARP configured with long TTL (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump -nei <external interface> host <IP addr>"), it may take a long while to time out. I personally have had to contact my ISP and ask them to delete a stale entry in order to restore a system to working order after changing my proxy ARP settings.

- - - - -

Example: + + + + +

Example: You have public IP addresses 155.182.235.0/28. You configure your firewall as follows:

- +
  • eth0 - 155.186.235.1 (internet connection)
  • eth1 - 192.168.9.0/24 (masqueraded local systems)
    • -
  • eth2 - 192.168.10.1 (interface to +
  • eth2 - 192.168.10.1 (interface to your DMZ)
    • - +
- - - + + +

In your DMZ, you want to install a Web/FTP server with public address 155.186.235.4. On the Web server, you subnet just like the firewall's eth0 and you configure 155.186.235.1 as the default gateway. In your /etc/shorewall/proxyarp file, you will have:

- - - -
- - + + + +
+ + - + @@ -2656,31 +2656,31 @@ will have:

- - - - - - - - - - - + + + + + + + + + + +
ADDRESS INTERFACE eth0 No
- - + +

Note: You may want to configure the servers in your DMZ with a subnet that is smaller than the subnet of your internet interface. See the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) for details. In this case you will want to place "Yes" in the HAVEROUTE column.

- - - -

Warning: Do not use Proxy ARP and + + + +

Warning: Do not use Proxy ARP and FreeS/Wan on the same system unless you are prepared to suffer the consequences. If you start or restart Shorewall with an IPSEC tunnel active, the proxied IP addresses are mistakenly assigned to the IPSEC @@ -2688,70 +2688,70 @@ FreeS/Wan on the same system unless you are prepared to suffer the consequences specify in the INTERFACE column of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I can't say if it is a bug in the Kernel or in FreeS/Wan.

- +

You might be able to work around this problem using the following (I haven't tried it):

- +

In /etc/shorewall/init, include:

- +

qt service ipsec stop

- +

In /etc/shorewall/start, include:

- +

qt service ipsec start

- - - -

+ + + +

/etc/shorewall/nat

- - - - + + + +

The /etc/shorewall/nat file is used to define static NAT. There is one entry in the file for each static NAT relationship that you wish to define. In order to make use of this feature, you must have NAT enabled .

- - - - + + + +

- IMPORTANT: If - all you want to do - is forward ports - to servers behind - your firewall, you - do NOT want to use + color="#ff0000"> + IMPORTANT: If + all you want to do + is forward ports + to servers behind + your firewall, you + do NOT want to use static NAT. Port forwarding can be accomplished - with - simple entries in - the - - rules file. - Also, in most - cases - - Proxy ARP - provides a - superior solution - to static NAT - because the + with + simple entries in + the + + rules file. + Also, in most + cases + + Proxy ARP + provides a + superior solution + to static NAT + because the internal systems are accessed - using - the same IP - address internally + using + the same IP + address internally and externally.

- - - - + + + +

Columns in an entry are:

- +
  • EXTERNAL - External IP address - This should NOT be the primary IP address @@ -2762,35 +2762,35 @@ of the interface named in the next column.
    • /etc/shorewall/shorewall.conf,  you can specify an alias label of the form interfacename:digit (e.g., eth0:0) and Shorewall will create the alias with that label. Alias labels created - in this way allow the alias to be visible to the ipconfig utility. + in this way allow the alias to be visible to the ipconfig utility. THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION.  -
  • INTERNAL - Internal IP +
  • INTERNAL - Internal IP address.
    • -
  • ALL - INTERFACES - - If Yes +
  • ALL + INTERFACES + - If Yes or yes (or left - empty), + empty), NAT - will - be - effective - from all - hosts. If - No or no - then NAT - will be + will + be + effective + from all + hosts. If + No or no + then NAT + will be effective only through - - the - interface - named in - the - INTERFACE + + the + interface + named in + the + INTERFACE column.
  • LOCAL - If Yes or yes and the ALL INTERFACES column contains Yes or yes, NAT will @@ -2798,50 +2798,50 @@ be effective from the firewall system. Note: For this to work, you must be running kernel 2.4.19 or later and iptables 1.2.6a or later and you must have enabled CONFIG_IP_NF_NAT_LOCAL in your kernel.
    • - +
- - -

Look here for additional information and an example. - + + +

Look here for additional information and an example. +

- - - -

+ + + +

/etc/shorewall/tunnels

- - - -

The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, - OpenVPN and PPTP - tunnels with end-points on your firewall. To use ipsec, you must + + + +

The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, + OpenVPN and PPTP + tunnels with end-points on your firewall. To use ipsec, you must install version 1.9, 1.91 or the current FreeS/WAN development snapshot.

- - - + + +

Note: For kernels 2.4.4 and above, you will need to use version 1.91 or a development snapshot as patching with version 1.9 results in kernel compilation errors.

- - - + + +

Instructions for setting up IPSEC tunnels may be found here, instructions for IPIP and GRE tunnels are here, instructions for OpenVPN tunnels are here, and instructions for PPTP tunnels are here.

- +

/etc/shorewall/shorewall.conf

- - - + + +

This file is used to set the following firewall parameters:

- +
    -
  • CLEAR_TC - Added at +
  • CLEAR_TC - Added at version 1.3.13
    If this option is set to 'No' then Shorewall won't clear the current traffic control rules during [re]start. This setting is intended @@ -2862,15 +2862,15 @@ SNAT or Masquerading are in use. To determine if your kernel has a FORWARD chain in the mangle table, use the "/sbin/shorewall show mangle" command; if a FORWARD chain is displayed then your kernel will support this option. If this option is not specified or if it is given the empty -value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No +value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
  • RFC1918_LOG_LEVEL - Added at version 1.3.12
    This parameter determines the level at which packets logged under the 'norfc1918' mechanism are logged. The value must be a valid syslog level and if no level is given, - then info is assumed. Prior to Shorewall version 1.3.12, these packets + href="shorewall_logging.html">syslog level and if no level is given, + then info is assumed. Prior to Shorewall version 1.3.12, these packets are always logged at the info level.
  • TCP_FLAGS_DISPOSITION - Added in Version 1.3.11
    @@ -2878,11 +2878,11 @@ value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No the checks enabled by the tcpflags interface option and must have a value of ACCEPT (accept the packet), REJECT (send an RST response) or DROP (ignore the packet). If not -set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="") +set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="") then TCP_FLAGS_DISPOSITION=DROP is assumed.
  • TCP_FLAGS_LOG_LEVEL - Added in Version 1.3.11
    - Determines the syslog + Determines the syslog level for logging packets that fail the checks enabled by the tcpflags interface option.The value must be a valid syslogd log level. If you don't want to log these packets, @@ -2896,7 +2896,7 @@ then TCP_FLAGS_DISPOSITION=DROP is assumed.
    • (reject the connection request) or DROP (ignore the connection request). If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="") then MACLIST_DISPOSITION=REJECT is assumed. -
  • MACLIST_LOG_LEVEL - Added in Version +
  • MACLIST_LOG_LEVEL - Added in Version 1.3.10
    Determines the syslog level for logging connection @@ -2906,7 +2906,7 @@ then TCP_FLAGS_DISPOSITION=DROP is assumed.
    • MACLIST_LOG_LEVEL="").
  • NEWNOTSYN - Added in Version 1.3.8
    - When set to "Yes" or "yes", Shorewall will + When set to "Yes" or "yes", Shorewall will filter TCP packets that are not part of an established connention and that are not SYN packets (SYN flag on - ACK flag off). If set to "No", Shorewall will silently drop such packets. If not @@ -2917,10 +2917,10 @@ set or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No firewall, you should have NEWNOTSYN=Yes on both firewalls. You should also select NEWNOTSYN=Yes if you have asymmetric routing.
    • -
  • LOGNEWNOTSYN - Added in Version +
  • LOGNEWNOTSYN - Added in Version 1.3.6
    - Beginning with version 1.3.6, Shorewall - drops non-SYN TCP packets that are not part of an existing + Beginning with version 1.3.6, Shorewall + drops non-SYN TCP packets that are not part of an existing connection. If you would like to log these packets, set LOGNEWNOTSYN to the syslog level at which you want the packets logged. Example: LOGNEWNOTSYN=ULOG|
    @@ -2929,11 +2929,11 @@ You should also select NEWNOTSYN=Yes if you have asymmetric routing.< option are usually the result of broken remote IP stacks rather than the result of any sort of attempt to breach your firewall.
    • -
  • DETECT_DNAT_ADDRS +
  • DETECT_DNAT_ADDRS - Added in Version 1.3.4
    If set to "Yes" or "yes", Shorewall will detect the IP address(es) of the interface(es) to the source zone and will include this -(these) address(es) in DNAT rules as the original destination +(these) address(es) in DNAT rules as the original destination IP address. If set to "No" or "no", Shorewall will not detect this (these) address(es) and any destination IP address will match the DNAT rule. If not specified or empty, "DETECT_DNAT_ADDRS=Yes" is @@ -2947,66 +2947,66 @@ this facility, your kernel must have multiport support (CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used, Shorewall will generate a single rule from each record in the /etc/shorewall/rules file that meets these criteria:
    - - - + + +
    • No port range(s) specified
    • Specifies 15 or fewer ports
      • - - - + + +
    - - - + + +

    Rules not meeting those criteria will continue to generate an individual rule for each listed port or port range.

  • NAT_BEFORE_RULES
    - If set to "No" or "no", port forwarding - rules can override the contents of the /etc/shorewall/nat - file. If set to "Yes" or "yes", port forwarding rules cannot + If set to "No" or "no", port forwarding + rules can override the contents of the /etc/shorewall/nat + file. If set to "Yes" or "yes", port forwarding rules cannot override static NAT. If not set or set to an empty value, "Yes" is assumed.
  • FW
    - -     This - parameter - specifies the - name of the - firewall zone. + +     This + parameter + specifies the + name of the + firewall zone. If not set or if - set to an - empty string, - the value - "fw" + set to an + empty string, + the value + "fw" is assumed.
  • SUBSYSLOCK
    - This parameter should be set to -the name of a file that the firewall should create if -it starts successfully and remove when it stops. Creating - and removing this file allows Shorewall to work with your distribution's + This parameter should be set to +the name of a file that the firewall should create if +it starts successfully and remove when it stops. Creating + and removing this file allows Shorewall to work with your distribution's initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall. For Debian, the value is /var/state/shorewall and in LEAF -it is - /var/run/shorwall. +it is + /var/run/shorwall. Example: SUBSYSLOCK=/var/lock/subsys/shorewall.
  • STATEDIR
    - This parameter specifies the name + This parameter specifies the name of a directory where Shorewall stores state information. - If the directory doesn't exist when Shorewall starts, + If the directory doesn't exist when Shorewall starts, it will create the directory. Example: STATEDIR=/tmp/shorewall.

    - NOTE: If you change the STATEDIR + NOTE: If you change the STATEDIR variable while the firewall is running, create the new directory if necessary then copy the contents of the old directory to the new directory.
  • MODULESDIR
    This parameter specifies the directory where your kernel netfilter modules may be found. If - you leave the variable empty, Shorewall will supply the + you leave the variable empty, Shorewall will supply the value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.
  • LOGRATE and LOGBURST
    These parameters set the match @@ -3021,32 +3021,32 @@ LOGRATE and --limit-burst is set by LOGBURST). If both parameters LOGBURST=5
  • LOGFILE
    - - This parameter - tells the - /sbin/shorewall - program where - to look for + + This parameter + tells the + /sbin/shorewall + program where + to look for Shorewall messages - when - processing the - "show - log", - "monitor", - "status" - and - "hits" - commands. If - not assigned - or if assigned + when + processing the + "show + log", + "monitor", + "status" + and + "hits" + commands. If + not assigned + or if assigned an empty value, - /var/log/messages - is + /var/log/messages + is assumed.
  • NAT_ENABLED
    - This parameter determines whether + This parameter determines whether Shorewall supports NAT operations. NAT operations include:

    Static NAT
    @@ -3059,44 +3059,44 @@ assumed.
    • the parameter has a value of "no" or "No" then NAT is disabled.
  • MANGLE_ENABLED
    - This parameter determines if packet - mangling is enabled. If the parameter has no value or - has a value of "Yes" or "yes" than packet mangling is enabled. + This parameter determines if packet + mangling is enabled. If the parameter has no value or + has a value of "Yes" or "yes" than packet mangling is enabled. If the parameter has a value of "no" or "No" then packet mangling is disabled. If packet mangling is disabled, the /etc/shorewall/tos file is ignored.
  • IP_FORWARDING
    - This parameter determines whether - Shorewall enables or disables IPV4 Packet Forwarding + This parameter determines whether + Shorewall enables or disables IPV4 Packet Forwarding (/proc/sys/net/ipv4/ip_forward). Possible values are:

    On or on - packet forwarding will be enabled.
    Off or off - packet forwarding will be disabled.
    - Keep or keep - Shorewall will + Keep or keep - Shorewall will neither enable nor disable packet forwarding.

    If this variable is not set or -is given an empty value (IP_FORWARD="") then IP_FORWARD=On +is given an empty value (IP_FORWARD="") then IP_FORWARD=On is assumed.
  • ADD_IP_ALIASES
    This parameter determines whether - Shorewall automatically adds the + Shorewall automatically adds the external address(es) in /etc/shorewall/nat . If the variable - is set to "Yes" or "yes" then Shorewall automatically - adds these aliases. If it is set to "No" or "no", you must - add these aliases yourself using your distribution's network + is set to "Yes" or "yes" then Shorewall automatically + adds these aliases. If it is set to "No" or "no", you must + add these aliases yourself using your distribution's network configuration tools.

    If this variable is not set or is - given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes + given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes is assumed.
  • ADD_SNAT_ALIASES
    - This parameter determines whether Shorewall + This parameter determines whether Shorewall automatically adds the SNAT ADDRESS in /etc/shorewall/masq. If the variable is set to "Yes" or "yes" then Shorewall automatically adds these addresses. @@ -3104,318 +3104,318 @@ If it is set to "No" or "no", you must add these addresses yourself using your distribution's network configuration tools.

    If this variable is not set or is - given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No + given an empty value (ADD_SNAT_ALIASES="") then ADD_SNAT_ALIASES=No is assumed.
  • LOGUNCLEAN
    - - This parameter - determines the - logging level - of - mangled/invalid - packets + + This parameter + determines the + logging level + of + mangled/invalid + packets controlled by the 'dropunclean - and logunclean' - interface - options. If + href="#Unclean">dropunclean + and logunclean' + interface + options. If LOGUNCLEAN - is -empty - (LOGUNCLEAN=) - then packets - selected by - 'dropclean' are - dropped - silently - ('logunclean' + is +empty + (LOGUNCLEAN=) + then packets + selected by + 'dropclean' are + dropped + silently + ('logunclean' packets are logged - under - the 'info' log - level). - Otherwise, - these packets - are logged at - the specified - level - (Example: + under + the 'info' log + level). + Otherwise, + these packets + are logged at + the specified + level + (Example: LOGUNCLEAN=debug).
  • BLACKLIST_DISPOSITION
    - - This parameter - determines the - disposition of - packets from - blacklisted + + This parameter + determines the + disposition of + packets from + blacklisted hosts. It - may -have the value - DROP if the - packets are to - be dropped or - REJECT if the - packets are to + may +have the value + DROP if the + packets are to + be dropped or + REJECT if the + packets are to be replied with an ICMP port unreachable reply -or a TCP - RST (tcp - only). If you - do not assign - a value or if - you assign an - empty value - then DROP is +or a TCP + RST (tcp + only). If you + do not assign + a value or if + you assign an + empty value + then DROP is assumed.
  • BLACKLIST_LOGLEVEL
    - - This paremter - determines if - packets from - blacklisted - hosts are + + This paremter + determines if + packets from + blacklisted + hosts are logged and it determines - the - syslog level - that they are - to be logged - at. Its value + the + syslog level + that they are + to be logged + at. Its value is a syslog level - (Example: + href="shorewall_logging.html">syslog level + (Example: BLACKLIST_LOGLEVEL=debug). - - If you do not - assign a value - or if you - assign an - empty value - then packets - from - blacklisted - hosts are not + + If you do not + assign a value + or if you + assign an + empty value + then packets + from + blacklisted + hosts are not logged.
  • CLAMPMSS
    - - This parameter - enables the - TCP Clamp MSS - to PMTU - feature of - Netfilter and - is usually - required + + This parameter + enables the + TCP Clamp MSS + to PMTU + feature of + Netfilter and + is usually + required when your -internet - connection is - through PPPoE - or PPTP. If - set to - "Yes" - or - "yes", - the feature is - enabled. If +internet + connection is + through PPPoE + or PPTP. If + set to + "Yes" + or + "yes", + the feature is + enabled. If left blank or set to "No" - or - "no", + or + "no", the feature is not - enabled. - Note: This - option - requires - CONFIG_IP_NF_TARGET_TCPMSS + enabled. + Note: This + option + requires + CONFIG_IP_NF_TARGET_TCPMSS in + href="kernel.htm">in your kernel.
  • ROUTE_FILTER
    If this parameter is given the value "Yes" or "yes" then route filtering (anti-spoofing) is enabled on all network interfaces. The default value is "no".
    • - +
- - - - -

+ + + + +

/etc/shorewall/modules Configuration

- - - - + + + +

The file /etc/shorewall/modules contains commands for loading the kernel modules required by Shorewall-defined firewall rules. Shorewall will source this file during start/restart provided that it exists and that the directory specified by the MODULESDIR parameter exists (see /etc/shorewall/shorewall.conf above).

- - - - + + + +

The file that is released with Shorewall calls the Shorewall function "loadmodule" for the set of modules that I load.

- - - - + + + +

The loadmodule function is called as follows:

- - - - -
- - - - -

loadmodule - <modulename> + + + + +

+ + + + +

loadmodule + <modulename> [ <module parameters> ]

- - - - + + + +

where

- - - - -
- - - - + + + + +
+ + + +

<modulename>

- - - - - -
- - - - - -

is the name of the modules without the trailing ".o" (example + + + + + +

+ + + + + +

is the name of the modules without the trailing ".o" (example ip_conntrack).

- - - - - + + + + +

<module parameters>

- - - - - -
- - - - - + + + + + +
+ + + + +

Optional parameters to the insmod utility.

- - - - + + + +

The function determines if the module named by <modulename> is already loaded and if not then the function determines if the ".o" file corresponding to the module exists in the moduledirectory; if so, then the following command is executed:

- - - - -
- - - - + + + + +
+ + + +

insmod moduledirectory/<modulename>.o <module parameters>

- - - - -

If the file doesn't exist, the function determines of the ".o.gz" + + + + +

If the file doesn't exist, the function determines of the ".o.gz" file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports compressed modules and execute the following command:

- - - - -
- - - - + + + + +
+ + + +

insmod moduledirectory/<modulename>.o.gz <module parameters>

- - - - - -

+ + + + + +

/etc/shorewall/tos Configuration

- - - - - + + + + +

The /etc/shorewall/tos file allows you to set the Type of Service field in packet headers based on packet source, packet destination, protocol, source port and destination port. In order for this file to be processed by Shorewall, you must have mangle support enabled .

- - - - - + + + + +

Entries in the file have the following columns:

- - - + + +
  • SOURCE -- The source zone. May be qualified by following the zone name with a colon (":") and either an IP address, an IP subnet, a MAC address in Shorewall Format or the name of an -interface. This column may also contain the name of +interface. This column may also contain the name of the firewall zone to indicate packets originating on the firewall itself or "all" to indicate any source.
    • -
  • DEST -- The destination -zone. May be qualified by following the zone name with -a colon (":") and either an IP address or an IP subnet. -Because packets are marked prior to routing, you may not specify - the name of an interface. This column may also contain +
  • DEST -- The destination +zone. May be qualified by following the zone name with +a colon (":") and either an IP address or an IP subnet. +Because packets are marked prior to routing, you may not specify + the name of an interface. This column may also contain "all" to indicate any destination.
    • -
  • PROTOCOL -- The name of +
  • PROTOCOL -- The name of a protocol in /etc/protocols or the protocol's number.
  • SOURCE PORT(S) -- The source port or a port range. For all ports, place a hyphen @@ -3423,22 +3423,22 @@ a protocol in /etc/protocols or the protocol's number.
  • DEST PORT(S) -- The destination port or a port range. To indicate all ports, place a hyphen ("-") in this column.
    • -
  • TOS -- The type of service. +
  • TOS -- The type of service. Must be one of the following:
    • - +
- - - -
- - - -
- - - - + + + +
+ + + +
+ + + +

Minimize-Delay (16)
Maximize-Throughput (8)
Maximize-Reliability (4)
@@ -3446,19 +3446,19 @@ hyphen ("-") in this column. Normal-Service (0)

- - - + + +

The /etc/shorewall/tos file that is included with Shorewall contains the following entries.

- - - -
- + + + +
+ - + @@ -3516,283 +3516,283 @@ hyphen ("-") in this column. - - - - - - - - - - - - + + + + + + + + + + + +
SOURCE DEST - 8
- - - + + +

WARNING: Users have reported that odd routing problems result from adding the ESP and AH protocols to the /etc/shorewall/tos file.

- - - + + +

/etc/shorewall/blacklist

- - - -

Each - line - in - /etc/shorewall/blacklist - contains - - an - IP + + + +

Each + line + in + /etc/shorewall/blacklist + contains + + an + IP address, a MAC address in Shorewall Format - or - subnet - address. - + href="#MAC">Shorewall Format + or + subnet + address. + Example:

- - + + 
      130.252.100.69
      206.124.146.0/24
- - - -

Packets - from - hosts - listed - in - - the - blacklist - file - will - - be - disposed - of - according - to - the - - value - assigned - to + + + +

Packets + from + hosts + listed + in + + the + blacklist + file + will + + be + disposed + of + according + to + the + + value + assigned + to the BLACKLIST_DISPOSITION - - and BLACKLIST_LOGLEVEL variables - - in - /etc/shorewall/shorewall.conf. - Only + + and BLACKLIST_LOGLEVEL variables + + in + /etc/shorewall/shorewall.conf. + Only packets - - arriving - on - interfaces - that - have - - the - 'blacklist' + + arriving + on + interfaces + that + have + + the + 'blacklist' option - - in - /etc/shorewall/interfaces - are - checked - - against - the + + in + /etc/shorewall/interfaces + are + checked + + against + the blacklist. The black list is designed to prevent listed hosts/subnets from accessing services on your network.

- +

Beginning with Shorewall 1.3.8, the blacklist file has three columns:

- +
    -
  • ADDRESS/SUBNET - As described +
  • ADDRESS/SUBNET - As described above.
  • PROTOCOL - Optional. If specified, only packets specifying this protocol will be blocked.
    • -
  • PORTS - Optional; may only be -given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated - list of port numbers or service names (from /etc/services). If +
  • PORTS - Optional; may only be +given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated + list of port numbers or service names (from /etc/services). If present, only packets destined for the specified protocol and one of the listed ports are blocked. When the PROTOCOL is icmp, the PORTS column contains a comma-separated list of ICMP type numbers or names (see "iptables -h icmp").
    • - +
- - - + + +

Shorewall also has a dynamic blacklist capability.

- - - + + +

IMPORTANT: The Shorewall blacklist file is NOT designed to police your users' web browsing -- to do that, I suggest that you install and configure Squid (http://www.squid-cache.org).

- - - - - + + + + +

/etc/shorewall/rfc1918 (Added in Version 1.3.1)

- - - - - + + + + +

This file lists the subnets affected by the norfc1918 interface option. Columns in the file are:

- - - - - + + + + +
    - +
  • SUBNET - The subnet using VLSM notation (e.g., 192.168.0.0/16).
    • - -
  • TARGET - What -to do with packets to/from the SUBNET: - - + +
  • TARGET - What +to do with packets to/from the SUBNET: + +
      - -
    • RETURN - Process the + +
    • RETURN - Process the packet normally thru the rules and policies.
      • - -
    • DROP - Silently drop + +
    • DROP - Silently drop the packet.
      • - -
    • logdrop - Log then -drop the packet -- see the RFC1918_LOG_LEVEL + +
    • logdrop - Log then +drop the packet -- see the RFC1918_LOG_LEVEL parameter above.
      • - - - - + + + +
    - +
    • - +
- - - - - -

/etc/shorewall/routestopped (Added in Version + + + + + +

/etc/shorewall/routestopped (Added in Version 1.3.4)

- - - - - + + + + +

This file defines the hosts that are accessible from the firewall when the firewall is stopped. Columns in the file are:

- - - - - + + + + +
    - -
  • INTERFACE - The firewall + +
  • INTERFACE - The firewall interface through which the host(s) comminicate with the firewall.
    • - -
  • HOST(S) - (Optional) -- A comma-separated list of IP/Subnet addresses. If not supplied + +
  • HOST(S) - (Optional) +- A comma-separated list of IP/Subnet addresses. If not supplied or supplied as "-" then 0.0.0.0/0 is assumed.
    • - +
- - - - - + + + + +

Example: When your firewall is stopped, you want firewall accessibility from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ interfaces through eth1 and your local hosts through eth2.

- - - - - -
- - + + + + + +
+ + - + - + - + - + - + - + - + - + - + - + - + - + - - - - - - + + + + + +
INTERFACEHOST(S)
eth2192.168.1.0/24
eth1-
- - - - - + + + + +

/etc/shorewall/maclist (Added in Version 1.3.10)

This file is described in the MAC Validation Documentation.
- +

/etc/shorewall/ecn (Added in Version 1.4.0)

This file is described in the ECN Control Documentation.

- -

Updated 3/21/2003 - Tom Eastep + +

Updated 3/21/2003 - Tom Eastep

- - - - + + + +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.

diff --git a/Shorewall-docs/Documentation_Index.htm b/Shorewall-docs/Documentation_Index.htm index f78703030..22d74cc74 100644 --- a/Shorewall-docs/Documentation_Index.htm +++ b/Shorewall-docs/Documentation_Index.htm @@ -1,31 +1,31 @@ - + - + - + - + The Documentation Index - + - +

The Shorewall Documentation Index

- +

has Moved Here

- -

Last updated 8/9/2002 - + +

Last updated 8/9/2002 - Tom Eastep

- +

Copyright © 2001, 2002 Thomas M. Eastep.


- + diff --git a/Shorewall-docs/FAQ.htm b/Shorewall-docs/FAQ.htm index 93634625a..44e58706f 100644 --- a/Shorewall-docs/FAQ.htm +++ b/Shorewall-docs/FAQ.htm @@ -1,1274 +1,1400 @@ - - - + + + - - - + + + - - - + + + - - - + + + Shorewall FAQ - - - - - + + + + + - - + + - - - + + - - - - - + + + + + +
- - - - - +
+ + + + +

Shorewall FAQs

-
- - + + +

PORT FORWARDING
+

+

1. I want to forward UDP - port 7777 to my my personal PC with IP address - 192.168.1.5. I've looked everywhere and can't find how - to do it.

- - -

1a. Ok -- I followed those instructions - but it doesn't work.
-

- - + port 7777 to my my personal PC with IP address + 192.168.1.5. I've looked everywhere and can't find +how to do it.

+ + +

1a. Ok -- I followed those instructions + but it doesn't work.
+

+ + +

1b. I'm still having problems with - port forwarding

- - -

2. I port forward www requests - to www.mydomain.com (IP 130.151.100.69) to system 192.168.1.5 - in my local network. External clients can browse - http://www.mydomain.com but internal clients can't.

- - -

2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 - addresses to hosts in Z. Hosts in Z cannot communicate - with each other using their external (non-RFC1918 addresses) - so they can't access each other using their DNS names.

- - -

3. I want to use Netmeeting - or MSN Instant Messenger with Shorewall. What - do I do?

- - -

4. I just used an online port scanner - to check my firewall and it shows some ports as - 'closed' rather than 'blocked'. Why?

- - -

4a. I just ran an nmap UDP scan - of my firewall and it showed 100s of ports as open!!!!

- - -

5. I've installed Shorewall and now - I can't ping through the firewall

- - -

6. Where are the log messages - written and how do I change the destination?

- - - -

6a. Are there any log parsers - that work with Shorewall?

- + port forwarding

+ +

1c. From the internet, I want to connect +to port 1022 on my firewall and have the firewall forward the connection +to port 22 on local system 192.168.1.3. How do I do that?
+

+ +

DNS and PORT FORWARDING/NAT
+

+ +

2. I port forward www requests + to www.mydomain.com (IP 130.151.100.69) to system + 192.168.1.5 in my local network. External clients +can browse http://www.mydomain.com but internal + clients can't.

+ + +

2a. I have a zone "Z" with an RFC1918 + subnet and I use static NAT to assign non-RFC1918 + addresses to hosts in Z. Hosts in Z cannot communicate + with each other using their external (non-RFC1918 addresses) + so they can't access each other using their DNS names.

+ + +

NETMEETING/MSN
+

+ +

3. I want to use Netmeeting + or MSN Instant Messenger with Shorewall. +What do I do?

+ + +

OPEN PORTS
+

+ +

4. I just used an online port scanner + to check my firewall and it shows some ports +as 'closed' rather than 'blocked'. Why?

+ + +

4a. I just ran an nmap UDP scan + of my firewall and it showed 100s of ports as open!!!!

+ + +

CONNECTION PROBLEMS

+ + +

5. I've installed Shorewall and now + I can't ping through the firewall
+
+ 15. My local systems can't see + out to the net

+ +

LOGGING
+

+ +

6. Where are the log messages + written and how do I change the destination?

+ + + +

6a. Are there any log parsers + that work with Shorewall?

+

6b. DROP messages on port 10619 are flooding the logs with their connect - requests. Can i exclude these error messages for this port temporarily - from logging in Shorewall?
-

- + requests. Can i exclude these error messages for this port temporarily + from logging in Shorewall?
+

+

6c. All day long I get a steady flow - of these DROP messages from port 53 to some high numbered - port. They get dropped, but what the heck are they?
-

- + of these DROP messages from port 53 to some high numbered + port. They get dropped, but what the heck are they?
+

+

6d. Why is the MAC address - in Shorewall log messages so long? I thought MAC addresses were - only 6 bytes in length.
-

- -

7. When I stop Shorewall using -'shorewall stop', I can't connect to anything. Why doesn't that command - work?

- - -

8. When I try to start Shorewall - on RedHat I get messages about insmod failing -- - what's wrong?
-

- - -

8a. When I try to start Shorewall -on RedHat I get a message referring me to FAQ #8
-

- -

9. Why can't Shorewall detect - my interfaces properly?

- - -

10. What distributions does - it work with?

- - -

11. What features does it -support?

- - -

12. Is there a GUI?

- - -

13. Why do you call it "Shorewall"?

- - -

14. I'm connected via a cable modem - and it has an internel web server that allows me to - configure/monitor it but as expected if I enable -rfc1918 blocking for my eth0 interface, it also blocks -the cable modems web server.

- - -

14a. Even though it assigns public - IP addresses, my ISP's DHCP server has an RFC 1918 - address. If I enable RFC 1918 filtering on my external -interface, my DHCP client cannot renew its lease.

- - -

15. My local systems can't see - out to the net

- - -

16. Shorewall is writing log messages - all over my console making it unusable!
-

- 17. so long? I thought MAC addresses +were only 6 bytes in length.
+

+ +

16. Shorewall is writing log messages + all over my console making it unusable!
+

+ 17. How do I find out why this traffic is getting logged?
-
- 18. Is there - any way to use aliased ip addresses with Shorewall, - and maintain separate rulesets for different IPs?
-
- 19. I have added - entries to /etc/shorewall/tcrules but they don't -seem to do anything. Why?
-
- 20. I have just -set up a server. Do I have to change Shorewall to allow access - to my server from the internet?
-
- 21. I see these strange - log entries occasionally; what are they?
-
- 22. I have some iptables - commands that I want to run when Shorewall starts. Which - file do I put them in?
-
- 23. Why do you use such ugly - fonts on your web site?
-
- 24. How can I allow conections - to let's say the ssh port only from specific IP Addresses -on the internet?
-
- 25. How to I tell which version of Shorewall - I am running?
+
+ 21. I see these strange log entries + occasionally; what are they?
+ +

STARTING AND STOPPING
+

+ +

7. When I stop Shorewall using +'shorewall stop', I can't connect to anything. Why doesn't that command + work?

+ + +

8. When I try to start Shorewall + on RedHat I get messages about insmod failing + -- what's wrong?
+

+ + +

8a. When I try to start Shorewall + on RedHat I get a message referring me to FAQ #8
+

+ +

9. Why can't Shorewall detect + my interfaces properly at startup?

+ + 22. I have some + iptables commands that I want to run when Shorewall +starts. Which file do I put them in?
+ +

ABOUT SHOREWALL
+

+ +

10. What distributions does + it work with?

+ + +

11. What features does it +support?

+ + +

12. Is there a GUI?

+ + +

13. Why do you call it "Shorewall"?

+ + 23. Why do you use such + ugly fonts on your web site?
+
+ 25. How to I tell which version of Shorewall + I am running?
+ +

RFC 1918
+

+ +

14. I'm connected via a cable modem + and it has an internel web server that allows me + to configure/monitor it but as expected if I enable + rfc1918 blocking for my eth0 interface, it also blocks +the cable modems web server.

+ + +

14a. Even though it assigns public + IP addresses, my ISP's DHCP server has an RFC 1918 + address. If I enable RFC 1918 filtering on my external + interface, my DHCP client cannot renew its lease.

+ + +

ALIAS IP ADDRESSES/VIRTUAL INTERFACES
+

+ + 18. Is there any +way to use aliased ip addresses with Shorewall, and + maintain separate rulesets for different IPs?
+ +

MISCELLANEOUS
+

+ 19. I have added entries to /etc/shorewall/tcrules + but they don't seem to do anything. Why?
+
+ 20. I have +just set up a server. Do I have to change Shorewall to +allow access to my server from the internet?
+
+ 24. How can I allow conections + to let's say the ssh port only from specific IP Addresses + on the internet?

- -
-

1. I want to forward UDP port 7777 to - my my personal PC with IP address 192.168.1.5. I've - looked everywhere and can't find how to do it.

- - +
+
+ +
+

1. I want to forward UDP port 7777 to + my my personal PC with IP address 192.168.1.5. I've + looked everywhere and can't find how to do it.

+ +

Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format of a - port-forwarding rule to a local system is as follows:

- - -
- - + href="Documentation.htm#Rules">rules file documentation shows how to + do port forwarding under Shorewall. The format of + a port-forwarding rule to a local system is as follows:

+ + +
+ + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local - IP address>[:<local port>]<protocol><port #>
-
-
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATnetloc:<local + IP address>[:<local port>]<protocol><port +#>
+
+
-
- - -

So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:

- - -
- - +
+ + +

So to forward UDP port 7777 to internal system 192.168.1.5, + the rule is:

+ + +
+ + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:192.168.1.5udp7777
-
-
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATnetloc:192.168.1.5udp7777
+
+
-
- - +
+ +
If - you want to forward requests directed to a particular address - ( <external IP> ) on your firewall to an internal -system:
- - -
- - + you want to forward requests directed to a particular address + ( <external IP> ) on your firewall to an internal + system: + + +
+ + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATnetloc:<local - IP address>[:<local port>]<protocol><port #>-<external -IP>
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATnetloc:<local + IP address>[:<local port>]<protocol><port +#>-<external + IP>
-
- - Finally, if you need to forward a range of ports, in the PORT -column specify the range as low-port:high-port.
- -

1a. Ok -- I followed those instructions - but it doesn't work

- - -

Answer: That is usually the result of one of two things:

- - +
+ + Finally, if you need to forward a range of ports, in the PORT + column specify the range as low-port:high-port.
+ +

1a. Ok -- I followed those instructions + but it doesn't work

+ + +

Answer: That is usually the result of one of three +things:

+ +
    -
  • You are trying to test - from inside your firewall (no, that won't work -- see - FAQ #2).
    • -
  • You have a more basic - problem with your local system such as an incorrect default - gateway configured (it should be set to the IP address -of your firewall's internal interface).
    • - - +
  • You are trying +to test from inside your firewall (no, that won't work +-- see FAQ #2).
    • +
  • You have a more +basic problem with your local system such as an incorrect +default gateway configured (it should be set to the IP address + of your firewall's internal interface).
    • +
  • Your ISP is blocking that particular port inbound.
    +
    • + +
- - + +

1b. I'm still having problems with port - forwarding

- Answer: To further diagnose -this problem:
- - + forwarding

+ Answer: To further diagnose + this problem:
+ +
    -
  • As root, type "iptables -t nat - -Z". This clears the NetFilter counters in the nat table.
    • -
  • Try to connect to the redirected - port from an external host.
    • -
  • As root type "shorewall show -nat"
    • -
  • Locate the appropriate DNAT rule. - It will be in a chain called <source zone>_dnat - ('net_dnat' in the above examples).
    • -
  • Is the packet count in the first - column non-zero? If so, the connection request is reaching - the firewall and is being redirected to the server. In this - case, the problem is usually a missing or incorrect default -gateway setting on the server (the server's default gateway should - be the IP address of the firewall's interface to the server).
    • -
  • If the packet count is zero:
    • - - - +
  • As root, type "iptables -t + nat -Z". This clears the NetFilter counters in the nat +table.
    • +
  • Try to connect to the redirected + port from an external host.
    • +
  • As root type "shorewall show + nat"
    • +
  • Locate the appropriate DNAT + rule. It will be in a chain called <source zone>_dnat + ('net_dnat' in the above examples).
    • +
  • Is the packet count in the + first column non-zero? If so, the connection request +is reaching the firewall and is being redirected to the server. + In this case, the problem is usually a missing or incorrect + default gateway setting on the server (the server's default + gateway should be the IP address of the firewall's interface + to the server).
    • +
  • If the packet count is zero:
    • + + +
      -
    • the connection request is not - reaching your server (possibly it is being blocked by your - ISP); or
      • -
    • you are trying to connect to - a secondary IP address on your firewall and your rule is -only redirecting the primary IP address (You need to specify - the secondary IP address in the "ORIG. DEST." column in your -DNAT rule); or
      • -
    • your DNAT rule doesn't match - the connection request in some other way. In that case, -you may have to use a packet sniffer such as tcpdump or ethereal -to further diagnose the problem.
      -
      • - - - +
    • the connection request +is not reaching your server (possibly it is being blocked +by your ISP); or
      • +
    • you are trying to connect + to a secondary IP address on your firewall and your rule + is only redirecting the primary IP address (You need to specify + the secondary IP address in the "ORIG. DEST." column in your + DNAT rule); or
      • +
    • your DNAT rule doesn't +match the connection request in some other way. In that +case, you may have to use a packet sniffer such as tcpdump or + ethereal to further diagnose the problem.
      +
      • + + +
    - - + +
- - -

2. I port forward www requests to www.mydomain.com - (IP 130.151.100.69) to system 192.168.1.5 in my local - network. External clients can browse http://www.mydomain.com - but internal clients can't.

- - + + +

1c. From the internet, I want + to connect to port 1022 on my firewall and have the firewall forward the +connection to port 22 on local system 192.168.1.3. How do I do that?

+ +
+
+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATnet
+ 		loc:192.168.1.3:22tcp1022
+
+
+
+
+
+ +

2. I port forward www requests to www.mydomain.com + (IP 130.151.100.69) to system 192.168.1.5 in my local + network. External clients can browse http://www.mydomain.com + but internal clients can't.

+ +

Answer: I have two objections to this setup.

- - + +
    -
  • Having an internet-accessible - server in your local network is like raising foxes -in the corner of your hen house. If the server is compromised, - there's nothing between that server and your other internal - systems. For the cost of another NIC and a cross-over cable, - you can put your server in a DMZ such that it is isolated from - your local systems - assuming that the Server can be located - near the Firewall, of course :-)
    • -
  • The accessibility problem - is best solved using Bind Version 9 "views" +
  • Having an internet-accessible + server in your local network is like raising foxes + in the corner of your hen house. If the server is compromised, + there's nothing between that server and your other internal + systems. For the cost of another NIC and a cross-over cable, + you can put your server in a DMZ such that it is isolated +from your local systems - assuming that the Server can be located + near the Firewall, of course :-)
    • +
  • The accessibility + problem is best solved using Bind Version 9 "views" (or using a separate DNS server for local clients) such that www.mydomain.com - resolves to 130.141.100.69 externally and 192.168.1.5 internally. - That's what I do here at shorewall.net for my local systems - that use static NAT.
    • - - + resolves to 130.141.100.69 externally and 192.168.1.5 internally. + That's what I do here at shorewall.net for my local systems + that use static NAT. + +
- - - -

If you insist on an IP solution to the accessibility problem - rather than a DNS solution, then assuming that your - external interface is eth0 and your internal interface - is eth1 and that eth1 has IP address 192.168.1.254 with subnet - 192.168.1.0/24, in /etc/shorewall/rules, add:

- - -
+ + + +

If you insist on an IP solution to the accessibility problem + rather than a DNS solution, then assuming that your + external interface is eth0 and your internal interface + is eth1 and that eth1 has IP address 192.168.1.254 with + subnet 192.168.1.0/24, in /etc/shorewall/rules, add:

+ + +
- - -
-
- - + + +
+
+ + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-130.151.100.69:192.168.1.254
-
-
- - -
-

That rule only works of course if you have a static external - IP address. If you have a dynamic IP address and -are running Shorewall 1.3.4 or later then include this -in /etc/shorewall/init:

-
- - -
+
+
+ + +
+

That rule only works of course if you have a static external + IP address. If you have a dynamic IP address and + are running Shorewall 1.3.4 or later then include this + in /etc/shorewall/init:

+
+ + +
     ETH0_IP=`find_interface_address eth0`
-
- - -
+
+ + +

and make your DNAT rule:

-
- - -
-
- - +
+ + +
+
+ + - - - - - - - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + + + + + + + +
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE PORTORIG. DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
ACTIONSOURCEDESTINATIONPROTOCOLPORTSOURCE + PORTORIG. +DEST.
DNATloc:192.168.1.0/24loc:192.168.1.5tcpwww-$ETH0_IP:192.168.1.254
-
-
- - -
-

Using this technique, you will want to configure your DHCP/PPPoE - client to automatically restart Shorewall each time - that you get a new IP address.

-
- - -

2a. I have a zone "Z" with an RFC1918 - subnet and I use static NAT to assign non-RFC1918 addresses - to hosts in Z. Hosts in Z cannot communicate with each -other using their external (non-RFC1918 addresses) so they -can't access each other using their DNS names.

- - -

Answer: This is another problem that is best solved - using Bind Version 9 "views". It allows both external - and internal clients to access a NATed host using the -host's DNS name.

- - +

+ + + +
+

Using this technique, you will want to configure your DHCP/PPPoE + client to automatically restart Shorewall each time + that you get a new IP address.

+
+ + +

2a. I have a zone "Z" with an RFC1918 + subnet and I use static NAT to assign non-RFC1918 + addresses to hosts in Z. Hosts in Z cannot communicate + with each other using their external (non-RFC1918 addresses) + so they can't access each other using their DNS names.

+ + +

Answer: This is another problem that is best solved + using Bind Version 9 "views". It allows both external + and internal clients to access a NATed host using the + host's DNS name.

+ +

Another good way to approach this problem is to switch from - static NAT to Proxy ARP. That way, the hosts in Z -have non-RFC1918 addresses and can be accessed externally -and internally using the same address.

- - + static NAT to Proxy ARP. That way, the hosts in +Z have non-RFC1918 addresses and can be accessed externally + and internally using the same address.

+ +

If you don't like those solutions and prefer routing all Z->Z traffic through your firewall then:

- - + +

a) Set the Z->Z policy to ACCEPT.
- b) Masquerade Z to itself.
-
- Example:

- - + b) Masquerade Z to itself.
+
+ Example:

+ +

Zone: dmz
- Interface: eth2
- Subnet: 192.168.2.0/24

- - + Interface: eth2
+ Subnet: 192.168.2.0/24

+ +

In /etc/shorewall/interfaces:

- - -
- - + + +
+ + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
ZONEINTERFACEBROADCASTOPTIONS
dmzeth2192.168.2.255
-
ZONEINTERFACEBROADCASTOPTIONS
dmzeth2192.168.2.255
+
-
- - +
+ +

In /etc/shorewall/policy:

- - -
- - + + +
+ + - - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
SOURCE DESTINATIONPOLICYLIMIT:BURST
dmzdmzACCEPT
-
SOURCE + DESTINATIONPOLICYLIMIT:BURST
dmzdmzACCEPT
+
-
- - - +
+ + +

In /etc/shorewall/masq:

- - -
- - + + +
+ + - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + +
INTERFACE - SUBNETADDRESS
eth2192.168.2.0/24
-
INTERFACE + SUBNETADDRESS
eth2192.168.2.0/24
+
-
- - -

3. I want to use Netmeeting or MSN Instant - Messenger with Shorewall. What do I do?

- - +
+ + +

3. I want to use Netmeeting or MSN Instant + Messenger with Shorewall. What do I do?

+ +

Answer: There is an H.323 connection - tracking/NAT module that may help with Netmeeting. - Look here for a solution - for MSN IM but be aware that there are significant security risks involved - with this solution. Also check the Netfilter mailing list - archives at http://www.netfilter.org. -

- - -

4. I just used an online port scanner - to check my firewall and it shows some ports as -'closed' rather than 'blocked'. Why?

- - -

Answer: The common.def included with version 1.3.x - always rejects connection requests on TCP port 113 - rather than dropping them. This is necessary to prevent - outgoing connection problems to services that use the - 'Auth' mechanism for identifying requesting users. Shorewall - also rejects TCP ports 135, 137 and 139 as well as UDP ports - 137-139. These are ports that are used by Windows (Windows can - be configured to use the DCE cell locator on port 135). Rejecting - these connection requests rather than dropping them cuts down - slightly on the amount of Windows chatter on LAN segments connected - to the Firewall.

- - -

If you are seeing port 80 being 'closed', that's probably - your ISP preventing you from running a web server - in violation of your Service Agreement.

- - -

4a. I just ran an nmap UDP scan of my - firewall and it showed 100s of ports as open!!!!

- - -

Answer: Take a deep breath and read the nmap man page - section about UDP scans. If nmap gets nothing - back from your firewall then it reports the port as -open. If you want to see which UDP ports are really open, - temporarily change your net->all policy to REJECT, restart - Shorewall and do the nmap UDP scan again.

- - -

5. I've installed Shorewall and now I - can't ping through the firewall

- - -

Answer: If you want your firewall to be totally open - for "ping",

- - -

a) Create /etc/shorewall/common if it doesn't already exist. -
- b) Be sure that the first -command in the file is ". /etc/shorewall/common.def"
- c) Add the following to /etc/shorewall/common -

- - -
- - -

run_iptables -A icmpdef -p ICMP --icmp-type echo-request - -j ACCEPT
-

-
- For a complete description of Shorewall 'ping' management, - see this page. - + href="http://www.kfki.hu/%7Ekadlec/sw/netfilter/newnat-suite/"> H.323 connection + tracking/NAT module that may help with Netmeeting. + Look here for a solution + for MSN IM but be aware that there are significant security risks +involved with this solution. Also check the Netfilter mailing + list archives at http://www.netfilter.org. +

+ + +

4. I just used an online port scanner + to check my firewall and it shows some ports as + 'closed' rather than 'blocked'. Why?

+ + +

Answer: The common.def included with version 1.3.x + always rejects connection requests on TCP port + 113 rather than dropping them. This is necessary to + prevent outgoing connection problems to services that use + the 'Auth' mechanism for identifying requesting users. Shorewall + also rejects TCP ports 135, 137 and 139 as well as UDP ports + 137-139. These are ports that are used by Windows (Windows + can be configured to use the DCE cell locator on port + 135). Rejecting these connection requests rather than dropping + them cuts down slightly on the amount of Windows chatter on LAN segments + connected to the Firewall.

+ + +

If you are seeing port 80 being 'closed', that's probably + your ISP preventing you from running a web server + in violation of your Service Agreement.

+ + +

4a. I just ran an nmap UDP scan of my + firewall and it showed 100s of ports as open!!!!

+ + +

Answer: Take a deep breath and read the nmap man page + section about UDP scans. If nmap gets nothing + back from your firewall then it reports the port as + open. If you want to see which UDP ports are really open, + temporarily change your net->all policy to REJECT, restart + Shorewall and do the nmap UDP scan again.

+ + +

5. I've installed Shorewall and now I + can't ping through the firewall

+ + +

Answer: If you want your firewall to be totally open + for "ping",

+ + +

a) Create /etc/shorewall/common if it doesn't already exist. +
+ b) Be sure that the first + command in the file is ". /etc/shorewall/common.def"
+ c) Add the following +to /etc/shorewall/common

+ + +
+ + +

run_iptables -A icmpdef -p ICMP --icmp-type echo-request + -j ACCEPT
+

+
+ For a complete description of Shorewall 'ping' + management, see this page. + +

6. Where are the log messages written - and how do I change the destination?

- - + and how do I change the destination?

+ +

Answer: NetFilter uses the kernel's equivalent of syslog (see "man syslog") to log messages. It always uses the LOG_KERN (kern) facility (see "man openlog") and you get to choose the log level (again, see "man syslog") in your policies and rules. The destination for messaged -logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). - When you have changed /etc/syslog.conf, be sure to restart - syslogd (on a RedHat system, "service syslog restart"). -

- - -

By default, older versions of Shorewall ratelimited log messages - through settings - in /etc/shorewall/shorewall.conf -- If you want to log - all messages, set:

- - -
+ href="Documentation.htm#Rules">rules. The destination for messaged +logged by syslog is controlled by /etc/syslog.conf (see "man syslog.conf"). + When you have changed /etc/syslog.conf, be sure to + restart syslogd (on a RedHat system, "service syslog restart"). +

+ + +

By default, older versions of Shorewall ratelimited log messages + through settings + in /etc/shorewall/shorewall.conf -- If you want to +log all messages, set:

+ + +
     LOGLIMIT=""
     LOGBURST=""
-Beginning with Shorewall version 1.3.12, you can set up Shorewall to log all of its messages -to a separate file.
-
- - + to a separate file.
+
+ +

6a. Are there any log parsers that work - with Shorewall?

- - -

Answer: Here are several links that may be helpful: -

- - -
- - + with Shorewall?

+ + +

Answer: Here are several links that may be helpful: +

+ + +
+ +

http://www.shorewall.net/pub/shorewall/parsefw/
- http://www.fireparse.com
- http://cert.uni-stuttgart.de/projects/fwlogwatch
- http://www.logwatch.org
- http://gege.org/iptables
-

-
- I personnaly use Logwatch. It emails me a report - each day from my various systems with each report summarizing -the logged activity on the corresponding system. - + http://www.logwatch.org
+ http://gege.org/iptables
+

+
+ I personnaly use Logwatch. It emails me +a report each day from my various systems with each report +summarizing the logged activity on the corresponding system. + +

6b. DROP messages on port 10619 - are flooding the logs with their connect requests. Can i exclude - these error messages for this port temporarily from logging in Shorewall?

- Temporarily add the following rule:
- + are flooding the logs with their connect requests. Can i +exclude these error messages for this port temporarily from logging +in Shorewall?

+ Temporarily add the following rule:
+ 
	DROP    net    fw    udp    10619
- +

6c. All day long I get a steady flow - of these DROP messages from port 53 to some high numbered port. -They get dropped, but what the heck are they?

- + of these DROP messages from port 53 to some high numbered port. + They get dropped, but what the heck are they?

+ 
Jan  8 15:50:48 norcomix kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:40:c7:2e:09:c0:00:01:64:4a:70:00:08:00
                                                        SRC=208.138.130.16 DST=24.237.22.45 LEN=53 TOS=0x00 PREC=0x00
                                                        TTL=251 ID=8288 DF PROTO=UDP SPT=53 DPT=40275 LEN=33
- Answer: There are two possibilities:
- + Answer: There are two possibilities:
+
    -
  1. They are late-arriving replies to DNS queries.
    2. -
  2. They are corrupted reply packets.
    3. - +
  3. They are late-arriving replies to DNS queries.
    4. +
  4. They are corrupted reply packets.
    5. +
- You can distinguish the difference by setting the logunclean - option (/etc/shorewall/interfaces) - on your external interface (eth0 in the above example). If they get - logged twice, they are corrupted. I solve this problem by using an -/etc/shorewall/common file like this:
- -
+ You can distinguish the difference by setting the logunclean + option (/etc/shorewall/interfaces) + on your external interface (eth0 in the above example). If they +get logged twice, they are corrupted. I solve this problem by using +an /etc/shorewall/common file like this:
+ +
#
# Include the standard common.def file
#
. /etc/shorewall/common.def
#
# The following rule is non-standard and compensates for tardy
# DNS replies
#
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
-
- The above file is also include in all of my sample configurations - available in the Quick Start - Guides and in the common.def file in Shorewall 1.4.0 and later.
- +
+ The above file is also include in all of my sample configurations + available in the Quick Start + Guides and in the common.def file in Shorewall 1.4.0 and later.
+

6d. Why is the MAC address in - Shorewall log messages so long? I thought MAC addresses were only 6 -bytes in length.

- What is labeled as the MAC address in a Shorewall log message is actually - the Ethernet frame header. IT contains:
- + Shorewall log messages so long? I thought MAC addresses were only +6 bytes in length. + What is labeled as the MAC address in a Shorewall log message is +actually the Ethernet frame header. IT contains:
+
    -
  • the destination MAC address (6 bytes)
    • -
  • the source MAC address (6 bytes)
    • -
  • the ethernet frame type (2 bytes)
    • - +
  • the destination MAC address (6 bytes)
    • +
  • the source MAC address (6 bytes)
    • +
  • the ethernet frame type (2 bytes)
    • +
- Example:
-
- MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
- + Example:
+
+ MAC=00:04:4c:dc:e2:28:00:b0:8e:cf:3c:4c:08:00
+
    -
  • Destination MAC address = 00:04:4c:dc:e2:28
    • -
  • Source MAC address = 00:b0:8e:cf:3c:4c
    • -
  • Ethernet Frame Type = 08:00 (IP Version 4)
    • - +
  • Destination MAC address = 00:04:4c:dc:e2:28
    • +
  • Source MAC address = 00:b0:8e:cf:3c:4c
    • +
  • Ethernet Frame Type = 08:00 (IP Version 4)
    • +
- +

7. When I stop Shorewall using 'shorewall - stop', I can't connect to anything. Why doesn't that - command work?

- - -

The 'stop' command is intended to place your firewall into - a safe state whereby only those hosts listed in /etc/shorewall/routestopped' - are activated. If you want to totally open up your firewall, - you must use the 'shorewall clear' command.

- - -

8. When I try to start Shorewall on RedHat, - I get messages about insmod failing -- what's wrong?

- - -

Answer: The output you will see looks something like - this:

- - -
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
     Perhaps iptables or your kernel needs to be upgraded.
- - -

This is usually cured by the following sequence of commands: -

- - -
-
     service ipchains stop
     chkconfig --delete ipchains
     rmmod ipchains
-
- - -
-

Also, be sure to check the errata - for problems concerning the version of iptables (v1.2.3) - shipped with RH7.2.
+ stop', I can't connect to anything. Why doesn't +that command work? + + +

The 'stop' command is intended to place your firewall into + a safe state whereby only those hosts listed in /etc/shorewall/routestopped' + are activated. If you want to totally open up your + firewall, you must use the 'shorewall clear' command.

- -

8a. When I try to start Shorewall on RedHat -I get a message referring me to FAQ #8

- Answer: This is usually cured by the sequence of commands shown above -in FAQ #8 - -

-
- - -

- - + + +

8. When I try to start Shorewall on RedHat, + I get messages about insmod failing -- what's wrong?

+ + +

Answer: The output you will see looks something like + this:

+ + +
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
     Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
     /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
     iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
     Perhaps iptables or your kernel needs to be upgraded.
+ + +

This is usually cured by the following sequence of commands: +

+ + +
+
     service ipchains stop
     chkconfig --delete ipchains
     rmmod ipchains
+
+ + +
+

Also, be sure to check the errata + for problems concerning the version of iptables +(v1.2.3) shipped with RH7.2.
+

+ +

8a. When I try to start Shorewall on RedHat + I get a message referring me to FAQ #8

+ Answer: This is usually cured by the sequence of commands shown + above in FAQ #8 +
+

9. Why can't Shorewall detect my interfaces - properly?

- - -

I just installed Shorewall and when I issue the start command, - I see the following:

- - -
-
     Processing /etc/shorewall/shorewall.conf ...
     Processing /etc/shorewall/params ...
     Starting Shorewall...
     Loading Modules...
     Initializing...
     Determining Zones...
     Zones: net loc
     Validating interfaces file...
     Validating hosts file...
     Determining Hosts in Zones...
     Net Zone: eth0:0.0.0.0/0
     Local Zone: eth1:0.0.0.0/0
     Deleting user chains...
     Creating input Chains...
     ...
-
- - -
+ properly at startup? + + +

I just installed Shorewall and when I issue the start command, + I see the following:

+ + +
+
     Processing /etc/shorewall/params ...
     Processing /etc/shorewall/shorewall.conf ...
     Starting Shorewall...
     Loading Modules...
     Initializing...
     Determining Zones...
     Zones: net loc
     Validating interfaces file...
     Validating hosts file...
     Determining Hosts in Zones...
     Net Zone: eth0:0.0.0.0/0
     Local Zone: eth1:0.0.0.0/0
     Deleting user chains...
     Creating input Chains...
     ...
+
+ + +

Why can't Shorewall detect my interfaces properly?

-
- - -
+
+ + +

Answer: The above output is perfectly normal. The Net zone is defined as all hosts that are connected through eth0 and the local zone is defined as all hosts connected through eth1

-
- - -

10. What Distributions does it work +

+ + +

10. What Distributions does it work with?

- - -

Shorewall works with any GNU/Linux distribution that includes - the proper - prerequisites.

- - + + +

Shorewall works with any GNU/Linux distribution that includes + the proper + prerequisites.

+ +

11. What Features does it have?

- - -

Answer: See the Shorewall - Feature List.

- - + + +

Answer: See the Shorewall + Feature List.

+ +

12. Is there a GUI?

- - -

Answer: Yes. Shorewall support is included in Webmin - 1.060 and later versions. See http://www.webmin.com -

- - + + +

Answer: Yes. Shorewall support is included in Webmin + 1.060 and later versions. See http://www.webmin.com +

+ +

13. Why do you call it "Shorewall"?

- - -

Answer: Shorewall is a concatenation of "Shoreline" - (the -city where I live) and "Firewall". The full -name of the product is actually "Shoreline Firewall" but "Shorewall" -is must more commonly used.

- - -

14. I'm connected via a cable modem - and it has an internal web server that allows me to - configure/monitor it but as expected if I enable rfc1918 - blocking for my eth0 interface (the internet one), it also - blocks the cable modems web server.

- - -

Is there any way it can add a rule before the rfc1918 blocking - that will let all traffic to and from the 192.168.100.1 - address of the modem in/out but still block all other rfc1918 - addresses?

- - + + +

Answer: Shorewall is a concatenation of "Shoreline" + (the + city where I live) and "Firewall". The full + name of the product is actually "Shoreline Firewall" but "Shorewall" + is must more commonly used.

+ + +

14. I'm connected via a cable modem + and it has an internal web server that allows me + to configure/monitor it but as expected if I enable + rfc1918 blocking for my eth0 interface (the internet one), + it also blocks the cable modems web server.

+ + +

Is there any way it can add a rule before the rfc1918 blocking + that will let all traffic to and from the 192.168.100.1 + address of the modem in/out but still block all other + rfc1918 addresses?

+ +

Answer: If you are running a version of Shorewall earlier than 1.3.1, create /etc/shorewall/start and in it, place the following:

- - -
+ + +
     run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT
-
- - -
-

If you are running version 1.3.1 or later, simply add the - following to + + +

- - -
-
- - +
+ + +
+
+ + - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
SUBNET - TARGET
192.168.100.1RETURN
SUBNET + TARGET
192.168.100.1RETURN
-
-
- - -
+
+ + + +

Be sure that you add the entry ABOVE the entry for 192.168.0.0/16.
-

- - -

Note: If you add a second IP address to your external firewall - interface to correspond to the modem address, you must - also make an entry in /etc/shorewall/rfc1918 for that address. - For example, if you configure the address 192.168.100.2 on - your firewall, then you would add two entries to /etc/shorewall/rfc1918: -
-

- - -
- +

+ + +

Note: If you add a second IP address to your external firewall + interface to correspond to the modem address, you +must also make an entry in /etc/shorewall/rfc1918 for that +address. For example, if you configure the address 192.168.100.2 +on your firewall, then you would add two entries to /etc/shorewall/rfc1918: +
+

+ + +
+ + - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + + +
SUBNET
- 		TARGET
-
192.168.100.1
- 		RETURN
-
192.168.100.2
- 		RETURN
-
SUBNET
+ 		TARGET
+
192.168.100.1
+ 		RETURN
+
192.168.100.2
+ 		RETURN
+
-
-
- - -
+
+ + + +

14a. Even though it assigns public IP addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my external interface, my DHCP client cannot renew its lease.

-
- - -
-

The solution is the same as FAQ 14 above. Simply substitute - the IP address of your ISPs DHCP server.

-
- - -

15. My local systems can't see out to - the net

- - -

Answer: Every time I read "systems can't see out to - the net", I wonder where the poster bought computers - with eyes and what those computers will "see" when things - are working properly. That aside, the most common causes - of this problem are:

- - + + + +
+

The solution is the same as FAQ 14 above. Simply substitute + the IP address of your ISPs DHCP server.

+
+ + +

15. My local systems can't see out to + the net

+ + +

Answer: Every time I read "systems can't see out to + the net", I wonder where the poster bought computers + with eyes and what those computers will "see" when things + are working properly. That aside, the most common causes + of this problem are:

+ +
    -
  1. - - - -

    The default gateway on each local system isn't set to - the IP address of the local firewall interface.

    -
    2. -
  2. - - - -

    The entry for the local network in the /etc/shorewall/masq - file is wrong or missing.

    -
    3. -
  3. - - - -

    The DNS settings on the local systems are wrong or the - user is running a DNS server on the firewall and - hasn't enabled UDP and TCP port 53 from the firewall - to the internet.

    -
    4. - - +
  4. + + + + +

    The default gateway on each local system isn't set to + the IP address of the local firewall interface.

    +
    5. +
  5. + + + + +

    The entry for the local network in the /etc/shorewall/masq + file is wrong or missing.

    +
    6. +
  6. + + + + +

    The DNS settings on the local systems are wrong or the + user is running a DNS server on the firewall and + hasn't enabled UDP and TCP port 53 from the firewall + to the internet.

    +
    7. + +
- - -

16. Shorewall is writing log messages - all over my console making it unusable!

- - -

Answer: "man dmesg" -- add a suitable 'dmesg' command - to your startup scripts or place it in /etc/shorewall/start. - Under RedHat, the max log level that is sent to the - console is specified in /etc/sysconfig/init in the LOGLEVEL - variable.
-

- - -

17. How do I find out why this traffic is getting - logged?

- Answer: Logging occurs -out of a number of chains (as indicated in the log message) - in Shorewall:
- - + + +

16. Shorewall is writing log messages + all over my console making it unusable!

+ + +

Answer: "man dmesg" -- add a suitable 'dmesg' command + to your startup scripts or place it in /etc/shorewall/start. + Under RedHat, the max log level that is sent to +the console is specified in /etc/sysconfig/init in the + LOGLEVEL variable.
+

+ + +

17. How do I find out why this traffic is getting + logged?

+ Answer: Logging occurs + out of a number of chains (as indicated in the log message) + in Shorewall:
+ +
    -
  1. man1918 - The destination - address is listed in /etc/shorewall/rfc1918 with a logdrop - target -- see /etc/shorewall/rfc1918.
    2. -
  2. rfc1918 - The source - address is listed in /etc/shorewall/rfc1918 with a logdrop - target -- see /etc/shorewall/rfc1918.
    3. -
  3. all2<zone>, - <zone>2all or all2all - - You have a policy that specifies -a log level and this packet is being logged under that policy. - If you intend to ACCEPT this traffic then you need a man1918 - The +destination address is listed in /etc/shorewall/rfc1918 + with a logdrop target -- see /etc/shorewall/rfc1918.
    4. +
  4. rfc1918 - The +source address is listed in /etc/shorewall/rfc1918 with +a logdrop target -- see /etc/shorewall/rfc1918.
    5. +
  5. all2<zone>, + <zone>2all or all2all - + You have a policy that specifies + a log level and this packet is being logged under that policy. + If you intend to ACCEPT this traffic then you need a rule to that effect.
    -
    6. -
  6. <zone1>2<zone2> - - Either you have a policy for <zone1> +
    7. +
  7. <zone1>2<zone2> + - Either you have a policy for <zone1> to <zone2> that specifies a log level and -this packet is being logged under that policy or this packet - matches a rule that includes - a log level.
    8. -
  8. <interface>_mac - -The packet is being logged under the maclist interface option.
    -
    9. -
  9. logpkt - The packet - is being logged under the logunclean interface option.
    10. -
  10. badpkt - The packet - is being logged under the dropunclean - interface option as specified - in the LOGUNCLEAN setting in rule that includes + a log level.
    11. +
  11. <interface>_mac + - The packet is being logged under the maclist + interface option.
    +
    12. +
  12. logpkt - The +packet is being logged under the logunclean + interface option.
    13. +
  13. badpkt - The +packet is being logged under the dropunclean + interface option +as specified in the LOGUNCLEAN setting in /etc/shorewall/shorewall.conf.
    14. -
  14. blacklst - The packet - is being logged because the source IP is blacklisted in - the /etc/shorewall/blacklist - file.
    15. -
  15. newnotsyn - The packet - is being logged because it is a TCP packet that is not -part of any current connection yet it is not a syn packet. - Options affecting the logging of such packets include NEWNOTSYN - and LOGNEWNOTSYN in blacklst - The + packet is being logged because the source IP is blacklisted + in the /etc/shorewall/blacklist + file.
    16. +
  16. newnotsyn - The + packet is being logged because it is a TCP packet that + is not part of any current connection yet it is not a syn packet. + Options affecting the logging of such packets include NEWNOTSYN + and LOGNEWNOTSYN in /etc/shorewall/shorewall.conf.
    17. -
  17. INPUT or FORWARD - - The packet has a source IP address that isn't in any -of your defined zones ("shorewall check" and look at the - printed zone definitions) or the chain is FORWARD and the destination - IP isn't in any of your defined zones.
    18. -
  18. logflags - The packet is being - logged because it failed the checks implemented by the tcpflags - interface option.
    -
    19. - - +
  19. INPUT or FORWARD + - The packet has a source IP address that isn't in any + of your defined zones ("shorewall check" and look at the + printed zone definitions) or the chain is FORWARD and the destination + IP isn't in any of your defined zones.
    20. +
  20. logflags - The packet is + being logged because it failed the checks implemented by +the tcpflags interface + option.
    +
    21. + +
- - -

18. Is there any way to use aliased ip addresses - with Shorewall, and maintain separate rulesets for different - IPs?

- Answer: Yes. See Shorewall and Aliased Interfaces. - -

19. I have added entries to /etc/shorewall/tcrules - but they don't seem to do anything. Why?

- You probably haven't set TC_ENABLED=Yes - in /etc/shorewall/shorewall.conf so the contents of the -tcrules file are simply being ignored.
- + + +

18. Is there any way to use aliased ip addresses + with Shorewall, and maintain separate rulesets for different + IPs?

+ Answer: Yes. See Shorewall and Aliased Interfaces. + +

19. I have added entries to /etc/shorewall/tcrules + but they don't seem to do anything. Why?

+ You probably haven't set TC_ENABLED=Yes + in /etc/shorewall/shorewall.conf so the contents of the + tcrules file are simply being ignored.
+ +

20. I have just set up a server. Do I have - to change Shorewall to allow access to my server from the - internet?
-

- Yes. Consult the
+ + Yes. Consult the QuickStart guide that you used during your initial setup for information about how to set up rules for your server.
- +

21. I see these strange log entries occasionally; - what are they?
-

- -
- + what are they?
+ + + +
+ 
Nov 25 18:58:52 linux kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:60:1d:f0:a6:f9:00:60:1d:f6:35:50:08:00
     SRC=206.124.146.179 DST=192.0.2.3 LEN=56 TOS=0x00 PREC=0x00 TTL=110 ID=18558 PROTO=ICMP TYPE=3 CODE=3 
     [SRC=192.0.2.3 DST=172.16.1.10 LEN=128 TOS=0x00 PREC=0x00 TTL=47 ID=0 DF PROTO=UDP SPT=53 DPT=2857 LEN=108 ]
-
- 192.0.2.3 is external on my firewall... 172.16.0.0/24 - is my internal LAN
-
- Answer: While most people associate - the Internet Control Message Protocol (ICMP) with 'ping', -ICMP is a key piece of the internet. ICMP is used to report -problems back to the sender of a packet; this is what is happening - here. Unfortunately, where NAT is involved (including SNAT, DNAT -and Masquerade), there are a lot of broken implementations. That is - what you are seeing with these messages.
-
- Here is my interpretation of what is happening - -- to confirm this analysis, one would have to have packet sniffers - placed a both ends of the connection.
-
- Host 172.16.1.10 behind NAT gateway 206.124.146.179 - sent a UDP DNS query to 192.0.2.3 and your DNS server tried - to send a response (the response information is in the brackets --- note source port 53 which marks this as a DNS reply). When the -response was returned to to 206.124.146.179, it rewrote the destination - IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no longer - had a connection on UDP port 2857. This causes a port unreachable - (type 3, code 3) to be generated back to 192.0.2.3. As this packet +
+ 192.0.2.3 is external on my firewall... + 172.16.0.0/24 is my internal LAN
+
+ Answer: While most people associate + the Internet Control Message Protocol (ICMP) with 'ping', + ICMP is a key piece of the internet. ICMP is used to report + problems back to the sender of a packet; this is what is happening + here. Unfortunately, where NAT is involved (including SNAT, DNAT + and Masquerade), there are a lot of broken implementations. That is + what you are seeing with these messages.
+
+ Here is my interpretation of what is happening + -- to confirm this analysis, one would have to have packet +sniffers placed a both ends of the connection.
+
+ Host 172.16.1.10 behind NAT gateway 206.124.146.179 + sent a UDP DNS query to 192.0.2.3 and your DNS server tried + to send a response (the response information is in the brackets + -- note source port 53 which marks this as a DNS reply). When the + response was returned to to 206.124.146.179, it rewrote the destination + IP TO 172.16.1.10 and forwarded the packet to 172.16.1.10 who no +longer had a connection on UDP port 2857. This causes a port unreachable + (type 3, code 3) to be generated back to 192.0.2.3. As this packet is sent back through 206.124.146.179, that box correctly changes the source address in the packet to 206.124.146.179 but doesn't reset -the DST IP in the original DNS response similarly. When the ICMP +the DST IP in the original DNS response similarly. When the ICMP reaches your firewall (192.0.2.3), your firewall has no record of having sent a DNS reply to 172.16.1.10 so this ICMP doesn't appear to be related to anything that was sent. The final result is that the packet @@ -1277,54 +1403,58 @@ where the source IP in the ICMP itself isn't set back to the external IP of the remote NAT gateway; that causes your firewall to log and drop the packet out of the rfc1918 chain because the source IP is reserved by RFC 1918.
- +

22. I have some iptables commands that - I want to run when Shorewall starts. Which file do I put - them in?

- You can place these commands in one of the - Shorewall Extension Scripts. - Be sure that you look at the contents of the chain(s) that you will be modifying - with your commands to be sure that the commands will do what -they are intended. Many iptables commands published in HOWTOs and -other instructional material use the -A command which adds the rules -to the end of the chain. Most chains that Shorewall constructs end -with an unconditional DROP, ACCEPT or REJECT rule and any rules that -you add after that will be ignored. Check "man iptables" and look at -the -I (--insert) command.
- + I want to run when Shorewall starts. Which file do I +put them in? + You can place these commands in one of + the Shorewall Extension Scripts. + Be sure that you look at the contents of the chain(s) that you will be +modifying with your commands to be sure that the commands will +do what they are intended. Many iptables commands published in +HOWTOs and other instructional material use the -A command which +adds the rules to the end of the chain. Most chains that Shorewall +constructs end with an unconditional DROP, ACCEPT or REJECT rule and +any rules that you add after that will be ignored. Check "man iptables" + and look at the -I (--insert) command.
+

23. Why do you use such ugly fonts on your - web site?

- The Shorewall web site is almost font neutral (it doesn't - explicitly specify fonts except on a few pages) so the fonts you -see are largely the default fonts configured in your browser. If you -don't like them then reconfigure your browser.
- -

24. How can I allow conections to let's say - the ssh port only from specific IP Addresses on the internet?

- In the SOURCE column of the rule, follow "net" by a colon - and a list of the host/subnet addresses as a comma-separated list.
- + web site? + The Shorewall web site is almost font neutral (it + doesn't explicitly specify fonts except on a few pages) so the +fonts you see are largely the default fonts configured in your browser. + If you don't like them then reconfigure your browser.
+ +

24. How can I allow conections to let's say + the ssh port only from specific IP Addresses on the internet?

+ In the SOURCE column of the rule, follow "net" by +a colon and a list of the host/subnet addresses as a comma-separated + list.
+ 
    net:<ip1>,<ip2>,...
- Example:
- + Example:
+ 
    ACCEPT	net:192.0.2.16/28,192.0.2.44	fw	tcp	22
- - + +
- +

25. How to I tell which version of Shorewall - I am running?
-

- At the shell prompt, type:
-
-     /sbin/shorewall version
-
- Last updated 3/11/2003 - Tom - Eastep - -

Copyright + I am running?
+ + At the shell prompt, type:
+
+ /sbin/shorewall version
+
+ Last updated 3/22/2003 - Tom + Eastep + +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.
-

+

+
+
+

diff --git a/Shorewall-docs/Forum.html b/Shorewall-docs/Forum.html index b0bb7b9ae..188976791 100644 --- a/Shorewall-docs/Forum.html +++ b/Shorewall-docs/Forum.html @@ -1,40 +1,40 @@ - + Shorewall Support Forum - + - + - + - - +
+

Support Forum
- +

-

REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please +

REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please read the Shorewall Support Guide.

-

Shorewall Support +

Shorewall Support Forum

- +

Updated 3/6/2003 - Tom Eastep

- +

Copyright © 2003 Thomas M. Eastep.


diff --git a/Shorewall-docs/GnuCopyright.htm b/Shorewall-docs/GnuCopyright.htm index 9edd1c7ae..59961611a 100644 --- a/Shorewall-docs/GnuCopyright.htm +++ b/Shorewall-docs/GnuCopyright.htm @@ -24,256 +24,256 @@ Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

0. PREAMBLE

-

The purpose of this License is to make a manual, textbook, or other written -document "free" in the sense of freedom: to assure everyone the effective -freedom to copy and redistribute it, with or without modifying it, either -commercially or noncommercially. Secondarily, this License preserves for the -author and publisher a way to get credit for their work, while not being +

The purpose of this License is to make a manual, textbook, or other written +document "free" in the sense of freedom: to assure everyone the effective +freedom to copy and redistribute it, with or without modifying it, either +commercially or noncommercially. Secondarily, this License preserves for the +author and publisher a way to get credit for their work, while not being considered responsible for modifications made by others.

-

This License is a kind of "copyleft", which means that derivative works of -the document must themselves be free in the same sense. It complements the GNU +

This License is a kind of "copyleft", which means that derivative works of +the document must themselves be free in the same sense. It complements the GNU General Public License, which is a copyleft license designed for free software.

-

We have designed this License in order to use it for manuals for free -software, because free software needs free documentation: a free program should -come with manuals providing the same freedoms that the software does. But this -License is not limited to software manuals; it can be used for any textual work, -regardless of subject matter or whether it is published as a printed book. We -recommend this License principally for works whose purpose is instruction or +

We have designed this License in order to use it for manuals for free +software, because free software needs free documentation: a free program should +come with manuals providing the same freedoms that the software does. But this +License is not limited to software manuals; it can be used for any textual work, +regardless of subject matter or whether it is published as a printed book. We +recommend this License principally for works whose purpose is instruction or reference.

1. APPLICABILITY AND DEFINITIONS

-

This License applies to any manual or other work that contains a notice -placed by the copyright holder saying it can be distributed under the terms of -this License. The "Document", below, refers to any such manual or work. Any +

This License applies to any manual or other work that contains a notice +placed by the copyright holder saying it can be distributed under the terms of +this License. The "Document", below, refers to any such manual or work. Any member of the public is a licensee, and is addressed as "you".

-

A "Modified Version" of the Document means any work containing the Document -or a portion of it, either copied verbatim, or with modifications and/or +

A "Modified Version" of the Document means any work containing the Document +or a portion of it, either copied verbatim, or with modifications and/or translated into another language.

-

A "Secondary Section" is a named appendix or a front-matter section of the -Document that deals exclusively with the relationship of the publishers or -authors of the Document to the Document's overall subject (or to related -matters) and contains nothing that could fall directly within that overall -subject. (For example, if the Document is in part a textbook of mathematics, a -Secondary Section may not explain any mathematics.) The relationship could be a -matter of historical connection with the subject or with related matters, or of +

A "Secondary Section" is a named appendix or a front-matter section of the +Document that deals exclusively with the relationship of the publishers or +authors of the Document to the Document's overall subject (or to related +matters) and contains nothing that could fall directly within that overall +subject. (For example, if the Document is in part a textbook of mathematics, a +Secondary Section may not explain any mathematics.) The relationship could be a +matter of historical connection with the subject or with related matters, or of legal, commercial, philosophical, ethical or political position regarding them.

-

The "Invariant Sections" are certain Secondary Sections whose titles are -designated, as being those of Invariant Sections, in the notice that says that +

The "Invariant Sections" are certain Secondary Sections whose titles are +designated, as being those of Invariant Sections, in the notice that says that the Document is released under this License.

-

The "Cover Texts" are certain short passages of text that are listed, as -Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document +

The "Cover Texts" are certain short passages of text that are listed, as +Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document is released under this License.

-

A "Transparent" copy of the Document means a machine-readable copy, -represented in a format whose specification is available to the general public, -whose contents can be viewed and edited directly and straightforwardly with -generic text editors or (for images composed of pixels) generic paint programs -or (for drawings) some widely available drawing editor, and that is suitable for -input to text formatters or for automatic translation to a variety of formats -suitable for input to text formatters. A copy made in an otherwise Transparent -file format whose markup has been designed to thwart or discourage subsequent -modification by readers is not Transparent. A copy that is not "Transparent" is +

A "Transparent" copy of the Document means a machine-readable copy, +represented in a format whose specification is available to the general public, +whose contents can be viewed and edited directly and straightforwardly with +generic text editors or (for images composed of pixels) generic paint programs +or (for drawings) some widely available drawing editor, and that is suitable for +input to text formatters or for automatic translation to a variety of formats +suitable for input to text formatters. A copy made in an otherwise Transparent +file format whose markup has been designed to thwart or discourage subsequent +modification by readers is not Transparent. A copy that is not "Transparent" is called "Opaque".

-

Examples of suitable formats for Transparent copies include plain ASCII -without markup, Texinfo input format, LaTeX input format, SGML or XML using a -publicly available DTD, and standard-conforming simple HTML designed for human -modification. Opaque formats include PostScript, PDF, proprietary formats that -can be read and edited only by proprietary word processors, SGML or XML for -which the DTD and/or processing tools are not generally available, and the -machine-generated HTML produced by some word processors for output purposes +

Examples of suitable formats for Transparent copies include plain ASCII +without markup, Texinfo input format, LaTeX input format, SGML or XML using a +publicly available DTD, and standard-conforming simple HTML designed for human +modification. Opaque formats include PostScript, PDF, proprietary formats that +can be read and edited only by proprietary word processors, SGML or XML for +which the DTD and/or processing tools are not generally available, and the +machine-generated HTML produced by some word processors for output purposes only.

-

The "Title Page" means, for a printed book, the title page itself, plus such -following pages as are needed to hold, legibly, the material this License -requires to appear in the title page. For works in formats which do not have any -title page as such, "Title Page" means the text near the most prominent +

The "Title Page" means, for a printed book, the title page itself, plus such +following pages as are needed to hold, legibly, the material this License +requires to appear in the title page. For works in formats which do not have any +title page as such, "Title Page" means the text near the most prominent appearance of the work's title, preceding the beginning of the body of the text.

2. VERBATIM COPYING

-

You may copy and distribute the Document in any medium, either commercially -or noncommercially, provided that this License, the copyright notices, and the -license notice saying this License applies to the Document are reproduced in all -copies, and that you add no other conditions whatsoever to those of this -License. You may not use technical measures to obstruct or control the reading -or further copying of the copies you make or distribute. However, you may accept -compensation in exchange for copies. If you distribute a large enough number of +

You may copy and distribute the Document in any medium, either commercially +or noncommercially, provided that this License, the copyright notices, and the +license notice saying this License applies to the Document are reproduced in all +copies, and that you add no other conditions whatsoever to those of this +License. You may not use technical measures to obstruct or control the reading +or further copying of the copies you make or distribute. However, you may accept +compensation in exchange for copies. If you distribute a large enough number of copies you must also follow the conditions in section 3.

-

You may also lend copies, under the same conditions stated above, and you may +

You may also lend copies, under the same conditions stated above, and you may publicly display copies.

3. COPYING IN QUANTITY

-

If you publish printed copies of the Document numbering more than 100, and -the Document's license notice requires Cover Texts, you must enclose the copies -in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover -Texts on the front cover, and Back-Cover Texts on the back cover. Both covers -must also clearly and legibly identify you as the publisher of these copies. The -front cover must present the full title with all words of the title equally -prominent and visible. You may add other material on the covers in addition. -Copying with changes limited to the covers, as long as they preserve the title -of the Document and satisfy these conditions, can be treated as verbatim copying +

If you publish printed copies of the Document numbering more than 100, and +the Document's license notice requires Cover Texts, you must enclose the copies +in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover +Texts on the front cover, and Back-Cover Texts on the back cover. Both covers +must also clearly and legibly identify you as the publisher of these copies. The +front cover must present the full title with all words of the title equally +prominent and visible. You may add other material on the covers in addition. +Copying with changes limited to the covers, as long as they preserve the title +of the Document and satisfy these conditions, can be treated as verbatim copying in other respects.

-

If the required texts for either cover are too voluminous to fit legibly, you -should put the first ones listed (as many as fit reasonably) on the actual +

If the required texts for either cover are too voluminous to fit legibly, you +should put the first ones listed (as many as fit reasonably) on the actual cover, and continue the rest onto adjacent pages.

-

If you publish or distribute Opaque copies of the Document numbering more -than 100, you must either include a machine-readable Transparent copy along with -each Opaque copy, or state in or with each Opaque copy a publicly-accessible -computer-network location containing a complete Transparent copy of the -Document, free of added material, which the general network-using public has -access to download anonymously at no charge using public-standard network -protocols. If you use the latter option, you must take reasonably prudent steps, -when you begin distribution of Opaque copies in quantity, to ensure that this -Transparent copy will remain thus accessible at the stated location until at -least one year after the last time you distribute an Opaque copy (directly or +

If you publish or distribute Opaque copies of the Document numbering more +than 100, you must either include a machine-readable Transparent copy along with +each Opaque copy, or state in or with each Opaque copy a publicly-accessible +computer-network location containing a complete Transparent copy of the +Document, free of added material, which the general network-using public has +access to download anonymously at no charge using public-standard network +protocols. If you use the latter option, you must take reasonably prudent steps, +when you begin distribution of Opaque copies in quantity, to ensure that this +Transparent copy will remain thus accessible at the stated location until at +least one year after the last time you distribute an Opaque copy (directly or through your agents or retailers) of that edition to the public.

-

It is requested, but not required, that you contact the authors of the -Document well before redistributing any large number of copies, to give them a +

It is requested, but not required, that you contact the authors of the +Document well before redistributing any large number of copies, to give them a chance to provide you with an updated version of the Document.

4. MODIFICATIONS

-

You may copy and distribute a Modified Version of the Document under the -conditions of sections 2 and 3 above, provided that you release the Modified -Version under precisely this License, with the Modified Version filling the role -of the Document, thus licensing distribution and modification of the Modified -Version to whoever possesses a copy of it. In addition, you must do these things +

You may copy and distribute a Modified Version of the Document under the +conditions of sections 2 and 3 above, provided that you release the Modified +Version under precisely this License, with the Modified Version filling the role +of the Document, thus licensing distribution and modification of the Modified +Version to whoever possesses a copy of it. In addition, you must do these things in the Modified Version:

 

    -
  • A. Use in the Title Page (and on the covers, if any) a - title distinct from that of the Document, and from those of previous versions - (which should, if there were any, be listed in the History section of the - Document). You may use the same title as a previous version if the original +
  • A. Use in the Title Page (and on the covers, if any) a + title distinct from that of the Document, and from those of previous versions + (which should, if there were any, be listed in the History section of the + Document). You may use the same title as a previous version if the original publisher of that version gives permission.
    • -
  • B. List on the Title Page, as authors, one or more - persons or entities responsible for authorship of the modifications in the - Modified Version, together with at least five of the principal authors of the +
  • B. List on the Title Page, as authors, one or more + persons or entities responsible for authorship of the modifications in the + Modified Version, together with at least five of the principal authors of the Document (all of its principal authors, if it has less than five).
    • -
  • C. State on the Title page the name of the publisher of +
  • C. State on the Title page the name of the publisher of the Modified Version, as the publisher.
  • D. Preserve all the copyright notices of the Document.
    • -
  • E. Add an appropriate copyright notice for your +
  • E. Add an appropriate copyright notice for your modifications adjacent to the other copyright notices.
    • -
  • F. Include, immediately after the copyright notices, a - license notice giving the public permission to use the Modified Version under +
  • F. Include, immediately after the copyright notices, a + license notice giving the public permission to use the Modified Version under the terms of this License, in the form shown in the Addendum below.
    • -
  • G. Preserve in that license notice the full lists of - Invariant Sections and required Cover Texts given in the Document's license +
  • G. Preserve in that license notice the full lists of + Invariant Sections and required Cover Texts given in the Document's license notice.
  • H. Include an unaltered copy of this License.
    • -
  • I. Preserve the section entitled "History", and its - title, and add to it an item stating at least the title, year, new authors, - and publisher of the Modified Version as given on the Title Page. If there is - no section entitled "History" in the Document, create one stating the title, - year, authors, and publisher of the Document as given on its Title Page, then - add an item describing the Modified Version as stated in the previous +
  • I. Preserve the section entitled "History", and its + title, and add to it an item stating at least the title, year, new authors, + and publisher of the Modified Version as given on the Title Page. If there is + no section entitled "History" in the Document, create one stating the title, + year, authors, and publisher of the Document as given on its Title Page, then + add an item describing the Modified Version as stated in the previous sentence.
    • -
  • J. Preserve the network location, if any, given in the - Document for public access to a Transparent copy of the Document, and likewise - the network locations given in the Document for previous versions it was based - on. These may be placed in the "History" section. You may omit a network - location for a work that was published at least four years before the Document - itself, or if the original publisher of the version it refers to gives +
  • J. Preserve the network location, if any, given in the + Document for public access to a Transparent copy of the Document, and likewise + the network locations given in the Document for previous versions it was based + on. These may be placed in the "History" section. You may omit a network + location for a work that was published at least four years before the Document + itself, or if the original publisher of the version it refers to gives permission.
    • -
  • K. In any section entitled "Acknowledgements" or - "Dedications", preserve the section's title, and preserve in the section all - the substance and tone of each of the contributor acknowledgements and/or +
  • K. In any section entitled "Acknowledgements" or + "Dedications", preserve the section's title, and preserve in the section all + the substance and tone of each of the contributor acknowledgements and/or dedications given therein.
    • -
  • L. Preserve all the Invariant Sections of the Document, - unaltered in their text and in their titles. Section numbers or the equivalent +
  • L. Preserve all the Invariant Sections of the Document, + unaltered in their text and in their titles. Section numbers or the equivalent are not considered part of the section titles.
    • -
  • M. Delete any section entitled "Endorsements". Such a +
  • M. Delete any section entitled "Endorsements". Such a section may not be included in the Modified Version.
    • -
  • N. Do not retitle any existing section as "Endorsements" +
  • N. Do not retitle any existing section as "Endorsements" or to conflict in title with any Invariant Section.
-

If the Modified Version includes new front-matter sections or appendices that -qualify as Secondary Sections and contain no material copied from the Document, -you may at your option designate some or all of these sections as invariant. To -do this, add their titles to the list of Invariant Sections in the Modified -Version's license notice. These titles must be distinct from any other section +

If the Modified Version includes new front-matter sections or appendices that +qualify as Secondary Sections and contain no material copied from the Document, +you may at your option designate some or all of these sections as invariant. To +do this, add their titles to the list of Invariant Sections in the Modified +Version's license notice. These titles must be distinct from any other section titles.

-

You may add a section entitled "Endorsements", provided it contains nothing -but endorsements of your Modified Version by various parties--for example, -statements of peer review or that the text has been approved by an organization +

You may add a section entitled "Endorsements", provided it contains nothing +but endorsements of your Modified Version by various parties--for example, +statements of peer review or that the text has been approved by an organization as the authoritative definition of a standard.

-

You may add a passage of up to five words as a Front-Cover Text, and a -passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover -Texts in the Modified Version. Only one passage of Front-Cover Text and one of -Back-Cover Text may be added by (or through arrangements made by) any one -entity. If the Document already includes a cover text for the same cover, -previously added by you or by arrangement made by the same entity you are acting -on behalf of, you may not add another; but you may replace the old one, on +

You may add a passage of up to five words as a Front-Cover Text, and a +passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover +Texts in the Modified Version. Only one passage of Front-Cover Text and one of +Back-Cover Text may be added by (or through arrangements made by) any one +entity. If the Document already includes a cover text for the same cover, +previously added by you or by arrangement made by the same entity you are acting +on behalf of, you may not add another; but you may replace the old one, on explicit permission from the previous publisher that added the old one.

-

The author(s) and publisher(s) of the Document do not by this License give -permission to use their names for publicity for or to assert or imply +

The author(s) and publisher(s) of the Document do not by this License give +permission to use their names for publicity for or to assert or imply endorsement of any Modified Version.

5. COMBINING DOCUMENTS

-

You may combine the Document with other documents released under this -License, under the terms defined in section 4 above for modified versions, -provided that you include in the combination all of the Invariant Sections of -all of the original documents, unmodified, and list them all as Invariant +

You may combine the Document with other documents released under this +License, under the terms defined in section 4 above for modified versions, +provided that you include in the combination all of the Invariant Sections of +all of the original documents, unmodified, and list them all as Invariant Sections of your combined work in its license notice.

-

The combined work need only contain one copy of this License, and multiple -identical Invariant Sections may be replaced with a single copy. If there are -multiple Invariant Sections with the same name but different contents, make the -title of each such section unique by adding at the end of it, in parentheses, -the name of the original author or publisher of that section if known, or else a -unique number. Make the same adjustment to the section titles in the list of +

The combined work need only contain one copy of this License, and multiple +identical Invariant Sections may be replaced with a single copy. If there are +multiple Invariant Sections with the same name but different contents, make the +title of each such section unique by adding at the end of it, in parentheses, +the name of the original author or publisher of that section if known, or else a +unique number. Make the same adjustment to the section titles in the list of Invariant Sections in the license notice of the combined work.

-

In the combination, you must combine any sections entitled "History" in the -various original documents, forming one section entitled "History"; likewise -combine any sections entitled "Acknowledgements", and any sections entitled +

In the combination, you must combine any sections entitled "History" in the +various original documents, forming one section entitled "History"; likewise +combine any sections entitled "Acknowledgements", and any sections entitled "Dedications". You must delete all sections entitled "Endorsements."

6. COLLECTIONS OF DOCUMENTS

-

You may make a collection consisting of the Document and other documents -released under this License, and replace the individual copies of this License -in the various documents with a single copy that is included in the collection, -provided that you follow the rules of this License for verbatim copying of each +

You may make a collection consisting of the Document and other documents +released under this License, and replace the individual copies of this License +in the various documents with a single copy that is included in the collection, +provided that you follow the rules of this License for verbatim copying of each of the documents in all other respects.

-

You may extract a single document from such a collection, and distribute it -individually under this License, provided you insert a copy of this License into -the extracted document, and follow this License in all other respects regarding +

You may extract a single document from such a collection, and distribute it +individually under this License, provided you insert a copy of this License into +the extracted document, and follow this License in all other respects regarding verbatim copying of that document.

7. AGGREGATION WITH INDEPENDENT WORKS

-

A compilation of the Document or its derivatives with other separate and -independent documents or works, in or on a volume of a storage or distribution -medium, does not as a whole count as a Modified Version of the Document, -provided no compilation copyright is claimed for the compilation. Such a -compilation is called an "aggregate", and this License does not apply to the -other self-contained works thus compiled with the Document, on account of their -being thus compiled, if they are not themselves derivative works of the +

A compilation of the Document or its derivatives with other separate and +independent documents or works, in or on a volume of a storage or distribution +medium, does not as a whole count as a Modified Version of the Document, +provided no compilation copyright is claimed for the compilation. Such a +compilation is called an "aggregate", and this License does not apply to the +other self-contained works thus compiled with the Document, on account of their +being thus compiled, if they are not themselves derivative works of the Document.

-

If the Cover Text requirement of section 3 is applicable to these copies of -the Document, then if the Document is less than one quarter of the entire -aggregate, the Document's Cover Texts may be placed on covers that surround only -the Document within the aggregate. Otherwise they must appear on covers around +

If the Cover Text requirement of section 3 is applicable to these copies of +the Document, then if the Document is less than one quarter of the entire +aggregate, the Document's Cover Texts may be placed on covers that surround only +the Document within the aggregate. Otherwise they must appear on covers around the whole aggregate.

8. TRANSLATION

-

Translation is considered a kind of modification, so you may distribute -translations of the Document under the terms of section 4. Replacing Invariant -Sections with translations requires special permission from their copyright -holders, but you may include translations of some or all Invariant Sections in -addition to the original versions of these Invariant Sections. You may include a -translation of this License provided that you also include the original English -version of this License. In case of a disagreement between the translation and -the original English version of this License, the original English version will +

Translation is considered a kind of modification, so you may distribute +translations of the Document under the terms of section 4. Replacing Invariant +Sections with translations requires special permission from their copyright +holders, but you may include translations of some or all Invariant Sections in +addition to the original versions of these Invariant Sections. You may include a +translation of this License provided that you also include the original English +version of this License. In case of a disagreement between the translation and +the original English version of this License, the original English version will prevail.

9. TERMINATION

-

You may not copy, modify, sublicense, or distribute the Document except as -expressly provided for under this License. Any other attempt to copy, modify, -sublicense or distribute the Document is void, and will automatically terminate -your rights under this License. However, parties who have received copies, or -rights, from you under this License will not have their licenses terminated so +

You may not copy, modify, sublicense, or distribute the Document except as +expressly provided for under this License. Any other attempt to copy, modify, +sublicense or distribute the Document is void, and will automatically terminate +your rights under this License. However, parties who have received copies, or +rights, from you under this License will not have their licenses terminated so long as such parties remain in full compliance.

10. FUTURE REVISIONS OF THIS LICENSE

-

The Free Software Foundation may publish new, revised versions of the GNU -Free Documentation License from time to time. Such new versions will be similar -in spirit to the present version, but may differ in detail to address new +

The Free Software Foundation may publish new, revised versions of the GNU +Free Documentation License from time to time. Such new versions will be similar +in spirit to the present version, but may differ in detail to address new problems or concerns. See http://www.gnu.org/copyleft/.

-

Each version of the License is given a distinguishing version number. If the -Document specifies that a particular numbered version of this License "or any -later version" applies to it, you have the option of following the terms and -conditions either of that specified version or of any later version that has -been published (not as a draft) by the Free Software Foundation. If the Document -does not specify a version number of this License, you may choose any version +

Each version of the License is given a distinguishing version number. If the +Document specifies that a particular numbered version of this License "or any +later version" applies to it, you have the option of following the terms and +conditions either of that specified version or of any later version that has +been published (not as a draft) by the Free Software Foundation. If the Document +does not specify a version number of this License, you may choose any version ever published (not as a draft) by the Free Software Foundation.

 

diff --git a/Shorewall-docs/IPIP.htm b/Shorewall-docs/IPIP.htm index b64f475fb..02e4bd63c 100644 --- a/Shorewall-docs/IPIP.htm +++ b/Shorewall-docs/IPIP.htm @@ -1,74 +1,74 @@ - + GRE/IPIP Tunnels - + - + - + - - +
+

GRE and IPIP Tunnels
- +

Warning: GRE and IPIP Tunnels are insecure when used over the internet; use them at your own risk

- +

GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded networks.

- +

The simple scripts described in the Linux Advanced Routing and Shaping HOWTO work fine with Shorewall. Shorewall also includes a tunnel script for automating tunnel configuration. If you have installed the RPM, the tunnel script may be found in the Shorewall documentation directory (usually /usr/share/doc/shorewall-<version>/).

- +

Bridging two Masqueraded Networks

- +

Suppose that we have the following situation:

- +

- +

We want systems in the 192.168.1.0/24 subnetwork to be able -to communicate with the systems in the 10.0.0.0/8 network. This is accomplished +to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file and the /etc/shorewall/tunnel script that is included with Shorewall.

- -

The 'tunnel' script is not installed in /etc/shorewall by -default -- If you install using the tarball, the script is included in the + +

The 'tunnel' script is not installed in /etc/shorewall by +default -- If you install using the tarball, the script is included in the tarball; if you install using the RPM, the file is in your Shorewall documentation directory (normally /usr/share/doc/shorewall-<version>).

- -

In the /etc/shorewall/tunnel script, set the 'tunnel_type' + +

In the /etc/shorewall/tunnel script, set the 'tunnel_type' parameter to the type of tunnel that you want to create.

- +

Example:

- -
+ +

tunnel_type=gre

- +

On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called 'vpn' and declare it in /etc/shorewall/zones on both systems as follows.

- -
+ +
@@ -81,15 +81,15 @@ it in /etc/shorewall/zones on both systems as follows.

- +
VPN Remote Subnet
- +

On system A, the 10.0.0.0/8 will comprise the vpn zone. In /etc/shorewall/interfaces:

- -
+ +
@@ -104,14 +104,14 @@ zone. In /etc/shorewall/interfaces:

- +
10.255.255.255  
- +

In /etc/shorewall/tunnels on system A, we need the following:

- -
+ +
@@ -126,17 +126,17 @@ zone. In /etc/shorewall/interfaces:

- +
134.28.54.2  
- +

This entry in /etc/shorewall/tunnels, opens the firewall so that the IP encapsulation protocol (4) will be accepted to/from the remote gateway.

- +

In the tunnel script on system A:

- -
+ +

tunnel=tosysb
myrealip=206.161.148.9 (for GRE tunnel only)
myip=192.168.1.1
@@ -144,11 +144,11 @@ zone. In /etc/shorewall/interfaces:

gateway=134.28.54.2
subnet=10.0.0.0/8

- -

Similarly, On system B the 192.168.1.0/24 subnet will comprise the vpn + +

Similarly, On system B the 192.168.1.0/24 subnet will comprise the vpn zone. In /etc/shorewall/interfaces:

- -
+ +
@@ -163,14 +163,14 @@ zone. In /etc/shorewall/interfaces:

- +
192.168.1.255  
- +

In /etc/shorewall/tunnels on system B, we have:

- -
+ +
@@ -185,14 +185,14 @@ zone. In /etc/shorewall/interfaces:

- +
206.191.148.9  
- +

And in the tunnel script on system B:

- -
+ +

tunnel=tosysa
myrealip=134.28.54.2 (for GRE tunnel only)
myip=10.0.0.1
@@ -200,15 +200,15 @@ zone. In /etc/shorewall/interfaces:

gateway=206.191.148.9
subnet=192.168.1.0/24

- +

You can rename the modified tunnel scripts if you like; be sure that they are secured so that root can execute them.

- +

You will need to allow traffic between the "vpn" zone and the "loc" zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:

- -
+ +
@@ -229,18 +229,18 @@ traffic in both directions, you can use the policy file:

- +
ACCEPT  
- +

On both systems, restart Shorewall and run the modified tunnel script with the "start" argument on each system. The systems in the two masqueraded subnetworks can now talk to each other

- +

Updated 2/22/2003 - Tom Eastep

- +

Copyright © 2001, 2002, 2003Thomas M. Eastep.


diff --git a/Shorewall-docs/IPSEC.htm b/Shorewall-docs/IPSEC.htm index 98e7d4852..99cbf4add 100644 --- a/Shorewall-docs/IPSEC.htm +++ b/Shorewall-docs/IPSEC.htm @@ -1,77 +1,77 @@ - + Shorewall IPSec Tunneling - + - + - + - - - + +
+

IPSEC Tunnels
- +

Configuring FreeS/Wan

There is an excellent guide to configuring IPSEC tunnels at http://jixen.tripod.com . I highly recommend -that you consult that site for information about confuring FreeS/Wan.  -

Warning: Do not use Proxy ARP and -FreeS/Wan on the same system unless you are prepared to suffer the consequences. -If you start or restart Shorewall with an IPSEC tunnel active, the proxied -IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) -rather than to the interface that you specify in the INTERFACE column of +that you consult that site for information about confuring FreeS/Wan.  +

Warning: Do not use Proxy ARP and +FreeS/Wan on the same system unless you are prepared to suffer the consequences. +If you start or restart Shorewall with an IPSEC tunnel active, the proxied +IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX) +rather than to the interface that you specify in the INTERFACE column of /etc/shorewall/proxyarp. I haven't had the time to debug this problem so I can't say if it is a bug in the Kernel or in FreeS/Wan. 

- -

You might be able to work around this problem using the following + +

You might be able to work around this problem using the following (I haven't tried it):

- +

In /etc/shorewall/init, include:

- +

     qt service ipsec stop

- +

In /etc/shorewall/start, include:

- +

    qt service ipsec start

- +

IPSec Gateway on the Firewall System

- +

Suppose that we have the following sutuation:

- +

- -

We want systems in the 192.168.1.0/24 sub-network to be able + +

We want systems in the 192.168.1.0/24 sub-network to be able to communicate with systems in the 10.0.0.0/8 network.

- +

To make this work, we need to do two things:

- -

a) Open the firewall so that the IPSEC tunnel can be established + +

a) Open the firewall so that the IPSEC tunnel can be established (allow the ESP and AH protocols and UDP Port 500).

- +

b) Allow traffic through the tunnel.

- -

Opening the firewall for the IPSEC tunnel is accomplished + +

Opening the firewall for the IPSEC tunnel is accomplished by adding an entry to the /etc/shorewall/tunnels file.

- +

In /etc/shorewall/tunnels on system A, we need the following 

- -
+ +
@@ -86,14 +86,14 @@ by adding an entry to the /etc/shorewall/tunnels file.

- - + +
134.28.54.2  
- +

In /etc/shorewall/tunnels on system B, we would have:

- -
+ +
@@ -108,21 +108,21 @@ by adding an entry to the /etc/shorewall/tunnels file.

- - + +
206.161.148.9  
- +

Note: If either of the endpoints is behind a NAT gateway then the tunnels file entry on the other endpoint should specify a tunnel type of ipsecnat rather than ipsec and the GATEWAY address should specify the external address of the NAT gateway.

-

You need to define a zone for the remote subnet or include - it in your local zone. In this example, we'll assume that you have created +

You need to define a zone for the remote subnet or include + it in your local zone. In this example, we'll assume that you have created a zone called "vpn" to represent the remote subnet.

- -
+ +
@@ -135,15 +135,15 @@ a zone called "vpn" to represent the remote subnet.

- - + +
VPN Remote Subnet
- -

At both systems, ipsec0 would be included in /etc/shorewall/interfaces + +

At both systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn" interface:

- -
+ +
@@ -158,16 +158,16 @@ as a "vpn" interface:

- - + +
   
- -

You will need to allow traffic between the "vpn" zone and - the "loc" zone -- if you simply want to admit all traffic in both + +

You will need to allow traffic between the "vpn" zone and + the "loc" zone -- if you simply want to admit all traffic in both directions, you can use the policy file:

- -
+ +
@@ -188,31 +188,31 @@ as a "vpn" interface:

- - + +
ACCEPT  
- +

Once you have these entries in place, restart Shorewall (type shorewall restart); you are now ready to configure the tunnel in FreeS/WAN .

- -

Mobile System (Road + +

Mobile System (Road Warrior)

- +

Suppose that you have a laptop system (B) that you take with you when you travel and you want to be able to establish a secure connection back to your local network.

- +

- -

You need to define a zone for the laptop or include it in - your local zone. In this example, we'll assume that you have created + +

You need to define a zone for the laptop or include it in + your local zone. In this example, we'll assume that you have created a zone called "vpn" to represent the remote host.

- -
+ +
@@ -225,16 +225,16 @@ a zone called "vpn" to represent the remote host.

- - + +
VPN Remote Subnet
- -

In this instance, the mobile system (B) has IP address 134.28.54.2 -but that cannot be determined in advance. In the /etc/shorewall/tunnels file + +

In this instance, the mobile system (B) has IP address 134.28.54.2 +but that cannot be determined in advance. In the /etc/shorewall/tunnels file on system A, the following entry should be made:

- -
+ +
@@ -249,26 +249,26 @@ on system A, the following entry should be made:

- - + +
0.0.0.0/0 vpn
- -

Note that the GATEWAY ZONE column contains the name of the zone corresponding -to peer subnetworks. This indicates that the gateway system itself comprises + +

Note that the GATEWAY ZONE column contains the name of the zone corresponding +to peer subnetworks. This indicates that the gateway system itself comprises the peer subnetwork; in other words, the remote gateway is a standalone system.

- -

You will need to configure /etc/shorewall/interfaces and establish + +

You will need to configure /etc/shorewall/interfaces and establish your "through the tunnel" policy as shown under the first example above.

- +

Dynamic RoadWarrior Zones

- Beginning with Shorewall release 1.3.10, you can define multiple VPN zones -and add and delete remote endpoints dynamically using /sbin/shorewall. In + Beginning with Shorewall release 1.3.10, you can define multiple VPN zones +and add and delete remote endpoints dynamically using /sbin/shorewall. In /etc/shorewall/zones:

- -
+ +
@@ -303,14 +303,14 @@ and add and delete remote endpoints dynamically using /sbin/shorewall. In - - + +
Third VPN Zone

In /etc/shorewall/tunnels:
- -
+ +
@@ -334,32 +334,32 @@ and add and delete remote endpoints dynamically using /sbin/shorewall. In - - + +
vpn1,vpn2,vpn3

- When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall -will issue warnings to that effect. These warnings may be safely ignored. -FreeS/Wan may now be configured to have three different Road Warrior connections -with the choice of connection being based on X-509 certificates or some other + When Shorewall is started, the zones vpn[1-3] will all be empty and Shorewall +will issue warnings to that effect. These warnings may be safely ignored. +FreeS/Wan may now be configured to have three different Road Warrior connections +with the choice of connection being based on X-509 certificates or some other means. Each of these connectioins will utilize a different updown script that adds the remote station to the appropriate zone when the connection comes up and that deletes the remote station when the connection comes down. For example, when 134.28.54.2 connects for the vpn2 zone the 'up' part of the script will issue the command":

- +
/sbin/shorewall add ipsec0:134.28.54.2 vpn2
and the 'down' part will:
- +
/sbin/shorewall delete ipsec0:134.28.54.2 vpn
- -

Last updated 10/23/2002 - + +

Last updated 10/23/2002 - Tom Eastep

- -

+ +

Copyright © 2001, 2002 Thomas M. Eastep.



diff --git a/Shorewall-docs/Install.htm b/Shorewall-docs/Install.htm index 073c631de..59234757b 100644 --- a/Shorewall-docs/Install.htm +++ b/Shorewall-docs/Install.htm @@ -1,34 +1,34 @@ - + Shorewall Installation - + - + - + - - - + +
-

Shorewall Installation and +

+

Shorewall Installation and Upgrade
- +

Before upgrading, be sure to review the Upgrade Issues

- +

Install using RPM
Install using tarball
Install the .lrp
@@ -37,16 +37,16 @@ Upgrade the .lrp
Configuring Shorewall
Uninstall/Fallback

- +

To install Shorewall using the RPM:

- -

If you have RedHat 7.2 and are running iptables version 1.2.3 (at a - shell prompt, type "/sbin/iptables --version"), you must upgrade to version + +

If you have RedHat 7.2 and are running iptables version 1.2.3 (at a + shell prompt, type "/sbin/iptables --version"), you must upgrade to version 1.2.4 either from the RedHat update - site or from the Shorewall Errata page before + href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update + site or from the Shorewall Errata page before attempting to start Shorewall.

- +
  • Install the RPM (rpm -ivh <shorewall rpm>).

    @@ -60,7 +60,7 @@ on the iproute package. Unfortunately, some distributions call this package iproute2 which will cause the installation of Shorewall to fail with the diagnostic:

    -     error: failed dependencies:iproute is needed by shorewall-1.4.0-1 +     error: failed dependencies:iproute is needed by shorewall-1.4.0-1

    This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps @@ -68,19 +68,19 @@ This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
  • Edit the configuration files to -match your configuration. WARNING - YOU CAN NOT - SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION - IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND - AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY +match your configuration. WARNING - YOU CAN NOT + SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION + IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND + AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.
  • Start the firewall by typing "shorewall start"
    • - +
- -

To install Shorewall using the tarball + +

To install Shorewall using the tarball and install script:

- +
  • unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
  • cd to the shorewall directory (the version is encoded in the @@ -94,43 +94,43 @@ NETWORK CONNECTIVITY.
    • href="http://www.debian.org">Debian then type "./install.sh"
  • If you are using SuSe then type "./install.sh /etc/init.d"
    • -
  • If your distribution has directory /etc/rc.d/init.d +
  • If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"
    • -
  • For other distributions, determine where your distribution - installs init scripts and type "./install.sh <init script +
  • For other distributions, determine where your distribution + installs init scripts and type "./install.sh <init script directory>
  • Edit the configuration files to match your configuration.
  • Start the firewall by typing "shorewall start"
    • -
  • If the install script was unable to configure Shorewall to be +
  • If the install script was unable to configure Shorewall to be started automatically at boot, see these instructions.
    • - +
- -

To install my version of Shorewall on a fresh Bering + +

To install my version of Shorewall on a fresh Bering disk, simply replace the "shorwall.lrp" file on the image with the file that - you downloaded. See the two-interface QuickStart + you downloaded. See the two-interface QuickStart Guide for information about further steps required.

- -

If you already have the Shorewall RPM installed + +

If you already have the Shorewall RPM installed and are upgrading to a new version:

- +

If you are upgrading from a 1.2 version of Shorewall to a 1.4 version -or and you have entries in the /etc/shorewall/hosts file then please check - your /etc/shorewall/interfaces file to be sure that it contains an entry - for each interface mentioned in the hosts file. Also, there are certain +or and you have entries in the /etc/shorewall/hosts file then please check + your /etc/shorewall/interfaces file to be sure that it contains an entry + for each interface mentioned in the hosts file. Also, there are certain 1.2 rule forms that are no longer supported under 1.4 (you must use the new 1.4 syntax). See the upgrade issues for details.

- +
  • Upgrade the RPM (rpm -Uvh <shorewall rpm file>) Note: If you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., - "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). - -

    Note1: Some SuSE users have encountered a problem whereby - rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel + "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). + +

    Note1: Some SuSE users have encountered a problem whereby + rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel is installed. If this happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps <shorewall rpm>).

    @@ -148,12 +148,12 @@ which will cause the upgrade of Shorewall to fail with the diagnostic:
    and the new Shorewall version (type "shorewall check") and correct as necessary.

  • Restart the firewall (shorewall restart).
    • - +
- +

If you already have Shorewall installed and are upgrading to a new version using the tarball:

- +

If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and you have entries in the /etc/shorewall/hosts file then please check your /etc/shorewall/interfaces file to be sure that it contains an entry for @@ -161,7 +161,7 @@ each interface mentioned in the hosts file. rule forms that are no longer supported under 1.4 (you must use the new 1.4 syntax). See the upgrade issues for details.

- +
  • unpack the tarball (tar -zxf shorewall-x.y.z.tgz).
  • cd to the shorewall directory (the version is encoded in the @@ -175,35 +175,35 @@ details.

    href="http://www.debian.org">Debian then type "./install.sh"
  • If you are using SuSe then type "./install.sh /etc/init.d"
    • -
  • If your distribution has directory /etc/rc.d/init.d +
  • If your distribution has directory /etc/rc.d/init.d or /etc/init.d then type "./install.sh"
    • -
  • For other distributions, determine where your distribution - installs init scripts and type "./install.sh <init script +
  • For other distributions, determine where your distribution + installs init scripts and type "./install.sh <init script directory>
  • See if there are any incompatibilities between your configuration and the new Shorewall version (type "shorewall check") and correct as necessary.
  • Restart the firewall by typing "shorewall restart"
    • - +
If you already have a running Bering installation and wish to upgrade to a later version of Shorewall:

    UNDER CONSTRUCTION...
- +

Configuring Shorewall

- -

You will need to edit some or all of the configuration files to match + +

You will need to edit some or all of the configuration files to match your setup. In most cases, the Shorewall QuickStart Guides contain all of the information you need.

- +
    - +
- -

Updated 3/18/2003 - Tom Eastep + +

Updated 3/18/2003 - Tom Eastep

- +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.


diff --git a/Shorewall-docs/MAC_Validation.html b/Shorewall-docs/MAC_Validation.html index f0ea5b7b7..60db899b2 100644 --- a/Shorewall-docs/MAC_Validation.html +++ b/Shorewall-docs/MAC_Validation.html @@ -2,28 +2,28 @@ MAC Verification - + - + - + - - - + +
- + +

MAC Verification

All traffic from an interface or from a subnet on an interface @@ -35,18 +35,18 @@ each MAC address may be optionally associated with one or more IP addresses. - module name ipt_mac.o).

There are four components to this facility.
- +
  1. The maclist interface option in /etc/shorewall/interfaces. When this option is specified, all traffic arriving on the interface is subjet to MAC verification.
  2. The maclist option in /etc/shorewall/hosts. When this option - is specified for a subnet, all traffic from that subnet is subject to MAC + href="Documentation.htm#Hosts">/etc/shorewall/hosts. When this option + is specified for a subnet, all traffic from that subnet is subject to MAC verification.
    3. -
  3. The /etc/shorewall/maclist file. This file is used to associate - MAC addresses with interfaces and to optionally associate IP addresses +
  4. The /etc/shorewall/maclist file. This file is used to associate + MAC addresses with interfaces and to optionally associate IP addresses with MAC addresses.
  5. The MACLIST_DISPOSITION and MACLIST_LOG_LEVEL variables in /etc/shorewall/shorewall.conf. @@ -57,52 +57,52 @@ and determines the disposition of connection requests that fail MAC verificat value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.
    6. - +
The columns in /etc/shorewall/maclist are:
- +
  • INTERFACE - The name of an ethernet interface on the Shorewall system.
  • MAC - The MAC address of a device on the ethernet segment connected by INTERFACE. It is not necessary to use the Shorewall MAC format in this column although you may use that format if you so choose.
    • -
  • IP Address - An optional comma-separated list of IP addresses +
  • IP Address - An optional comma-separated list of IP addresses for the device whose MAC is listed in the MAC column.
    • - +
- +

Example 1: Here are my files:

/etc/shorewall/shorewall.conf:
- + 
     MACLIST_DISPOSITION=REJECT
     MACLIST_LOG_LEVEL=info
/etc/shorewall/interfaces:
- + 
     #ZONE           INTERFACE       BROADCAST       OPTIONS
     net             eth0            206.124.146.255 norfc1918,dhcp,blacklist
     loc             eth2            192.168.1.255   dhcp,maclist
     dmz             eth1            192.168.2.255
     net             eth3            206.124.146.255 blacklist
     -               texas           192.168.9.255
     loc             ppp+
/etc/shorewall/maclist:
- + 
     #INTERFACE              MAC                     IP ADDRESSES (Optional)
     eth2                    00:A0:CC:63:66:89       192.168.1.3      #Wookie
     eth2                    00:10:B5:EC:FD:0B       192.168.1.4      #Tarry
     eth2                    00:A0:CC:DB:31:C4       192.168.1.5      #Ursa
     eth2                    00:A0:CC:DB:31:C4       192.168.1.128/26 #PPTP Clients to server on Ursa
     eth2                    00:06:25:aa:a8:0f       192.168.1.7      #Eastept1 (Wireless)
     eth2                    00:04:5A:0E:85:B9       192.168.1.250    #Wap
As shown above, I use MAC Verification on my local zone.
- +

Example 2: Router in Local Zone

- Suppose now that I add a second ethernet segment to my local zone -and gateway that segment via a router with MAC address 00:06:43:45:C6:15 -and IP address 192.168.1.253. Hosts in the second segment have IP addresses + Suppose now that I add a second ethernet segment to my local zone +and gateway that segment via a router with MAC address 00:06:43:45:C6:15 +and IP address 192.168.1.253. Hosts in the second segment have IP addresses in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist file:
- + 
     eth2                     00:06:43:45:C6:15       192.168.1.253,192.168.2.0/24
- This entry accomodates traffic from the router itself (192.168.1.253) + This entry accomodates traffic from the router itself (192.168.1.253) and from the second LAN segment (192.168.2.0/24). Remember that all traffic being sent to my firewall from the 192.168.2.0/24 segment will be forwarded by the router so that traffic's MAC address will be that of the router -(00:06:43:45:C6:15) and not that of the host sending the traffic. - -

Updated 2/21/2002 - Tom Eastep +(00:06:43:45:C6:15) and not that of the host sending the traffic. + +

Updated 2/21/2002 - Tom Eastep

- - - + + +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.

diff --git a/Shorewall-docs/NAT.htm b/Shorewall-docs/NAT.htm index 4a8c9a130..b45526c6e 100644 --- a/Shorewall-docs/NAT.htm +++ b/Shorewall-docs/NAT.htm @@ -1,57 +1,57 @@ - + Shorewall NAT - + - + - -
+ +
- - +
+

Static NAT
- +

IMPORTANT: If all you want to do is forward ports to servers behind your firewall, you do NOT want to use static -NAT. Port forwarding can be accomplished with simple entries in the +NAT. Port forwarding can be accomplished with simple entries in the rules file.

- +

Static NAT is a way to make systems behind a firewall and configured with private IP addresses (those reserved for private use in RFC1918) appear to have public IP addresses. Before you try to use this technique, I strongly recommend that you read the Shorewall Setup Guide.

- +

The following figure represents a static NAT environment.

- +

- +
- -

Static NAT can be used to make the systems with the + +

Static NAT can be used to make the systems with the 10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If -we assume that the interface to the upper subnet is eth0, then the following +we assume that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT file would make the lower left-hand system appear -to have IP address 130.252.100.18 and the right-hand one to have IP address +to have IP address 130.252.100.18 and the right-hand one to have IP address 130.252.100.19.

- + @@ -75,27 +75,27 @@ to have IP address 130.252.100.18 and the right-hand one to have IP address - +
yes yes
- -

Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above - example) is (are) not included in any specification in /etc/shorewall/masq + +

Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above + example) is (are) not included in any specification in /etc/shorewall/masq or /etc/shorewall/proxyarp.

- -

Note 1: The "ALL INTERFACES" column -is used to specify whether access to the external IP from all firewall - interfaces should undergo NAT (Yes or yes) or if only access from the - interface in the INTERFACE column should undergo NAT. If you leave this + +

Note 1: The "ALL INTERFACES" column +is used to specify whether access to the external IP from all firewall + interfaces should undergo NAT (Yes or yes) or if only access from the + interface in the INTERFACE column should undergo NAT. If you leave this column empty, "Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.

- -

Note 2: Shorewall will automatically add the external address to the + +

Note 2: Shorewall will automatically add the external address to the specified interface unless you specify ADD_IP_ALIASES="no" (or "No") in /etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).

- +

Note 3: The contents of the "LOCAL" column determine whether packets originating on the firewall itself and destined for the EXTERNAL address are redirected to the internal ADDRESS. If this @@ -103,9 +103,9 @@ column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains "Yes" or "yes") then such packets are redirected; otherwise, such packets are not redirected. The LOCAL column was added in version 1.1.8.

- +
- +

Last updated 1/11/2003 - Tom Eastep

Copyright © - - - + + + Shorewall News - - - - - - + + + + + + - - - + + + - - + + - - - - + + + +
- - - - - + width="100%"> + + + + +

Shorewall News Archive
- - + +

3/24/2003 - Shorewall 1.4.1

- - - - - - - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + + + + +

This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0 and removes additional warts.

Problems Corrected:

- +
    -
  1. When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), +
  2. When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file is empty. That problem has been corrected so that ECN disabling rules are only added if there are entries in /etc/shorewall/ecn.
New Features:
- +
Note: In the list that follows, the term group refers to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a host address) accessed through a particular interface. Examples:
- +
eth0:0.0.0.0/0
eth2:192.168.1.0/24
eth3:192.0.2.123
@@ -90,7 +90,7 @@ host address) accessed through a particular interface. Examples:
You can use the "shorewall check" command to see the groups associated with each of your zones.
- +
  1. Beginning with Shorewall 1.4.1, if a zone Z comprises more than one group then if there is no explicit Z to Z policy and there are no @@ -101,7 +101,7 @@ handle traffic from a group to itself.
  2. A NONE policy is introduced in 1.4.1. When a policy of NONE is specified from Z1 to Z2:
- +
  • There may be no rules created that govern connections from Z1 to Z2.
  • Shorewall will not create any infrastructure to handle traffic from @@ -115,17 +115,17 @@ of how these changes may affect your configuration. release is simply to remove the cruft that has accumulated in Shorewall over time.

    - IMPORTANT: Shorewall 1.4.0 requires the iproute package + IMPORTANT: Shorewall 1.4.0 requires the iproute package ('ip' utility).

    Function from 1.3 that has been omitted from this version include:
    - +
      -
    1. The MERGE_HOSTS variable in shorewall.conf is no longer +
    2. The MERGE_HOSTS variable in shorewall.conf is no longer supported. Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.

      3. -
    3. Interface names of the form <device>:<integer> +
    4. Interface names of the form <device>:<integer> in /etc/shorewall/interfaces now generate an error.

      5. @@ -134,12 +134,12 @@ in /etc/shorewall/interfaces now generate an error.
      of the 'noping' or 'filterping' interface options.

      -
    5. The 'routestopped' option in the /etc/shorewall/interfaces -and /etc/shorewall/hosts files is no longer supported and will generate +
    6. The 'routestopped' option in the /etc/shorewall/interfaces +and /etc/shorewall/hosts files is no longer supported and will generate an error at startup if specified.

      7. -
    7. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no +
    8. The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer accepted.

      9. @@ -149,12 +149,12 @@ longer accepted.
    9. The icmp.def file has been removed.
      10. - +
    Changes for 1.4 include:
    - +
      -
    1. The /etc/shorewall/shorewall.conf file has been completely +
    2. The /etc/shorewall/shorewall.conf file has been completely reorganized into logical sections.

      3. @@ -169,21 +169,21 @@ reorganized into logical sections.
      common chain by default.

      -
    3. In addition to behaving like OLD_PING_HANDLING=No, Shorewall - 1.4 no longer unconditionally accepts outbound ICMP packets. So if you - want to 'ping' from the firewall, you will need the appropriate rule or +
    4. In addition to behaving like OLD_PING_HANDLING=No, Shorewall + 1.4 no longer unconditionally accepts outbound ICMP packets. So if you + want to 'ping' from the firewall, you will need the appropriate rule or policy.

    5. CONTINUE is now a valid action for a rule (/etc/shorewall/rules).

      6. -
    6. 802.11b devices with names of the form wlan<n> now support +
    7. 802.11b devices with names of the form wlan<n> now support the 'maclist' option.

      8. -
    8. Explicit Congestion Notification (ECN - RFC 3168) may now be turned - off on a host or network basis using the new /etc/shorewall/ecn file. To +
    9. Explicit Congestion Notification (ECN - RFC 3168) may now be turned + off on a host or network basis using the new /etc/shorewall/ecn file. To use this facility:

         a) You must be running kernel 2.4.20
      @@ -192,52 +192,52 @@ use this facility:
         c) You must have iptables 1.2.7a installed.

      10. -
    10. The /etc/shorewall/params file is now processed first so that variables +
    11. The /etc/shorewall/params file is now processed first so that variables may be used in the /etc/shorewall/shorewall.conf file.

    12. Shorewall now gives a more helpful diagnostic when the - 'ipchains' compatibility kernel module is loaded and a 'shorewall start' + 'ipchains' compatibility kernel module is loaded and a 'shorewall start' command is issued.

    13. The SHARED_DIR variable has been removed from shorewall.conf. This - variable was for use by package maintainers and was not documented for + variable was for use by package maintainers and was not documented for general use.

    14. Shorewall now ignores 'default' routes when detecting masq'd networks.
      15. - +
    - +

    3/10/2003 - Shoreall 1.3.14a

    - +

    A roleup of the following bug fixes and other updates:

    - +
      -
    • There is an updated rfc1918 file that reflects the resent allocation +
    • There is an updated rfc1918 file that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.
      • - +
    - +
      -
    • The documentation for the routestopped file claimed that a comma-separated +
    • The documentation for the routestopped file claimed that a comma-separated list could appear in the second column while the code only supported a single host or network address.
      • -
    • Log messages produced by 'logunclean' and 'dropunclean' were not +
    • Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.
    • 802.11b devices with names of the form wlan<n> don't support the 'maclist' interface option.
    • Log messages generated by RFC 1918 filtering are not rate limited.
    • The firewall fails to start in the case where you have "eth0 eth1" in /etc/shorewall/masq and the default route is through eth1
      • - +
    - +

    2/8/2003 - Shoreawall 1.3.14

    - +

    New features include

    - +
    1. An OLD_PING_HANDLING option has been added to shorewall.conf. When set to Yes, Shorewall ping handling is as it has always been @@ -249,9 +249,9 @@ FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterpi options in /etc/shorewall/interfaces will all generate an error.

      2. -
    2. It is now possible to direct Shorewall to create a "label" - such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes - and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead +
    3. It is now possible to direct Shorewall to create a "label" + such as  "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes + and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead of just the interface name:
       
         a) In the INTERFACE column of /etc/shorewall/masq
      @@ -272,9 +272,9 @@ will be determined by the setting of the MARK_IN_FORWARD_CHAIN option in       shorewall.conf.

      4. -
    4. When an interface name is entered in the SUBNET column -of the /etc/shorewall/masq file, Shorewall previously masqueraded -traffic from only the first subnet defined on that interface. It did +
    5. When an interface name is entered in the SUBNET column +of the /etc/shorewall/masq file, Shorewall previously masqueraded +traffic from only the first subnet defined on that interface. It did not masquerade traffic from:
       
         a) The subnets associated with other addresses on the @@ -287,14 +287,14 @@ not masquerade traffic from:
       
      Example 1 -- This is how it works in 1.3.14.
        
      - - + + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - + + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
      - - + + 
         [root@gateway test]# shorewall start
         ...
         Masqueraded Subnets and Hosts:
             To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
             To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
         Processing /etc/shorewall/tos...
       
      When upgrading to Shorewall 1.3.14, if you have multiple @@ -308,59 +308,59 @@ don't wish to masquerade.
       
      Example 2 -- Suppose that your current config is as follows:
        
      - - + + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         eth0                    192.168.10.0/24         206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - + + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
       
         In this case, the second entry in /etc/shorewall/masq is no longer required.
       
      - Example 3 -- What if your current configuration is like + Example 3 -- What if your current configuration is like this?
       
      - - + + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - + + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
       
      -    In this case, you would want to change the entry in  +    In this case, you would want to change the entry in  /etc/shorewall/masq to:
      - - + + 
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    192.168.1.0/24          206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      6. - +
    - +


    2/5/2003 - Shorewall Support included in Webmin 1.060

    - +

    Webmin version 1.060 now has Shorewall support included as standard. See http://www.webmin.com.

    2/4/2003 - Shorewall 1.3.14-RC1

    - +

    Includes the Beta 2 content plus support for OpenVPN tunnels.

    - +

    1/28/2003 - Shorewall 1.3.14-Beta2

    - -

    Includes the Beta 1 content plus restores VLAN device names of the form + +

    Includes the Beta 1 content plus restores VLAN device names of the form $dev.$vid (e.g., eth0.1)

    - +

    1/25/2003 - Shorewall 1.3.14-Beta1

    - +

    The Beta includes the following changes:

    - +
      -
    1. An OLD_PING_HANDLING option has been added to shorewall.conf. - When set to Yes, Shorewall ping handling is as it has always been +
    2. An OLD_PING_HANDLING option has been added to shorewall.conf. + When set to Yes, Shorewall ping handling is as it has always been (see http://www.shorewall.net/ping.html).

      When OLD_PING_HANDLING=No, icmp echo (ping) is handled @@ -392,14 +392,14 @@ not masquerade traffic from:
       
      Example 1 -- This is how it works in 1.3.14.
        
      - - + + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - + + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
      - - + + 
         [root@gateway test]# shorewall start
         ...
         Masqueraded Subnets and Hosts:
             To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
             To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
         Processing /etc/shorewall/tos...
       
      When upgrading to Shorewall 1.3.14, if you have multiple @@ -413,38 +413,38 @@ don't wish to masquerade.
       
      Example 2 -- Suppose that your current config is as follows:
        
      - - + + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         eth0                    192.168.10.0/24         206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - + + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
       
         In this case, the second entry in /etc/shorewall/masq is no longer required.
       
      - Example 3 -- What if your current configuration is like + Example 3 -- What if your current configuration is like this?
       
      - - + + 
         [root@gateway test]# cat /etc/shorewall/masq
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    eth2                    206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      - - + + 
         [root@gateway test]# ip route show dev eth2
         192.168.1.0/24  scope link
         192.168.10.0/24  proto kernel  scope link  src 192.168.10.254
         [root@gateway test]#
       
      -    In this case, you would want to change the entry in  +    In this case, you would want to change the entry in  /etc/shorewall/masq to:
      - - + + 
         #INTERFACE              SUBNET                  ADDRESS
         eth0                    192.168.1.0/24          206.124.146.176
         #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
      3. - +
    - +

    1/18/2003 - Shorewall 1.3.13 Documentation in PDF Format

    - - + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.13 documenation. the PDF may be downloaded from

        target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
        http://slovakia.shorewall.net/pub/shorewall/pdf/ - +

    1/17/2003 - shorewall.net has MOVED 

    - +

    Thanks to the generosity of Alex Martin and Rett Consulting, www.shorewall.net and ftp.shorewall.net are now hosted on a system in Bellevue, Washington. A big thanks to Alex for making this happen.

    - +

    1/13/2003 - Shorewall 1.3.13

    - +

    Just includes a few things that I had on the burner:

    - +
      -
    1. A new 'DNAT-' action has been added for entries - in the /etc/shorewall/rules file. DNAT- is intended for advanced +
    2. A new 'DNAT-' action has been added for entries + in the /etc/shorewall/rules file. DNAT- is intended for advanced users who wish to minimize the number of rules that connection requests must traverse.

      - A Shorewall DNAT rule actually generates two iptables + A Shorewall DNAT rule actually generates two iptables rules: a header rewriting rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT- rule only generates the first of these rules. This is handy when you have several DNAT rules that would @@ -487,7 +487,7 @@ generate the same ACCEPT rule.
      206.124.146.179
              ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,...

      -    These three rules ended up generating _three_ copies +    These three rules ended up generating _three_ copies of

               ACCEPT net  dmz:206.124.146.177 tcp smtp
      @@ -495,9 +495,9 @@ generate the same ACCEPT rule.
         By writing the rules this way, I end up with only one copy of the ACCEPT rule.

      -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.178
      -         DNAT-  net  dmz:206.124.146.177 tcp smtp -  +         DNAT-  net  dmz:206.124.146.177 tcp smtp -  206.124.146.179
              ACCEPT net  dmz:206.124.146.177 tcp www,smtp,ftp,....

      @@ -506,8 +506,8 @@ generate the same ACCEPT rule.
      the applicable policy between each pair of zones.

      3. -
    3. A new CLEAR_TC option has been added to shorewall.conf. - If this option is set to 'No' then Shorewall won't clear the current +
    4. A new CLEAR_TC option has been added to shorewall.conf. + If this option is set to 'No' then Shorewall won't clear the current traffic control rules during [re]start. This setting is intended for use by people that prefer to configure traffic shaping when the network interfaces come up rather than when the firewall is started. If that @@ -517,42 +517,42 @@ the applicable policy between each pair of zones.
      in /etc/shorewall/tcrules.

      5. -
    5. A new SHARED_DIR variable has been added that -allows distribution packagers to easily move the shared directory +
    6. A new SHARED_DIR variable has been added that +allows distribution packagers to easily move the shared directory (default /usr/lib/shorewall). Users should never have a need to change the value of this shorewall.conf setting.
      7. - +
    - -

    1/6/2003 - BURNOUT + +

    1/6/2003 - BURNOUT

    - -

    Until further notice, I will not be involved in either Shorewall Development + +

    Until further notice, I will not be involved in either Shorewall Development or Shorewall Support

    - +

    -Tom Eastep

    - +

    12/30/2002 - Shorewall Documentation in PDF Format

    - - + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12 documenation. the PDF may be downloaded from

    - - + +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
        http://slovakia.shorewall.net/pub/shorewall/pdf/

    - - + +

    12/27/2002 - Shorewall 1.3.12 Released

    - +

    Features include:

    - +
    1. "shorewall refresh" now reloads the traffic shaping rules (tcrules and tcstart).
      2. @@ -562,24 +562,24 @@ failure near the end of the trace rather than up in the middle of it.
    2. "shorewall [re]start" has been speeded up by more than 40% with my configuration. Your milage may vary.
      3. -
    3. A "shorewall show classifiers" command has +
    4. A "shorewall show classifiers" command has been added which shows the current packet classification filters. The output from this command is also added as a separate page in "shorewall monitor"
      5. -
    5. ULOG (must be all caps) is now accepted as -a valid syslog level and causes the subject packets to be logged +
    6. ULOG (must be all caps) is now accepted as +a valid syslog level and causes the subject packets to be logged using the ULOG target rather than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) and log all Shorewall messages to a separate log file.
      7. -
    7. If you are running a kernel that has a FORWARD - chain in the mangle table ("shorewall show mangle" will show -you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes - in shorewall.conf. This allows -for marking input packets based on their destination even when +
    8. If you are running a kernel that has a FORWARD + chain in the mangle table ("shorewall show mangle" will show +you the chains in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes + in shorewall.conf. This allows +for marking input packets based on their destination even when you are using Masquerading or SNAT.
      9. -
    9. I have cluttered up the /etc/shorewall directory +
    10. I have cluttered up the /etc/shorewall directory with empty 'init', 'start', 'stop' and 'stopped' files. If you already have a file with one of these names, don't worry -- the upgrade process won't overwrite your file.
      11. @@ -589,27 +589,27 @@ upgrade process won't overwrite your file. of entries in the /etc/shorewall/rfc1918 file. Previously, these packets were always logged at the 'info' level.
      - +
    - +

    12/20/2002 - Shorewall 1.3.12 Beta 3

    This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would fail to start and "shorewall refresh" would also fail.
    - +

    12/20/2002 - Shorewall 1.3.12 Beta 2

    - -

    The first public Beta version of Shorewall 1.3.12 is now available (Beta + +

    The first public Beta version of Shorewall 1.3.12 is now available (Beta 1 was made available only to a limited audience).

    Features include:
    - +
      -
    1. "shorewall refresh" now reloads the traffic +
    2. "shorewall refresh" now reloads the traffic shaping rules (tcrules and tcstart).
      3. -
    3. "shorewall debug [re]start" now turns +
    4. "shorewall debug [re]start" now turns off debugging after an error occurs. This places the point of the failure near the end of the trace rather than up in the middle of it.
      5. @@ -619,8 +619,8 @@ of it. has been added which shows the current packet classification filters. The output from this command is also added as a separate page in "shorewall monitor" -
    5. ULOG (must be all caps) is now accepted - as a valid syslog level and causes the subject packets to be +
    6. ULOG (must be all caps) is now accepted + as a valid syslog level and causes the subject packets to be logged using the ULOG target rather than the LOG target. This allows you to run ulogd (available from http://www.gnumonks.org/projects/ulogd) @@ -635,59 +635,59 @@ will show you the chains in the mangle table), you can set MARK_IN_F directory with empty 'init', 'start', 'stop' and 'stopped' files. If you already have a file with one of these names, don't worry -- the upgrade process won't overwrite your file.
      7. - +
    You may download the Beta from:
    - +
    http://www.shorewall.net/pub/shorewall/Beta
    ftp://ftp.shorewall.net/pub/shorewall/Beta
    - +

    12/12/2002 - Mandrake Multi Network Firewall Powered by Mandrake Linux

    - Shorewall is at the center of MandrakeSoft's + Shorewall is at the center of MandrakeSoft's recently-announced Multi + href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi Network Firewall (MNF) product. Here is the press release.
    - +

    12/7/2002 - Shorewall Support for Mandrake 9.0

    - +

    Two months and 3 days after I ordered Mandrake 9.0, it was finally delivered. I have installed 9.0 on one of my systems and I am now in a position to support Shorewall users who run Mandrake 9.0.

    - +

    12/6/2002 - Debian 1.3.11a Packages Available

    - - + +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - - + +

    12/3/2002 - Shorewall 1.3.11a

    - +

    This is a bug-fix roll up which includes Roger Aich's fix for DNAT with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users who don't need rules of this type need not upgrade to 1.3.11.

    - +

    11/24/2002 - Shorewall 1.3.11

    - +

    In this version:

    - +
      -
    • A 'tcpflags' option has been added - to entries in /etc/shorewall/interfaces. - This option causes Shorewall to make a set of sanity check on TCP +
    • A 'tcpflags' option has been added + to entries in /etc/shorewall/interfaces. + This option causes Shorewall to make a set of sanity check on TCP packet header flags.
      • -
    • It is now allowed to use 'all' +
    • It is now allowed to use 'all' in the SOURCE or DEST column in a rule. When used, 'all' must + href="Documentation.htm#Rules">rule. When used, 'all' must appear by itself (in may not be qualified) and it does not enable intra-zone traffic. For example, the rule

      @@ -701,49 +701,49 @@ dash.
    • fw->fw policies now generate a startup error. fw->fw rules generate a warning and are ignored
      • - +
    - +

    11/14/2002 - Shorewall Documentation in PDF Format

    - - + +

    Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10 documenation. the PDF may be downloaded from

    - - + +

        ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
        http://slovakia.shorewall.net/pub/shorewall/pdf/

    - - -

    11/09/2002 - Shorewall is Back at SourceForge + + +

    11/09/2002 - Shorewall is Back at SourceForge

    - - + +

    The main Shorewall 1.3 web site is now back at SourceForge at http://shorewall.sf.net.

    - - + +

    11/09/2002 - Shorewall 1.3.10

    - - + +

    In this version:

    - - + +
    • You may now define the contents of a zone dynamically - with the "shorewall + with the "shorewall add" and "shorewall delete" commands. These commands are expected to be used primarily within FreeS/Wan updown scripts.
    • Shorewall can now do MAC verification on ethernet segments. You can specify the set of allowed MAC addresses on the -segment and you can optionally tie each MAC address to one or more +segment and you can optionally tie each MAC address to one or more IP addresses.
    • PPTP Servers and Clients running on the firewall system may now be defined in the href="IPSEC.htm">remote IPSEC endpoint is behind a NAT gateway.
    • The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
      • -
    • The main firewall script is -now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall - is very small and uses /sbin/shorewall to do the real work. - This change makes custom distributions such as for Debian and - for Gentoo easier to manage since it is /etc/init.d/shorewall +
    • The main firewall script is +now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall + is very small and uses /sbin/shorewall to do the real work. + This change makes custom distributions such as for Debian and + for Gentoo easier to manage since it is /etc/init.d/shorewall that tends to have distribution-dependent code
      • - - + +
    - - + +

    10/24/2002 - Shorewall is now in Gentoo Linux

    - Alexandru Hartmann reports that + Alexandru Hartmann reports that his Shorewall package is now a part of the Gentoo Linux distribution. + href="http://www.gentoo.org">the Gentoo Linux distribution. Thanks Alex!
    - - + +

    10/23/2002 - Shorewall 1.3.10 Beta 1

    In this version:
    - - + +
    • You may now define the contents of a zone dynamically - with the "shorewall add" - and "shorewall delete" commands. These commands are + href="IPSEC.htm#Dynamic">define the contents of a zone dynamically + with the "shorewall add" + and "shorewall delete" commands. These commands are expected to be used primarily within FreeS/Wan updown + href="http://www.xs4all.nl/%7Efreeswan/">FreeS/Wan updown scripts.
    • Shorewall can now do MAC verification on ethernet segments. - You can specify the set of allowed MAC addresses on the - segment and you can optionally tie each MAC address to one or + href="MAC_Validation.html"> MAC verification on ethernet segments. + You can specify the set of allowed MAC addresses on the + segment and you can optionally tie each MAC address to one or more IP addresses.
      • -
    • PPTP Servers and Clients running +
    • PPTP Servers and Clients running on the firewall system may now be defined in the /etc/shorewall/tunnels file.
      • -
    • A new 'ipsecnat' tunnel type +
    • A new 'ipsecnat' tunnel type is supported for use when the remote IPSEC endpoint is behind a NAT gateway.
      • -
    • The PATH used by Shorewall +
    • The PATH used by Shorewall may now be specified in /etc/shorewall/shorewall.conf.
    • The main firewall script is now /usr/lib/shorewall/firewall. The script in /etc/init.d/shorewall is very small and uses /sbin/shorewall to do the real work. - This change makes custom distributions such as for Debian - and for Gentoo easier to manage since it is /etc/init.d/shorewall + This change makes custom distributions such as for Debian + and for Gentoo easier to manage since it is /etc/init.d/shorewall that tends to have distribution-dependent code.
      • - - + +
    You may download the Beta from:
    - - + + - - + +

    10/10/2002 -  Debian 1.3.9b Packages Available

    - - + +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - - + +

    10/9/2002 - Shorewall 1.3.9b

    - This release rolls up fixes to + This release rolls up fixes to the installer and to the firewall script.
    - - + +

    10/6/2002 - Shorewall.net now running on RH8.0

    - The firewall and server here + The firewall and server here at shorewall.net are now running RedHat release 8.0.

    9/30/2002 - Shorewall 1.3.9a

    Roles up the fix for broken tunnels.
    - - + +

    9/30/2002 - TUNNELS Broken in 1.3.9!!!

    - There is an updated firewall + There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall -- copy that file to /usr/lib/shorewall/firewall.
    - - + +

    9/28/2002 - Shorewall 1.3.9

    - - + +

    In this version:

    - - + +
    • DNS Names are -now allowed in Shorewall config files (although I recommend against + href="configuration_file_basics.htm#dnsnames">DNS Names are +now allowed in Shorewall config files (although I recommend against using them).
      • -
    • The connection SOURCE - may now be qualified by both interface and IP address +
    • The connection SOURCE + may now be qualified by both interface and IP address in a Shorewall rule.
      • -
    • Shorewall startup +
    • Shorewall startup is now disabled after initial installation until the file /etc/shorewall/startup_disabled is removed. This avoids nasty surprises during reboot for users who install Shorewall but don't configure it.
    • The 'functions' and 'version' files and the 'firewall' symbolic link have -been moved from /var/lib/shorewall to /usr/lib/shorewall +been moved from /var/lib/shorewall to /usr/lib/shorewall to appease the LFS police at Debian.
      • - - + +
    - - -

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + + +

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability Restored

    Brown Paper Bag - A couple of recent configuration + A couple of recent configuration changes at www.shorewall.net broke the Search facility:
    - - -
    - - + + +
    + +
    1. Mailing List Archive Search was not available.
      2. -
    2. The Site Search +
    3. The Site Search index was incomplete
    4. Only one page of matches was presented.
      5. - - - + + +
    Hopefully these problems - are now corrected. - -

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability + are now corrected. + +

    9/23/2002 - Full Shorewall Site/Mailing List Archive Search Capability Restored

    - A couple of recent configuration - changes at www.shorewall.net had the negative effect + A couple of recent configuration + changes at www.shorewall.net had the negative effect of breaking the Search facility:
    - - + +
      -
    1. Mailing List Archive +
    2. Mailing List Archive Search was not available.
    3. The Site Search index was incomplete
      4. -
    4. Only one page of +
    5. Only one page of matches was presented.
      6. - - + +
    - Hopefully these problems + Hopefully these problems are now corrected.
    - - + +

    9/18/2002 -  Debian 1.3.8 Packages Available

    - - + +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - - + +

    9/16/2002 - Shorewall 1.3.8

    - - + +

    In this version:

    - - + +
    • A NEWNOTSYN option has been - added to shorewall.conf. This option determines whether Shorewall - accepts TCP packets which are not part of an established + href="Documentation.htm#Conf">NEWNOTSYN option has been + added to shorewall.conf. This option determines whether Shorewall + accepts TCP packets which are not part of an established connection and that are not 'SYN' packets (SYN flag on and ACK flag off).
    • The need for the 'multi' option to communicate between zones za - and zb on the same interface is removed in the case where + and zb on the same interface is removed in the case where the chain 'za2zb' and/or 'zb2za' exists. 'za2zb' will exist if:
      • - - - + + +
      • There is a policy for za to zb; or
        • -
      • There is +
      • There is at least one rule for za to zb.
        • - - - + + +
      - - + +
    - - + +
    • The /etc/shorewall/blacklist file now contains three columns. In addition to -the SUBNET/ADDRESS column, there are optional PROTOCOL +the SUBNET/ADDRESS column, there are optional PROTOCOL and PORT columns to block only certain applications from the blacklisted addresses.
      • - - + +
    - - + +

    9/11/2002 - Debian 1.3.7c Packages Available

    - - + +

    Apt-get sources listed at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - - + +

    9/2/2002 - Shorewall 1.3.7c

    - - + +

    This is a role up of a fix for "DNAT" rules where the source zone is $FW (fw).

    - - + +

    8/31/2002 - I'm not available

    - - -

    I'm currently on vacation  -- please respect my need for a couple of + + +

    I'm currently on vacation  -- please respect my need for a couple of weeks free of Shorewall problem reports.

    - - + +

    -Tom

    - - + +

    8/26/2002 - Shorewall 1.3.7b

    - - + +

    This is a role up of the "shorewall refresh" bug fix and the change which reverses the order of "dhcp" and "norfc1918" checking.

    - - + +

    8/26/2002 - French FTP Mirror is Operational

    - - + +

    ftp://france.shorewall.net/pub/mirrors/shorewall is now available.

    - - + +

    8/25/2002 - Shorewall Mirror in France

    - - + +

    Thanks to a Shorewall user in Paris, the Shorewall web site is now mirrored at http://france.shorewall.net.

    - - + +

    8/25/2002 - Shorewall 1.3.7a Debian Packages Available

    - - + +

    Lorenzo Martignoni reports that the packages for version 1.3.7a are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - - + +

    8/22/2002 - Shorewall 1.3.7 Wins a Brown Paper Bag Award for its Author -- Shorewall 1.3.7a released

    - - + +

    1.3.7a corrects problems occurring in rules file processing when starting Shorewall 1.3.7.

    - - + +

    8/22/2002 - Shorewall 1.3.7 Released 8/13/2002

    - - + +

    Features in this release include:

    - - + +
    • The 'icmp.def' file is now empty! The rules in that file were required in ipchains firewalls but are not required in Shorewall. Users who have ALLOWRELATED=No in shorewall.conf should see + href="Documentation.htm#Conf">shorewall.conf should see the Upgrade Issues.
      • -
    • A 'FORWARDPING' +
    • A 'FORWARDPING' option has been added to shorewall.conf. The effect - of setting this variable to Yes is the same as - the effect of adding an ACCEPT rule for ICMP echo-request - in /etc/shorewall/icmpdef. - Users who have such a rule in icmpdef are encouraged + href="Documentation.htm#Conf"> shorewall.conf. The effect + of setting this variable to Yes is the same as + the effect of adding an ACCEPT rule for ICMP echo-request + in /etc/shorewall/icmpdef. + Users who have such a rule in icmpdef are encouraged to switch to FORWARDPING=Yes.
    • The loopback CLASS A Network (127.0.0.0/8) has been added to the rfc1918 file.
      • -
    • Shorewall now +
    • Shorewall now works with iptables 1.2.7
      • -
    • The documentation +
    • The documentation and web site no longer uses FrontPage themes.
      • - - + +
    - - + +

    I would like to thank John Distler for his valuable input regarding TCP SYN and ICMP treatment in Shorewall. That input has led to marked improvement in Shorewall in the last two releases.

    - - + +

    8/13/2002 - Documentation in the CVS Repository

    - - + +

    The Shorewall-docs project now contains just the HTML and image files - the Frontpage files have been removed.

    - - + +

    8/7/2002 - STABLE branch added to CVS Repository

    - - + +

    This branch will only be updated after I release a new version of Shorewall so you can always update from this branch to get the latest stable tree.

    - - + +

    8/7/2002 - Upgrade Issues section added to the Errata Page

    - - + +

    Now there is one place to go to look for issues involved with upgrading to recent versions of Shorewall.

    - - + +

    8/7/2002 - Shorewall 1.3.6

    - - + +

    This is primarily a bug-fix rollup with a couple of new features:

    - - + + - - + +

    7/30/2002 - Shorewall 1.3.5b Released

    - - + +

    This interim release:

    - - + +
    • Causes the firewall script to remove the lock file if it is killed.
      • @@ -1156,16 +1156,16 @@ firewall script to remove the lock file if it is killed./etc/shorewall/hosts file.
    • Includes the - latest QuickStart + latest QuickStart Guides.
      • - - + +
    - - + +

    7/29/2002 - New Shorewall Setup Guide Available

    - - + +

    The first draft of this guide is available at http://www.shorewall.net/shorewall_setup_guide.htm. The guide is intended for use by people who @@ -1173,309 +1173,309 @@ are setting up Shorewall to manage multiple public IP addresses and by people who want to learn more about Shorewall than is described in the single-address guides. Feedback on the new guide is welcome.

    - - + +

    7/28/2002 - Shorewall 1.3.5 Debian Package Available

    - - + +

    Lorenzo Martignoni reports that the packages are version 1.3.5a and are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - - + +

    7/27/2002 - Shorewall 1.3.5a Released

    - - + +

    This interim release restores correct handling of REDIRECT rules.

    - - + +

    7/26/2002 - Shorewall 1.3.5 Released

    - - -

    This will be the last Shorewall release for a while. I'm going to be + + +

    This will be the last Shorewall release for a while. I'm going to be focusing on rewriting a lot of the documentation.

    - - + +

     In this version:

    - - + +
      -
    • Empty and invalid - source and destination qualifiers are now detected - in the rules file. It is a good idea to use the 'shorewall - check' command before you issue a 'shorewall restart' - command be be sure that you don't have any configuration problems +
    • Empty and invalid + source and destination qualifiers are now detected + in the rules file. It is a good idea to use the 'shorewall + check' command before you issue a 'shorewall restart' + command be be sure that you don't have any configuration problems that will prevent a successful restart.
    • Added MERGE_HOSTS variable in shorewall.conf to provide saner behavior of the /etc/shorewall/hosts file.
      • -
    • The time that - the counters were last reset is now displayed in the +
    • The time that + the counters were last reset is now displayed in the heading of the 'status' and 'show' commands.
      • -
    • A proxyarp +
    • A proxyarp option has been added for entries in /etc/shorewall/interfaces. - This option facilitates Proxy ARP sub-netting as described in + href="Documentation.htm#Interfaces">/etc/shorewall/interfaces. + This option facilitates Proxy ARP sub-netting as described in the Proxy ARP subnetting mini-HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/). Specifying the proxyarp option for an interface causes Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp.
      • -
    • The Samples +
    • The Samples have been updated to reflect the new capabilities in this release.
      • - - + +
    - - + +

    7/16/2002 - New Mirror in Argentina

    - - + +

    Thanks to Arturo "Buanzo" Busleiman, there is now a Shorewall mirror in Argentina. Thanks Buanzo!!!

    - - + +

    7/16/2002 - Shorewall 1.3.4 Released

    - - + +

    In this version:

    - - + +
    • A new /etc/shorewall/routestopped - file has been added. This file is intended to - eventually replace the routestopped option - in the /etc/shorewall/interface and /etc/shorewall/hosts - files. This new file makes remote firewall administration - easier by allowing any IP or subnet to be enabled while + href="Documentation.htm#Routestopped"> /etc/shorewall/routestopped + file has been added. This file is intended to + eventually replace the routestopped option + in the /etc/shorewall/interface and /etc/shorewall/hosts + files. This new file makes remote firewall administration + easier by allowing any IP or subnet to be enabled while Shorewall is stopped.
      • -
    • An /etc/shorewall/stopped - extension script -has been added. This script is invoked after Shorewall +
    • An /etc/shorewall/stopped + extension script +has been added. This script is invoked after Shorewall has stopped.
    • A DETECT_DNAT_ADDRS option has been added to /etc/shoreall/shorewall.conf. + href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf. When this option is selected, DNAT rules only apply when the destination address is the external interface's primary IP address.
    • The QuickStart Guide has - been broken into three guides and has been almost + href="shorewall_quickstart_guide.htm">QuickStart Guide has + been broken into three guides and has been almost entirely rewritten.
      • -
    • The Samples +
    • The Samples have been updated to reflect the new capabilities in this release.
      • - - + +
    - - + +

    7/8/2002 - Shorewall 1.3.3 Debian Package Available

    - - + +

    Lorenzo Marignoni reports that the packages are available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - - + +

    7/6/2002 - Shorewall 1.3.3 Released

    - - + +

    In this version:

    - - + +
    • Entries in /etc/shorewall/interface that use the wildcard character ("+") now have the "multi" option assumed.
      • -
    • The 'rfc1918' - chain in the mangle table has been renamed 'man1918' - to make log messages generated from that chain distinguishable - from those generated by the 'rfc1918' chain in the +
    • The 'rfc1918' + chain in the mangle table has been renamed 'man1918' + to make log messages generated from that chain distinguishable + from those generated by the 'rfc1918' chain in the filter table.
      • -
    • Interface names - appearing in the hosts file are now validated against +
    • Interface names + appearing in the hosts file are now validated against the interfaces file.
    • The TARGET column in the rfc1918 file is now checked for correctness.
      • -
    • The chain structure - in the nat table has been changed to reduce the - number of rules that a packet must traverse and to correct +
    • The chain structure + in the nat table has been changed to reduce the + number of rules that a packet must traverse and to correct problems with NAT_BEFORE_RULES=No
    • The "hits" command has been enhanced.
      • - - + +
    - - + +

    6/25/2002 - Samples Updated for 1.3.2

    - - + +

    The comments in the sample configuration files have been updated to reflect new features introduced in Shorewall 1.3.2.

    - - + +

    6/25/2002 - Shorewall 1.3.1 Debian Package Available

    - - + +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - - + +

    6/19/2002 - Documentation Available in PDF Format

    - - + +

    Thanks to Mike Martinez, the Shorewall Documentation is now available for download in Adobe PDF format.

    - - + +

    6/16/2002 - Shorewall 1.3.2 Released

    - - + +

    In this version:

    - - + + - - + +

    6/6/2002 - Why CVS Web access is Password Protected

    - - + +

    Last weekend, I installed the CVS Web package to provide brower-based access to the Shorewall CVS repository. Since then, I have had several instances where my server was almost unusable due to the high load generated by website copying tools like HTTrack and WebStripper. These mindless tools:

    - - + +
    • Ignore robot.txt files.
      • -
    • Recursively +
    • Recursively copy everything that they find.
    • Should be classified as weapons rather than tools.
      • - - + +
    - - + +

    These tools/weapons are particularly damaging when combined with CVS Web because they doggedly follow every link in the cgi-generated HTML resulting in 1000s of executions - of the cvsweb.cgi script. Yesterday, I spend several + of the cvsweb.cgi script. Yesterday, I spend several hours implementing measures to block these tools but unfortunately, these measures resulted in my server OOM-ing under even moderate load.

    - - + +

    Until I have the time to understand the cause of the OOM (or until I buy more RAM if that is what is required), CVS Web access will remain Password Protected.

    - - + +

    6/5/2002 - Shorewall 1.3.1 Debian Package Available

    - - + +

    Lorenzo Marignoni reports that the package is available at http://security.dsi.unimi.it/~lorenzo/debian.html.

    - - + +

    6/2/2002 - Samples Corrected

    - - + +

    The 1.3.0 samples configurations had several serious problems that prevented DNS and SSH from working properly. These problems have been corrected in the 1.3.1 samples.

    - - + +

    6/1/2002 - Shorewall 1.3.1 Released

    - - + +

    Hot on the heels of 1.3.0, this release:

    - - + +
    • Corrects a serious problem with "all <zone> CONTINUE" - policies. This problem is present in all versions of + policies. This problem is present in all versions of Shorewall that support the CONTINUE policy. These previous - versions optimized away the "all2<zone>" + versions optimized away the "all2<zone>" chain and replaced it with the "all2all" chain with the usual result that a policy of REJECT was enforced rather than the intended CONTINUE policy.
    • Adds an /etc/shorewall/rfc1918 + href="Documentation.htm#rfc1918">/etc/shorewall/rfc1918 file for defining the exact behavior of the 'norfc1918' interface option.
      • - - + +
    - - + +

    5/29/2002 - Shorewall 1.3.0 Released

    - - + +

    In addition to the changes in Beta 1, Beta 2 and RC1, Shorewall 1.3.0 includes:

    - - + +
    • A 'filterping' interface option that allows ICMP echo-request (ping) requests addressed to the firewall to be handled by entries in /etc/shorewall/rules and /etc/shorewall/policy.
      • - - + +
    - - + +

    5/23/2002 - Shorewall 1.3 RC1 Available

    - - + +

    In addition to the changes in Beta 1 and Beta 2, RC1 (Version 1.2.92) incorporates the following:

    - - + +
      -
    • Support for -the /etc/shorewall/whitelist file has been withdrawn. +
    • Support for +the /etc/shorewall/whitelist file has been withdrawn. If you need whitelisting, see these instructions.
      • - - + +
    - - + +

    5/19/2002 - Shorewall 1.3 Beta 2 Available

    - - -

    In addition to the changes in Beta 1, this release which carries the + + +

    In addition to the changes in Beta 1, this release which carries the designation 1.2.91 adds:

    - - + +
      -
    • The structure - of the firewall is changed markedly. There is now +
    • The structure + of the firewall is changed markedly. There is now an INPUT and a FORWARD chain for each interface; this reduces the number of rules that a packet must traverse, especially in complicated setups.
      • @@ -1488,129 +1488,129 @@ an INPUT and a FORWARD chain for each interface; this reduces and the documentation has been updated accordingly.
    • The sample configurations have been updated for 1.3.
      • - - + +
    - - + +

    5/17/2002 - Shorewall 1.3 Beta 1 Available

    - - + +

    Beta 1 carries the version designation 1.2.90 and implements the following features:

    - - + +
    • Simplified rule syntax which makes the intent of each rule clearer and hopefully makes Shorewall easier to learn.
    • Upward compatibility - with 1.2 configuration files has been maintained + with 1.2 configuration files has been maintained so that current users can migrate to the new syntax at their convenience.
    • WARNING:  Compatibility with the old - parameterized sample configurations has NOT been maintained. - Users still running those configurations should migrate - to the new sample configurations before upgrading to + color="#cc6666">WARNING:  Compatibility with the old + parameterized sample configurations has NOT been maintained. + Users still running those configurations should migrate + to the new sample configurations before upgrading to 1.3 Beta 1.
      • - - + +
    - - + +

    5/4/2002 - Shorewall 1.2.13 is Available

    - - + +

    In this version:

    - - + + - - + +

    4/30/2002 - Shorewall Debian News

    - - -

    Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the -Debian + + +

    Lorenzo Marignoni reports that Shorewall 1.2.12 is now in both the +Debian Testing Branch and the Debian + href="http://packages.debian.org/unstable/net/shorewall.html">Debian Unstable Branch.

    - - + +

    4/20/2002 - Shorewall 1.2.12 is Available

    - - + +
      -
    • The 'try' command +
    • The 'try' command works again
    • There is now a single RPM that also works with SuSE.
      • - - + +
    - - + +

    4/17/2002 - Shorewall Debian News

    - - + +

    Lorenzo Marignoni reports that:

    - - + + - - + +

    Thanks, Lorenzo!

    - - + +

    4/16/2002 - Shorewall 1.2.11 RPM Available for SuSE

    - - + +

    Thanks to Stefan Mohr, there is now a Shorewall 1.2.11 + href="http://www.shorewall.net/pub/shorewall/shorewall-1.2-11.i686.suse73.rpm"> SuSE RPM available.

    - - + +

    4/13/2002 - Shorewall 1.2.11 Available

    - - + +

    In this version:

    - - + +
      -
    • The 'try' command - now accepts an optional timeout. If the timeout is - given in the command, the standard configuration will +
    • The 'try' command + now accepts an optional timeout. If the timeout is + given in the command, the standard configuration will automatically be restarted after the new configuration has been running for that length of time. This prevents a remote admin from being locked out of the firewall in the case where @@ -1620,55 +1620,55 @@ the new configuration starts but prevents access.
      • ROUTE_FILTER parameter in /etc/shorewall/shorewall.conf.
    • Individual -IP source addresses and/or subnets may now be excluded +IP source addresses and/or subnets may now be excluded from masquerading/SNAT.
      • -
    • Simple "Yes/No" - and "On/Off" values are now case-insensitive in +
    • Simple "Yes/No" + and "On/Off" values are now case-insensitive in /etc/shorewall/shorewall.conf.
      • - - + +
    - - + +

    4/13/2002 - Hamburg Mirror now has FTP

    - - + +

    Stefan now has an FTP mirror at ftp://germany.shorewall.net/pub/shorewall.  Thanks Stefan!

    - - + +

    4/12/2002 - New Mirror in Hamburg

    - - + +

    Thanks to Stefan Mohr, there is now a mirror of the Shorewall website at http://germany.shorewall.net.

    - - + +

    4/10/2002 - Shorewall QuickStart Guide Version 1.1 Available

    - - + +

    Version 1.1 of the QuickStart Guide is now available. Thanks to those who have read version 1.0 and offered their suggestions. Corrections have also been made to the sample scripts.

    - - + +

    4/9/2002 - Shorewall QuickStart Guide Version 1.0 Available

    - - + +

    Version 1.0 of the QuickStart Guide is now available. This Guide and its accompanying sample configurations are expected to provide a replacement for the recently withdrawn parameterized samples.

    - - + +

    4/8/2002 - Parameterized Samples Withdrawn

    - - + +

    Although the parameterized samples have allowed people to get a firewall @@ -1677,113 +1677,113 @@ set the wrong level of expectation among those who have used them. I am therefore withdrawing support for the samples and I am recommending that they not be used in new Shorewall installations.

    - - + +

    4/2/2002 - Updated Log Parser

    - - + +

    John Lodge has provided an updated version of his CGI-based log parser + href="pub/shorewall/parsefw/">CGI-based log parser with corrected date handling.

    - - + +

    3/30/2002 - Shorewall Website Search Improvements

    - - + +

    The quick search on the home page now excludes the mailing list archives. The Extended Search allows excluding the archives or restricting the - search to just the archives. An archive search form + search to just the archives. An archive search form is also available on the mailing list information page.

    - - + +

    3/28/2002 - Debian Shorewall News (From Lorenzo Martignoni)

    - - + + - - + +

    3/25/2002 - Log Parser Available

    - - + +

    John Lodge has provided a CGI-based log parser for Shorewall. Thanks John.

    - - + +

    3/20/2002 - Shorewall 1.2.10 Released

    - - + +

    In this version:

    - - + +
    • A "shorewall try" command has been added (syntax: shorewall try <configuration directory>). This - command attempts "shorewall -c <configuration directory> - start" and if that results in the firewall being stopped + command attempts "shorewall -c <configuration directory> + start" and if that results in the firewall being stopped due to an error, a "shorewall start" command is executed. The 'try' command allows you to create a new configuration and attempt - to start it; if there is an error that leaves your firewall - in the stopped state, it will automatically be restarted using + href="Documentation.htm#Configs"> configuration and attempt + to start it; if there is an error that leaves your firewall + in the stopped state, it will automatically be restarted using the default configuration (in /etc/shorewall).
    • A new variable ADD_SNAT_ALIASES has been added to /etc/shorewall/shorewall.conf. + href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf. If this variable is set to "Yes", Shorewall will automatically add IP addresses listed in the third column of -the /etc/shorewall/masq +the /etc/shorewall/masq file.
      • -
    • Copyright notices +
    • Copyright notices have been added to the documenation.
      • - - + +
    - - + +

    3/11/2002 - Shorewall 1.2.9 Released

    - - + +

    In this version:

    - - + + - - + +

    3/1/2002 - 1.2.8 Debian Package is Available

    - - + +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - - + +

    2/25/2002 - New Two-interface Sample

    - - + +

    I've enhanced the two interface sample to allow access from the firewall to servers in the local zone - + href="http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz"> http://www.shorewall.net/pub/shorewall/LATEST.samples/two-interfaces.tgz

    - - + +

    2/23/2002 - Shorewall 1.2.8 Released

    - - + +

    Do to a serious problem with 1.2.7, I am releasing 1.2.8. It corrects problems associated with the lock file used to prevent multiple state-changing operations from occuring simultaneously. My apologies for any inconvenience my carelessness may have caused.

    - - + +

    2/22/2002 - Shorewall 1.2.7 Released

    - - + +

    In this version:

    - - + +
      -
    • UPnP probes -(UDP destination port 1900) are now silently dropped +
    • UPnP probes +(UDP destination port 1900) are now silently dropped in the common chain
      • -
    • RFC 1918 checking - in the mangle table has been streamlined to no longer - require packet marking. RFC 1918 checking in the filter +
    • RFC 1918 checking + in the mangle table has been streamlined to no longer + require packet marking. RFC 1918 checking in the filter table has been changed to require half as many rules as previously.
    • A 'shorewall - check' command has been added that does a cursory + check' command has been added that does a cursory validation of the zones, interfaces, hosts, rules and policy files.
      • - - + +
    - - + +

    2/18/2002 - 1.2.6 Debian Package is Available

    - - + +

    See http://security.dsi.unimi.it/~lorenzo/debian.html

    - - + +

    2/8/2002 - Shorewall 1.2.6 Released

    - - + +

    In this version:

    - - + +
      -
    • $-variables -may now be used anywhere in the configuration files +
    • $-variables +may now be used anywhere in the configuration files except /etc/shorewall/zones.
    • The interfaces - and hosts files now have their contents validated + and hosts files now have their contents validated before any changes are made to the existing Netfilter configuration. The appearance of a zone name that isn't defined in /etc/shorewall/zones causes "shorewall start" and "shorewall restart" to abort without changing the Shorewall - state. Unknown options in either file cause a warning to + state. Unknown options in either file cause a warning to be issued.
      • -
    • A problem occurring - when BLACKLIST_LOGLEVEL was not set has been +
    • A problem occurring + when BLACKLIST_LOGLEVEL was not set has been corrected.
      • - - + +
    - - + +

    2/4/2002 - Shorewall 1.2.5 Debian Package Available

    - - + +

    see http://security.dsi.unimi.it/~lorenzo/debian.html

    - - + +

    2/1/2002 - Shorewall 1.2.5 Released

    - - -

    Due to installation problems with Shorewall 1.2.4, I have released Shorewall + + +

    Due to installation problems with Shorewall 1.2.4, I have released Shorewall 1.2.5. Sorry for the rapid-fire development.

    - - + +

    In version 1.2.5:

    - - + +
      -
    • The installation +
    • The installation problems have been corrected.
    • SNAT is now supported.
      • -
    • A "shorewall +
    • A "shorewall version" command has been added
    • The default value of the STATEDIR variable in /etc/shorewall/shorewall.conf has been changed to /var/lib/shorewall in order - to conform to the GNU/Linux File Hierarchy Standard, Version + to conform to the GNU/Linux File Hierarchy Standard, Version 2.2.
      • - - + +
    - - + +

    1/28/2002 - Shorewall 1.2.4 Released

    - - + + - - + +

    1/27/2002 - Shorewall 1.2.3 Debian Package Available -- see http://security.dsi.unimi.it/~lorenzo/debian.html

    - - + +

    1/20/2002 - Corrected firewall script available 

    - - -

    Corrects a problem with BLACKLIST_LOGLEVEL. See the + + +

    Corrects a problem with BLACKLIST_LOGLEVEL. See the errata for details.

    - - + +

    1/19/2002 - Shorewall 1.2.3 Released

    - - + +

    This is a minor feature and bugfix release. The single new feature is:

    - - + +
    • Support for TCP MSS Clamp to PMTU -- This support is usually required - when the internet connection is via PPPoE or PPTP + when the internet connection is via PPPoE or PPTP and may be enabled using the CLAMPMSS option in /etc/shorewall/shorewall.conf.
      • - - + +
    - - + +

    The following problems were corrected:

    - - + +
      -
    • The "shorewall +
    • The "shorewall status" command no longer hangs.
      • -
    • The "shorewall +
    • The "shorewall monitor" command now displays the icmpdef chain
      • -
    • The CLIENT PORT(S) +
    • The CLIENT PORT(S) column in tcrules is no longer ignored
      • - - + +
    - - + +

    1/18/2002 - Shorewall 1.2.2 packaged with new LEAF release

    - - -

    Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution + + +

    Jacques Nilo and Eric Wolzak have released a kernel 2.4.16 LEAF distribution that includes Shorewall 1.2.2. See http://leaf.sourceforge.net/devel/jnilo + href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo for details.

    - - + +

    1/11/2002 - Debian Package (.deb) Now Available - Thanks to Lorenzo Martignoni, a 1.2.2 Shorewall Debian package is now available. There is a link to Lorenzo's site from the Shorewall download page.

    - - + +

    1/9/2002 - Updated 1.2.2 /sbin/shorewall available - This corrected version restores the "shorewall status" command to health.

    - - + +

    1/8/2002 - Shorewall 1.2.2 Released

    - - + +

    In version 1.2.2

    - - + +
    • Support for -IP blacklisting has been added - - - - +IP blacklisting has been added + + + +
      • You specify whether you want packets from blacklisted hosts dropped or rejected using the BLACKLIST_DISPOSITION + href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION setting in /etc/shorewall/shorewall.conf
      • You specify whether you want packets from blacklisted hosts logged and at what syslog level using the BLACKLIST_LOGLEVEL + href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL setting in /etc/shorewall/shorewall.conf
        • -
      • You list the - IP addresses/subnets that you wish to blacklist in +
      • You list the + IP addresses/subnets that you wish to blacklist in /etc/shorewall/blacklist
      • You specify the interfaces you want checked against the blacklist @@ -2034,70 +2034,70 @@ IP blacklisting has been added
      • The black list is refreshed from /etc/shorewall/blacklist by the "shorewall refresh" command.
        • - - - - - + + + + +
      • -
    • Use of TCP RST - replies has been expanded  - - - - +
    • Use of TCP RST + replies has been expanded  + + + +
        -
      • TCP connection +
      • TCP connection requests rejected because of a REJECT policy are now replied with a TCP RST packet.
        • -
      • TCP connection +
      • TCP connection requests rejected because of a protocol=all rule in /etc/shorewall/rules are now replied with a TCP RST packet.
        • - - - - - + + + + +
    • A LOGFILE specification has - been added to /etc/shorewall/shorewall.conf. LOGFILE is used - to tell the /sbin/shorewall program where to look for Shorewall + been added to /etc/shorewall/shorewall.conf. LOGFILE is used + to tell the /sbin/shorewall program where to look for Shorewall messages.
      • - - + +
    - - + +

    1/5/2002 - New Parameterized Samples (version 1.2.0) released. These are minor updates to the previously-released samples. There are two new rules added:

    - - + +
    • Unless you have explicitly enabled Auth connections (tcp port 113) - to your firewall, these connections will be REJECTED + to your firewall, these connections will be REJECTED rather than DROPPED. This speeds up connection establishment to some servers.
      • -
    • Orphan DNS replies +
    • Orphan DNS replies are now silently dropped.
      • - - + +
    - - + +

    See the README file for upgrade instructions.

    - - + +

    1/1/2002 - Shorewall Mailing List Moving

    - - + +

    The Shorewall mailing list hosted at Sourceforge is moving to Shorewall.net. If you are a current subscriber to the list at Sourceforge, @@ -2105,14 +2105,14 @@ rather than DROPPED. This speeds up connection establishment If you would like to subscribe to the new list, visit http://www.shorewall.net/mailman/listinfo/shorewall-users.

    - - + +

    12/31/2001 - Shorewall 1.2.1 Released

    - - + +

    In version 1.2.1:

    - - + + - - -

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist + + +

    12/21/2001 - Shorewall 1.2.0 Released! - I couldn't resist releasing 1.2 on 12/21/2001

    - - + +

    Version 1.2 contains the following new features:

    - - + + - - -

    For the next month or so, I will continue to provide corrections to version - 1.1.18 as necessary so that current version 1.1.x - users will not be forced into a quick upgrade to 1.2.0 + + +

    For the next month or so, I will continue to provide corrections to version + 1.1.18 as necessary so that current version 1.1.x + users will not be forced into a quick upgrade to 1.2.0 just to have access to bug fixes.

    - - + +

    For those of you who have installed one of the Beta RPMS, you will need to use the "--oldpackage" option when upgrading to 1.2.0:

    - - -
    - - + + +
    + +

    rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm

    - - -

    12/19/2001 - Thanks to Steve - Cowles, there is now a Shorewall mirror in + + +

    12/19/2001 - Thanks to Steve + Cowles, there is now a Shorewall mirror in Texas. This web site is mirrored at http://www.infohiiway.com/shorewall + href="http://www.infohiiway.com/shorewall" target="_top">http://www.infohiiway.com/shorewall and the ftp site is at ftp://ftp.infohiiway.com/pub/mirrors/shorewall. 

    - - + +

    11/30/2001 - A new set of the parameterized Sample + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.18">Sample Configurations has been released. In this version:

    - - + +
    • Ping is now allowed between the zones.
      • -
    • In the three-interface - configuration, it is now possible to configure the +
    • In the three-interface + configuration, it is now possible to configure the internet services that are to be available to servers in the DMZ. 
      • - - + +
    - - + +

    11/20/2001 - The current version of Shorewall is 1.1.18. 

    - - + +

    In this version:

    - - + +
      -
    • The spelling +
    • The spelling of ADD_IP_ALIASES has been corrected in the shorewall.conf file
    • The logic for deleting user-defined chains has been simplified so that it avoids a bug in the LRP version of the 'cut' utility.
      • -
    • The /var/lib/lrpkg/shorwall.conf +
    • The /var/lib/lrpkg/shorwall.conf file has been corrected to properly display the NAT entry in that file.
      • - - + +
    - - -

    11/19/2001 - Thanks to Juraj - Ontkanin, there is now a Shorewall mirror - in the Slovak Republic. The website is now mirrored - at http://www.nrg.sk/mirror/shorewall + + +

    11/19/2001 - Thanks to Juraj + Ontkanin, there is now a Shorewall mirror + in the Slovak Republic. The website is now mirrored + at http://www.nrg.sk/mirror/shorewall and the FTP site is mirrored at ftp://ftp.nrg.sk/mirror/shorewall.

    - - -

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. + + +

    11/2/2001 - Announcing Shorewall Parameter-driven Sample Configurations. There are three sample configurations:

    - - + +
    • One Interface -- for a standalone system.
      • -
    • Two Interfaces +
    • Two Interfaces -- A masquerading firewall.
      • -
    • Three Interfaces +
    • Three Interfaces -- A masquerading firewall with DMZ.
      • - - + +
    - - + +

    Samples may be downloaded from ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 + href="ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17"> ftp://ftp.shorewall.net/pub/shorewall/samples-1.1.17 . See the README file for instructions.

    - - - -

    11/1/2001 - The current version of Shorewall is 1.1.17.  I intend - this to be the last of the 1.1 Shorewall + + + +

    11/1/2001 - The current version of Shorewall is 1.1.17.  I intend + this to be the last of the 1.1 Shorewall releases.

    - - - + + +

    In this version:

    - - + + - - -

    10/22/2001 - The current version of Shorewall is 1.1.16. In this + + +

    10/22/2001 - The current version of Shorewall is 1.1.16. In this version:

    - - + +
      -
    • A new "shorewall +
    • A new "shorewall show connections" command has been added.
    • In the "shorewall monitor" output, the currently tracked connections @@ -2272,20 +2272,20 @@ of ADD_IP_ALIASES release, Shorewall unconditionally added the external IP adddress(es) specified in /etc/shorewall/nat. Beginning with version 1.1.16, a new parameter (ADD_IP_ALIASES) may be - set to "no" (or "No") to inhibit this behavior. - This allows IP aliases created using your distribution's - network configuration tools to be used in static + href="Documentation.htm#Aliases">ADD_IP_ALIASES) may be + set to "no" (or "No") to inhibit this behavior. + This allows IP aliases created using your distribution's + network configuration tools to be used in static NAT. 
      • - - + +
    - - -

    10/15/2001 - The current version of Shorewall is 1.1.15. In this + + +

    10/15/2001 - The current version of Shorewall is 1.1.15. In this version:

    - - + + - - + +

    10/4/2001 - The current version of Shorewall is 1.1.14. In this version

    - - + +     - - + +

    9/12/2001 - The current version of Shorewall is 1.1.13. In this version

    - - + +
    • Shell variables can now be used to parameterize Shorewall rules.
    • The second column - in the hosts file may now contain a comma-separated + in the hosts file may now contain a comma-separated list.

      Example:
      -     sea    +     sea    eth0:130.252.100.0/24,206.191.149.0/24
    • Handling of -multi-zone interfaces has been improved. See the +multi-zone interfaces has been improved. See the documentation for the /etc/shorewall/interfaces file.
      • - - + +
    - - + +

    8/28/2001 - The current version of Shorewall is 1.1.12. In this version

    - - + +
    • Several columns - in the rules file may now contain comma-separated + in the rules file may now contain comma-separated lists.
      • -
    • Shorewall is +
    • Shorewall is now more rigorous in parsing the options in /etc/shorewall/interfaces.
    • Complementation using "!" is now supported in rules.
      • - - + +
    - - + +

    7/28/2001 - The current version of Shorewall is 1.1.11. In this version

    - - + +
      -
    • A "shorewall -refresh" command has been added to allow for refreshing +
    • A "shorewall +refresh" command has been added to allow for refreshing the rules associated with the broadcast address on a dynamic interface. This command should be used in place of "shorewall restart" when the internet interface's IP address changes.
      • -
    • The /etc/shorewall/start - file (if any) is now processed after all temporary - rules have been deleted. This change prevents the accidental - removal of rules added during the processing of that +
    • The /etc/shorewall/start + file (if any) is now processed after all temporary + rules have been deleted. This change prevents the accidental + removal of rules added during the processing of that file.
      • -
    • The "dhcp" interface - option is now applicable to firewall interfaces +
    • The "dhcp" interface + option is now applicable to firewall interfaces used by a DHCP server running on the firewall.
    • The RPM can now be built from the .tgz file using "rpm -tb" 
      • - - + +
    - - + +

    7/6/2001 - The current version of Shorewall is 1.1.10. In this version

    - - + +
    • Shorewall now - enables Ipv4 Packet Forwarding by default. Packet -forwarding may be disabled by specifying IP_FORWARD=Off - in /etc/shorewall/shorewall.conf. If you don't -want Shorewall to enable or disable packet forwarding, - add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf + enables Ipv4 Packet Forwarding by default. Packet +forwarding may be disabled by specifying IP_FORWARD=Off + in /etc/shorewall/shorewall.conf. If you don't +want Shorewall to enable or disable packet forwarding, + add IP_FORWARDING=Keep to your /etc/shorewall/shorewall.conf file.
      • -
    • The "shorewall - hits" command no longer lists extraneous service +
    • The "shorewall + hits" command no longer lists extraneous service names in its last report.
      • -
    • Erroneous instructions - in the comments at the head of the firewall script +
    • Erroneous instructions + in the comments at the head of the firewall script have been corrected.
      • - - + +
    - - + +

    6/23/2001 - The current version of Shorewall is 1.1.9. In this version

    - - + +
    • The "tunnels" file really is in the RPM now.
      • -
    • SNAT can now +
    • SNAT can now be applied to port-forwarded connections.
    • A bug which would cause firewall start failures in some dhcp configurations has been fixed.
      • -
    • The firewall -script now issues a message if you have the name of +
    • The firewall +script now issues a message if you have the name of an interface in the second column in an entry in /etc/shorewall/masq and that interface is not up.
    • You can now @@ -2454,32 +2454,32 @@ configure Shorewall so that it
    • Support for IPIP tunnels has been added.
      • - - + +
    - - + +

    6/18/2001 - The current version of Shorewall is 1.1.8. In this version

    - - + + - - + +

    6/2/2001 - The current version of Shorewall is 1.1.7. In this version

    - - + +
    • The TOS rules are now deleted when the firewall is stopped.
      • @@ -2490,94 +2490,94 @@ applied to packets originating on the firewall itself now install without iproute2 being installed.
    • The documentation has been cleaned up.
      • -
    • The sample configuration - files included in Shorewall have been formatted +
    • The sample configuration + files included in Shorewall have been formatted to 80 columns for ease of editing on a VGA console.
      • - - + +
    - - + +

    5/25/2001 - The current version of Shorewall is 1.1.6. In this version

    - - + + - - + +

    5/20/2001 - The current version of Shorewall is 1.1.5. In this version

    - - + + - - + +

    5/10/2001 - The current version of Shorewall is 1.1.4. In this version

    - - + +
    • Accepting RELATED connections + href="Documentation.htm#Conf">Accepting RELATED connections is now optional.
    • Corrected problem where if "shorewall start" aborted early (due -to kernel configuration errors for example), superfluous +to kernel configuration errors for example), superfluous 'sed' error messages were reported.
    • Corrected rules generated for port redirection.
      • -
    • The order in -which iptables kernel modules are loaded has been +
    • The order in +which iptables kernel modules are loaded has been corrected (Thanks to Mark Pavlidis). 
      • - - + +
    - - + +

    4/28/2001 - The current version of Shorewall is 1.1.3. In this version

    - - + +
    • Correct message issued when Proxy ARP address added (Thanks to Jason @@ -2587,164 +2587,164 @@ version

      the firewall.
    • /etc/shorewall/icmp.def and /etc/shorewall/common.def are now used to - define the icmpdef and common chains unless overridden + define the icmpdef and common chains unless overridden by the presence of /etc/shorewall/icmpdef or /etc/shorewall/common.
      • -
    • In the .lrp, -the file /var/lib/lrpkg/shorwall.conf has been corrected. - An extra space after "/etc/shorwall/policy" has been +
    • In the .lrp, +the file /var/lib/lrpkg/shorwall.conf has been corrected. + An extra space after "/etc/shorwall/policy" has been removed and "/etc/shorwall/rules" has been added.
      • -
    • When a sub-shell - encounters a fatal error and has stopped the firewall, - it now kills the main shell so that the main shell will +
    • When a sub-shell + encounters a fatal error and has stopped the firewall, + it now kills the main shell so that the main shell will not continue.
    • A problem has been corrected where a sub-shell stopped the firewall - and main shell continued resulting in a perplexing error + and main shell continued resulting in a perplexing error message referring to "common.so" resulted.
    • Previously, placing "-" in the PORT(S) column in /etc/shorewall/rules resulted in an error message during start. This has been corrected.
      • -
    • The first line +
    • The first line of "install.sh" has been corrected -- I had inadvertently deleted the initial "#".
      • - - + +
    - - + +

    4/12/2001 - The current version of Shorewall is 1.1.2. In this version

    - - + +
      -
    • Port redirection +
    • Port redirection now works again.
    • The icmpdef -and common chains may +and common chains may now be user-defined.
      • -
    • The firewall +
    • The firewall no longer fails to start if "routefilter" is specified - for an interface that isn't started. A warning message + for an interface that isn't started. A warning message is now issued in this case.
    • The LRP Version is renamed "shorwall" for 8,3 MSDOS file system compatibility.
    • A couple of LRP-specific problems were corrected.
      • - - + +
    - - + +

    4/8/2001 - Shorewall is now affiliated with the Leaf Project

    - - + +

    4/5/2001 - The current version of Shorewall is 1.1.1. In this version:

    - - + +
      -
    • The common chain - is traversed from INPUT, OUTPUT and FORWARD before +
    • The common chain + is traversed from INPUT, OUTPUT and FORWARD before logging occurs
      • -
    • The source has +
    • The source has been cleaned up dramatically
    • DHCP DISCOVER - packets with RFC1918 source addresses no longer + packets with RFC1918 source addresses no longer generate log messages. Linux DHCP clients generate such packets and it's annoying to see them logged. 
      • - - + +
    - - + +

    3/25/2001 - The current version of Shorewall is 1.1.0. In this version:

    - - + +
      -
    • Log messages +
    • Log messages now indicate the packet disposition.
      • -
    • Error messages +
    • Error messages have been improved.
    • The ability -to define zones consisting of an enumerated set of +to define zones consisting of an enumerated set of hosts and/or subnetworks has been added.
      • -
    • The zone-to-zone - chain matrix is now sparse so that only those chains +
    • The zone-to-zone + chain matrix is now sparse so that only those chains that contain meaningful rules are defined.
    • 240.0.0.0/4 -and 169.254.0.0/16 have been added to the source +and 169.254.0.0/16 have been added to the source subnetworks whose packets are dropped under the norfc1918 interface option.
    • Exits are now provided for executing an user-defined script when - a chain is defined, when the firewall is initialized, - when the firewall is started, when the firewall + a chain is defined, when the firewall is initialized, + when the firewall is started, when the firewall is stopped and when the firewall is cleared.
      • -
    • The Linux kernel's - route filtering facility can now be specified +
    • The Linux kernel's + route filtering facility can now be specified selectively on network interfaces.
      • - - + +
    - - + +

    3/19/2001 - The current version of Shorewall is 1.0.4. This version:

    - - + +
    • Allows user-defined - zones. Shorewall now has only one pre-defined + zones. Shorewall now has only one pre-defined zone (fw) with the remaining zones being defined in the new configuration file /etc/shorewall/zones. The /etc/shorewall/zones file released in this version provides behavior that is compatible with Shorewall 1.0.3. 
      • -
    • Adds the ability +
    • Adds the ability to specify logging in entries in the /etc/shorewall/rules file.
      • -
    • Correct handling - of the icmp-def chain so that only ICMP packets are +
    • Correct handling + of the icmp-def chain so that only ICMP packets are sent through the chain.
      • -
    • Compresses the - output of "shorewall monitor" if awk is installed. - Allows the command to work if awk isn't installed (although +
    • Compresses the + output of "shorewall monitor" if awk is installed. + Allows the command to work if awk isn't installed (although it's not pretty).
      • - - + +
    - - -

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix + + +

    3/13/2001 - The current version of Shorewall is 1.0.3. This is a bug-fix release with no new features.

    - - + +
    • The PATH variable - in the firewall script now includes /usr/local/bin + in the firewall script now includes /usr/local/bin and /usr/local/sbin.
    • DMZ-related chains are now correctly deleted if the DMZ is deleted.
    • The interface OPTIONS for "gw" interfaces are no longer ignored.
      • - - + +
    - - -

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an - additional "gw" (gateway) zone for tunnels and - it supports IPSEC tunnels with end-points on the firewall. + + +

    3/8/2001 - The current version of Shorewall is 1.0.2. It supports an + additional "gw" (gateway) zone for tunnels and + it supports IPSEC tunnels with end-points on the firewall. There is also a .lrp available now.

    - - + +

    Updated 3/21/2003 - Tom Eastep

    - - + +

    Copyright © 2001, 2002 Thomas M. Eastep.

    diff --git a/Shorewall-docs/OPENVPN.html b/Shorewall-docs/OPENVPN.html index 4e2971c84..9041e1565 100755 --- a/Shorewall-docs/OPENVPN.html +++ b/Shorewall-docs/OPENVPN.html @@ -1,33 +1,33 @@ - + OpenVPN Tunnels - + - + - + - - - + +
    +

    OpenVPN Tunnels
    - +


    - +

    OpenVPN is a robust and highly configurable VPN (Virtual Private Network) daemon which can be used to securely link two or more private networks using an encrypted tunnel over the internet. OpenVPN is an Open Source project @@ -35,32 +35,32 @@ and is licensed under the GPL. OpenVPN can be downloaded from http://openvpn.sourceforge.net/.

    - +

    OpenVPN support was added to Shorewall in version 1.3.14.

    - +

    Bridging two Masqueraded Networks

    - +

    Suppose that we have the following situation:

    - +

    - +

    We want systems in the 192.168.1.0/24 subnetwork to be able to communicate with the systems in the 10.0.0.0/8 network. This is accomplished through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy file and OpenVPN.

    - +

    While it was possible to use the Shorewall start and stop script to start and stop OpenVPN, I decided to use the init script of OpenVPN to start and stop it.

    - +

    On each firewall, you will need to declare a zone to represent the remote subnet. We'll assume that this zone is called 'vpn' and declare it in /etc/shorewall/zones on both systems as follows.

    - -
    + +
    @@ -73,15 +73,15 @@ the GPL. OpenVPN can be downloaded from VPN - - + +
    Remote Subnet
    - +

    On system A, the 10.0.0.0/8 will comprise the vpn zone. In /etc/shorewall/interfaces:

    - -
    + +
    @@ -97,14 +97,14 @@ zone. In /etc/shorewall/interfaces:

    - - + +
     
    - +

    In /etc/shorewall/tunnels on system A, we need the following:

    - -
    + +
    @@ -119,18 +119,18 @@ zone. In /etc/shorewall/interfaces:

    - - + +
    134.28.54.2  
    - +

    This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN traffic on the default port 5000/udp will be accepted to/from the remote gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels like this:

    - -
    + +
    @@ -145,18 +145,18 @@ gateway. If you change the port used by OpenVPN to 7777, you can define - - + +
    134.28.54.2  
    - +

    This is the OpenVPN config on system A:

    - -
    + +

    - -
    + +

    dev tun
    local 206.162.148.9
    remote 134.28.54.2
    @@ -171,11 +171,11 @@ gateway. If you change the port used by OpenVPN to 7777, you can define verb 5

    - +

    Similarly, On system B the 192.168.1.0/24 subnet will comprise the vpn zone. In /etc/shorewall/interfaces:

    - -
    + +
    @@ -190,14 +190,14 @@ gateway. If you change the port used by OpenVPN to 7777, you can define - - + +
    192.168.1.255  
    - +

    In /etc/shorewall/tunnels on system B, we have:

    - -
    + +
    @@ -212,14 +212,14 @@ gateway. If you change the port used by OpenVPN to 7777, you can define - - + +
    206.191.148.9  
    - +

    And in the OpenVPN config on system B:

    - -
    + +

    dev tun
    local 134.28.54.2
    remote 206.162.148.9
    @@ -233,12 +233,12 @@ gateway. If you change the port used by OpenVPN to 7777, you can define verb 5

    - +

    You will need to allow traffic between the "vpn" zone and the "loc" zone on both systems -- if you simply want to admit all traffic in both directions, you can use the policy file:

    - -
    + +
    @@ -259,20 +259,20 @@ traffic in both directions, you can use the policy file:

    - - + +
    ACCEPT  
    - +

    On both systems, restart Shorewall and start OpenVPN. The systems in the two masqueraded subnetworks can now talk to each other.

    - -

    Updated 2/4/2003 - Tom Eastep + +

    Updated 2/4/2003 - Tom Eastep and Simon Mater

    - +

    - +

    Copyright © 2003 Thomas M. Eastep. and Simon Mater

    diff --git a/Shorewall-docs/PPTP.htm b/Shorewall-docs/PPTP.htm index a2cca4472..cb654149b 100644 --- a/Shorewall-docs/PPTP.htm +++ b/Shorewall-docs/PPTP.htm @@ -1,52 +1,52 @@ - + - + - + - + Shorewall PPTP - + - - - + +
    +

    PPTP
    - +

    Shorewall easily supports PPTP in a number of configurations:

    - + - +

    1. PPTP Server Running on your Firewall

    - +

    I will try to give you an idea of how to set up a PPTP server on your firewall system. This isn't a detailed HOWTO but rather an example of how I have set up a working PPTP server on my own firewall.

    - +

    The steps involved are:

    - +
    1. Patching and building pppd
    2. Patching and building your Kernel
      3. @@ -54,36 +54,36 @@ up a working PPTP server on my own firewall.

    3. Configuring pppd
    4. Configuring pptpd
    5. Configuring Shorewall
      6. - +
    - +

    Patching and Building pppd

    - +

    To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary site for releases of pppd is ftp://ftp.samba.org/pub/ppp.

    - +

    You will need the following patches:

    - + - -

    You may also want the following patch if you want to require remote hosts + +

    You may also want the following patch if you want to require remote hosts to use encryption:

    - + - +

    Un-tar the pppd source and uncompress the patches into one directory (the patches and the ppp-2.4.1 directory are all in a single parent directory):

    - +
    • cd ppp-2.4.1
    • patch -p1 < ../ppp-2.4.0-openssl-0.9.6-mppe.patch
      • @@ -91,56 +91,56 @@ to use encryption:

    • (Optional) patch -p1 < ../require-mppe.diff
    • ./configure
    • make
      • - +
    - -

    You will need to install the resulting binary on your firewall system. + +

    You will need to install the resulting binary on your firewall system. To do that, I NFS mount my source filesystem and use "make install" from the ppp-2.4.1 directory.

    - +

    Patching and Building your Kernel

    - +

    You will need one of the following patches depending on your kernel version:

    - + - +

    Uncompress the patch into the same directory where your top-level kernel source is located and:

    - +
    • cd <your GNU/Linux source top-level directory>
    • patch -p1 < ../linux-2.4.16-openssl-0.9.6b-mppe.patch
      • - +
    - +

    Now configure your kernel. Here is my ppp configuration:

    - -
    + +

    - +

    Configuring Samba

    - +

    You will need a WINS server (Samba configured to run as a WINS server is - fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) + fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:

    - -
    + +
    [global]
         workgroup = TDM-NSTOP
         netbios name = WOOKIE
         server string = GNU/Linux Box
         encrypt passwords = Yes
         log file = /var/log/samba/%m.log
         max log size = 0
         socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
         os level = 65
         domain master = True
         preferred master = True
         dns proxy = No
         wins support = Yes
         printing = lprng

    [homes]
         comment = Home Directories
         valid users = %S
         read only = No
         create mask = 0664
         directory mask = 0775

    [printers]
         comment = All Printers
         path = /var/spool/samba
         printable = Yes
    - +

    Configuring pppd

    - +

    Here is a copy of my /etc/ppp/options.poptop file:

    - -
    + +

    ipparam PoPToP
    lock
    mtu 1490
    @@ -163,9 +163,9 @@ is:

    require-mppe
    require-mppe-stateless

    - +

    Notes:

    - +
    • System 192.168.1.3 acts as a WINS server so I have included that IP as the 'ms-wins' value.
      • @@ -173,55 +173,55 @@ IP as the 'ms-wins' value. address 206.124.146.177.
    • I am requiring 128-bit stateless compression (my kernel is built with the 'require-mppe.diff' patch mentioned above.
      • - +
    - +

    Here's my /etc/ppp/chap-secrets:

    - -
    + +

    Secrets for authentication using CHAP
    # client        server    secret    IP addresses
    CPQTDM\\TEastep *         <shhhhhh> 192.168.1.7
    TEastep         *         <shhhhhh> 192.168.1.7

    - -

    I am the only user who connects to the server but I may connect either -with or without a domain being specified. The system I connect from is my -laptop so I give it the same IP address when tunneled in at it has when I + +

    I am the only user who connects to the server but I may connect either +with or without a domain being specified. The system I connect from is my +laptop so I give it the same IP address when tunneled in at it has when I use its wireless LAN card around the house.

    - +

    You will also want the following in /etc/modules.conf:

    - + 
         alias ppp-compress-18 ppp_mppe
         alias ppp-compress-21 bsd_comp
         alias ppp-compress-24 ppp_deflate
         alias ppp-compress-26 ppp_deflate
    - +

    Configuring pptpd

    - +

    PoPTop (pptpd) is available from http://poptop.lineo.com/.

    - +

    Here is a copy of my /etc/pptpd.conf file:

    - -
    + +

    option /etc/ppp/options.poptop
    speed 115200
    localip 192.168.1.254
    remoteip 192.168.1.33-38

    - +

    Notes:

    - +
      -
    • I specify the /etc/ppp/options.poptop file as my ppp options file +
    • I specify the /etc/ppp/options.poptop file as my ppp options file (I have several).
    • The local IP is the same as my internal interface's (192.168.1.254).
      • -
    • I have assigned a remote IP range that overlaps my local network. -This, together with 'proxyarp' in my /etc/ppp/options.poptop file make +
    • I have assigned a remote IP range that overlaps my local network. +This, together with 'proxyarp' in my /etc/ppp/options.poptop file make the remote hosts look like they are part of the local subnetwork.
      • - +
    - +

    I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:

    - -
    + +

    #!/bin/sh
    #
    # /etc/rc.d/init.d/pptpd
    @@ -259,15 +259,15 @@ the remote hosts look like they are part of the local subnetwork.

    •     ;;
    esac

- +

Configuring Shorewall

- +

I consider hosts connected to my PPTP server to be just like local systems. My key Shorewall entries are:

- +

/etc/shorewall/zones:

- -
+ +
@@ -285,14 +285,14 @@ the remote hosts look like they are part of the local subnetwork. - - + +
Local My Local Network including remote PPTP clients
- +

/etc/shorewall/interfaces:

- -
+ +
@@ -319,14 +319,14 @@ the remote hosts look like they are part of the local subnetwork. - - + +
   
- +

/etc/shorewall/hosts:

- -
+ +
@@ -344,14 +344,14 @@ the remote hosts look like they are part of the local subnetwork. - - + +
ppp+:192.168.1.0/24  
- +

/etc/shorewall/policy:

- -
+ +
@@ -366,15 +366,15 @@ the remote hosts look like they are part of the local subnetwork. - - + +
ACCEPT  
- +

/etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b):

- -
- + +
+ @@ -416,11 +416,11 @@ the remote hosts look like they are part of the local subnetwork. - - + +
   
- +

/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 and later)

@@ -453,10 +453,10 @@ and later)


Note: I have multiple ppp interfaces on my firewall. If you have a single ppp interface, you probably want:

- +

/etc/shorewall/interfaces:

- -
+ +
@@ -483,19 +483,19 @@ ppp interface, you probably want:

- - + +
   
- +

and no entries in /etc/shorewall/hosts.

- -

2. PPTP Server Running Behind + +

2. PPTP Server Running Behind your Firewall

- +

If you have a single external IP address, add the following to your /etc/shorewall/rules file:

- + @@ -528,15 +528,15 @@ file:

- - + +
   
- -

If you have multiple external IP address and you want to forward a single -<external address>, add the following to your /etc/shorewall/rules + +

If you have multiple external IP address and you want to forward a single +<external address>, add the following to your /etc/shorewall/rules file:

- -

  + +

  @@ -569,51 +569,51 @@ file:

- - + +
- <external address>

- -

3. PPTP Clients Running Behind + +

3. PPTP Clients Running Behind your Firewall

- -

You shouldn't have to take any special action for this case unless you -wish to connect multiple clients to the same external server. In that case, + +

You shouldn't have to take any special action for this case unless you +wish to connect multiple clients to the same external server. In that case, you will need to follow the instructions at http://www.impsec.org/linux/masquerade/ip_masq_vpn.html. I recommend that you also add these two lines to your /etc/shorewall/modules file:

- -
+ +

loadmodule ip_conntrack_pptp
loadmodule ip_nat_pptp

- +

4. PPTP Client Running on your Firewall.

- +

The PPTP GNU/Linux client is available at http://sourceforge.net/projects/pptpclient/.    - Rather than use the configuration script that comes with the client, I built + Rather than use the configuration script that comes with the client, I built my own. I also build my own kernel as described above rather than using the mppe package that is available with the client. My /etc/ppp/options file is mostly unchanged from what came with the client (see below).

- +

The key elements of this setup are as follows:

- +
  1. Define a zone for the remote network accessed via PPTP.
  2. Associate that zone with a ppp interface.
  3. Define rules for PPTP traffic to/from the firewall.
  4. Define rules for traffic two and from the remote zone.
    5. - +
- +

Here are examples from my setup:

- +

/etc/shorewall/zones

- -
+ +
@@ -626,14 +626,14 @@ my own. I also build my own kernel as described above - - + +
Compaq Compaq Intranet
- +

/etc/shorewall/interfaces

- -
+ +
@@ -648,14 +648,14 @@ my own. I also build my own kernel as described above - - + +
   
- +

/etc/shorewall/hosts

- -
+ +
@@ -668,15 +668,15 @@ my own. I also build my own kernel as described above - - + +
ppp+:!192.168.1.0/24  
- +

/etc/shorewall/rules (For Shorewall versions up to and including 1.3.9b)

- -
- + +
+ @@ -709,11 +709,11 @@ my own. I also build my own kernel as described above - - + +
   
- +

/etc/shorewall/tunnels (For Shorewall versions 1.3.10 and later)

@@ -749,12 +749,12 @@ because I also run a PPTP server on my firewall (see above). Using this techniq allows me to distinguish clients of my own PPTP server from arbitrary hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients and Compaq doesn't use that RFC1918 Class C subnet.

- -

I use this script in /etc/init.d to control the client. The reason that + +

I use this script in /etc/init.d to control the client. The reason that I disable ECN when connecting is that the Compaq tunnel servers don't do ECN yet and reject the initial TCP connection request if I enable ECN :-(

- -
+ +

#!/bin/sh
#
# /etc/rc.d/init.d/pptp
@@ -816,10 +816,10 @@ yet and reject the initial TCP connection request if I enable ECN :-(

esac

- +

Here's my /etc/ppp/options file:

- -
+ +

#
# Identify this connection
#
@@ -863,11 +863,11 @@ yet and reject the initial TCP connection request if I enable ECN :-(

lcp-echo-failure 10
lcp-echo-interval 10

- +

My /etc/ppp/ip-up.local file sets up the routes that I need to route Compaq traffic through the PPTP tunnel:

- -
+ +

#/bin/sh

case $6 in
@@ -879,19 +879,19 @@ yet and reject the initial TCP connection request if I enable ECN :-(

    ;;
esac

- -

Finally, I run the following script every five minutes under crond to + +

Finally, I run the following script every five minutes under crond to restart the tunnel if it fails:

- + 
     #!/bin/sh
     restart_pptp() {
         /sbin/service pptp stop
         sleep 10
         if /sbin/service pptp start; then
             /usr/bin/logger "PPTP Restarted"
         fi
     }

     if [ -n "`ps ax | grep /usr/sbin/pptp | grep -v grep`" ]; then
         exit 0
     fi

     echo "Attempting to restart PPTP"

     restart_pptp > /dev/null 2>&1 &
- +

Here's a script and corresponding ip-up.local from Jerry Vonau that controls two PPTP connections.

- +

Last modified 10/23/2002 - Tom Eastep

- -

Copyright + +

Copyright © 2001, 2002 Thomas M. Eastep.



diff --git a/Shorewall-docs/ProxyARP.htm b/Shorewall-docs/ProxyARP.htm index faba6583a..53549db45 100644 --- a/Shorewall-docs/ProxyARP.htm +++ b/Shorewall-docs/ProxyARP.htm @@ -1,54 +1,54 @@ - + Shorewall Proxy ARP - + - + - + - + - - - + +
+

Proxy ARP
- -

Proxy ARP allows you to insert a firewall in front of a set of servers - without changing their IP addresses and without having to re-subnet. - Before you try to use this technique, I strongly recommend that you read + +

Proxy ARP allows you to insert a firewall in front of a set of servers + without changing their IP addresses and without having to re-subnet. + Before you try to use this technique, I strongly recommend that you read the Shorewall Setup Guide.

- +

The following figure represents a Proxy ARP environment.

- -
+ +

- +
- -

Proxy ARP can be used to make the systems with addresses - 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) - subnet.  Assuming that the upper firewall interface is eth0 and the - lower interface is eth1, this is accomplished using the following entries + +

Proxy ARP can be used to make the systems with addresses + 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) + subnet.  Assuming that the upper firewall interface is eth0 and the + lower interface is eth1, this is accomplished using the following entries in /etc/shorewall/proxyarp:

- -
+ +
@@ -69,45 +69,45 @@ the Shorewall Setup Guide.

- - + +
eth0 no
- -

Be sure that the internal systems (130.242.100.18 and 130.252.100.19  + +

Be sure that the internal systems (130.242.100.18 and 130.252.100.19  in the above example) are not included in any specification in /etc/shorewall/masq or /etc/shorewall/nat.

- -

Note that I've used an RFC1918 IP address for eth1 - that IP address is + +

Note that I've used an RFC1918 IP address for eth1 - that IP address is irrelevant.

- -

The lower systems (130.252.100.18 and 130.252.100.19) should have their - subnet mask and default gateway configured exactly the same way that + +

The lower systems (130.252.100.18 and 130.252.100.19) should have their + subnet mask and default gateway configured exactly the same way that the Firewall system's eth0 is configured. In other words, they should be configured just like they would be if they were parallel to the firewall rather than behind it.

- +

NOTE: Do not add the Proxy ARP'ed address(es) (130.252.100.18 and 130.252.100.19 in the above example)  to the external interface (eth0 in this example) of the firewall.

- -
-

A word of warning is in order here. ISPs typically configure - their routers with a long ARP cache timeout. If you move a system from + +

+

A word of warning is in order here. ISPs typically configure + their routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with Proxy ARP, it will - probably be HOURS before that system can communicate with the internet. + probably be HOURS before that system can communicate with the internet. There are a couple of things that you can try:

- +
    -
  1. (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP Illustrated, +
  2. (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP Illustrated, Vol 1 reveals that a

    - "gratuitous" ARP packet should cause the ISP's router to refresh their -ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the + "gratuitous" ARP packet should cause the ISP's router to refresh their +ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC address for its own IP; in addition to ensuring that the IP address isn't a duplicate...

    @@ -124,8 +124,8 @@ iputils package include "arping", whose "-U" flag does just that:
    proxied IP>
        arping -U -I eth0 66.58.99.83 # for example

    - Stevens goes on to mention that not all systems respond correctly to gratuitous - ARPs, but googling for "arping -U" seems to support the idea that it works + Stevens goes on to mention that not all systems respond correctly to gratuitous + ARPs, but googling for "arping -U" seems to support the idea that it works most of the time.

    To use arping with Proxy ARP in the above example, you would have to:
    @@ -141,44 +141,44 @@ dev eth0
        shorewall start

    3. -
  3. You can call your ISP and ask them to purge the stale ARP cache +
  4. You can call your ISP and ask them to purge the stale ARP cache entry but many either can't or won't purge individual entries.
    5. - +
- You can determine if your ISP's gateway ARP cache is stale using ping - and tcpdump. Suppose that we suspect that the gateway router has a stale + You can determine if your ISP's gateway ARP cache is stale using ping + and tcpdump. Suppose that we suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:
- -
+ +
	tcpdump -nei eth0 icmp
- -
-

Now from 130.252.100.19, ping the ISP's gateway (which we + +

+

Now from 130.252.100.19, ping the ISP's gateway (which we will assume is 130.252.100.254):

- -
+ +
	ping 130.252.100.254
- -
+ +

We can now observe the tcpdump output:

- -
+ +
	13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
	13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply
- -
-

Notice that the source MAC address in the echo request is - different from the destination MAC address in the echo reply!! In this - case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 + +

+

Notice that the source MAC address in the echo request is + different from the destination MAC address in the echo reply!! In this + case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still associates 130.252.100.19 with the NIC in that system rather than with the firewall's eth0.

- +

Last updated 3/21/2003 - Tom Eastep

Copyright © - + Springtime in Seattle!!! - + - + - + - - - + +
+

Visit Seattle in the Springtime!!!!
- +


@@ -36,14 +36,14 @@

- +

The view from my office window -- think I'll go out and enjoy the deck (Yes -- that is snow on the deck...).

- -

Updated 3/7/2003 - Tom Eastep + +

Updated 3/7/2003 - Tom Eastep

- +

Copyright © 2001, 2002 Thomas M. Eastep.


diff --git a/Shorewall-docs/Shorewall_CA_html.html b/Shorewall-docs/Shorewall_CA_html.html index df64c0309..712bece44 100644 --- a/Shorewall-docs/Shorewall_CA_html.html +++ b/Shorewall-docs/Shorewall_CA_html.html @@ -2,27 +2,27 @@ Shorewall Certificate Authority - + - + - + - - - + +
- + +

Shorewall Certificate Authority (CA) Certificate

Given that I develop and support Shorewall without asking for any renumeration, @@ -30,7 +30,7 @@ as Thawte (A Division of VeriSign) for an X.509 certificate to prove that I am who I am. I have therefore established my own Certificate Authority (CA) and sign my own X.509 certificates. I use these certificates on my list -server (https://lists.shorewall.net) +server (https://lists.shorewall.net) which hosts parts of this web site.

X.509 certificates are the basis for the Secure Socket Layer (SSL). As @@ -48,42 +48,42 @@ of bits (an X.509 certificate) for $200US+ per year!!!I
I wish that I had decided to become a CA rather that designing and writing Shorewall.

- What does this mean to you? It means that the X.509 certificate that my -server will present to your browser will not have been signed by one of the -authorities known to your browser. If you try to connect to my server using -SSL, your browser will frown and give you a dialog box asking if you want + What does this mean to you? It means that the X.509 certificate that my +server will present to your browser will not have been signed by one of the +authorities known to your browser. If you try to connect to my server using +SSL, your browser will frown and give you a dialog box asking if you want to accept the sleezy X.509 certificate being presented by my server.

There are two things that you can do:
- +
  1. You can accept the mail.shorewall.net certificate when your browser asks -- your acceptence of the certificate can be temporary (for that access only) or perminent.
    2. -
  2. You can download and install my (self-signed) CA -certificate. This will make my Certificate Authority known to your browser +
  3. You can download and install my (self-signed) CA +certificate. This will make my Certificate Authority known to your browser so that it will accept any certificate signed by me.
    4. - +
What are the risks?
- +
  1. If you install my CA certificate then you assume that I am trustworthy and that Shorewall running on your firewall won't redirect HTTPS requests - intented to go to your bank's server to one of my systems that will present + intented to go to your bank's server to one of my systems that will present your browser with a bogus certificate claiming that my server is that of your bank.
    2. -
  2. If you only accept my server's certificate when prompted then the +
  3. If you only accept my server's certificate when prompted then the most that you have to loose is that when you connect to https://mail.shorewall.net, the server you are connecting to might not be mine.
    4. - +
- I have my CA certificate loaded into all of my browsers but I certainly + I have my CA certificate loaded into all of my browsers but I certainly won't be offended if you decline to load it into yours... :-)
- +

Last Updated 1/17/2003 - Tom Eastep

- +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.

diff --git a/Shorewall-docs/Shorewall_CVS_Access.html b/Shorewall-docs/Shorewall_CVS_Access.html index 2bdd36ba8..e9d6d819a 100644 --- a/Shorewall-docs/Shorewall_CVS_Access.html +++ b/Shorewall-docs/Shorewall_CVS_Access.html @@ -2,27 +2,27 @@ Shorewall CVS Access - + - + - + - - - + +
+

Shorewall CVS Access



Lots of people try to download the entire Shorewall website for off-line @@ -33,18 +33,18 @@ the pages in Shorewall CVS access are cgi-generated which places a tremendous password controlled. When you are asked to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both the user name and the password.

- -
+ + - -

Updated 1/14/2002 - - Tom Eastep + +

Updated 1/14/2002 + - Tom Eastep

- -

Copyright + +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.



diff --git a/Shorewall-docs/Shorewall_Squid_Usage.html b/Shorewall-docs/Shorewall_Squid_Usage.html index 803a46e5b..1ae2992c4 100644 --- a/Shorewall-docs/Shorewall_Squid_Usage.html +++ b/Shorewall-docs/Shorewall_Squid_Usage.html @@ -2,14 +2,14 @@ Shorewall Squid Usage - + - + - + @@ -28,8 +28,8 @@
- - + +

This page covers Shorewall configuration to use with
-     The following instructions mention the files -/etc/shorewall/start and /etc/shorewall/init -- if you don't have those +     The following instructions mention the files +/etc/shorewall/start and /etc/shorewall/init -- if you don't have those files, siimply create them.

-     When the Squid server is in the DMZ zone or -in the local zone, that zone must be defined ONLY by its interface -- no -/etc/shorewall/hosts file entries. That is because the packets being routed +     When the Squid server is in the DMZ zone or +in the local zone, that zone must be defined ONLY by its interface -- no +/etc/shorewall/hosts file entries. That is because the packets being routed to the Squid server still have their original destination IP addresses.

@@ -70,32 +70,32 @@ to the Squid server still have their original destination IP addresses.
color="#009900">MANGLE_ENABLED=Yes

Three different configurations are covered:
- +
  1. Squid running on the Firewall.
    2. -
  2. Squid running in the +
  3. Squid running in the local network
    4. -
  4. Squid running in the +
  5. Squid running in the DMZ
    6. - +
- +

Squid Running on the Firewall

- You want to redirect all local www connection requests + You want to redirect all local www connection requests EXCEPT those to your - own http server (206.124.146.177) - to a Squid transparent - proxy running on the firewall and listening on port 3128. Squid + own http server (206.124.146.177) + to a Squid transparent + proxy running on the firewall and listening on port 3128. Squid will of course require access to remote web servers.

In /etc/shorewall/rules:

- -
+ +
- + @@ -107,7 +107,7 @@ EXCEPT those to your PORT(S) - + @@ -130,59 +130,59 @@ EXCEPT those to your - - - - - - - - - + + + + + + + + +
ACTION SOURCE ORIGINAL
DEST
REDIRECT

- +

Squid Running in the local network

- You want to redirect all local www connection requests to a Squid - transparent proxy + You want to redirect all local www connection requests to a Squid + transparent proxy running in your local zone at 192.168.1.3 and listening on port 3128. Your local interface is eth1. There may also be a web server running on 192.168.1.3. It is assumed that web access is already enabled from the local zone to the internet.
- -

WARNING: This setup may conflict with - other aspects of your gateway including but not limited to traffic shaping + +

WARNING: This setup may conflict with + other aspects of your gateway including but not limited to traffic shaping and route redirection. For that reason, I don't recommend it.

- +
  • On your firewall system, issue the following command
    • - +
- -
+ +
echo 202 www.out >> /etc/iproute2/rt_tables
- +
  • In /etc/shorewall/init, put:
    • - +
- -
+ +
if [ -z "`ip rule list | grep www.out`" ] ; then
	ip rule add fwmark 202 table www.out
	ip route add default via 192.168.1.3 dev eth1 table www.out
	ip route flush cache
	echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects
fi
- +
  • In /etc/shorewall/rules:

    - + - + @@ -194,7 +194,7 @@ EXCEPT those to your PORT(S) - + - - - - - - - - - + + + + + + + + +
    ACTION SOURCE ORIGINAL
    DEST
    ACCEPT
    @@ -209,21 +209,21 @@ EXCEPT those to your

  • Alternativfely, you can have the following policy:

    - + @@ -250,85 +250,85 @@ EXCEPT those to your - - + +


  • In /etc/shorewall/start add:
    • - +
- -
+ +
iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202
- +
    -
  • On 192.168.1.3, arrange for the following command to be executed +
  • On 192.168.1.3, arrange for the following command to be executed after networking has come up
    - + 
    iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    • - +
- -
If you are running RedHat on the server, you can simply execute + +
If you are running RedHat on the server, you can simply execute the following commands after you have typed the iptables command above:
- -
+ +
- + 
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables start
- +
- +

Squid Running in the DMZ (This is what I do)

- You have a single Linux system in your DMZ with IP address 192.0.2.177. - You want to run both a web server and Squid on that system. Your DMZ interface + You have a single Linux system in your DMZ with IP address 192.0.2.177. + You want to run both a web server and Squid on that system. Your DMZ interface is eth1 and your local interface is eth2.
- +
  • On your firewall system, issue the following command
    • - +
- -
+ +
echo 202 www.out >> /etc/iproute2/rt_tables
- +
  • In /etc/shorewall/init, put:
    • - +
- -
+ +
if [ -z "`ip rule list | grep www.out`" ] ; then
	ip rule add fwmark 202 table www.out
	ip route add default via 192.0.2.177 dev eth1 table www.out
	ip route flush cache
fi
- +
  •  Do one of the following:

    A) In /etc/shorewall/start add
    • - +
- -
+ +
	iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202
- -
B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf + +
B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf and add the following entry in /etc/shorewall/tcrules:
- -
-
+ +
+
@@ -359,15 +359,15 @@ EXCEPT those to your - - + +
-
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:
- -
-
+ +
+
@@ -398,19 +398,19 @@ EXCEPT those to your - - + +
-

- +
  • In /etc/shorewall/rules, you will need:
    • - +
- -
+ +
@@ -448,38 +448,38 @@ EXCEPT those to your - - + +


- +
    -
  • On 192.0.2.177 (your Web/Squid server), arrange for the following +
  • On 192.0.2.177 (your Web/Squid server), arrange for the following command to be executed after networking has come up
    - + 
    iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128
    • - +
- -
If you are running RedHat on the server, you can simply execute + +
If you are running RedHat on the server, you can simply execute the following commands after you have typed the iptables command above:
- -
+ +
- + 
iptables-save > /etc/sysconfig/iptables
chkconfig --level 35 iptables start
- +
- +

Updated 2/22/2003 - Tom Eastep

- - + + Copyright © 2003 Thomas M. Eastep.
diff --git a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html index 63b6b92fa..3006da5b1 100644 --- a/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html +++ b/Shorewall-docs/Shorewall_and_Aliased_Interfaces.html @@ -2,196 +2,168 @@ Shorewall and Aliased Interfaces - + - + - + - - - + + - - - - + + + + +
- - +
+ +

Shorewall and Aliased Interfaces

-
-
- -

Background

- The traditional net-tools contain a program called ifconfig which - is used to configure network devices. ifconfig introduced the concept of -aliased or virtial interfaces. These virtual interfaces have -names of the form interface:integer (e.g., eth0:0) and ifconfig -treats them more or less like real interfaces.
-
- Example:
- -
[root@gateway root]# ifconfig eth0:0
eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55
          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0x2000
[root@gateway root]#
- The ifconfig utility is being gradually phased out in favor of the ip - utility which is part of the iproute package. The ip utility does -not use the concept of aliases or virtual interfaces but rather treats additional - addresses on an interface as addresses. The ip utility does provide for interaction - with ifconfig in that it allows addresses to be labeled.
-
- Example:
-
- -
[root@gateway root]# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]#
- Note that one cannot type "ip addr show dev eth0:0"
- -
[root@gateway root]# ip addr show dev eth0:0
Device "eth0:0" does not exist.
[root@gateway root]#
- The iptables program doesn't support virtual interfaces in either it's -"-i" or "-o" command options; as a consequence, Shorewall does not allow -them to be used in the /etc/shorewall/interfaces file.
-
- -

So how do I handle more than one address on an interface?

- Depends on what you are trying to do with the interfaces. In the sub-sections - that follow, we'll take a look at common scenarios.
- -

Separate Rules

- If you need to make a rule for traffic to/from the firewall itself only -apply to a particular IP address, simply qualify the $FW zone with the IP -address.
-
- Example (allow SSH from net to eth0:0 above):
-
- -
- - - - - - - - - - - - - - - - - - - - - - -
ACTION
- 		SOURCE
- 		DESTINATION
- 		PROTOCOL
- 		PORT(S)
- 		SOURCE PORT(S)
- 		ORIGINAL DESTINATION
-
DNAT
- 		net
- 		fw:206.124.146.178
- 		tcp
- 		22
-
-
-

-
- -

DNAT

- Suppose that I had set up eth0:0 as above and I wanted to port forward -from that virtual interface to a web server running in my local zone at 192.168.1.3. - That is accomplised by a single rule in the /etc/shorewall/rules file:
+ +

Background

+ The traditional net-tools contain a program called ifconfig which + is used to configure network devices. ifconfig introduced the concept of + aliased or virtial interfaces. These virtual interfaces have + names of the form interface:integer (e.g., eth0:0) and ifconfig + treats them more or less like real interfaces.
+
+ Example:
+ +
[root@gateway root]# ifconfig eth0:0
eth0:0    Link encap:Ethernet  HWaddr 02:00:08:3:FA:55
          inet addr:206.124.146.178  Bcast:206.124.146.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          Interrupt:11 Base address:0x2000
[root@gateway root]#
+ The ifconfig utility is being gradually phased out in favor of the ip + utility which is part of the iproute package. The ip utility does + not use the concept of aliases or virtual interfaces but rather treats additional + addresses on an interface as objects. The ip utility does provide for interaction + with ifconfig in that it allows addresses to be labeled and labels +may take the form of ipconfig virtual interfaces.
+
+ Example:
+
+ +
[root@gateway root]# ip addr show dev eth0
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0
[root@gateway root]#
+ Note that one cannot type "ip addr show dev eth0:0" because "eth0:0" +is a label for a particular address rather than a device name.
+ +
[root@gateway root]# ip addr show dev eth0:0
Device "eth0:0" does not exist.
[root@gateway root]#
+ The iptables program doesn't support virtual interfaces in either it's + "-i" or "-o" command options; as a consequence, Shorewall does not allow + them to be used in the /etc/shorewall/interfaces file.
+
+ +

So how do I handle more than one address on an interface?

+ The answer depends on what you are trying to do with the interfaces. +In the sub-sections that follow, we'll take a look at common scenarios.
+ +

Separate Rules

+ If you need to make a rule for traffic to/from the firewall itself that +only applies to a particular IP address, simply qualify the $FW zone with +the IP address.

- -
+ Example (allow SSH from net to eth0:0 above):
+
+ +
- - - - - - - - - - - - + + + + + + + + + + + + + + + + - - - - - - - - - + + +
ACTION
- 		SOURCE
- 		DESTINATION
- 		PROTOCOL
- 		PORT(S)
- 		SOURCE PORT(S)
- 		ORIGINAL DESTINATION
-
DNAT
+
ACTION
+ 		SOURCE
+ 		DESTINATION
+ 		PROTOCOL
+ 		PORT(S)
+ 		SOURCE PORT(S)
+ 		ORIGINAL DESTINATION
+
DNAT
+ 		net
+ 		fw:206.124.146.178
+ 		tcp
+ 		22
+
net
+
loc:192.168.1.3
- 		tcp
- 		80
- 		-
- 		206.124.146.178
-

- + +

DNAT

+ Suppose that I had set up eth0:0 as above and I wanted to port forward + from that virtual interface to a web server running in my local zone at +192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules +file:
+
+ +
+ + + + + + + + + + + + + + + + + + + + + + +
ACTION
+ 		SOURCE
+ 		DESTINATION
+ 		PROTOCOL
+ 		PORT(S)
+ 		SOURCE PORT(S)
+ 		ORIGINAL DESTINATION
+
DNAT
+ 		net
+ 		loc:192.168.1.3
+ 		tcp
+ 		80
+ 		-
+ 		206.124.146.178
+
+
+
+

SNAT

- If you wanted to use eth0:0 as the IP address for outbound connections -from your local zone (eth1), then in /etc/shorewall/masq:
-
- -
- - - - - - - - - - - - - - -
INTERFACE
- 		SUBNET
- 		ADDRESS
-
eth0
- 		eth1
- 		206.124.146.178
-
-
-
- Shorewall can create the alias (additional address) for you if you set -ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall -1.3.14, Shorewall can actually create the "label" (virtual interface) so -that you can see the created address using ifconfig. In addition to setting -ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE -column as follows:
- -
+ If you wanted to use eth0:0 as the IP address for outbound connections + from your local zone (eth1), then in /etc/shorewall/masq:
+
+ +
@@ -203,65 +175,56 @@ column as follows:
- - - + +
eth0:0
+ 		eth0
 eth1
 206.124.146.178

- -

STATIC NAT

- If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, - you would have the following in /etc/shorewall/nat:
-
- -
+ Shorewall can create the alias (additional address) for you if you set + ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall + 1.3.14, Shorewall can actually create the "label" (virtual interface) so + that you can see the created address using ifconfig. In addition to setting + ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE + column as follows:
+ +
- - - - - - - - - - - - - - - - - + + + + + + + + + + + + +
EXTERNAL
- 		INTERFACE
- 		INTERNAL
- 		ALL INTERFACES
- 		LOCAL
-
206.124.146.178
- 		eth0
- 		192.168.1.3
- 		no
- 		no
-
INTERFACE
+ 		SUBNET
+ 		ADDRESS
+
eth0:0
+ 		eth1
+ 		206.124.146.178
+
-
-
- Shorewall can create the alias (additional address) for you if you set -ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall -1.3.14, Shorewall can actually create the "label" (virtual interface) so -that you can see the created address using ifconfig. In addition to setting -ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE -column as follows:
-
- -
+
+
+ +

STATIC NAT

+ If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, + you would have the following in /etc/shorewall/nat:
+
+ +
@@ -279,7 +242,7 @@ column as follows:
- @@ -288,188 +251,118 @@ column as follows:
- - + +
206.124.146.178
eth0:0
+ 		eth0
 192.168.1.3
 no

-
- In either case, to create rules that pertain only to this NAT pair, you -simply qualify the local zone with the internal IP address.
-
- Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.
-
- -
- - - - - - - - - - - - - - - - - - - - - - -
ACTION
- 		SOURCE
- 		DESTINATION
- 		PROTOCOL
- 		PORT(S)
- 		SOURCE PORT(S)
- 		ORIGINAL DESTINATION
-
ACCEPT
- 		net
- 		loc:192.168.1.3
- 		tcp
- 		22
-
-
-
+
+ Shorewall can create the alias (additional address) for you if you set + ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall + 1.3.14, Shorewall can actually create the "label" (virtual interface) so + that you can see the created address using ifconfig. In addition to setting + ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE + column as follows:

-
- -

MULTIPLE SUBNETS

- Sometimes multiple IP addresses are used because there are multiple subnetworks - configured on a LAN segment. This technique does not provide for any security - between the subnetworks if the users of the systems have administrative privileges - because in that case, the users can simply manipulate their system's routing - table to bypass your firewall/router. Nevertheless, there are cases where - you simply want to consider the LAN segment itself as a zone and allow your - firewall/router to route between the two subnetworks.
-
- Example 1:  Local interface eth1 interfaces to 192.168.1.0/24 and -192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 -is 192.168.20.254. You want to simply route all requests between the two -subnetworks.
-
- In /etc/shorewall/interfaces:
-
- -
+ +
- - - - - - - - - - - - - - - + + + + + + + + + + + + + + + + +
ZONE
- 		INTERFACE
- 		BROADCAST
- 		OPTIONS
-
loc
- 		eth1
- 		192.168.1.255,192.168.20.255
- 		Note 1:
-
EXTERNAL
+ 		INTERFACE
+ 		INTERNAL
+ 		ALL INTERFACES
+ 		LOCAL
+
206.124.146.178
+ 		eth0:0
+ 		192.168.1.3
+ 		no
+ 		no
+
-
+
- Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify - the multi option.
+ In either case, to create rules that pertain only to this NAT pair, you + simply qualify the local zone with the internal IP address.

- In /etc/shorewall/policy:
+ Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. +192.168.1.3.

- -
- - - - - - - - - - - - - - - - - - -
SOURCE
- 		DESTINATION
- 		POLICY
- 		LOG LEVEL
- 		BURST:LIMIT
-
loc
- 		loc
- 		ACCEPT
-
-
-
-
-
- Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. - The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. - You want to make these subnetworks into separate zones and control the -access between them (the users of the systems do not have administrative -privileges).
-
- In /etc/shorewall/zones:
-
- -
- - - - - - - - - - - - - - - - - - - -
ZONE
- 		DISPLAY
- 		DESCRIPTION
-
loc
- 		Local
- 		Local Zone 1
-
loc2
- 		Local2
- 		Local Zone 2
-
-
-
- In /etc/shorewall/interfaces:
-
- -
- + +
+
+ + + + + + + + + + + + + + + + + + + + +
ACTION
+ 		SOURCE
+ 		DESTINATION
+ 		PROTOCOL
+ 		PORT(S)
+ 		SOURCE PORT(S)
+ 		ORIGINAL DESTINATION
+
ACCEPT
+ 		net
+ 		loc:192.168.1.3
+ 		tcp
+ 		22
+
+
+
+
+
+ +

MULTIPLE SUBNETS

+ Sometimes multiple IP addresses are used because there are multiple subnetworks + configured on a LAN segment. This technique does not provide for any security + between the subnetworks if the users of the systems have administrative +privileges because in that case, the users can simply manipulate their system's +routing table to bypass your firewall/router. Nevertheless, there are cases +where you simply want to consider the LAN segment itself as a zone and allow +your firewall/router to route between the two subnetworks.
+
+ Example 1:  Local interface eth1 interfaces to 192.168.1.0/24 and + 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 + is 192.168.20.254. You want to simply route all requests between the two + subnetworks.
+ +

If you are running Shorewall 1.4.1 or Later

+In /etc/shorewall/interfaces:
+
+ + @@ -487,26 +380,64 @@ privileges).
- - - + +
ZONE
 192.168.1.255,192.168.20.255
Note 1:
+
+
+
+ In /etc/shorewall/hosts:
+ +
+ + + + + + + + + + + + + + + + + + + +
ZONE
+ 		HOSTS
+ 		OPTIONS
+
loc
+ 		eth0:192.168.1.0/24
+
+
loc
+ 		eth0:192.168.20.0/24
+
+
+
+
+Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall +1.4.1 and later releases default to allowing intra-zone traffic.
+

If you are running Shorewall 1.4.0 or earlier
+

+In /etc/shorewall/interfaces:

-
- Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify - the multi option.
-
- In /etc/shorewall/hosts:
- -
+ +
- + @@ -514,36 +445,177 @@ privileges).
- + + + + + +
ZONE
HOSTS
+ 		INTERFACE
+ 		BROADCAST
 OPTIONS
loc
eth0:192.168.1.0/24
+ 		eth1
+ 		192.168.1.255,192.168.20.255
+ 		Note 1:
+
+
+
+ Note 1: If you are running Shorewall 1.3.10 or earlier then you must +specify the multi option.
+
+ In /etc/shorewall/policy:
+
+ +
+ + + + + + + + + + + + + + + + + +
SOURCE
+ 		DESTINATION
+ 		POLICY
+ 		LOG LEVEL
+ 		BURST:LIMIT
+
loc
+ 		loc
+ 		ACCEPT

+
+
+
+ Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24. + The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254. + You want to make these subnetworks into separate zones and control the access + between them (the users of the systems do not have administrative privileges).
+
+ In /etc/shorewall/zones:
+
+ +
+ + + + + + + + + + + - - - - + +
ZONE
+ 		DISPLAY
+ 		DESCRIPTION
+
loc
+ 		Local
+ 		Local Zone 1
+
loc2
eth0:192.168.20.0/24
+ 		Local2

+ 		Local Zone 2
-
-
- In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that - you want to permit.
-
- -

Last Updated 3/5/2003 A - Tom Eastep

- -

Copyright © - 2001, 2002, 2003 Thomas M. Eastep.
-
-


-
+
+ In /etc/shorewall/interfaces:
+
+ +
+ + + + + + + + + + + + + + + + +
ZONE
+ 		INTERFACE
+ 		BROADCAST
+ 		OPTIONS
+
-
+ 		eth1
+ 		192.168.1.255,192.168.20.255
+ 		Note 1:
+
+
+
+ Note 1: If you are running Shorewall 1.3.10 or earlier then you must +specify the multi option.
+
+ In /etc/shorewall/hosts:
+ +
+ + + + + + + + + + + + + + + + + + + +
ZONE
+ 		HOSTS
+ 		OPTIONS
+
loc
+ 		eth0:192.168.1.0/24
+
+
loc2
+ 		eth0:192.168.20.0/24
+
+
+
+
+ In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic +that you want to permit.
+
+ +

Last Updated 3/22/2003 A - Tom Eastep

+ +

Copyright © + 2001, 2002, 2003 Thomas M. Eastep.
+
+

+
+
+
diff --git a/Shorewall-docs/Shorewall_index_frame.htm b/Shorewall-docs/Shorewall_index_frame.htm index ddb2bd735..dd65643c9 100644 --- a/Shorewall-docs/Shorewall_index_frame.htm +++ b/Shorewall-docs/Shorewall_index_frame.htm @@ -1,47 +1,47 @@ - - + + - - + + - - + + - - + + Shorewall Index - + - + target="main"> + - + - - - - + + +
- - - - + + + + +

Shorewall
- - - + bgcolor="#ffffff"> + + + - - - - + + + +
- +

- Note: Search is unavailable + Note: Search is unavailable Daily 0200-0330 GMT.
- - + +

Quick Search
- - + +

Extended Search

- +

Copyright © 2001-2003 Thomas M. Eastep.

- + diff --git a/Shorewall-docs/Shorewall_sfindex_frame.htm b/Shorewall-docs/Shorewall_sfindex_frame.htm index c3693715a..e8a4b4365 100644 --- a/Shorewall-docs/Shorewall_sfindex_frame.htm +++ b/Shorewall-docs/Shorewall_sfindex_frame.htm @@ -1,47 +1,47 @@ - - + + - - + + - - + + - - + + Shorewall Index - - - - + + + + - + - - - - + + +
- - - - + + + + +

Shorewall
- - - + bgcolor="#ffffff"> + + + - - - - - + + + + +
- - + +

Note: Search is unavailable Daily 0200-0330 GMT.
- - + +

Quick Search
- + - - + +

Extended Search

- - + +

Copyright © 2001-2003 Thomas M. Eastep.

diff --git a/Shorewall-docs/VPN.htm b/Shorewall-docs/VPN.htm index 893839efc..29c2cf414 100755 --- a/Shorewall-docs/VPN.htm +++ b/Shorewall-docs/VPN.htm @@ -1,57 +1,57 @@ - + - + - + - + VPN - + - - +
+

VPN
- +

It is often the case that a system behind the firewall needs to be able to access a remote network through Virtual Private Networking (VPN). The two most common means for doing this are IPSEC and PPTP. The basic setup is shown in the following diagram:

- +

- +

A system with an RFC 1918 address needs to access a remote network through a remote gateway. For this example, we will assume that the local system has IP address 192.168.1.12 and that the remote gateway has IP address 192.0.2.224.

- +

If PPTP is being used, there are no firewall requirements beyond the default loc->net ACCEPT policy. There is one restriction however: Only one local system at a time can be connected to a single remote gateway unless you patch your kernel from the 'Patch-o-matic' patches available at http://www.netfilter.org.

- +

If IPSEC is being used then only one system may connect to the remote gateway and there are firewall configuration requirements as follows:

- -
+ +
@@ -84,17 +84,17 @@ follows:

- +
   
- +

If you want to be able to give access to all of your local systems to the remote network, you should consider running a VPN client on your firewall. As starting points, see http://www.shorewall.net/Documentation.htm#Tunnels or http://www.shorewall.net/PPTP.htm.

- +

Last modified 12/21/2002 - Tom Eastep

Copyright © 2002 Thomas M. Eastep.

diff --git a/Shorewall-docs/blacklisting_support.htm b/Shorewall-docs/blacklisting_support.htm index 8a36ff001..cd091bcd4 100644 --- a/Shorewall-docs/blacklisting_support.htm +++ b/Shorewall-docs/blacklisting_support.htm @@ -1,42 +1,42 @@ - + - + - + - + Blacklisting Support - + - - - + +
+

Blacklisting Support
- +

Shorewall supports two different forms of blacklisting; static and dynamic.

- +

Static Blacklisting

- +

Shorewall static blacklisting support has the following configuration parameters:

- + - +

Dynamic Blacklisting

- +

Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting doesn't use any configuration parameters but is rather controlled using /sbin/shorewall commands:

- +
  • drop <ip address list> - causes packets from the listed IP addresses to be silently dropped by the firewall.
    • @@ -71,25 +71,25 @@ listed IP addresses to be rejected by the firewall.
  • save - save the dynamic blacklisting configuration so that it will be automatically restored the next time that the firewall is restarted.
  • show dynamic - displays the dynamic blacklisting configuration.
    • - +
Dynamic blacklisting is not dependent on the "blacklist" option in /etc/shorewall/interfaces.
- +

Example 1:

- + 
     shorewall drop 192.0.2.124 192.0.2.125
- +

    Drops packets from hosts 192.0.2.124 and 192.0.2.125

- +

Example 2:

- + 
     shorewall allow 192.0.2.125
- +

    Reenables access from 192.0.2.125.

- +

Last updated 2/7/2003 - Tom Eastep

- +

Copyright © 2002, 2003 Thomas M. Eastep.


diff --git a/Shorewall-docs/configuration_file_basics.htm b/Shorewall-docs/configuration_file_basics.htm index ad30e3e78..cf1ae3431 100644 --- a/Shorewall-docs/configuration_file_basics.htm +++ b/Shorewall-docs/configuration_file_basics.htm @@ -1,50 +1,50 @@ - + - + - + - + Configuration File Basics - + - - - + +
- - + + +

Configuration Files
- -

Warning: If you copy or edit your - configuration files on a system running Microsoft Windows, you must + +

Warning: If you copy or edit your + configuration files on a system running Microsoft Windows, you must run them through dos2unix + href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix before you use them with Shorewall.

- +

Files

- +

Shorewall's configuration files are in the directory /etc/shorewall.

- +
    -
  • /etc/shorewall/shorewall.conf - used to set +
  • /etc/shorewall/shorewall.conf - used to set several firewall parameters.
  • /etc/shorewall/params - use this file to set shell variables that you will expand in other files.
    • -
  • /etc/shorewall/zones - partition the firewall's +
  • /etc/shorewall/zones - partition the firewall's view of the world into zones.
  • /etc/shorewall/policy - establishes firewall high-level policy.
    • @@ -56,75 +56,75 @@ several firewall parameters. where to use many-to-one (dynamic) Network Address Translation (a.k.a. Masquerading) and Source Network Address Translation (SNAT). -
  • /etc/shorewall/modules - directs the firewall +
  • /etc/shorewall/modules - directs the firewall to load kernel modules.
    • -
  • /etc/shorewall/rules - defines rules that are +
  • /etc/shorewall/rules - defines rules that are exceptions to the overall policies established in /etc/shorewall/policy.
  • /etc/shorewall/nat - defines static NAT rules.
  • /etc/shorewall/proxyarp - defines use of Proxy ARP.
  • /etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts accessible when Shorewall is stopped.
    • -
  • /etc/shorewall/tcrules - defines marking of +
  • /etc/shorewall/tcrules - defines marking of packets for later use by traffic control/shaping or policy routing.
  • /etc/shorewall/tos - defines rules for setting the TOS field in packet headers.
    • -
  • /etc/shorewall/tunnels - defines IPSEC, GRE +
  • /etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on the firewall system.
  • /etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.
    • -
  • /etc/shorewall/init - commands that you wish to execute at the +
  • /etc/shorewall/init - commands that you wish to execute at the beginning of a "shorewall start" or "shorewall restart".
  • /etc/shorewall/start - commands that you wish to execute at the completion of a "shorewall start" or "shorewall restart"
    • -
  • /etc/shorewall/stop - commands that you wish to execute at the +
  • /etc/shorewall/stop - commands that you wish to execute at the beginning of a "shorewall stop".
  • /etc/shorewall/stopped - commands that you wish to execute at the completion of a "shorewall stop".
  • /etc/shorewall/ecn - disable Explicit Congestion Notification (ECN - RFC 3168) to remote hosts or networks.
    • - +
- +

Comments

- +

You may place comments in configuration files by making the first non-whitespace character a pound sign ("#"). You may also place comments at the end of any line, again by delimiting the comment from the rest of the line with a pound sign.

- +

Examples:

- + 
# This is a comment
- + 
ACCEPT	net	fw	tcp	www	#This is an end-of-line comment
- +

Line Continuation

- -

You may continue lines in the configuration files using the usual backslash + +

You may continue lines in the configuration files using the usual backslash ("\") followed immediately by a new line character.

- +

Example:

- + 
ACCEPT	net	fw	tcp \
smtp,www,pop3,imap  #Services running on the firewall
- +

Using DNS Names

- +

- +

WARNING: I personally recommend strongly against using DNS names in Shorewall configuration files. If you use DNS names and you are called out of bed at 2:00AM because Shorewall won't start as a result of DNS problems then don't say that you were not forewarned.

- +

    -Tom

- -

Beginning with Shorwall 1.3.9, Host addresses in Shorewall - configuration files may be specified as either IP addresses or DNS + +

Beginning with Shorwall 1.3.9, Host addresses in Shorewall + configuration files may be specified as either IP addresses or DNS Names.

DNS names in iptables rules aren't nearly as useful as @@ -133,17 +133,17 @@ utility resolves the name to one or more IP addresses and inserts those addresses into the rule. So changes in the DNS->IP address relationship that occur after the firewall has started have absolutely no effect on the firewall's ruleset.

- +

If your firewall rules include DNS names then:

- +
    -
  • If your /etc/resolv.conf is wrong then your firewall +
  • If your /etc/resolv.conf is wrong then your firewall won't start.
    • -
  • If your /etc/nsswitch.conf is wrong then your firewall +
  • If your /etc/nsswitch.conf is wrong then your firewall won't start.
    • -
  • If your Name Server(s) is(are) down then your firewall +
  • If your Name Server(s) is(are) down then your firewall won't start.
    • -
  • If your startup scripts try to start your firewall +
  • If your startup scripts try to start your firewall before starting your DNS server then your firewall won't start.
  • Factors totally outside your control (your ISP's router @@ -151,131 +151,131 @@ before starting your DNS server then your firewall won't start.
  • You must bring up your network interfaces prior to starting your firewall.
    • - +
- -

Each DNS name much be fully qualified and include a minumum - of two periods (although one may be trailing). This restriction is - imposed by Shorewall to insure backward compatibility with existing + +

Each DNS name much be fully qualified and include a minumum + of two periods (although one may be trailing). This restriction is + imposed by Shorewall to insure backward compatibility with existing configuration files.

Examples of valid DNS names:

- +
  • mail.shorewall.net
  • shorewall.net. (note the trailing period).
    • - +
Examples of invalid DNS names:
- +
  • mail (not fully qualified)
  • shorewall.net (only one period)
    • - +
DNS names may not be used as:
- +
  • The server address in a DNAT rule (/etc/shorewall/rules file)
  • In the ADDRESS column of an entry in /etc/shorewall/masq.
  • In the /etc/shorewall/nat file.
    • - +
These restrictions are not imposed by Shorewall simply for your inconvenience but are rather limitations of iptables.
- +

Complementing an Address or Subnet

- -

Where specifying an IP address, a subnet or an interface, you can - precede the item with "!" to specify the complement of the item. For + +

Where specifying an IP address, a subnet or an interface, you can + precede the item with "!" to specify the complement of the item. For example, !192.168.1.4 means "any host but 192.168.1.4". There must be no white space following the "!".

- +

Comma-separated Lists

- -

Comma-separated lists are allowed in a number of contexts within the + +

Comma-separated lists are allowed in a number of contexts within the configuration files. A comma separated list:

- +
  • Must not have any embedded white space.
    Valid: routefilter,dhcp,norfc1918
    Invalid: routefilter,     dhcp,     norfc1818
    • -
  • If you use line continuation to break a comma-separated - list, the continuation line(s) must begin in column 1 (or +
  • If you use line continuation to break a comma-separated + list, the continuation line(s) must begin in column 1 (or there would be embedded white space)
  • Entries in a comma-separated list may appear in any order.
    • - +
- +

Port Numbers/Service Names

- -

Unless otherwise specified, when giving a port number you can use + +

Unless otherwise specified, when giving a port number you can use either an integer or a service name from /etc/services.

- +

Port Ranges

- -

If you need to specify a range of ports, the proper syntax is <low - port number>:<high port number>. For example, - if you want to forward the range of tcp ports 4000 through 4100 to + +

If you need to specify a range of ports, the proper syntax is <low + port number>:<high port number>. For example, + if you want to forward the range of tcp ports 4000 through 4100 to local host 192.168.1.3, the entry in /etc/shorewall/rules is:

- + 
     DNAT	net	loc:192.168.1.3	tcp	4000:4100
If you omit the low port number, a value of zero is assumed; if you omit the high port number, a value of 65535 is assumed.
- +

Using Shell Variables

- -

You may use the /etc/shorewall/params file to set shell variables + +

You may use the /etc/shorewall/params file to set shell variables that you can then use in some of the other configuration files.

- +

It is suggested that variable names begin with an upper case letter to distinguish them from variables used internally + size="1"> to distinguish them from variables used internally within the Shorewall programs

- +

Example:

- -
- + +
+ 
NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=routefilter,norfc1918
- +


Example (/etc/shorewall/interfaces record):

- -
- + face="Century Gothic, Arial, Helvetica"> + +
+ 
net $NET_IF $NET_BCAST $NET_OPTIONS
- - + +

The result will be the same as if the record had been written

- -
- + face="Century Gothic, Arial, Helvetica"> + +
+ 
net eth0 130.252.100.255 routefilter,norfc1918
- - - -

Variables may be used anywhere in the other configuration + + + +

Variables may be used anywhere in the other configuration files.

- +

Using MAC Addresses

- -

Media Access Control (MAC) addresses can be used to specify packet + +

Media Access Control (MAC) addresses can be used to specify packet source in several of the configuration files. To use this feature, - your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) + your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC) included.

- -

MAC addresses are 48 bits wide and each Ethernet Controller has a + +

MAC addresses are 48 bits wide and each Ethernet Controller has a unique MAC address.

In GNU/Linux, MAC addresses are usually written as @@ -283,12 +283,12 @@ local host 192.168.1.3, the entry in /etc/shorewall/rules is:

     [root@gateway root]# ifconfig eth0
     eth0 Link encap:Ethernet HWaddr 02:00:08:E3:FA:55
-      inet addr:206.124.146.176 Bcast:206.124.146.255 +      inet addr:206.124.146.176 Bcast:206.124.146.255 Mask:255.255.255.0
     UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
-      RX packets:2398102 errors:0 dropped:0 overruns:0 +      RX packets:2398102 errors:0 dropped:0 overruns:0 frame:0
-      TX packets:3044698 errors:0 dropped:0 overruns:0 +      TX packets:3044698 errors:0 dropped:0 overruns:0 carrier:0
     collisions:30394 txqueuelen:100
     RX bytes:419871805 (400.4 Mb) TX bytes:1659782221 @@ -301,44 +301,44 @@ in another way. In Shorewall, MAC addresses begin with a tilde ("~") and consist of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in the example above would be written "~02-00-08-E3-FA-55".

- -

Note: It is not necessary to use the special Shorewall notation + +

Note: It is not necessary to use the special Shorewall notation in the /etc/shorewall/maclist file.

- +

Shorewall Configurations

- -

Shorewall allows you to have configuration directories other than /etc/shorewall. - The shorewall start -and restart commands allow you to specify an alternate configuration - directory and Shorewall will use the files in the alternate directory - rather than the corresponding files in /etc/shorewall. The alternate + +

Shorewall allows you to have configuration directories other than /etc/shorewall. + The shorewall start +and restart commands allow you to specify an alternate configuration + directory and Shorewall will use the files in the alternate directory + rather than the corresponding files in /etc/shorewall. The alternate directory need not contain a complete configuration; those files not in the alternate directory will be read from /etc/shorewall.

- -

This facility permits you to easily create a test or temporary configuration + +

This facility permits you to easily create a test or temporary configuration by:

- +
  1. copying the files that need modification from /etc/shorewall to a separate directory;
    2. -
  2. modify those files in the separate directory; +
  3. modify those files in the separate directory; and
  4. specifying the separate directory in a shorewall start or shorewall restart command (e.g., shorewall -c /etc/testconfig restart ).
    5. - +
- - - - + + + +

Updated 2/24/2003 - Tom Eastep

- - - -

Copyright + + + +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.


diff --git a/Shorewall-docs/copyright.htm b/Shorewall-docs/copyright.htm index f2877a9c6..387a1a254 100644 --- a/Shorewall-docs/copyright.htm +++ b/Shorewall-docs/copyright.htm @@ -1,37 +1,37 @@ - + - + - + - + Copyright - + - - +
+

Copyright
- +

Copyright ©  2000, 2001, 2003 Thomas M Eastep
 

- -
+ +

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.1 or any later version published by the Free Software Foundation; with diff --git a/Shorewall-docs/dhcp.htm b/Shorewall-docs/dhcp.htm index d736f42eb..14fe573ab 100644 --- a/Shorewall-docs/dhcp.htm +++ b/Shorewall-docs/dhcp.htm @@ -1,80 +1,80 @@ - + - + - + - + DHCP - + - - +
+

DHCP
- +

If you want to Run a DHCP Server on your firewall

- +
    -
  • -

    Specify the "dhcp" option on each interface to be - served by your server in the /etc/shorewall/interfaces +

  • +

    Specify the "dhcp" option on each interface to be + served by your server in the /etc/shorewall/interfaces file. This will generate rules that will allow DHCP to and from your firewall system.

    • -
  • +

  • When starting "dhcpd", you need to list those interfaces -on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd. +on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.

- +

If a Firewall Interface gets its IP Address via DHCP

- +
    -
  • +

  • Specify the "dhcp" option for this interface in the - /etc/shorewall/interfaces + /etc/shorewall/interfaces file. This will generate rules that will allow DHCP to and from your firewall system.

    • -
  • +

  • If you know that the dynamic address is always going -to be in the same subnet, you can specify the subnet address in the interface's - entry in the /etc/shorewall/interfaces +to be in the same subnet, you can specify the subnet address in the interface's + entry in the /etc/shorewall/interfaces file.

    • -
  • +

  • If you don't know the subnet address in advance, you should specify "detect" for the interface's subnet address in the /etc/shorewall/interfaces file and start Shorewall after the interface has started.

    • -
  • -

    In the event that the subnet address might change while +

  • +

    In the event that the subnet address might change while Shorewall is started, you need to arrange for a "shorewall refresh" command to be executed when a new dynamic IP address gets assigned to the interface. Check your DHCP client's documentation.

- +

Last updated 11/03/2002 - Tom Eastep

- +

Copyright © 2001, 2002 Thomas M. Eastep.


diff --git a/Shorewall-docs/download.htm b/Shorewall-docs/download.htm index cd2cee24c..b24c2eb5f 100644 --- a/Shorewall-docs/download.htm +++ b/Shorewall-docs/download.htm @@ -1,60 +1,60 @@ - + - + - + - + Download - + - - - + +
- - + + +

Shorewall Download
- - + +

I strongly urge you to read and print a copy of the Shorewall QuickStart Guide + href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide for the configuration that most closely matches your own.

- -

The entire set of Shorewall documentation is available in PDF format + +

The entire set of Shorewall documentation is available in PDF format at:

- +

    ftp://slovakia.shorewall.net/mirror/shorewall/pdf/
    http://slovakia.shorewall.net/pub/shorewall/pdf/
-     rsync://slovakia.shorewall.net/shorewall/pdf/ +     rsync://slovakia.shorewall.net/shorewall/pdf/

- +

The documentation in HTML format is included in the .rpm and in the .tgz packages below.

- -

Once you've printed the appropriate QuickStart Guide, download + +

Once you've printed the appropriate QuickStart Guide, download one of the modules:

- + - +

The documentation in HTML format is included in the .tgz and .rpm files and there is an documentation .deb that also contains the documentation.  The .rpm will install the documentation in your default document directory which can be obtained using the following command:

- -
+ +

rpm --eval '%{defaultdocdir}'

- +

Please verify the version that you have downloaded -- during the release of a new version of Shorewall, the links below may point to a newer or an older version than is shown below.

- +
  • RPM - "rpm -qip LATEST.rpm"
    • -
  • TARBALL - "tar -ztf LATEST.tgz" (the directory +
  • TARBALL - "tar -ztf LATEST.tgz" (the directory name will contain the version)
  • LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar -zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
    • - +
- +

Once you have verified the version, check the errata to see - if there are updates that apply to the version that you have + if there are updates that apply to the version that you have downloaded.

- +

WARNING - YOU CAN NOT SIMPLY INSTALL - THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION - IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed + THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION + IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.

- -

Download Latest Version (1.4.0): Remember that updates - to the mirrors occur 1-12 hours after an update to the Washington + +

Download Latest Version (1.4.0): Remember that updates + to the mirrors occur 1-12 hours after an update to the Washington State site.

- -
+ +
@@ -139,16 +139,16 @@ the Debian @@ -156,16 +156,16 @@ the Debian href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download .rpm  
Download + href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download .tgz 
Download + href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download .lrp
+ href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums"> Download.md5sums
Download + href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.samples">Download .samples
 @@ -177,29 +177,29 @@ the Debian href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm
Download + href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download .tgz 
Download + href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download .lrp
+ href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums"> Download.md5sums
Download + href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.samples">Download .samples
 @@ -231,16 +231,16 @@ the Debian href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download .rpm  
Download + href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download .tgz 
Download + href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download .lrp
Download + href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download .md5sums
Download + href="ftp://germany.shorewall.net/pub/shorewall/LATEST.samples">Download .samples
 @@ -252,16 +252,16 @@ the Debian href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm  
Download + href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download .tgz 
+ href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> Download .lrp
Download + href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download .md5sums
 + href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples"> Download .samples
 @@ -269,16 +269,16 @@ the Debian href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm  
Download + href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download .tgz 
+ href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp"> Download .lrp
Download + href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download .md5sums
 + href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.samples"> Download .samples
 @@ -289,15 +289,15 @@ the Debian @@ -305,7 +305,7 @@ the Debian href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download .rpm  
Download + href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download .tgz 
Download @@ -327,16 +327,16 @@ the Debian - - - + + +
Download .rpm
Download + href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download .tgz 
Download + href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download .lrp
+ href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums"> Download.md5sums
Download + href="http://slovakia.shorewall.net/pub/shorewall/LATEST.samples">Download .samples
 Download .rpm  
Download + href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download .tgz 
Download .lrp
+ href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums"> Download.md5sums
 Download @@ -214,16 +214,16 @@ the Debian href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download .rpm
Download + href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download .tgz
Download + href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download .lrp
+ href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums"> Download.md5sums
Download + href="http://germany.shorewall.net/pub/shorewall/LATEST.samples">Download .samples
 Download .rpm
Download + href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz 
Download + href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp
Download + href="http://france.shorewall.net/pub/LATEST.md5sums">Download .md5sums
- Download + Download .samples
 Download .rpm
Download + href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download .tgz 
Download + href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download .lrp
Download + href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download .md5sums
Download + href="http://www.shorewall.net/pub/shorewall/LATEST.samples">Download .samples
 Debian href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download .lrp
Download + href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download .md5sums
Download .samples
- +

Browse Download Sites:

- -
+ +
@@ -429,26 +429,26 @@ the Debian - - - + + +
Browse
- +

CVS:

- -
+ +

The CVS repository - at cvs.shorewall.net contains the latest snapshots of the each - Shorewall component. There's no guarantee that what you find there + href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository + at cvs.shorewall.net contains the latest snapshots of the each + Shorewall component. There's no guarantee that what you find there will work at all.

- +

Last Updated 3/6/2003 - Tom Eastep

- +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.

diff --git a/Shorewall-docs/errata.htm b/Shorewall-docs/errata.htm index a39b6c83f..7def275a4 100644 --- a/Shorewall-docs/errata.htm +++ b/Shorewall-docs/errata.htm @@ -1,80 +1,80 @@ - - + + Shorewall 1.4 Errata - - - + + + - - + + - - + + - + - + - - - - + + +
- - + + +

Shorewall Errata/Upgrade Issues
- +

IMPORTANT

- +
    -
  1. - - -

    If you use a Windows system to download - a corrected script, be sure to run the script through +

  2. + + +

    If you use a Windows system to download + a corrected script, be sure to run the script through dos2unix after you have moved + style="text-decoration: none;"> dos2unix after you have moved it to your Linux system.

    3. -
  3. - - +
  4. + +

    If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar -the archive, replace the 'firewall' script in the untarred directory +the archive, replace the 'firewall' script in the untarred directory with the one you downloaded below, and then run install.sh.

    5. -
  5. - - +
  6. + +

    When the instructions say to install a corrected firewall script in /usr/share/shorewall/firewall, you may rename the existing file before copying in the new file.

    7. -
  7. - -

    DO NOT INSTALL CORRECTED COMPONENTS - ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. - For example, do NOT install the 1.3.9a firewall script if you are running +

  8. + +

    DO NOT INSTALL CORRECTED COMPONENTS + ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. + For example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.

    9. - +
- + - -
+ +

Problems in Version 1.4

- - + +

- +

1.4.0

  • When running under certain shells Shorewall will attempt to create @@ -116,145 +116,145 @@ ECN rules even when /etc/shorewall/ecn is empty. You may either just remove correct script in /usr/share/shorewall/firewall as described above.
-
+

Upgrade Issues

- +

The upgrade issues have moved to a separate page.

- -
-

Problem with + +
+

Problem with iptables version 1.2.3

- -
- + +
+

There are a couple of serious bugs in iptables 1.2.3 that - prevent it from working with Shorewall. Regrettably, + prevent it from working with Shorewall. Regrettably, RedHat released this buggy iptables in RedHat 7.2. 

- - + +

I have built a corrected 1.2.3 rpm which you can download here  and I have also built an - iptables-1.2.4 rpm which you can download here. If you are currently - running RedHat 7.1, you can install either of these RPMs + iptables-1.2.4 rpm which you can download here. If you are currently + running RedHat 7.1, you can install either of these RPMs before you upgrade to RedHat 7.2.

- - -

Update 11/9/2001: RedHat - has released an iptables-1.2.4 RPM of their own which you can + + +

Update 11/9/2001: RedHat + has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. I have installed this RPM on my firewall and it works fine.

- - -

If you would like to patch iptables 1.2.3 yourself, + + +

If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This patch - which corrects a problem with parsing of the --log-level specification + which corrects a problem with parsing of the --log-level specification while this patch corrects a problem in handling the  TOS target.

- - + +

To install one of the above patches:

- - + +
  • cd iptables-1.2.3/extensions
  • patch -p0 < the-patch-file
    • - - + +
- - -

Problems with kernels >= 2.4.18 + + +

Problems with kernels >= 2.4.18 and RedHat iptables

- -
- -

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 + +

+ +

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may experience the following:

- - -
- + + +
+ 
# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
- - -

The RedHat iptables RPM is compiled with debugging enabled but the - user-space debugging code was not updated to reflect recent changes in - the Netfilter 'mangle' table. You can correct the problem by + + +

The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in + the Netfilter 'mangle' table. You can correct the problem by installing this iptables RPM. If you are already running a 1.2.5 version of iptables, you will need to specify the --oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

- - -

Problems installing/upgrading + + +

Problems installing/upgrading RPM on SuSE

- - -

If you find that rpm complains about a conflict - with kernel <= 2.2 yet you have a 2.4 kernel - installed, simply use the "--nodeps" option to + + +

If you find that rpm complains about a conflict + with kernel <= 2.2 yet you have a 2.4 kernel + installed, simply use the "--nodeps" option to rpm.

- - + +

Installing: rpm -ivh --nodeps <shorewall rpm>

- - + +

Upgrading: rpm -Uvh --nodeps <shorewall rpm>

- - -

Problems with + + +

Problems with iptables version 1.2.7 and MULTIPORT=Yes

- - -

The iptables 1.2.7 release of iptables has made - an incompatible change to the syntax used to - specify multiport match rules; as a consequence, - if you install iptables 1.2.7 you must be running + + +

The iptables 1.2.7 release of iptables has made + an incompatible change to the syntax used to + specify multiport match rules; as a consequence, + if you install iptables 1.2.7 you must be running Shorewall 1.3.7a or later or:

- - + +
  • set MULTIPORT=No in /etc/shorewall/shorewall.conf; or
  • if you are running Shorewall 1.3.6 you may install - this firewall script in /var/lib/shorewall/firewall + href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> + this firewall script in /var/lib/shorewall/firewall as described above.
    • - +
- +

Problems with RH Kernel 2.4.18-10 and NAT

- /etc/shorewall/nat entries of the following form will result + /etc/shorewall/nat entries of the following form will result in Shorewall being unable to start:

- + 
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
192.0.2.22      eth0            192.168.9.22    yes                     yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Error message is:
- + 
Setting up NAT...
iptables: Invalid argument
Terminated

The solution is to put "no" in the LOCAL column. Kernel support for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
- -

Last updated 3/21/2003 - + +

Last updated 3/21/2003 - Tom Eastep

- +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.

diff --git a/Shorewall-docs/errata_1.htm b/Shorewall-docs/errata_1.htm index 8162cb5ec..cdd1e06c3 100644 --- a/Shorewall-docs/errata_1.htm +++ b/Shorewall-docs/errata_1.htm @@ -17,191 +17,191 @@ - -

To those of you who downloaded the 1.1.13 updated firewall script prior + +

To those of you who downloaded the 1.1.13 updated firewall script prior to Sept 20, 2001:

- -
- -

Prior -to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version + +

+ +

Prior +to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version of the firewall script. This has now been corrected. I apologize for any confusion this may have caused.

- +

Version 1.1.18

- +
- +

In the original .lrp, /etc/init.d/shorewall was not secured for execute access. I have replaced the incorrect .lrp (shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).

- +
- +

Version 1.1.17

- -
- + +
+

In shorewall.conf, ADD_IP_ALIASES was incorrectly spelled IP_ADD_ALIASAES. There is a corrected version of the file here.

- +

This problem is also corrected in version 1.1.18.

- +

Version 1.1.16

- -
+ +

- The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES + The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES in the firewall script. To correct this problem, install the corrected firewall script in the location pointed to by the symbolic link /etc/shorewall/firewall.

- +

This problem is also corrected in version 1.1.17.

- +

Version 1.1.14-1.1.15

- -
+ +

There are no corrections for these versions.

- +

Version 1.1.13

- -
+ +

The firewall fails to start if a rule with the following format is given:

- +

<disposition>    z1:www.xxx.yyy.zzz    z2    proto    p1,p2,p3

- +

To correct this problem, install this corrected firewall script in the location pointed to by the symbolic link /etc/shorewall/firewall. 

- +

Version 1.1.12

- -
+ +

- The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions + The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions file. This incorrect file results in many error messages of the form:

- -
+ +

separate_list: not found

- +

The correct file may be obtained here . This problem is also corrected in version 1.1.13.

- +

Version 1.1.11

- -
+ +

There are no known problems with this version.

- +

Version 1.1.10

- -
+ +

If the following conditions were met:

- +
    - -
  1. + +

  2. - A LAN segment attached to the firewall was served by a DHCP server + A LAN segment attached to the firewall was served by a DHCP server running on the firewall.

    3. - -
  3. + +

  4. There were entries in /etc/shorewall/hosts that referred to the interface to that LAN segment.

    5. - +
- +

- then up until now it has been necessary to include entries for 0.0.0.0 + then up until now it has been necessary to include entries for 0.0.0.0 and 255.255.255.255 for that interface in /etc/shorewall/hosts. This version of the firewall script makes those additions unnecessary provided that you simply include "dhcp" in the options for the interface in /etc/shorewall/interfaces. Install the script into the location pointed to by the symbolic link /etc/shorewall/firewall.

- +

This problem has also been corrected in version 1.1.11.

- +

Version 1.1.9

- +
    -
  • The shorewall "hits" command lists extraneous service names in the final +
  • The shorewall "hits" command lists extraneous service names in the final report. This version of the shorewall script corrects this problem.
    - - + +
- - + +

Version 1.1.8

- +
    -
  • Under some circumstances, the "dhcp" option on an interface triggers -a bug in the firewall script that results in a "chain already exists" +
  • Under some circumstances, the "dhcp" option on an interface triggers +a bug in the firewall script that results in a "chain already exists" error. This version of the firewall script corrects this problem. Install it into the location pointed to by the symbolic link /etc/shorewall/firewall.

    This problem is also corrected in version 1.1.9.
    - - + +
- - + +

Version 1.1.7

- +
    -
  • If the /etc/shorewall/rules template from version 1.1.7 is used, a warning +
  • If the /etc/shorewall/rules template from version 1.1.7 is used, a warning message appears during firewall startup:

    -     Warning: Invalid Target - rule "@ icmp-unreachable packet." +     Warning: Invalid Target - rule "@ icmp-unreachable packet." ignored

    This warning may be eliminated by replacing the "@" in column 1 of line 17 with "#"
- -
+ +

This problem is also corrected in version 1.1.8

- +

Last updated 12/21/2001 - Tom Eastep diff --git a/Shorewall-docs/errata_2.htm b/Shorewall-docs/errata_2.htm index 29250ef7d..d1e23d8c6 100644 --- a/Shorewall-docs/errata_2.htm +++ b/Shorewall-docs/errata_2.htm @@ -1,15 +1,15 @@ - + Shorewall 1.2 Errata - + - + - - + + @@ -19,130 +19,130 @@
- +

- + IMPORTANT

- +

- + If you use a Windows system to download a corrected script, be sure to run the script through dos2unix after you have moved it to your Linux system.

- +

- - When the instructions say to install a corrected firewall script in - /etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the - existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall - before you do that. /etc/shorewall/firewall is a symbolic link that points - to the 'shorewall' file used by your system initialization scripts to - start Shorewall during boot and it is that file that must be overwritten + + When the instructions say to install a corrected firewall script in + /etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the + existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall + before you do that. /etc/shorewall/firewall is a symbolic link that points + to the 'shorewall' file used by your system initialization scripts to + start Shorewall during boot and it is that file that must be overwritten with the corrected script.

- +
- +

Problems in Version 1.2

- +

Version 1.2.13

- +
  • - -

    Some users have reported problems installing the RPM - on SuSE 7.3 where rpm reports a conflict with kernel <= 2.2 even - though a 2.4 kernel RPM is installed. To get around this problem, use - the --nodeps option to rpm (e.g., "rpm -ivh --nodeps + +

    Some users have reported problems installing the RPM + on SuSE 7.3 where rpm reports a conflict with kernel <= 2.2 even + though a 2.4 kernel RPM is installed. To get around this problem, use + the --nodeps option to rpm (e.g., "rpm -ivh --nodeps shorewall-1.2-13.noarch.rpm").

    - The problem stems from the fact that SuSE does not - include a package named "kernel" but rather has a number of packages - that provide the virtual package "kernel". Since virtual packages have - no version associated with them, a conflict results. Since the + The problem stems from the fact that SuSE does not + include a package named "kernel" but rather has a number of packages + that provide the virtual package "kernel". Since virtual packages have + no version associated with them, a conflict results. Since the workaround is simple, I don't intend to change the Shorewall package.

    - +
  • - +

    Shorewall accepts invalid rules of the form:

    - ACCEPT <src> <dest>:<ip addr> all <port number> - + ACCEPT <src> <dest>:<ip addr> all <port number> - <original ip address>

    -     The <port number> is ignored with the result that all - connection requests from the <src> zone whose original destination IP - address matches the last column are forwarded to the <dest> zone, IP +     The <port number> is ignored with the result that all + connection requests from the <src> zone whose original destination IP + address matches the last column are forwarded to the <dest> zone, IP address <ip addr>.  - This corrected firewall script correctly generates an error when + This corrected firewall script correctly generates an error when such a rule is encountered.

    - +
- +

Version 1.2.11

- +
  • - +

    The 'try' command is broken.

  • - -

    The usage text printed by the shorewall utility + +

    The usage text printed by the shorewall utility doesn't show the optional timeout for the 'try' command.

- +

Both problems are corrected by this new version of /sbin/shorewall.

- +

Sample Configurations:

- +
  • - -

    There have been several problems with SSH, DNS and - ping in the two- and three-interface examples. Before reporting - problems with these services, please verify that you have the latest + +

    There have been several problems with SSH, DNS and + ping in the two- and three-interface examples. Before reporting + problems with these services, please verify that you have the latest version of the appropriate sample 'rules' file.

- +

All Versions through 1.2.10

- +
@@ -166,93 +166,93 @@ dos2unix
- +

All Versions through 1.2.8

- +
  • - -

    The shorewall.conf file and the documentation - incorrectly refer to a parameter in /etc/shorewall/shorewall.conf - called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (see - the corrected online documentation). Users of the rpm should - change the name (and possibly the value) of this parameter so that - Shorewall interacts properly with the SysV init scripts. The + +

    The shorewall.conf file and the documentation + incorrectly refer to a parameter in /etc/shorewall/shorewall.conf + called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (see + the corrected online documentation). Users of the rpm should + change the name (and possibly the value) of this parameter so that + Shorewall interacts properly with the SysV init scripts. The documentation on this web site has been corrected and here's a corrected version of shorewall.conf.

    - +
  • - -

    The documentation indicates that a comma-separated - list of IP/subnet addresses may appear in an entry in the hosts file. - This is not the case; if you want to specify multiple addresses for a + +

    The documentation indicates that a comma-separated + list of IP/subnet addresses may appear in an entry in the hosts file. + This is not the case; if you want to specify multiple addresses for a zone, you need to have a separate entry for each address.

    - +
- +

Version 1.2.7

- +

Version 1.2.7 is quite broken -- please install 1.2.8

- -

If you have installed and started version 1.2.7 then before trying + +

If you have installed and started version 1.2.7 then before trying to restart under 1.2.8:

    -
  1. Look at your /etc/shorewall/shorewall.conf file and note the directory - named in the STATEDIR variable. If that variable is empty, assume +
  2. Look at your /etc/shorewall/shorewall.conf file and note the directory + named in the STATEDIR variable. If that variable is empty, assume /var/state/shorewall.
  3. Remove the file 'lock' in the directory determined in step 1.

You may now restart using 1.2.8.

- +

Version 1.2.6

- +
  • - +

    GRE and IPIP tunnels are broken.

  • - +

    The following rule results in a start error:

    -    ACCEPT    z1    z2    +    ACCEPT    z1    z2    icmp

- +

To correct the above problems, install this corrected firewall script in  /etc/shorewall/firewall..

Version 1.2.5

- +
  • - -

    The new ADDRESS column in /etc/shorewall/masq cannot + +

    The new ADDRESS column in /etc/shorewall/masq cannot contain a $-variable name.

  • - -

    Errors result if $FW appears in the + +

    Errors result if $FW appears in the /etc/shorewall/policy file.

  • - -

    Using Blacklisting without setting BLACKLIST_LOGLEVEL + +

    Using Blacklisting without setting BLACKLIST_LOGLEVEL results in an error at start time.

- +

To correct the above problems, install this corrected firewall script in /etc/shorewall/firewall.

 

- +

Version 1.2.4

- +

  • This version will not install "out of the box" without modification. Before attempting to start the @@ -261,9 +261,9 @@ dos2unix you are upgrading from a previous version of Shorewall, version 1.2.4 will work without modification.

- +

Version 1.2.3

- +

  • When BLACKLIST_LOGLEVEL is set, packets from blacklisted @@ -271,44 +271,44 @@ dos2unix corrected firewall script in /etc/shorewall/firewall.

- +

Alternatively, edit /etc/shorewall/firewall and change line 1564 from:

- + 
          run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \
- +

to

- + 
          run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \
- +

Version 1.2.2

- +
  • The "shorewall status" command hangs after it displays the chain information. Here's a corrected /sbin/shorewall. if  you want to simply modify your copy of /sbin/shorewall, then at line 445 change this:
- +
- + 
       status)
            clear
- +
- +

to this:

- +
- + 
       status)
            get_config
            clear
- +
  • The "shorewall monitor" command @@ -322,9 +322,9 @@ dos2unix updated firewall script.  Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for spotting this bug.
- +

Version 1.2.1

- +
  • The new logunclean interface option is not described in the help text in /etc/shorewall/interfaces. An updated @@ -334,68 +334,68 @@ dos2unix firewall script are broken in the case of a REJECT policy, however; in REJECT policy chains, all requests are currently replied to with an ICMP port-unreachable packet. This - corrected firewall script replies to TCP requests with TCP RST in + corrected firewall script replies to TCP requests with TCP RST in REJECT policy chains. Place the script in /etc/shorewall/firewall.
- +

Version 1.2.0

- +
- +

Note: If you are upgrading from one of the Beta RPMs to 1.2.0, you must use the "--oldpackage" option to rpm (e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).

- +

The tunnel script released in version 1.2.0 contained errors -- a corrected script is available.

- +
- +
- +

Problem with iptables version 1.2.3

- +
- +

There are a couple of serious bugs in iptables 1.2.3 that - prevent it from working with Shorewall. Regrettably, + prevent it from working with Shorewall. Regrettably, RedHat released this buggy iptables in RedHat 7.2. 

- +

I have built a corrected 1.2.3 rpm which you can download here  and I have also built an - iptables-1.2.4 rpm which you can download here. If -you are currently running RedHat 7.1, you can install either of these RPMs + iptables-1.2.4 rpm which you can download here. If +you are currently running RedHat 7.1, you can install either of these RPMs before you upgrade to RedHat 7.2.

- +

Update 11/9/2001: RedHat has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. I have installed this RPM on my firewall and it works fine.

- +

If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This patch which corrects a problem with parsing of the --log-level specification while this patch corrects a problem in handling the  TOS target.

- +

To install one of the above patches:

  • cd iptables-1.2.3/extensions
  • patch -p0 < the-patch-file
- +
- -

Problems with kernel 2.4.18 + +

Problems with kernel 2.4.18 and RedHat iptables

-

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may +

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may experience the following:

# shorewall start
@@ -418,21 +418,21 @@ iptables: libiptc/libip4tc.c:380: do_check: Assertion
 Aborted (core dumped)
-

The RedHat iptables RPM is compiled with debugging enabled but the - user-space debugging code was not updated to reflect recent changes in the +

The RedHat iptables RPM is compiled with debugging enabled but the + user-space debugging code was not updated to reflect recent changes in the Netfilter 'mangle' table. You can correct the problem by installing - this iptables RPM. If you are already running a 1.2.5 version of - iptables, you will need to specify the --oldpackage option to rpm (e.g., + this iptables RPM. If you are already running a 1.2.5 version of + iptables, you will need to specify the --oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

- +

Last updated 5/24/2002 - Tom Eastep

-

Copyright +

Copyright © 2001, 2002 Thomas M. Eastep.

diff --git a/Shorewall-docs/errata_3.html b/Shorewall-docs/errata_3.html index 92b98f31d..59cc0fc9a 100755 --- a/Shorewall-docs/errata_3.html +++ b/Shorewall-docs/errata_3.html @@ -1,65 +1,65 @@ - - + + Shorewall 1.3 Errata - - - + + + - - + + - - + + - + - - - - + + +
- - + + +

Shorewall Errata/Upgrade Issues
- +

IMPORTANT

- +
    -
  1. - - +
  2. + +

    If you use a Windows system to download a corrected script, be sure to run the script through dos2unix after you have moved it to your Linux system.

    3. -
  3. - - +
  4. + +

    If you are installing Shorewall for the first time and plan to use the .tgz and install.sh script, you can untar the archive, replace the 'firewall' script in the untarred directory with the one you downloaded below, and then run install.sh.

    5. -
  5. - - +
  6. + +

    If you are running a Shorewall version earlier - than 1.3.11, when the instructions say to install a corrected + than 1.3.11, when the instructions say to install a corrected firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD @@ -71,17 +71,17 @@ boot. It is that file that must be overwritten with the corrected script. Beginning with Shorewall 1.3.11, you may rename the existing file before copying in the new file.

    7. -
  7. - +
  8. +

    DO NOT INSTALL CORRECTED COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.

    9. - +
- + - -
+ +

Problems in Version 1.3

- - + +

Version 1.3.14

- +
  • There is an updated - rfc1918 file that reflects the resent allocation of 222.0.0.0/8 and + href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/rfc1918">updated + rfc1918 file that reflects the resent allocation of 222.0.0.0/8 and 223.0.0.0/8.
    • - +
- +
    -
  • The documentation for the routestopped file claimed that a comma-separated +
  • The documentation for the routestopped file claimed that a comma-separated list could appear in the second column while the code only supported a single host or network address.
  • Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.
    • @@ -131,15 +131,15 @@ support the 'maclist' interface option.
  • The firewall fails to start in the case where you have "eth0 eth1" in /etc/shorewall/masq and the default route is through eth1.
    • - +
These problems have been corrected in this - firewall script which may be installed in /usr/lib/shorewall as described + href="http://www.shorewall.net/pub/shorewall/errata/1.3.14/firewall">this + firewall script which may be installed in /usr/lib/shorewall as described above.
- +

Version 1.3.13

- +
  • The 'shorewall add' command produces an error message referring to 'find_interfaces_by_maclist'.
    • @@ -147,60 +147,60 @@ in /etc/shorewall/masq and the default route is through eth1.
  • The 'shorewall add' command can fail with "iptables: Index of insertion too big".
    • - +
All three problems are corrected by this firewall script which may be installed in /usr/lib/shorewall as described above.
- +
    -
  • VLAN interface names of the form "ethn.m" (e.g., -eth0.1) are not supported in this version or in 1.3.12. If you need such +
  • VLAN interface names of the form "ethn.m" (e.g., +eth0.1) are not supported in this version or in 1.3.12. If you need such support, post on the users list and I can provide you with a patched version.
    • - +
- +

Version 1.3.12

- +
    -
  • If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect +
  • If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is the same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is corrected by this firewall script which may be installed in /usr/lib/shorewall as described above.
    • -
  • VLAN interface names of the form "ethn.m" (e.g., -eth0.1) are not supported in this version or in 1.3.13. If you need such +
  • VLAN interface names of the form "ethn.m" (e.g., +eth0.1) are not supported in this version or in 1.3.13. If you need such support, post on the users list and I can provide you with a patched version.
    • - +
- +

Version 1.3.12 LRP

- +
  • The .lrp was missing the /etc/shorewall/routestopped file -- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.
    • - +
- +

Version 1.3.11a

- + - +

Version 1.3.11

- +
  • When installing/upgrading using the .rpm, you may receive the following warnings:
    @@ -211,8 +211,8 @@ this problem.
    These warnings are harmless and may be ignored. Users downloading the .rpm from shorewall.net or mirrors should no longer see these warnings as the .rpm you will get from there has been corrected.
    • -
  • DNAT rules that exclude a source subzone (SOURCE column -contains ! followed by a sub-zone list) result in an error message and +
  • DNAT rules that exclude a source subzone (SOURCE column +contains ! followed by a sub-zone list) result in an error message and Shorewall fails to start.

    Install
    This problem is corrected in version 1.3.11a.
    • - +
- +

Version 1.3.10

- + - +

Version 1.3.9a

- +
    -
  • If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No +
  • If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No then the following message appears during "shorewall [re]start":
    • - +
- + 
          recalculate_interfacess: command not found
- +
The updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall - corrects this problem.Copy the script to /usr/lib/shorewall/firewall + target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + corrects this problem.Copy the script to /usr/lib/shorewall/firewall as described above.
- +
Alternatively, edit /usr/lob/shorewall/firewall and change the single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess' to 'recalculate_interface'.
- +
  • The installer (install.sh) issues a misleading message "Common functions installed in /var/lib/shorewall/functions" whereas @@ -274,163 +274,163 @@ now and not just a symbolic link to the real script.
    href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here is an updated version that corrects these problems.
    • - +
- +

Version 1.3.9

TUNNELS Broken in 1.3.9!!! There is an updated firewall script at ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall + target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall -- copy that file to /usr/lib/shorewall/firewall as described above.

- Version 1.3.8 + Version 1.3.8
    -
  • Use of shell variables in the LOG LEVEL or SYNPARMS +
  • Use of shell variables in the LOG LEVEL or SYNPARMS columns of the policy file doesn't work.
  • A DNAT rule with the same original and new IP addresses but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")
    • - +
Installing + href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall"> this corrected firewall script in /var/lib/shorewall/firewall as described above corrects these - problems. + problems.

Version 1.3.7b

- - -

DNAT rules where the source zone is 'fw' ($FW) - result in an error message. Installing + + +

DNAT rules where the source zone is 'fw' ($FW) + result in an error message. Installing + href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> this corrected firewall script in /var/lib/shorewall/firewall as described above corrects this problem.

- - + +

Version 1.3.7a

- - -

"shorewall refresh" is not creating the proper - rule for FORWARDPING=Yes. Consequently, after - "shorewall refresh", the firewall will not forward - icmp echo-request (ping) packets. Installing + + +

"shorewall refresh" is not creating the proper + rule for FORWARDPING=Yes. Consequently, after + "shorewall refresh", the firewall will not forward + icmp echo-request (ping) packets. Installing + href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> this corrected firewall script in /var/lib/shorewall/firewall as described above corrects this problem.

- - + +

Version <= 1.3.7a

- - -

If "norfc1918" and "dhcp" are both specified as - options on a given interface then RFC 1918 - checking is occurring before DHCP checking. This - means that if a DHCP client broadcasts using an - RFC 1918 source address, then the firewall will + + +

If "norfc1918" and "dhcp" are both specified as + options on a given interface then RFC 1918 + checking is occurring before DHCP checking. This + means that if a DHCP client broadcasts using an + RFC 1918 source address, then the firewall will reject the broadcast (usually logging it). This has two problems:

- - + +
  1. If the firewall is running a DHCP server, the -client won't be able to obtain an IP address +client won't be able to obtain an IP address lease from that server.
  2. With this order of checking, the "dhcp" option -cannot be used as a noise-reduction - measure where there are both dynamic and static +cannot be used as a noise-reduction + measure where there are both dynamic and static clients on a LAN segment.
    3. - +
- - + +

- This version of the 1.3.7a firewall script - corrects the problem. It must be -installed in /var/lib/shorewall as + href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall"> + This version of the 1.3.7a firewall script + corrects the problem. It must be +installed in /var/lib/shorewall as described above.

- - + +

Version 1.3.7

- - -

Version 1.3.7 dead on arrival -- please use - version 1.3.7a and check your version against - these md5sums -- if there's a difference, please + + +

Version 1.3.7 dead on arrival -- please use + version 1.3.7a and check your version against + these md5sums -- if there's a difference, please download again.

- - + + 
	d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz
	6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm
	3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp
- +

In other words, type "md5sum <whatever package you downloaded> and compare the result with what you see above.

- +

I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the .7 version in each sequence from now on.

- +

Version 1.3.6

- +
    -
  • - - +
  • + +

    If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf, an error occurs when the firewall script attempts to add an SNAT alias.

    • -
  • - - +
  • + +

    The logunclean and dropunclean options cause errors during startup when Shorewall is run with iptables 1.2.7.

    • - +
- +

These problems are fixed in - this correct firewall script which must be installed in - /var/lib/shorewall/ as described above. These problems are also + href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> + this correct firewall script which must be installed in + /var/lib/shorewall/ as described above. These problems are also corrected in version 1.3.7.

- +

Two-interface Samples 1.3.6 (file two-interfaces.tgz)

- -

A line was inadvertently deleted from the "interfaces + +

A line was inadvertently deleted from the "interfaces file" -- this line should be added back in if the version that you downloaded is missing it:

- +

net    eth0    detect    routefilter,dhcp,norfc1918

- -

If you downloaded two-interfaces-a.tgz then the above + +

If you downloaded two-interfaces-a.tgz then the above line should already be in the file.

- +

Version 1.3.5-1.3.5b

- -

The new 'proxyarp' interface option doesn't work :-( + +

The new 'proxyarp' interface option doesn't work :-( This is fixed in - this corrected firewall script which must be installed in + href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> + this corrected firewall script which must be installed in /var/lib/shorewall/ as described above.

- +

Versions 1.3.4-1.3.5a

- -

Prior to version 1.3.4, host file entries such as the + +

Prior to version 1.3.4, host file entries such as the following were allowed:

- -
+ +
	adm	eth0:1.2.4.5,eth0:5.6.7.8
- -
+ +

That capability was lost in version 1.3.4 so that it is only possible to  include a single host specification on each line. This problem is corrected by modified 1.3.5a firewall script. Install the script in /var/lib/pub/shorewall/firewall as instructed above.

- -
+ +

This problem is corrected in version 1.3.5b.

- +

Version 1.3.5

- -

REDIRECT rules are broken in this version. Install + +

REDIRECT rules are broken in this version. Install + href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall"> this corrected firewall script in /var/lib/pub/shorewall/firewall as instructed above. This problem is corrected in version 1.3.5a.

- +

Version 1.3.n, n < 4

- -

The "shorewall start" and "shorewall restart" commands + +

The "shorewall start" and "shorewall restart" commands to not verify that the zones named in the /etc/shorewall/policy file have been previously defined in the /etc/shorewall/zones file. The "shorewall check" command does perform this verification so it's a good idea to run that command after you have made configuration changes.

- +

Version 1.3.n, n < 3

- -

If you have upgraded from Shorewall 1.2 and after + +

If you have upgraded from Shorewall 1.2 and after "Activating rules..." you see the message: "iptables: No chains/target/match by that name" then you probably have an entry in /etc/shorewall/hosts that specifies an interface that you didn't include -in /etc/shorewall/interfaces. To correct this problem, you +in /etc/shorewall/interfaces. To correct this problem, you must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and later versions produce a clearer error message in this case.

- +

Version 1.3.2

- -

Until approximately 2130 GMT on 17 June 2002, the + +

Until approximately 2130 GMT on 17 June 2002, the download sites contained an incorrect version of the .lrp file. That file can be identified by its size (56284 bytes). The correct version has a size of 38126 bytes.

- +
    -
  • The code to detect a duplicate interface - entry in /etc/shorewall/interfaces contained a typo that +
  • The code to detect a duplicate interface + entry in /etc/shorewall/interfaces contained a typo that prevented it from working correctly.
  • "NAT_BEFORE_RULES=No" was broken; it behaved just like "NAT_BEFORE_RULES=Yes".
    • - +
- +

Both problems are corrected in + href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall"> this script which should be installed in /var/lib/shorewall as described above.

- + - +

Version 1.3.1

- +
  • TCP SYN packets may be double counted when LIMIT:BURST is included in a CONTINUE or ACCEPT policy @@ -532,169 +532,169 @@ found that affects only the 'routestopped' option.
    prior to 1850 GMT today should download and install the corrected script again to ensure that this second problem is corrected.
    • - +
- +

These problems are corrected in + href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall"> this firewall script which should be installed in /etc/shorewall/firewall as described above.

- +

Version 1.3.0

- +
  • Folks who downloaded 1.3.0 from the links on the download page before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than 1.3.0. -The "shorewall version" command will tell you which version +The "shorewall version" command will tell you which version that you have installed.
  • The documentation NAT.htm file uses - non-existent wallpaper and bullet graphic files. The + non-existent wallpaper and bullet graphic files. The + href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm"> corrected version is here.
    • - +
- -
+ +

Upgrade Issues

- +

The upgrade issues have moved to a separate page.

- -
+ +

Problem with iptables version 1.2.3

- -
- -

There are a couple of serious bugs in iptables 1.2.3 that + +

+ +

There are a couple of serious bugs in iptables 1.2.3 that prevent it from working with Shorewall. Regrettably, RedHat released this buggy iptables in RedHat 7.2. 

- - + +

I have built a - corrected 1.2.3 rpm which you can download here  and I have + href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> + corrected 1.2.3 rpm which you can download here  and I have also built an + href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> iptables-1.2.4 rpm which you can download here. If you are currently - running RedHat 7.1, you can install either of these RPMs + running RedHat 7.1, you can install either of these RPMs before you upgrade to RedHat 7.2.

- - + +

Update 11/9/2001: RedHat has released an iptables-1.2.4 RPM of their own which you can download from http://www.redhat.com/support/errata/RHSA-2001-144.html. - I have installed this RPM on my firewall and it works + href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html. + I have installed this RPM on my firewall and it works fine.

- - + +

If you would like to patch iptables 1.2.3 yourself, the patches are available for download. This patch + href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch which corrects a problem with parsing of the --log-level specification while this patch + href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch corrects a problem in handling the  TOS target.

- - + +

To install one of the above patches:

- - + +
  • cd iptables-1.2.3/extensions
  • patch -p0 < the-patch-file
    • - - + +
- - -

Problems with kernels >= 2.4.18 + + +

Problems with kernels >= 2.4.18 and RedHat iptables

- -
- + +
+

Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may experience the following:

- - -
- + + +
+ 
# shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.
Aborted (core dumped)
- - -

The RedHat iptables RPM is compiled with debugging enabled but the + + +

The RedHat iptables RPM is compiled with debugging enabled but the user-space debugging code was not updated to reflect recent changes in the Netfilter 'mangle' table. You can correct the problem by installing - this iptables RPM. If you are already running a 1.2.5 version - of iptables, you will need to specify the --oldpackage option + href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> + this iptables RPM. If you are already running a 1.2.5 version + of iptables, you will need to specify the --oldpackage option to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").

- - + +

Problems installing/upgrading RPM on SuSE

- - -

If you find that rpm complains about a conflict - with kernel <= 2.2 yet you have a 2.4 kernel - installed, simply use the "--nodeps" option to + + +

If you find that rpm complains about a conflict + with kernel <= 2.2 yet you have a 2.4 kernel + installed, simply use the "--nodeps" option to rpm.

- - + +

Installing: rpm -ivh --nodeps <shorewall rpm>

- - + +

Upgrading: rpm -Uvh --nodeps <shorewall rpm>

- - -

Problems with + + +

Problems with iptables version 1.2.7 and MULTIPORT=Yes

- - -

The iptables 1.2.7 release of iptables has made - an incompatible change to the syntax used to - specify multiport match rules; as a consequence, - if you install iptables 1.2.7 you must be running + + +

The iptables 1.2.7 release of iptables has made + an incompatible change to the syntax used to + specify multiport match rules; as a consequence, + if you install iptables 1.2.7 you must be running Shorewall 1.3.7a or later or:

- - + + - +

Problems with RH Kernel 2.4.18-10 and NAT

/etc/shorewall/nat entries of the following form will result in Shorewall being unable to start:

- + 
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
192.0.2.22      eth0            192.168.9.22    yes                     yes
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
Error message is:
- + 
Setting up NAT...
iptables: Invalid argument
Terminated

- The solution is to put "no" in the LOCAL column. Kernel -support for LOCAL=yes has never worked properly and 2.4.18-10 has -disabled it. The 2.4.19 kernel contains corrected support under a new + The solution is to put "no" in the LOCAL column. Kernel +support for LOCAL=yes has never worked properly and 2.4.18-10 has +disabled it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton option; see http://www.shorewall.net/Documentation.htm#NAT
- -

Last updated 3/8/2003 - + +

Last updated 3/8/2003 - Tom Eastep

- +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.

diff --git a/Shorewall-docs/fallback.htm b/Shorewall-docs/fallback.htm index ca93dbbde..f9309f4ce 100644 --- a/Shorewall-docs/fallback.htm +++ b/Shorewall-docs/fallback.htm @@ -70,5 +70,5 @@ type "rpm -e shorewall".

Last updated 3/26/2001 - Tom Eastep

-Copyright +Copyright © 2001, 2002 Thomas M. Eastep. diff --git a/Shorewall-docs/gnu_mailman.htm b/Shorewall-docs/gnu_mailman.htm index 840c088d7..ce43f9633 100644 --- a/Shorewall-docs/gnu_mailman.htm +++ b/Shorewall-docs/gnu_mailman.htm @@ -1,38 +1,38 @@ - + - + - + - + GNU Mailman - + - - - + +
+

GNU Mailman/Postfix the Easy Way
- +

 

- +

The following was posted on the Postfix mailing list on 5/4/2002 by Michael Tokarev as a suggested addition to the Postfix FAQ.

- +

Q: Mailman does not work with Postfix, complaining about GID mismatch

A: Mailman uses a setgid wrapper that is designed to be used in system-wide @@ -48,7 +48,7 @@ and group mailman. Like:
Make sure that /var/mailman/aliases.db is owned by mailman user (this may be done by executing postalias as mailman userid).

- Next, instead of using mailman-suggested aliases entries with wrapper, + Next, instead of using mailman-suggested aliases entries with wrapper, use the following:

instead of
@@ -62,14 +62,14 @@ use the following:
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist
...

- -

The above tip works with Mailman 2.0; Mailman 2.1 has adopted something + +

The above tip works with Mailman 2.0; Mailman 2.1 has adopted something very similar so that no workaround is necessary. See the README.POSTFIX file included with Mailman-2.1. 

- +

Last updated 12/29/2002 - Tom Eastep

- +

Copyright © 2001, 2002 Thomas M. Eastep.


diff --git a/Shorewall-docs/hosts_file.htm b/Shorewall-docs/hosts_file.htm index 72ad66b7a..c06d22058 100644 --- a/Shorewall-docs/hosts_file.htm +++ b/Shorewall-docs/hosts_file.htm @@ -12,7 +12,7 @@

The Hosts File

-

Since there seems to be a lot of confusion regarding the +

Since there seems to be a lot of confusion regarding the /etc/shorewall/hosts file, I have created this page to try to clear the fog.

 

diff --git a/Shorewall-docs/kernel.htm b/Shorewall-docs/kernel.htm index aa5f5b829..378e31ef9 100644 --- a/Shorewall-docs/kernel.htm +++ b/Shorewall-docs/kernel.htm @@ -142,5 +142,5 @@ the options selected above built as modules:

Last updated 3/10/2002 - Tom Eastep

-Copyright +Copyright © 2001, 2002 Thomas M. Eastep. diff --git a/Shorewall-docs/mailing_list.htm b/Shorewall-docs/mailing_list.htm index ff74b41a7..b9ea6def6 100644 --- a/Shorewall-docs/mailing_list.htm +++ b/Shorewall-docs/mailing_list.htm @@ -1,53 +1,53 @@ - - + + - - + + - - + + - - + + Shorewall Mailing Lists - - - + + + - + - - - - + + +
- - - + + +

Vexira Logo

- - + + - - + +

 

- + +

Shorewall Mailing Lists
- +
- +


Powered by Postfix    
- - + +

REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please read the Shorewall Support Guide.

-

If you experience problems with any of these lists, please +

If you experience problems with any of these lists, please let me know

- +

Not able to Post Mail to shorewall.net?

- +

You can report such problems by sending mail to tom dot eastep at hp dot com.

- +

A Word about SPAM Filters 

- - -

Before subscribing please read my policy + + +

Before subscribing please read my policy about list traffic that bounces. Also please note that the mail server at shorewall.net checks incoming mail:

- +
  1. against Spamassassin (including Vipul's Razor).
  2. to ensure that the sender address is fully qualified.
    3. -
  3. to verify that the sender's domain has an A or MX +
  4. to verify that the sender's domain has an A or MX record in DNS.
    5. -
  5. to ensure that the host name in the HELO/EHLO command +
  6. to ensure that the host name in the HELO/EHLO command is a valid fully-qualified DNS name that resolves.
    7. - +
- +

Please post in plain text

- A growing number of MTAs serving list subscribers are rejecting - all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net - "for continuous abuse" because it has been my policy to allow HTML in + A growing number of MTAs serving list subscribers are rejecting + all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net + "for continuous abuse" because it has been my policy to allow HTML in list posts!!

I think that blocking all HTML is a Draconian way to control @@ -122,36 +122,36 @@ of HTML based e-mail". Nevertheless, to allow subscribers to receive list posts as must as possible, I have now configured the list server at shorewall.net to strip all HTML from outgoing posts. This means that HTML-only posts will be bounced by the list server.
- +

Note: The list server limits posts to 120kb.

- +

Other Mail Delivery Problems

If you find that you are missing an occasional list post, your e-mail admin may be blocking mail whose Received: headers contain the names of certain ISPs. Again, I believe that such policies hurt more than they help but I'm not prepared to go so far as to start stripping Received: headers to circumvent those policies.
- +

Mailing Lists Archive Search

- +
- -

Match: - + +

Match: + - Format: - + Format: + - Sort by: - + Sort by: +

- - + +

Please do not try to download the entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't stand the traffic. If I catch you, you will be blacklisted.

- +

Shorewall CA Certificate

- If you want to trust X.509 certificates issued by Shoreline + If you want to trust X.509 certificates issued by Shoreline Firewall (such as the one used on my web site), you may download and install my CA certificate in your browser. If you don't wish to trust my certificates then you can either use unencrypted access when subscribing to Shorewall mailing lists or you can use secure access (SSL) and accept the server's certificate when prompted by your browser.
- +

Shorewall Users Mailing List

- +

The Shorewall Users Mailing list provides a way for users to get answers to questions and to report problems. Information of general interest to the Shorewall user community is also posted to this list.

- +

Before posting a problem report to this list, please see the problem reporting guidelines.

- +

To subscribe to the mailing list:

- + - +

To post to the list, post to shorewall-users@lists.shorewall.net.

- +

The list archives are at http://lists.shorewall.net/pipermail/shorewall-users.

- +

Note that prior to 1/1/2002, the mailing list was hosted at Sourceforge. The archives from that list may be found at www.geocrawler.com/lists/3/Sourceforge/9327/0/.

- +

Shorewall Announce Mailing List

- -

This list is for announcements of general interest to the + +

This list is for announcements of general interest to the Shorewall community. To subscribe:

- +

- + - +


The list archives are at http://lists.shorewall.net/pipermail/shorewall-announce.

- +

Shorewall Development Mailing List

- +

The Shorewall Development Mailing list provides a forum for the exchange of ideas about the future of Shorewall and for coordinating ongoing Shorewall Development.

- +

To subscribe to the mailing list:

- + - +

To post to the list, post to shorewall-devel@lists.shorewall.net

- +

The list archives are at http://lists.shorewall.net/pipermail/shorewall-devel.

- +

How to Unsubscribe from one of the Mailing Lists

- +

There seems to be near-universal confusion about unsubscribing from Mailman-managed lists although Mailman 2.1 has attempted to make this less confusing. To unsubscribe:

- +
    -
  • - +
  • +

    Follow the same link above that you used to subscribe to the list.

    • -
  • - +
  • +

    Down at the bottom of that page is the following text: " To unsubscribe from <list name>, get a password reminder, or change your subscription options enter your subscription email address:". Enter your email address in the box and click on the "Unsubscribe or edit options" button.

    • -
  • - +
  • +

    There will now be a box where you can enter your password and click on "Unsubscribe"; if you have forgotten your password, there is another button that will cause your password to be emailed to you.

    • - +
- -
+ +

Frustrated by having to Rebuild Mailman to use it with Postfix?

- +

Check out these instructions

- +

Last updated 2/24/2003 - Tom Eastep

- +

Copyright © 2001, 2002, 2003 Thomas M. Eastep.

diff --git a/Shorewall-docs/mailing_list_problems.htm b/Shorewall-docs/mailing_list_problems.htm index f9fdde6c7..5d91d695d 100644 --- a/Shorewall-docs/mailing_list_problems.htm +++ b/Shorewall-docs/mailing_list_problems.htm @@ -1,48 +1,48 @@ - + - + - + - + Mailing List Problems - + - - - + +
- + +

Mailing List Problems
- +

Shorewall.net is currently experiencing mail delivery problems to at least one address in each of the following domains:

- -
-
+ +
+ 
2020ca - delivery to this domain has been disabled (cause unknown)
arosy.de - delivery to this domain has been disabled (Relay access denied)
arundel.homelinux.org - delivery to this domain has been disabled (connection timed out, connection refused)
asurfer.com - (Mailbox full)
bol.com.br - delivery to this domain has been disabled (Mailbox Full)
cuscominc.com - delivery to this domain has been disabled (bouncing mail from all sources with "Mail rejected because the server you are sending to is misconfigured").
cvnet.psi.br - (DNS configuration error -- MX is cvn-srv1.cvnet.psi.br.cvnet.psi.br)
datakota.com - (DNS Timeouts)
excite.com - delivery to this domain has been disabled (cause unknown)
epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
freefish.dyndns.org - delivery to this domain has been disabled (Name Server Problem -- Host not found)
gmx.net - delivery to this domain has been disabled (cause unknown)
hotmail.com - delivery to this domain has been disabled (Mailbox over quota)
intercom.net - delivery to this domain has been disabled (cause unknown)
nitialcs.com - delivery to this domain has been disabled (cause unknown)
intelligents.2y.net - delivery to this domain has been disabled (Name Service Problem -- Host not Found).
khp-inc.com - delivery to this domain has been disabled (anti-virus problems)
kieninger.de - delivery to this domain has been disabled (relaying to <xxxxx@kieninger.de> prohibited by administrator)
lariera.com - delivery to this domain has been disabled (Unknown User)
mfocus.com.my - delivery to this domain has been disabled (MTA at mailx.mfocus.com.my not delivering and not giving a reason)
navair.navy.mil - delivery to this domain has been disabled (A restriction in the system prevented delivery of the message)
opermail.net - delivery to this domain has been disabled (cause unknown)
penquindevelopment.com - delivery to this domain has been disabled (connection timed out)
scip-online.de - delivery to this domain has been disabled (cause unknown)
spctnet.com - connection timed out - delivery to this domain has been disabled
telusplanet.net - delivery to this domain has been disabled (cause unknown)
the-techy.com - delivery to this domain has been disabled  (clueless administrator - continuous DNS problems) 
yahoo.com - delivery to this domain has been disabled (Mailbox over quota)
- +

Last updated 12/17/2002 02:51 GMT - Tom Eastep

- +

Copyright © 2002 Thomas M. Eastep.

- +

 


diff --git a/Shorewall-docs/myfiles.htm b/Shorewall-docs/myfiles.htm index beaaaf83e..e268df93e 100644 --- a/Shorewall-docs/myfiles.htm +++ b/Shorewall-docs/myfiles.htm @@ -1,39 +1,39 @@ - + My Shorewall Configuration - - + + - + - + - + - - - + +
- + +

About My Network
- +
- +

My Current Network

- -
+ +

Warning 1: I use a combination of Static NAT and Proxy ARP, neither of which are relevant to a simple configuration with a single public IP address. @@ -45,183 +45,183 @@ your configuration.

Warning 2: My configuration uses features introduced in Shorewall version 1.4.1.

- +

I have DSL service and have 5 static IP addresses (206.124.146.176-180). - My DSL "modem" (Fujitsu Speedport) - is connected to eth0. I have a local network connected to eth2 (subnet + My DSL "modem" (Fujitsu Speedport) + is connected to eth0. I have a local network connected to eth2 (subnet 192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). 

- +

I use:

- +
  • Static NAT for Ursa (my XP System) - Internal address 192.168.1.5 and external address 206.124.146.178.
  • Static NAT for Wookie (my Linux System). Internal address 192.168.1.3 and external address 206.124.146.179.
    • -
  • SNAT through the primary gateway address (206.124.146.176) +
  • SNAT through the primary gateway address (206.124.146.176) for  my Wife's system (Tarry) and the laptop when connected through the Wireless Access Point (wap)
    • - +
- +

The firewall runs on a 256MB PII/233 with RH8.0.

- -

Wookie runs Samba and acts as the a WINS server.  Wookie is in its + +

Wookie runs Samba and acts as the a WINS server.  Wookie is in its own 'whitelist' zone called 'me'.

- -

My laptop (eastept1) is connected to eth3 using a cross-over cable. - It runs its own Sygate firewall -software and is managed by Proxy ARP. It connects to the local network + +

My laptop (eastept1) is connected to eth3 using a cross-over cable. + It runs its own Sygate firewall +software and is managed by Proxy ARP. It connects to the local network through a PPTP server running on Ursa.

- -

The single system in the DMZ (address 206.124.146.177) runs postfix, - Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP - server (Pure-ftpd). The system also runs fetchmail to fetch our email + +

The single system in the DMZ (address 206.124.146.177) runs postfix, + Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP + server (Pure-ftpd). The system also runs fetchmail to fetch our email from our old and current ISPs. That server is managed through Proxy ARP.

- -

The firewall system itself runs a DHCP server that serves the local + +

The firewall system itself runs a DHCP server that serves the local network.

- +

All administration and publishing is done using ssh/scp. I have X installed on both the firewall and the server but no X server or desktop is installed. X applications tunnel through SSH to XWin.exe running on Ursa.

- +

I run an SNMP server on my firewall to serve MRTG running + href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG running in the DMZ.

- +

- +

 

- -

The ethernet interface in the Server is configured - with IP address 206.124.146.177, netmask - 255.255.255.0. The server's default gateway is - 206.124.146.254 (Router at my ISP. This is the same + +

The ethernet interface in the Server is configured + with IP address 206.124.146.177, netmask + 255.255.255.0. The server's default gateway is + 206.124.146.254 (Router at my ISP. This is the same default gateway used by the firewall itself). On the firewall, Shorewall automatically adds a host route to 206.124.146.177 through eth1 (192.168.2.1) because of the entry in /etc/shorewall/proxyarp (see below).

- -

A similar setup is used on eth3 (192.168.3.1) which + +

A similar setup is used on eth3 (192.168.3.1) which interfaces to my laptop (206.124.146.180).

- +

Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior access.

- +

- +

Shorewall.conf

- -
+ +
SHARED_DIR=/usr/share/shorewall
LOGFILE=/var/log/firewall
LOGRATE=
LOGBURST=
LOGUNCLEAN=info
BLACKLIST_LOGLEVEL=
LOGNEWNOTSYN=
MACLIST_LOG_LEVEL=$LOG
TCP_FLAGS_LOG_LEVEL=$LOG
RFC1918_LOG_LEVEL=$LOG
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
NAT_ENABLED=Yes
MANGLE_ENABLED=Yes
IP_FORWARDING=On
ADD_IP_ALIASES=Yes
ADD_SNAT_ALIASES=Yes
TC_ENABLED=Yes
CLEAR_TC=No
MARK_IN_FORWARD_CHAIN=No
CLAMPMSS=Yes
ROUTE_FILTER=No
NAT_BEFORE_RULES=No
MULTIPORT=Yes
DETECT_DNAT_IPADDRS=Yes
MUTEX_TIMEOUT=60
NEWNOTSYN=Yes
BLACKLIST_DISPOSITION=DROP
MACLIST_DISPOSITION=REJECT
TCP_FLAGS_DISPOSITION=DROP
- +

- +

Params File (Edited):

- +
MIRRORS=<list of shorewall mirror ip addresses>
NTPSERVERS=<list of the NTP servers I sync with>
LOG=ULOG
TEXAS=<ip address of gateway in Dallas>
- +

Zones File

- -
+ +
#ZONE	DISPLAY		COMMENTS
net     Internet        Internet
me      Wookie          My Linux Workstation
dmz     DMZ             Demilitarized zone
loc     Local           Local networks
tx      Texas           Peer Network in Dallas
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- +

Interfaces File:

- -
- + +
+

This is set up so that I can start the firewall before bringing up my Ethernet interfaces.

- -
+ +
#ZONE	INERFACE	BROADCAST	OPTIONS
net     eth0            206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc     eth2            192.168.1.255   dhcp,maclist
dmz     eth1            192.168.2.255
net     eth3            206.124.146.255
-       texas           192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- +

Hosts File:

- -
+ +
#ZONE		HOST(S)			OPTIONS
me              eth2:192.168.1.3
tx              texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- +

Routestopped File:

- -
+ +
#INTERFACQ	HOST(S)
eth1            206.124.146.177
eth2            -
eth3            206.124.146.180
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- +

Policy File:

- -
+ +
#SOURCE		DESTINATION	POLICY		LOG LEVEL	BURST:LIMIT
me		loc		NONE
loc		me		NONE
me              all             ACCEPT
tx              me              ACCEPT
all             me              CONTINUE        -               2/sec:5
loc             net             ACCEPT
$FW             loc             ACCEPT
$FW             tx              ACCEPT
loc             tx              ACCEPT
loc             fw              REJECT          $LOG
net             all             DROP            $LOG            10/sec:40
all             all             REJECT          $LOG
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE
- +

Masq File:

- -
- -

Although most of our internal systems use static NAT, my wife's system - (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with + +

+ +

Although most of our internal systems use static NAT, my wife's system + (192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops. Also, I masquerade wookie to the peer subnet in Texas.

- -
+ +
#INTERFACE              SUBNET          ADDRESS
eth0:0.0.0.0/0          eth2            206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
- +

NAT File:

- -
+ +
#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL
206.124.146.178 eth0:0          192.168.1.5     No                      No
206.124.146.179 eth0:1          192.168.1.3     No                      No
192.168.1.193   eth2:0          206.124.146.177 No                      No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
- +

Proxy ARP File:

- -
+ +
#ADDRESS                INTERFACE       EXTERNAL        HAVEROUTE
206.124.146.177         eth1            eth0            No
206.124.146.180         eth3            eth0            No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- +

Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):

- -
+ +
#TYPE			ZONE    GATEWAY         GATEWAY ZONE    PORT
gre                     net     $TEXAS
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- +

Common File:

- -
+ +
. /etc/shorewall/common.def
run_iptables -A common -p tcp --dport auth -j REJECT
- -

Rules File (The shell variables + +

Rules File (The shell variables are set in /etc/shorewall/params):

- -
+ +
################################################################################################################################################################
#RESULT         CLIENT(S)                       SERVER(S)               PROTO   PORT(S)                                 CLIENT          ORIGINAL DEST:SNAT
################################################################################################################################################################
# Local Network to Internet - Reject attempts by Trojans to call home
#
REJECT:$LOG     loc                             net                     tcp     6667
#
# Stop NETBIOS crap since our policy is ACCEPT
#
REJECT          loc                             net                     tcp     137,445
REJECT          loc                             net                     udp     137:139
LOG:$LOG        loc                             net                     tcp     137:139
################################################################################################################################################################
# Local Network to Firewall
#
ACCEPT          loc                             fw                      tcp     ssh,time,10000
ACCEPT          loc                             fw                      udp     snmp
ACCEPT          loc                             fw                      udp     ntp
################################################################################################################################################################
# Local Network to DMZ (10027 is our SMTP backdoor that bypasses virus/spam filtering)
#
ACCEPT          loc                             dmz                     udp     domain
ACCEPT          loc                             dmz                     tcp     smtp,domain,ssh,imap,https,imaps,cvspserver,www,ftp,10027,10000,8080    -
################################################################################################################################################################
# Internet to DMZ
#
ACCEPT          net                             dmz                     tcp     www,smtp,ftp,imaps,domain,cvspserver,https,imap -
ACCEPT          net                             dmz                     udp     domain
ACCEPT          net:$MIRRORS                    dmz                     tcp     rsync
ACCEPT:$LOG     net                             dmz                     tcp     32768:61000                             20
DROP            net                             dmz                     tcp     1433
################################################################################################################################################################
#
# Net to Local
#
# My laptop isn't NATTED when in its docking station. To allow access to the local lan, I need a VPN to Ursa which is enabled by the following "half"-rules.
#
DNAT-           net                             loc:192.168.1.5         tcp     1723                                    -               206.124.146.178
DNAT-           net                             loc:192.168.1.5         gre     -                                       -               206.124.146.178
#
# When I'm "on the road", the following two rules allow me VPN access back home.
#
ACCEPT          net                             loc:192.168.1.5         tcp     1723
ACCEPT          net                             loc:192.168.1.5         gre
#
# ICQ to Ursa
#
ACCEPT          net                             loc:192.168.1.5         tcp     4000:4100
################################################################################################################################################################
# Net to me
#
ACCEPT          net                             me:192.168.1.3          tcp     4000:4100
################################################################################################################################################################
# DMZ to Internet
#
ACCEPT          dmz                             net                     tcp     smtp,domain,www,https,whois,echo,2702,21,2703,ssh
ACCEPT          dmz                             net                     udp     domain
ACCEPT          dmz                             net:206.124.128.8       tcp     pop3
ACCEPT          dmz                             net:66.216.26.115       tcp     pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG     dmz                             net                     tcp     1024:                                   20
################################################################################################################################################################
# DMZ to Firewall -- ntp & snmp
#
ACCEPT          dmz                             fw                      udp     ntp                                     ntp
ACCEPT          dmz                             fw                      tcp     snmp
ACCEPT          dmz                             fw                      udp     snmp
################################################################################################################################################################
#
# DMZ to Local Network
#
ACCEPT          dmz                             loc                     tcp     smtp
################################################################################################################################################################
#
# DMZ to Me -- NFS
#
ACCEPT          dmz                             me                      tcp     111
ACCEPT          dmz                             me                      udp     111
ACCEPT          dmz                             me                      udp     2049
ACCEPT          dmz                             me                      udp     32700:
################################################################################################################################################################
# Internet to Firewall
#
ACCEPT          net:eth3:206.124.146.180        fw                      udp     ntp                                     ntp
REJECT          net                             fw                      tcp     www
DROP            net                             fw                      tcp     1433
DROP            net:eth3:!206.124.146.180       fw                      all
################################################################################################################################################################
# Firewall to Internet
#
ACCEPT          fw                              net:$NTPSERVERS         udp     ntp                                     ntp
ACCEPT          fw                              net                     udp     domain
ACCEPT          fw                              net                     tcp     domain,www,https,ssh,1723,whois,1863
ACCEPT          fw                              net                     udp     33435:33535
ACCEPT          fw                              net                     icmp    8
################################################################################################################################################################
# Firewall to DMZ
#
ACCEPT          fw                              dmz                     tcp     www,ftp,ssh,smtp
ACCEPT          fw                              dmz                     udp     domain
ACCEPT          fw                              dmz                     icmp    8
REJECT          fw                              dmz                     udp     137:139
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
- +

Tom Eastep

- Copyright + Copyright © 2001, 2002, 2003 Thomas M. Eastep.


diff --git a/Shorewall-docs/netfilter_overview.htm b/Shorewall-docs/netfilter_overview.htm index 399d36259..76d8a3e87 100644 --- a/Shorewall-docs/netfilter_overview.htm +++ b/Shorewall-docs/netfilter_overview.htm @@ -16,30 +16,30 @@

 

1.0 Tables

-

Chains of rules are organized into Tables. +

Chains of rules are organized into Tables. Netfilter currently has three tables.

  1. -

    Mangle Table - This allows the contents of the packet to be -changed. Shorewall uses rules in this table to mark packets for traffic -shaping/control (/etc/shorewall/tcrules file) and for setting the Type of +

    Mangle Table - This allows the contents of the packet to be +changed. Shorewall uses rules in this table to mark packets for traffic +shaping/control (/etc/shorewall/tcrules file) and for setting the Type of Service (TOS) for the packet (/etc/shorewall/tos).

  2. -

    NAT Table - Allows modification of the source and destination IP +

    NAT Table - Allows modification of the source and destination IP and port.

  3. -

    Filter Table - This is where most ACCEPT/DROP/REJECT decisions +

    Filter Table - This is where most ACCEPT/DROP/REJECT decisions are made in Shorewall.

-

Each table has a number of pre-defined chains as shown in -the table that follows. Packets flow through the chains in the order of that +

Each table has a number of pre-defined chains as shown in +the table that follows. Packets flow through the chains in the order of that table.

@@ -74,8 +74,8 @@ table.

  • Static NAT DNAT mapping
    • - Only connection requests go here -- packets that are part of or - related to an established connection use information from the connection + Only connection requests go here -- packets that are part of or + related to an established connection use information from the connection tracking table. @@ -111,8 +111,8 @@ table.

    NAT OUTPUT DNAT rules where the source zone is fw - Only connection requests go here -- packets that are part of or - related to an established connection use information from the connection + Only connection requests go here -- packets that are part of or + related to an established connection use information from the connection tracking table. @@ -126,13 +126,13 @@ table.

  • Static NAT SNAT Mapping
    • - Only connection requests go here -- packets that are part of or - related to an established connection use information from the connection + Only connection requests go here -- packets that are part of or + related to an established connection use information from the connection tracking table.
    -

    The connection tracking table can be displayed using the +

    The connection tracking table can be displayed using the "shorewall show connections" command.

    diff --git a/Shorewall-docs/ping.html b/Shorewall-docs/ping.html index 7a392c7bb..5bdccb829 100644 --- a/Shorewall-docs/ping.html +++ b/Shorewall-docs/ping.html @@ -2,150 +2,150 @@ ICMP Echo-request (Ping) - + - + - + - - - + +
    +

    ICMP Echo-request (Ping)

    - Shorewall 'Ping' management has evolved over time with the latest change + Shorewall 'Ping' management has evolved over time with the latest change coming in Shorewall version 1.4.0.
    - +

    Shorewall Versions >= 1.4.0

    - In order to accept ping requests from zone z1 to zone z2 where the policy -for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the + In order to accept ping requests from zone z1 to zone z2 where the policy +for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the form:
    - -
    ACCEPT    z1    z2    + +
    ACCEPT    z1    z2    icmp    8
    Example:

    To permit ping from the local zone to the firewall:
    - -
    ACCEPT    loc    fw    + +
    ACCEPT    loc    fw    icmp    8
    If you would like to accept 'ping' by default even when the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it doesn't already exist and in that file place the following command:
    - -
    + +
    run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT
    - With that rule in place, if you want to ignore 'ping' from z1 to z2 then + With that rule in place, if you want to ignore 'ping' from z1 to z2 then you need a rule of the form:
    - -
    DROP    z1    z2    + +
    DROP    z1    z2    icmp    8
    Example:

    To drop ping from the internet, you would need this rule in /etc/shorewall/rules:

    - -
    DROP    net    fw    + +
    DROP    net    fw    icmp    8
    - +

    Shorewall Versions >= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf

    - In 1.3.14, Ping handling was put under control of the rules and policies - just like any other connection request. In order to accept ping requests + In 1.3.14, Ping handling was put under control of the rules and policies + just like any other connection request. In order to accept ping requests from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the form:
    - -
    ACCEPT    z1    z2    + +
    ACCEPT    z1    z2    icmp    8
    Example:

    To permit ping from the local zone to the firewall:
    - -
    ACCEPT    loc    fw    + +
    ACCEPT    loc    fw    icmp    8
    If you would like to accept 'ping' by default even when the relevant policy is DROP or REJECT, create /etc/shorewall/icmpdef if it doesn't already exist and in that file place the following command:
    - -
    + +
    run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT
    - With that rule in place, if you want to ignore 'ping' from z1 to z2 then + With that rule in place, if you want to ignore 'ping' from z1 to z2 then you need a rule of the form:
    - -
    DROP    z1    z2    + +
    DROP    z1    z2    icmp    8
    Example:

    To drop ping from the internet, you would need this rule in /etc/shorewall/rules:
    - -
    DROP    net    fw    + +
    DROP    net    fw    icmp    8
    - +
    - +

    Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf

    There are several aspects to the old Shorewall Ping management:
    - +
    1. The noping and filterping interface options in /etc/shorewall/interfaces.
    2. The FORWARDPING option in /etc/shorewall/shorewall.conf.
    3. Explicit rules in /etc/shorewall/rules.
      4. - +
    There are two cases to consider:
    - +
    1. Ping requests addressed to the firewall itself; and
    2. Ping requests being forwarded to another system. Included here are all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple routing.
      3. - +
    These cases will be covered separately.
    - +

    Ping Requests Addressed to the Firewall Itself

    For ping requests addressed to the firewall, the sequence is as follows:
    - +
    1. If neither noping nor filterping are specified for the interface that receives the ping request then the request will be responded to with an ICMP echo-reply.
      2. -
    2. If noping is specified for the interface that receives the +
    3. If noping is specified for the interface that receives the ping request then the request is ignored.
    4. If filterping is specified for the interface then the request is passed to the rules/policy evaluation.
      5. - +
    - +

    Ping Requests Forwarded by the Firewall

    These requests are always passed to rules/policy evaluation.
    - +

    Rules Evaluation

    Ping requests are ICMP type 8. So the general rule format is:

    -     Target    Source    +     Target    Source    Destination    icmp    8

    Example 1. Accept pings from the net to the dmz (pings are responded @@ -158,11 +158,11 @@ to with an ICMP echo-reply):

        DROP    net    fw    icmp    8
    - +

    Policy Evaluation

    - If no applicable rule is found, then the policy for the source to the + If no applicable rule is found, then the policy for the source to the destination is applied.
    - +
    1. If the relevant policy is ACCEPT then the request is responded to with an ICMP echo-reply.
      2. @@ -170,12 +170,12 @@ to with an ICMP echo-reply. then the request is responded to with an ICMP echo-reply.
    2. Otherwise, the relevant REJECT or DROP policy is used and the request is either rejected or simply ignored.
      3. - +
    - -

    Updated 2/14/2003 - Tom Eastep + +

    Updated 2/14/2003 - Tom Eastep

    - +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.


    diff --git a/Shorewall-docs/ports.htm b/Shorewall-docs/ports.htm index e6d655c99..d8824ecde 100644 --- a/Shorewall-docs/ports.htm +++ b/Shorewall-docs/ports.htm @@ -1,200 +1,200 @@ - + Shorewall Port Information - + - + - + - - - + +
    +

    Ports required for Various Services/Applications
    - +

    In addition to those applications described in the /etc/shorewall/rules documentation, here are some other services/applications that you may need to configure your firewall to accommodate.

    - +

    NTP (Network Time Protocol)

    - -
    + +

    UDP Port 123

    - +

    rdate

    - -
    + +

    TCP Port 37

    - +

    UseNet (NNTP)

    - -
    + +

    TCP Port 119

    - +

    DNS

    - -
    + +

    UDP Port 53. If you are configuring a DNS client, you will probably want to open TCP Port 53 as well.
    - If you are configuring a server, only open TCP Port 53 if you will -return long replies to queries or if you need to enable ZONE transfers. In + If you are configuring a server, only open TCP Port 53 if you will +return long replies to queries or if you need to enable ZONE transfers. In the latter case, be sure that your server is properly configured.

    - +

    ICQ   

    - -
    + +

    UDP Port 4000. You will also need to open a range of TCP ports which you can specify to your ICQ client. By default, clients use 4000-4100.

    - +

    PPTP

    - -
    + +

    Protocol 47 (NOT port 47) and TCP Port 1723 (Lots more information here).

    - +

    IPSEC

    - -
    + +

    Protocols 50 and 51 (NOT ports 50 and 51) and UDP Port 500. These should be opened in both directions (Lots more information here and here).

    - +

    SMTP

    - -
    + +

     TCP Port 25.

    - +

    POP3

    - -
    + +

    TCP Port 110.

    - +

    TELNET

    - -
    + +

    TCP Port 23.

    - +

    SSH

    - -
    + +

    TCP Port 22.

    - +

    Auth (identd)

    - -
    + +

    TCP Port 113

    - +

    Web Access

    - -
    + +

    TCP Ports 80 and 443.

    - +

    FTP

    - -
    + +

    Server configuration is covered on in the /etc/shorewall/rules documentation,

    - -

    For a client, you must open outbound TCP port 21 and be sure that your - kernel is compiled to support FTP connection tracking. If you build this - support as a module, Shorewall will automatically load the module from + +

    For a client, you must open outbound TCP port 21 and be sure that your + kernel is compiled to support FTP connection tracking. If you build this + support as a module, Shorewall will automatically load the module from /var/lib/<kernel version>/kernel/net/ipv4/netfilter. 

    - -

    If you run an FTP server on a nonstandard port or you need to access - such a server, then you must specify that port in /etc/shorewall/modules. - For example, if you run an FTP server that listens on port 49 then you would + +

    If you run an FTP server on a nonstandard port or you need to access + such a server, then you must specify that port in /etc/shorewall/modules. + For example, if you run an FTP server that listens on port 49 then you would have:

    - -
    + +

    loadmodule ip_conntrack_ftp ports=21,49
    loadmodule ip_nat_ftp ports=21,49

    - -

    Note that you MUST include port 21 in the ports list or you may + +

    Note that you MUST include port 21 in the ports list or you may have problems accessing regular FTP servers.

    - +

    If there is a possibility that these modules might be loaded before Shorewall starts, then you should include the port list in /etc/modules.conf:

    - -
    + +

    options ip_conntrack_ftp ports=21,49
    options ip_nat_ftp ports=21,49

    - +

    SMB/NMB (Samba/Windows Browsing/File Sharing)

    - +
    - -
    + +

    TCP Ports 137, 139 and 445.
    UDP Ports 137-139.

    Also, see this page.

    - +

    Traceroute

    - -
    + +

    UDP ports 33434 through 33434+<max number of hops>-1

    - +

    NFS

    - -
    -

    I personally use the following rules for opening access from zone z1 + +

    +

    I personally use the following rules for opening access from zone z1 to a server with IP address a.b.c.d in zone z2:

    - + 
    ACCEPT	z1	z2:a.b.c.d	udp	111
    ACCEPT	z1	z2:a.b.c.d	tcp	111
    ACCEPT	z1	z2:a.b.c.d	udp	2049
    ACCEPT	z1	z2:a.b.c.d	udp	32700:
    - -
    -

    Note that my rules only cover NFS using UDP (the normal case). There + +

    +

    Note that my rules only cover NFS using UDP (the normal case). There is lots of additional information at  http://nfs.sourceforge.net/nfs-howto/security.html

    - -

    Didn't find what you are looking for -- have you looked in your own + +

    Didn't find what you are looking for -- have you looked in your own /etc/services file?

    - +

    Still looking? Try http://www.networkice.com/advice/Exploits/Ports

    - +

    Last updated 2/25/2003 - Tom Eastep

    Copyright © - + - + - + - + Quotes from Shorewall Users - + - - - + +
    +

    Quotes from Shorewall Users
    - +

    "The configuration is intuitive and flexible, and much easier than any of the other iptables-based firewall programs out there. After sifting through many other scripts, it is obvious that yours is the most well thought-out @@ -36,55 +36,55 @@ and complete one available." -- BC, USA

    "My case was almost like [the one above]. Well. instead of 'weeks' it was 'months' for me, and I think I needed two minutes more:
    - +
    • One to see that I had no Internet access from the firewall itself.
    • Other to see that this was the default configuration, and it was enough to uncomment a line in /etc/shorewall/policy.
      • - +
    - Minutes instead of months! Congratulations and thanks for such a simple -and well documented thing for something as huge as iptables." -- JV, Spain. - + Minutes instead of months! Congratulations and thanks for such a simple +and well documented thing for something as huge as iptables." -- JV, Spain. +

    "I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without - any problems. Your documentation is great and I really appreciate + any problems. Your documentation is great and I really appreciate your network configuration info. That really helped me out alot. THANKS!!!" -- MM.

    - +

    "[Shorewall is a] great, great project. I've used/tested may firewall - scripts but this one is till now the best." -- B.R, Netherlands + scripts but this one is till now the best." -- B.R, Netherlands

    - +

    "Never in my +12 year career as a sys admin have I witnessed someone so relentless in developing a secure, state of the art, safe and useful - product as the Shorewall firewall package for no cost or obligation + product as the Shorewall firewall package for no cost or obligation involved." -- Mario Kerecki, Toronto

    - -

    "one time more to report, that your great shorewall in the latest + +

    "one time more to report, that your great shorewall in the latest release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines up and running with shorewall on several versions - starting with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!" -- SM, Germany

    - +

    "You have the best support of any other package I've ever used." -- SE, US

    - +

    "Because our company has information which has been classified by the national government as secret, our security doesn't stop by putting a fence around our company. Information security is a hot issue. We also make use of checkpoint firewalls, but not all of the internet servers are guarded by checkpoint, some of them are running....Shorewall." -- Name withheld by request, Europe

    - +

    "thanx for all your efforts you put into shorewall - this product stands out against a lot of commercial stuff i´ve been working with in terms of flexibillity, quality & support" -- RM, Austria

    - +

    "I have never seen such a complete firewall package that is so easy to configure. I searched the Debian package system for firewall scripts and Shorewall won hands down." -- RG, Toronto

    - +

    "My respects... I've just found and installed Shorewall 1.3.3-1 and it is a wonderful piece of software. I've just sent out an email to about 30 people recommending it. :-)
    @@ -95,11 +95,11 @@ by request, Europe

    -- RP, Guatamala

     

    - +

    Updated 3/18/2003 - - Tom Eastep + - Tom Eastep

    - +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.


    diff --git a/Shorewall-docs/samba.htm b/Shorewall-docs/samba.htm index 6656b21bf..cd6964bda 100644 --- a/Shorewall-docs/samba.htm +++ b/Shorewall-docs/samba.htm @@ -17,7 +17,7 @@ -

    If you wish to run Samba on your firewall and access shares between the +

    If you wish to run Samba on your firewall and access shares between the firewall and local hosts, you need the following rules:

    /etc/shorewall/rules:

    diff --git a/Shorewall-docs/seattlefirewall_index.htm b/Shorewall-docs/seattlefirewall_index.htm index 42a8a48c3..5bdfa74da 100644 --- a/Shorewall-docs/seattlefirewall_index.htm +++ b/Shorewall-docs/seattlefirewall_index.htm @@ -1,371 +1,386 @@ - - - - - - - + + + + + + + Shoreline Firewall (Shorewall) 1.4 - - - - - - - + + + + + + + - - - - + + + + - - - - - - + + + + - - - - - - - - - - + color="#ffffff">Shorewall 1.3 Site is here +
    + + + + + + + + + + + + + +
    - - - - - - - - - - + +
    + + + + + + + + + +

    Shorwall Logo - - (Shorewall Logo) -

    - - -
    + + + +

    Shorewall 1.4 "iptables made easy" 

    -
    - - - -

    + color="#ffffff"> "iptables made easy" +

    + + + +

    - - - - - - - - - - - - - + + + + + + + + + + + + +
    Shorewall 1.3 Site is here                   -            
    - -
    -
    - - - - -
    - -
    - + + + + +
    + +
    + - - - - - - + + + + - - - - - - - - - - - - - + + + + + + + + + + + + + + + +
    - - - - - - - - - - - + +
    + + + + + + + + + + + +

    What is it?

    - - - - - - - - - - - - - + + + + + + + + + + + + +

    The Shoreline Firewall, more commonly known as "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

    - - - - - - - - - - - - - + + + + + + + + + + + + +

    This program is free software; you can redistribute it and/or modify - it under the -terms of Version - 2 of the GNU General Public License as published by the Free + it under the + terms of Version + 2 of the GNU General Public License as published by the Free Software Foundation.
    - -
    - - This program is distributed - in the hope that it will be useful, but - WITHOUT ANY WARRANTY; without even the implied - warranty of MERCHANTABILITY or FITNESS FOR - A PARTICULAR PURPOSE. See the GNU General Public License - for more details.
    - -
    - - You should have received - a copy of the GNU General Public License - along with this program; if not, write + +
    + + This program is distributed + in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied + warranty of MERCHANTABILITY or FITNESS FOR + A PARTICULAR PURPOSE. See the GNU General Public +License for more details.
    + +
    + + You should have received + a copy of the GNU General Public License + along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    - - - - - - - - - - - - - + + + + + + + + + + + + +

    Copyright 2001, 2002, 2003 Thomas M. Eastep

    - - - - - - - - - - - - - + + + + + + + + + + + + +

    - - Jacques Nilo - and Eric Wolzak have a LEAF (router/firewall/gateway - on a floppy, CD or compact flash) distribution - called Bering that features + + Jacques + Nilo and Eric Wolzak have a LEAF (router/firewall/gateway + on a floppy, CD or compact flash) distribution + called Bering that features Shorewall-1.3.14 and Kernel-2.4.20. You can find - their work at: http://leaf.sourceforge.net/devel/jnilo
    -

    - - - - - - - +

    + + + + + + +

    Congratulations to Jacques and Eric on the recent release of Bering 1.1!!!
    -

    - +

    +

    This is a mirror of the main Shorewall web site at SourceForge (http://shorewall.sf.net)

    - +

    News

    - +

    3/24/2003 - Shorewall 1.4.1 (New) -

    -This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0 -and removes additional warts.
    -
    - Problems Corrected:
    +

    + This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0 + and removes additional warts.
    +
    + Problems Corrected:
    +
      -
    1. When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), -it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn -file is empty. That problem has been corrected so that ECN disabling rules -are only added if there are entries in /etc/shorewall/ecn.
      2. +
    2. When Shorewall 1.4.0 is run under the ash shell (such as on +Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn + file is empty. That problem has been corrected so that ECN disabling rules + are only added if there are entries in /etc/shorewall/ecn.
      3. +
    - New Features:
    + New Features:
    +
    Note: In the list that follows, the term group refers -to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be -a host address) accessed through a particular interface. Examples:
    + to a particular network or subnetwork (which may be 0.0.0.0/0 or it may +be a host address) accessed through a particular interface. Examples:
    +
    eth0:0.0.0.0/0
    -eth2:192.168.1.0/24
    -eth3:192.0.2.123
    + eth2:192.168.1.0/24
    + eth3:192.0.2.123
    +
    + You can use the "shorewall check" command to see the groups associated +with each of your zones.
    -You can use the "shorewall check" command to see the groups associated with -each of your zones.
    - +
      -
    1. Beginning with Shorewall 1.4.1, if a zone Z comprises more than -one group then if there is no explicit Z to Z policy and there are -no rules governing traffic from Z to Z then Shorewall will permit all traffic -between the groups in the zone.
      2. -
    2. Beginning with Shorewall 1.4.1, Shorewall will never create rules -to handle traffic from a group to itself.
      3. -
    3. A NONE policy is introduced in 1.4.1. When a policy of NONE is -specified from Z1 to Z2:
      4. +
    4. Beginning with Shorewall 1.4.1, if a zone Z comprises more +than one group then if there is no explicit Z to Z policy and there +are no rules governing traffic from Z to Z then Shorewall will permit all +traffic between the groups in the zone.
      5. +
    5. Beginning with Shorewall 1.4.1, Shorewall will never create +rules to handle traffic from a group to itself.
      6. +
    6. A NONE policy is introduced in 1.4.1. When a policy of NONE +is specified from Z1 to Z2:
      7. +
    +
      -
    • There may be no rules created that govern connections from Z1 -to Z2.
      • -
    • Shorewall will not create any infrastructure to handle traffic -from Z1 to Z2.
      • +
    • There may be no rules created that govern connections from +Z1 to Z2.
      • +
    • Shorewall will not create any infrastructure to handle traffic + from Z1 to Z2.
      • +
    -See the upgrade issues for a discussion -of how these changes may affect your configuration.
    + See the upgrade issues for a discussion + of how these changes may affect your configuration.
    +

    More News

    - +

    Donations

    - - -     		M

    +
    - -
    - -
    - - - - + +
    + +
    + + + + - - - - - - + + + + - - - - - - - - - - + + + + + + + + + + + + +
    - - - - - - - - - - + +
    + + + + + + + + + +

    - -

    - - - - - - - - - - - - + +

    + + + + + + + + + + + + +

    Shorewall is free but if you try it and find it useful, please consider making a donation - to Starlight + to Starlight Children's Foundation. Thanks!

    - -
    - - - - -

    Updated 3/21/2003 - Tom Eastep - -
    -

    + + + + +

    Updated 3/21/2003 - Tom Eastep + +
    +

    +
    +

    -
    + diff --git a/Shorewall-docs/shoreline.htm b/Shorewall-docs/shoreline.htm index 2ccc58089..c6c6905b6 100644 --- a/Shorewall-docs/shoreline.htm +++ b/Shorewall-docs/shoreline.htm @@ -1,46 +1,46 @@ - + About the Shorewall Author - - + + - + - + - + - - - + +
    - + +

    Tom Eastep
    - +

    Tom on the PCT - 1991

    - +

    Tarry & Tom -- August 2002

    - + - -

    I am currently a member of the design team for the next-generation + +

    I am currently a member of the design team for the next-generation operating system from the NonStop Enterprise Division of HP.

    - -

    I became interested in Internet Security when I established a home office - in 1999 and had DSL service installed in our home. I investigated + +

    I became interested in Internet Security when I established a home office + in 1999 and had DSL service installed in our home. I investigated ipchains and developed the scripts which are now collectively known as Seattle Firewall. Expanding on what I learned from Seattle Firewall, I then designed and wrote Shorewall.

    - +

    I telework from our home in Shoreline, Washington where I live with my wife Tarry. 

    - +

    Our current home network consists of:

    - +
      -
    • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & -20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. +
    • 1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & +20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Serves as a PPTP server for Road Warrior access. Dual boots Mandrake 9.0.
      • -
    • Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) +
    • Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My personal Linux System which runs Samba configured as a WINS server. This system also has VMware installed and can run both Debian Woody and SuSE 8.1 in virtual machines.
      • -
    • K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  - - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), +
    • K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  + - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), DNS server (Bind 9).
      • -
    • PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 - LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0  +
    • PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 + LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0  and a DHCP server.
    • Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.
    • PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main work system.
      • - +
    - +

    For more about our network see my Shorewall Configuration.

    - +

    All of our other systems are made by Compaq (part of the new HP).. All of our Tulip NICs are Netgear FA310TXs.

    - +

    Protected by Shorewall

    - +

    Last updated 3/17/2003 - Tom Eastep

    Copyright © 2001, 2002, 2003 Thomas + size="2">Copyright © 2001, 2002, 2003 Thomas M. Eastep.


    diff --git a/Shorewall-docs/shorewall_extension_scripts.htm b/Shorewall-docs/shorewall_extension_scripts.htm index 73910506c..9b9fbe0c5 100644 --- a/Shorewall-docs/shorewall_extension_scripts.htm +++ b/Shorewall-docs/shorewall_extension_scripts.htm @@ -1,45 +1,45 @@ - + - + - + - + Shorewall Extension Scripts - - + + - + - - - + - - - + + +
    - + + +

    Extension Scripts

    - +
    - - -

    Extension scripts are user-provided scripts that are invoked at various -points during firewall start, restart, stop and clear. The scripts are -placed in /etc/shorewall and are processed using the Bourne shell "source" + + +

    Extension scripts are user-provided scripts that are invoked at various +points during firewall start, restart, stop and clear. The scripts are +placed in /etc/shorewall and are processed using the Bourne shell "source" mechanism. The following scripts can be supplied:

    - +
    • init -- invoked early in "shorewall start" and "shorewall restart"
      • @@ -47,77 +47,77 @@ restart"
    • stop -- invoked as a first step when the firewall is being stopped.
    • stopped -- invoked after the firewall has been stopped.
    • clear -- invoked after the firewall has been cleared.
      • -
    • refresh -- invoked while the firewall is being refreshed but before +
    • refresh -- invoked while the firewall is being refreshed but before the common and/or blacklst chains have been rebuilt.
      • -
    • newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' +
    • newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain has been created but before any rules have been added to it.
      • - +
    - - - - -

    If your version of Shorewall doesn't have the file that you want + + + + +

    If your version of Shorewall doesn't have the file that you want to use from the above list, you can simply create the file yourself.

    - -

    You can also supply a script with the same name as any of the filter + +

    You can also supply a script with the same name as any of the filter chains in the firewall and the script will be invoked after the /etc/shorewall/rules file has been processed but before the /etc/shorewall/policy file has been processed.

    - - - - -

    The /etc/shorewall/common file receives special treatment. If this file -is present, the rules that it defines will totally replace the default -rules in the common chain. These default rules are contained in the -file /etc/shorewall/common.def which may be used as a starting point + + + + +

    The /etc/shorewall/common file receives special treatment. If this file +is present, the rules that it defines will totally replace the default +rules in the common chain. These default rules are contained in the +file /etc/shorewall/common.def which may be used as a starting point for making your own customized file.

    - - - - -

    Rather than running iptables directly, you should run it using the - function run_iptables. Similarly, rather than running "ip" directly, -you should use run_ip. These functions accept the same arguments as the - underlying command but cause the firewall to be stopped if an error occurs + + + + +

    Rather than running iptables directly, you should run it using the + function run_iptables. Similarly, rather than running "ip" directly, +you should use run_ip. These functions accept the same arguments as the + underlying command but cause the firewall to be stopped if an error occurs during processing of the command.

    - - - - + + + +

    If you decide to create /etc/shorewall/common it is a good idea to use the following technique

    - - - - + + + +

    /etc/shorewall/common:

    - - - - -
    - + + + + +
    + 
    . /etc/shorewall/common.def
    <add your rules here>
    - -

    If you need to supercede a rule in the released common.def file, you can -add the superceding rule before the '.' command. Using this technique allows - you to add new rules while still getting the benefit of the latest common.def + +

    If you need to supercede a rule in the released common.def file, you can +add the superceding rule before the '.' command. Using this technique allows + you to add new rules while still getting the benefit of the latest common.def file.

    - - - -

    Remember that /etc/shorewall/common defines rules that are only applied -if the applicable policy is DROP or REJECT. These rules are NOT applied + + + +

    Remember that /etc/shorewall/common defines rules that are only applied +if the applicable policy is DROP or REJECT. These rules are NOT applied if the policy is ACCEPT or CONTINUE.

    - - - + + +

    Last updated 2/18/2003 - Tom Eastep

    - +

    Copyright 2002, 2003 Thomas M. Eastep


    diff --git a/Shorewall-docs/shorewall_features.htm b/Shorewall-docs/shorewall_features.htm index ec305966e..e025fa940 100644 --- a/Shorewall-docs/shorewall_features.htm +++ b/Shorewall-docs/shorewall_features.htm @@ -1,114 +1,114 @@ - + - + - + - + Shorewall Features - + - - - + +
    +

    Shorewall Features
    - +
      -
    • Uses Netfilter's connection tracking facilities for stateful packet +
    • Uses Netfilter's connection tracking facilities for stateful packet filtering.
    • Can be used in a wide range of router/firewall/gateway applications. - +
      • Completely customizable using configuration files.
      • No limit on the number of network interfaces.
      • Allows you to partitions the network into zones and gives you complete + href="Documentation.htm#Zones">zones and gives you complete control over the connections permitted between each pair of zones.
        • -
      • Multiple interfaces per zone and multiple zones per interface +
      • Multiple interfaces per zone and multiple zones per interface permitted.
      • Supports nested and overlapping zones.
        • - +
      • -
    • QuickStart Guides (HOWTOs) +
    • QuickStart Guides (HOWTOs) to help get your first firewall up and running quickly
    • A GUI is available via Webmin 1.060 and later (http://www.webmin.com)
    • Extensive documentation + href="shorewall_quickstart_guide.htm#Documentation">documentation included in the .tgz and .rpm downloads.
      • -
    • Flexible address management/routing support (and you can -use all types in the same firewall): +
    • Flexible address management/routing support (and you can +use all types in the same firewall):
    • Blacklisting of individual IP addresses and subnetworks is supported.
    • Operational support: - +
      • Commands to start, stop and clear the firewall
        • -
      • Supports status monitoring with an audible alarm +
      • Supports status monitoring with an audible alarm when an "interesting" packet is detected.
      • Wide variety of informational commands.
        • - +
      • -
    • VPN Support +
    • VPN Support
    • Support for Traffic Control/Shaping integration.
      • -
    • Wide support for different GNU/Linux Distributions. - +
    • Wide support for different GNU/Linux Distributions. +
    • Media Access Control (MAC) Address Verification

      • - +
    - +

    Last updated 2/5/2003 - Tom Eastep

    - +

    Copyright © 2001-2003 Thomas M. Eastep.

    diff --git a/Shorewall-docs/shorewall_firewall_structure.htm b/Shorewall-docs/shorewall_firewall_structure.htm index a82e5bfe0..cf8c57a81 100644 --- a/Shorewall-docs/shorewall_firewall_structure.htm +++ b/Shorewall-docs/shorewall_firewall_structure.htm @@ -21,17 +21,17 @@ Shorewall views the network in which it is running as a set of zones. Shorewall itself defines exactly one zone called "fw" which refers to the firewall system itself . The /etc/shorewall/zones file -is used to define additional zones and the example file provided with Shorewall +is used to define additional zones and the example file provided with Shorewall defines the zones:

    1. net -- the (untrusted) internet.
    2. - dmz - systems that must be accessible from the internet and from the -local network.  These systems cannot be trusted completely since their servers + dmz - systems that must be accessible from the internet and from the +local network.  These systems cannot be trusted completely since their servers may have been compromised through a security exploit.
    3. - loc - systems in your local network(s). These systems must be protected + loc - systems in your local network(s). These systems must be protected from the internet and from the DMZ and in some cases, from each other.

    Note: You can specify the name of the firewall zone. @@ -41,79 +41,79 @@ from the internet and from the DMZ and in some cases, from each other. -

    While zones are normally disjoint (no two zones have a host in common), +

    While zones are normally disjoint (no two zones have a host in common), there are cases where nested or overlapping zone definitions are appropriate.

    For a general picture of how packets traverse a Netfilter firewall, see http://www.netfilter.org/documentation/tutorials/blueflux/iptables-tutorial.html#TRAVERSINGOFTABLES.

    - Packets entering the firewall first pass through the mangle table's - PREROUTING chain (you can see the mangle table by typing "shorewall show - mangle"). If the packet entered through an interface that has the norfc1918 - option, then the packet is sent down the man1918  which will drop - the packet if its destination IP address is reserved (as specified in the - /etc/shorewall/rfc1918 file). Next the packet passes through the pretos - chain to set its TOS field as specified in the /etc/shorewall/tos file. - Finally, if traffic control/shaping is being used, the packet is sent through - the tcpre chain to be marked for later use in policy routing or traffic + Packets entering the firewall first pass through the mangle table's + PREROUTING chain (you can see the mangle table by typing "shorewall show + mangle"). If the packet entered through an interface that has the norfc1918 + option, then the packet is sent down the man1918  which will drop + the packet if its destination IP address is reserved (as specified in the + /etc/shorewall/rfc1918 file). Next the packet passes through the pretos + chain to set its TOS field as specified in the /etc/shorewall/tos file. + Finally, if traffic control/shaping is being used, the packet is sent through + the tcpre chain to be marked for later use in policy routing or traffic control.

    -

    Next, if the packet isn't part of an established connection, it passes - through the nat table's PREROUTING chain (you can see the nat table by - typing "shorewall show nat"). If you are doing both static nat and - port forwarding, the order in which chains are traversed is dependent on the - setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on then - packets will ender a chain called interface_in where interface is - the name of the interface on which the packet entered. Here it's destination IP - is compared to each of the EXTERNAL IP addresses from /etc/shorewall/nat - that correspond to this interface; if there is a match, DNAT is applied and the - packet header is modified to the IP in the INTERNAL column of the nat +

    Next, if the packet isn't part of an established connection, it passes + through the nat table's PREROUTING chain (you can see the nat table by + typing "shorewall show nat"). If you are doing both static nat and + port forwarding, the order in which chains are traversed is dependent on the + setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on then + packets will ender a chain called interface_in where interface is + the name of the interface on which the packet entered. Here it's destination IP + is compared to each of the EXTERNAL IP addresses from /etc/shorewall/nat + that correspond to this interface; if there is a match, DNAT is applied and the + packet header is modified to the IP in the INTERNAL column of the nat file record. If the destination address doesn't match any of the rules in the - interface_in chain then the packet enters a chain called sourcezone_dnat - where sourcezone is the source zone of the packet. There it is compared + interface_in chain then the packet enters a chain called sourcezone_dnat + where sourcezone is the source zone of the packet. There it is compared for a match against each of the DNAT records in the rules file that specify - sourcezone as the source zone. If a match is found, the destination IP - address (and possibly the destination port) is modified based on the rule + sourcezone as the source zone. If a match is found, the destination IP + address (and possibly the destination port) is modified based on the rule matched. If NAT_BEFORE_RULES is off, then the order of traversal of the interface_in and sourcezone_dnat is reversed.

    - Traffic is next sent to an input chain in the mail Netfilter table - (called 'filter'). If the traffic is destined for the - firewall itself, the name of the input chain is formed by appending "_in" to - the interface name. So traffic on eth0 destined for the firewall will enter a - chain called eth0_in. The input chain for traffic that will be routed to - another system is formed by appending "_fwd" to the interface name. So traffic - from eth1 that is going to be forwarded enters a chain called eth1_fwd. - Interfaces described with the wild-card character ("+") in - /etc/shorewall/interfaces, share input chains. if ppp+ appears in - /etc/shorewall/interfaces then all PPP interfaces (ppp0, ppp1, ...) will share - the input chains ppp_in and ppp_fwd. In other words, "+" is + Traffic is next sent to an input chain in the mail Netfilter table + (called 'filter'). If the traffic is destined for the + firewall itself, the name of the input chain is formed by appending "_in" to + the interface name. So traffic on eth0 destined for the firewall will enter a + chain called eth0_in. The input chain for traffic that will be routed to + another system is formed by appending "_fwd" to the interface name. So traffic + from eth1 that is going to be forwarded enters a chain called eth1_fwd. + Interfaces described with the wild-card character ("+") in + /etc/shorewall/interfaces, share input chains. if ppp+ appears in + /etc/shorewall/interfaces then all PPP interfaces (ppp0, ppp1, ...) will share + the input chains ppp_in and ppp_fwd. In other words, "+" is deleted from the name before forming the input chain names.

    - While the use of input chains may seem wasteful in simple environments, in - complex setups it substantially reduces the number of rules that each packet + While the use of input chains may seem wasteful in simple environments, in + complex setups it substantially reduces the number of rules that each packet must traverse. 

    - Traffic directed from a zone to the firewall itself is sent through a + Traffic directed from a zone to the firewall itself is sent through a chain named <zone name>2fw. For example, traffic inbound from the internet and addressed to the firewall is sent through a chain named net2fw. Similarly, traffic originating in the firewall and being sent to -a host in a given zone is sent through a chain named fw2<zone name>. - For example, traffic originating in the firewall and destined +a host in a given zone is sent through a chain named fw2<zone name>. + For example, traffic originating in the firewall and destined for a host in the local network is sent through a chain named fw2loc.  

    - Traffic being forwarded between two zones (or from one interface to a + Traffic being forwarded between two zones (or from one interface to a zone to another interface to that zone) is sent through a chain named <source zone>2 <destination zone>. So for example, traffic originating in a local system and destined for a remote web server is sent through chain loc2net. This chain is referred to -as the canonical chain from <source zone> to <destination -zone>. Any destination NAT will have occurred before the packet -traverses one of these chains so rules in /etc/shorewall/rules should be -expressed in terms of the destination system's real IP address as opposed +as the canonical chain from <source zone> to <destination +zone>. Any destination NAT will have occurred before the packet +traverses one of these chains so rules in /etc/shorewall/rules should be +expressed in terms of the destination system's real IP address as opposed to its apparent external address. Similarly, source NAT will occur after - the packet has traversed the appropriate forwarding chain so the rules + the packet has traversed the appropriate forwarding chain so the rules again will be expressed using the source system's real IP address.

    For each record in the /etc/shorewall/policy file, a chain is created. Policies @@ -129,19 +129,19 @@ chains as follows:

  • If the canonical chain exists, packets first traverse that chain.
  • - If the canonical chain and policy chain are different and the packet - does not match a rule in the canonical chain, it then is sent to the + If the canonical chain and policy chain are different and the packet + does not match a rule in the canonical chain, it then is sent to the policy chain.
  • - If the canonical chain does not exist, packets are sent immediately + If the canonical chain does not exist, packets are sent immediately to the policy chain.

    • - The canonical chain from zone za to zone zb will be created only if there -are exception rules defined in /etc/shorewall/rules for packets going from + The canonical chain from zone za to zone zb will be created only if there +are exception rules defined in /etc/shorewall/rules for packets going from za to zb.

    - Shorewall is built on top of the Netfilter kernel facility. Netfilter + Shorewall is built on top of the Netfilter kernel facility. Netfilter implements connection tracking function that allow what is often referred to as "statefull inspection" of packets. This statefull property allows firewall rules to be defined in terms of "connections" rather than in @@ -152,22 +152,22 @@ terms of "packets". With Shorewall, you:

  • Identify the server's zone.
  • - If the POLICY from the client's zone to the server's zone is what you + If the POLICY from the client's zone to the server's zone is what you want for this client/server pair, you need do nothing further.
  • If the POLICY is not what you want, then you must add a rule. That rule is expressed in terms of the client's zone and the server's zone.

    • - Just because connections of a particular type are allowed between zone A + Just because connections of a particular type are allowed between zone A and the firewall and are also allowed between the firewall and zone B DOES NOT mean that these connections are allowed between zone A and zone B. It rather means that you can have a proxy running on the firewall that accepts a connection from zone A and then establishes its own separate connection from the firewall to zone B.

    - If you adopt the default policy of ACCEPT from the local zone to the internet -zone and you are having problems connecting from a local client to an internet + If you adopt the default policy of ACCEPT from the local zone to the internet +zone and you are having problems connecting from a local client to an internet server, adding a rule won't help (see point 3 above).

    Last modified 8/22/2002 - Tom diff --git a/Shorewall-docs/shorewall_logging.html b/Shorewall-docs/shorewall_logging.html index 03ddeae62..4a2fb50b2 100644 --- a/Shorewall-docs/shorewall_logging.html +++ b/Shorewall-docs/shorewall_logging.html @@ -2,45 +2,45 @@ Shorewall Logging - + - + - + - - - + +
    - - + + +

    Logging

    - By default, Shorewall directs NetFilter to log using syslog (8). Syslog + By default, Shorewall directs NetFilter to log using syslog (8). Syslog classifies log messages by a facility and a priority (using the notation facility.priority).

    - The facilities defined by syslog are auth, authpriv, cron, daemon, + The facilities defined by syslog are auth, authpriv, cron, daemon, kern, lpr, mail, mark, news, syslog, user, uucp and local0 through local7.

    Throughout the Shorewall documentation, I will use the term level rather than priority since level is the term used by NetFilter. The syslog documentation uses the term priority.
    - +

    Syslog Levels

    - Syslog levels are a method of describing to syslog (8) the importance - of a message and a number of Shorewall parameters have a syslog level + Syslog levels are a method of describing to syslog (8) the importance + of a message and a number of Shorewall parameters have a syslog level as their value.

    Valid levels are:
    @@ -62,46 +62,46 @@ as their value.
           0       emerg

    - For most Shorewall logging, a level of 6 (info) is appropriate. -Shorewall log messages are generated by NetFilter and are logged using -the kern facility and the level that you specify. If you are unsure -of the level to choose, 6 (info) is a safe bet. You may specify levels + For most Shorewall logging, a level of 6 (info) is appropriate. +Shorewall log messages are generated by NetFilter and are logged using +the kern facility and the level that you specify. If you are unsure +of the level to choose, 6 (info) is a safe bet. You may specify levels by name or by number.

    Syslogd writes log messages to files (typically in /var/log/*) based on their facility and level. The mapping of these facility/level pairs to log files is done in /etc/syslog.conf (5). If you make changes to this file, you must restart syslogd before the changes can take effect.
    - +

    Configuring a Separate Log for Shorewall Messages

    There are a couple of limitations to syslogd-based logging:
    - +
      -
    1. If you give, for example, kern.info it's own log destination then +
    2. If you give, for example, kern.info it's own log destination then that destination will also receive all kernel messages of levels 5 (notice) through 0 (emerg).
      3. -
    3. All kernel.info messages will go to that destination and not just +
    4. All kernel.info messages will go to that destination and not just those from NetFilter.
      5. - +
    Beginning with Shorewall version 1.3.12, if your kernel has ULOG target support (and most vendor-supplied kernels do), you may also specify -a log level of ULOG (must be all caps). When ULOG is used, Shorewall will +a log level of ULOG (must be all caps). When ULOG is used, Shorewall will direct netfilter to log the related messages via the ULOG target which will send them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd and can be configured to log all Shorewall message to their own log file.

    - Note: The ULOG logging mechanism is completely separate from -syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely -no effect on your Shorewall logging (except for Shorewall status messages + Note: The ULOG logging mechanism is completely separate from +syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely +no effect on your Shorewall logging (except for Shorewall status messages which still go to syslog).

    You will need to have the kernel source available to compile ulogd.

    Download the ulod tar file and:
    - +
    1. Be sure that /usr/src/linux is linked to your kernel source tree
      2. @@ -113,7 +113,7 @@ Download the ulod tar file and:
    2. make
    3. make install
      4. - +
    If you are like me and don't have a development environment on your firewall, you can do the first six steps on another system then either NFS mount @@ -121,13 +121,13 @@ your /usr/local/src directory or tar up the /usr/local/src/ulogd-version directory and move it to your firewall system.

    Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:
    - +
    1. syslogfile <file that you wish to log to>
    2. syslogsync 1
      3. - +
    - I also copied the file /usr/local/src/ulogd-version/ulogd.init + I also copied the file /usr/local/src/ulogd-version/ulogd.init to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd" to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system @@ -136,21 +136,21 @@ may need something else done to activate the script.
    You will need to change all instances of log levels (usually 'info') in your configuration files to 'ULOG' - this includes entries in the policy, rules and shorewall.conf files. Here's what I have:
    - + 
    	[root@gateway shorewall]# grep ULOG *
    	policy:loc  fw   REJECT  ULOG
    	policy:net  all  DROP    ULOG   10/sec:40
    	policy:all  all  REJECT  ULOG
    	rules:REJECT:ULOG loc net tcp 6667
    	shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG
    	shorewall.conf:RFC1918_LOG_LEVEL=ULOG
    	[root@gateway shorewall]#
    Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<file that you wish to log to>. This tells the /sbin/shorewall program where to look for the log when processing its "show log", "logwatch" and "monitor" commands.
    - -

    Updated 1/11/2003 - Tom Eastep + +

    Updated 1/11/2003 - Tom Eastep

    - - - -

    Copyright © + + + +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep

    - + diff --git a/Shorewall-docs/shorewall_mirrors.htm b/Shorewall-docs/shorewall_mirrors.htm index 9926d876d..a7e022b62 100644 --- a/Shorewall-docs/shorewall_mirrors.htm +++ b/Shorewall-docs/shorewall_mirrors.htm @@ -1,60 +1,60 @@ - + - + - + - + Shorewall Mirrors - + - - - + +
    +

    Shorewall Mirrors
    - -

    Remember that updates to the mirrors are often delayed + +

    Remember that updates to the mirrors are often delayed for 6-12 hours after an update to the primary rsync site. For HTML content, the main web site (http://shorewall.sf.net) is updated at the same time as the rsync site.

    - +

    The main Shorewall Web Site is http://shorewall.sf.net and is located in California, USA. It is mirrored at:

    - + - +

    The rsync site is mirrored via FTP at:

    - +     - Search results and the mailing list archives are always fetched from the + Search results and the mailing list archives are always fetched from the site in Washington State.
    - +

    Last Updated 3/7/2003 - Tom Eastep

    - +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.


    diff --git a/Shorewall-docs/shorewall_prerequisites.htm b/Shorewall-docs/shorewall_prerequisites.htm index efe2c6189..c6b27fda9 100644 --- a/Shorewall-docs/shorewall_prerequisites.htm +++ b/Shorewall-docs/shorewall_prerequisites.htm @@ -1,34 +1,34 @@ - + - + - + - + Shorewall Prerequisites - + - - - + +
    +

    Shorewall Requirements

    Shorewall Requires:
    - +
    • A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20. With current releases of Shorewall, Traffic Shaping/Control requires at least @@ -43,23 +43,23 @@ With current releases of Shorewall, Traffic Shaping/Control requires at least is available from RedHat and in the Shorewall Errata.
      • -
    • Iproute ("ip" utility). The iproute package is included with -most distributions but may not be installed by default. The official +
    • Iproute ("ip" utility). The iproute package is included with +most distributions but may not be installed by default. The official download site is ftp://ftp.inr.ac.ru/ip-routing. + target="_blank"> ftp://ftp.inr.ac.ru/ip-routing.
      • -
    • A Bourne shell or derivative such as bash or ash. This shell must - have correct support for variable expansion formats ${variable%pattern - }, ${variable%%pattern}, ${variable#pattern +
    • A Bourne shell or derivative such as bash or ash. This shell must + have correct support for variable expansion formats ${variable%pattern + }, ${variable%%pattern}, ${variable#pattern } and ${variable##pattern}.
    • The firewall monitoring display is greatly improved if you have awk (gawk) installed.
      • - +
    - +

    Last updated 3/19/2003 - Tom Eastep

    - +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.


    diff --git a/Shorewall-docs/shorewall_quickstart_guide.htm b/Shorewall-docs/shorewall_quickstart_guide.htm index 06c5478f9..f8a59455a 100644 --- a/Shorewall-docs/shorewall_quickstart_guide.htm +++ b/Shorewall-docs/shorewall_quickstart_guide.htm @@ -1,57 +1,57 @@ - - + + - - + + - - + + - - + + Shorewall QuickStart Guide - - - + + + - + - - - - + + +
    - - + + +

    Shorewall QuickStart Guides (HOWTO's)
    Version 4.0
    - +

    With thanks to Richard who reminded me once again that we must all first walk before we can run.
    The French Translations are courtesy of Patrice Vetsel

    - +

    The Guides

    - +

    These guides provide step-by-step instructions for configuring Shorewall in common firewall setups.

    - +

    The following guides are for users who have a single public IP address:

    - + - +

    The above guides are designed to get your first firewall up and running quickly in the three most common Shorewall configurations.

    - +

    The Shorewall Setup Guide outlines the steps necessary to set up a firewall where there are multiple public IP addresses involved or if you want to learn more about Shorewall than is explained in the single-address guides above.

    - + - +

    Documentation Index

    - +

    The following documentation covers a variety of topics and supplements the QuickStart Guides described above. Please review the appropriate guide before trying to use this documentation directly.

    - + - +

    If you use one of these guides and have a suggestion for improvement please let me know.

    - +

    Last modified 3/12/2003 - Tom Eastep

    - -

    Copyright 2002, 2003 Thomas M. + +

    Copyright 2002, 2003 Thomas M. Eastep


    diff --git a/Shorewall-docs/shorewall_setup_guide.htm b/Shorewall-docs/shorewall_setup_guide.htm index c9b333464..1b79a0265 100644 --- a/Shorewall-docs/shorewall_setup_guide.htm +++ b/Shorewall-docs/shorewall_setup_guide.htm @@ -1,117 +1,117 @@ - + - + - + - + Shorewall Setup Guide - + - +

    Shorewall Setup Guide

    - +

    1.0 Introduction
    2.0 Shorewall Concepts
    3.0 Network Interfaces
    4.0 Addressing, Subnets and Routing

    - -
    + +

    4.1 IP Addresses
    4.2 Subnets
    4.3 Routing
    4.4 Address Resolution Protocol
    4.5 RFC 1918

    - +

    5.0 Setting up your Network

    - -
    + +

    5.1 Routed
    5.2 Non-routed

    - -
    + +

    5.2.1 SNAT
    5.2.2 DNAT
    5.2.3 Proxy ARP
    5.2.4 Static NAT

    - +

    5.3 Rules
    5.4 Odds and Ends

    - +

    6.0 DNS
    7.0 Starting and Stopping the Firewall

    - +

    1.0 Introduction

    - -

    This guide is intended for users who are setting up Shorewall in an environment - where a set of public IP addresses must be managed or who want to know + +

    This guide is intended for users who are setting up Shorewall in an environment + where a set of public IP addresses must be managed or who want to know more about Shorewall than is contained in the single-address guides. Because + href="shorewall_quickstart_guide.htm">single-address guides. Because the range of possible applications is so broad, the Guide will give you general guidelines and will point you to other resources as necessary.

    - +

    -     If you run LEAF Bering, your Shorewall configuration is NOT +     If you run LEAF Bering, your Shorewall configuration is NOT what I release -- I suggest that you consider installing a stock Shorewall lrp from the shorewall.net site before you proceed.

    - +

    Shorewall requires that the iproute/iproute2 package be installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the 'which' command to check for this program:

    - + 
         [root@gateway root]# which ip
         /sbin/ip
         [root@gateway root]#
    - -

    I recommend that you first read through the guide to familiarize yourself - with what's involved then go back through it again making your configuration - changes. Points at which configuration changes are recommended are flagged + +

    I recommend that you first read through the guide to familiarize yourself + with what's involved then go back through it again making your configuration + changes. Points at which configuration changes are recommended are flagged with .

    - +

    -     If you edit your configuration files on a Windows system, you - must save them as Unix files if your editor supports that option or you - must run them through dos2unix before trying to use them with Shorewall. - Similarly, if you copy a configuration file from your Windows hard drive - to a floppy disk, you must run dos2unix against the copy before using +     If you edit your configuration files on a Windows system, you + must save them as Unix files if your editor supports that option or you + must run them through dos2unix before trying to use them with Shorewall. + Similarly, if you copy a configuration file from your Windows hard drive + to a floppy disk, you must run dos2unix against the copy before using it with Shorewall.

    - + - +

    2.0 Shorewall Concepts

    - -

    The configuration files for Shorewall are contained in the directory + +

    The configuration files for Shorewall are contained in the directory /etc/shorewall -- for most setups, you will only need to deal with a few of these as described in this guide. Skeleton files are created during the Shorewall Installation Process.

    - -

    As each file is introduced, I suggest that you look through the actual - file on your system -- each file contains detailed configuration instructions + +

    As each file is introduced, I suggest that you look through the actual + file on your system -- each file contains detailed configuration instructions and some contain default entries.

    - -

    Shorewall views the network where it is running as being composed of a - set of zones. In the default installation, the following zone + +

    Shorewall views the network where it is running as being composed of a + set of zones. In the default installation, the following zone names are used:

    - + @@ -131,75 +131,75 @@ names are used:

    - - + +
    dmz Demilitarized Zone
    - -

    Zones are defined in the /etc/shorewall/zones + +

    Zones are defined in the /etc/shorewall/zones file.

    - -

    Shorewall also recognizes the firewall system as its own zone - by default, - the firewall itself is known as fw but that may be changed in + +

    Shorewall also recognizes the firewall system as its own zone - by default, + the firewall itself is known as fw but that may be changed in the /etc/shorewall/shorewall.conf file. In this guide, the default name (fw) will be used.

    - -

    With the exception of fw, Shorewall attaches absolutely no meaning + +

    With the exception of fw, Shorewall attaches absolutely no meaning to zone names. Zones are entirely what YOU make of them. That means that you should not expect Shorewall to do something special "because this is the internet zone" or "because that is the DMZ".

    - +

        Edit the /etc/shorewall/zones file and make any changes necessary.

    - -

    Rules about what traffic to allow and what traffic to deny are expressed + +

    Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

    - +
    • You express your default policy for connections from one zone to another zone in the /etc/shorewall/policy file.
      • -
    • You define exceptions to those default policies in the +
    • You define exceptions to those default policies in the /etc/shorewall/rules file.
      • - +
    - -

    Shorewall is built on top of the Netfilter + +

    Shorewall is built on top of the Netfilter kernel facility. Netfilter implements a connection - tracking function that allows what is often referred to as stateful - inspection of packets. This stateful property allows firewall rules - to be defined in terms of connections rather than in terms of + href="http://www.cs.princeton.edu/%7Ejns/security/iptables/iptables_conntrack.html">connection + tracking function that allows what is often referred to as stateful + inspection of packets. This stateful property allows firewall rules + to be defined in terms of connections rather than in terms of packets. With Shorewall, you:

    - +
    1. Identify the source zone.
    2. Identify the destination zone.
    3. If the POLICY from the client's zone to the server's zone is what you want for this client/server pair, you need do nothing further.
      4. -
    4. If the POLICY is not what you want, then you must -add a rule. That rule is expressed in terms of the client's zone +
    5. If the POLICY is not what you want, then you must +add a rule. That rule is expressed in terms of the client's zone and the server's zone.
      6. - +
    - +

    Just because connections of a particular type are allowed from zone A to the firewall and are also allowed from the firewall to zone B DOES NOT mean that these connections are allowed - from zone A to zone B. It rather means that you can + color="#ff6633"> DOES NOT mean that these connections are allowed + from zone A to zone B. It rather means that you can have a proxy running on the firewall that accepts a connection from zone A and then establishes its own separate connection from the firewall to zone B.

    - -

    For each connection request entering the firewall, the request is first - checked against the /etc/shorewall/rules file. If no rule in that file - matches the connection request then the first policy in /etc/shorewall/policy - that matches the request is applied. If that policy is REJECT or DROP  + +

    For each connection request entering the firewall, the request is first + checked against the /etc/shorewall/rules file. If no rule in that file + matches the connection request then the first policy in /etc/shorewall/policy + that matches the request is applied. If that policy is REJECT or DROP  the request is first checked against the rules in /etc/shorewall/common.def.

    - +

    The default /etc/shorewall/policy file has the following policies:

    - -
    + +
    @@ -231,13 +231,13 @@ zone B.

    - - + +
    info  
    - +

    The above policy will:

    - +
    1. allow all connection requests from your local network to the internet
      2. @@ -245,101 +245,101 @@ the internet your firewall or local network and log a message at the info level (here is a description of log levels). -
    2. reject all other connection requests and log a message at -the info level. When a request is rejected, the firewall -will return an RST (if the protocol is TCP) or an ICMP port-unreachable +
    3. reject all other connection requests and log a message at +the info level. When a request is rejected, the firewall +will return an RST (if the protocol is TCP) or an ICMP port-unreachable packet for other protocols.
      4. - +
    - +

        At this point, edit your /etc/shorewall/policy and make any changes that you wish.

    - +

    3.0 Network Interfaces

    - -

    For the remainder of this guide, we'll refer to the following - diagram. While it may not look like your own network, it can be used + +

    For the remainder of this guide, we'll refer to the following + diagram. While it may not look like your own network, it can be used to illustrate the important aspects of Shorewall configuration.

    - +

    In this diagram:

    - +
    • The DMZ Zone consists of systems DMZ 1 and DMZ 2. A DMZ is used to isolate your internet-accessible servers from your local systems - so that if one of those servers is compromised, you still have the firewall + so that if one of those servers is compromised, you still have the firewall between the compromised system and your local systems.
      • -
    • The Local Zone consists of systems Local 1, Local 2 and Local +
    • The Local Zone consists of systems Local 1, Local 2 and Local 3.
    • All systems from the ISP outward comprise the Internet Zone.
      • - +
    - +

    - -

    The simplest way to define zones is to simply associate the - zone name (previously defined in /etc/shorewall/zones) with a network + +

    The simplest way to define zones is to simply associate the + zone name (previously defined in /etc/shorewall/zones) with a network interface. This is done in the /etc/shorewall/interfaces file.

    - -

    The firewall illustrated above has three network interfaces. - Where Internet connectivity is through a cable or DSL "Modem", the External - Interface will be the Ethernet adapter that is connected to that -"Modem" (e.g., eth0unless you connect via Point-to-Point - Protocol over Ethernet (PPPoE) or Point-to-Point - Tunneling Protocol (PPTP) in which case the External - Interface will be a ppp interface (e.g., ppp0). If you connect -via a regular modem, your External Interface will also be ppp0. + +

    The firewall illustrated above has three network interfaces. + Where Internet connectivity is through a cable or DSL "Modem", the External + Interface will be the Ethernet adapter that is connected to that +"Modem" (e.g., eth0unless you connect via Point-to-Point + Protocol over Ethernet (PPPoE) or Point-to-Point + Tunneling Protocol (PPTP) in which case the External + Interface will be a ppp interface (e.g., ppp0). If you connect +via a regular modem, your External Interface will also be ppp0. If you connect using ISDN, you external interface will be ippp0.

    - +

        If your external interface is ppp0 or ippp0 then you will want to set CLAMPMSS=yes in /etc/shorewall/shorewall.conf.

    - -

    Your Local Interface will be an Ethernet adapter (eth0, - eth1 or eth2) and will be connected to a hub or switch. Your local computers - will be connected to the same switch (note: If you have only a single - local system, you can connect the firewall directly to the computer using + +

    Your Local Interface will be an Ethernet adapter (eth0, + eth1 or eth2) and will be connected to a hub or switch. Your local computers + will be connected to the same switch (note: If you have only a single + local system, you can connect the firewall directly to the computer using a cross-over cable).

    - -

    Your DMZ Interface will also be an Ethernet adapter + +

    Your DMZ Interface will also be an Ethernet adapter (eth0, eth1 or eth2) and will be connected to a hub or switch. Your DMZ computers will be connected to the same switch (note: If you have only a single DMZ system, you can connect the firewall directly to the computer using a cross-over cable).

    - +

    Do not connect more than one interface to the same hub or switch (even for testing). It won't work the way that you expect it to and you will end up confused and believing that Linux networking doesn't work at all.

    - +

    For the remainder of this Guide, we will assume that:

    - +
      -
    • +

    • The external interface is eth0.

      • -
    • +

    • The Local interface is eth1.

      • -
    • +

    • The DMZ interface is eth2.

      • - +
    - -

    The Shorewall default configuration does not define the contents - of any zone. To define the above configuration using the /etc/shorewall/interfaces + +

    The Shorewall default configuration does not define the contents + of any zone. To define the above configuration using the /etc/shorewall/interfaces file, that file would might contain:

    - -
    + +
    @@ -367,11 +367,11 @@ doesn't work at all.

    - - + +
    detect  
    - +

        Edit the /etc/shorewall/interfaces file and define the network @@ -379,10 +379,10 @@ doesn't work at all.

    If you have a zone that is interfaced through more than one interface, simply include one entry for each interface and repeat the zone name as many times as necessary.

    - +

    Example:

    - -
    + +
    @@ -410,18 +410,18 @@ many times as necessary.

    - - + +
    detect dhcp
    - -
    -

    When you have more than one interface to a zone, you will + +

    +

    When you have more than one interface to a zone, you will usually want a policy that permits intra-zone traffic:

    - -
    -
    + +
    +
    @@ -439,119 +439,119 @@ many times as necessary.

    - - + +
       
    - +

        You may define more complicated zones using the /etc/shorewall/hosts file but in most + href="Documentation.htm#Hosts">/etc/shorewall/hosts file but in most cases, that isn't necessary.

    - +

    4.0 Addressing, Subnets and Routing

    - -

    Normally, your ISP will assign you a set of Public - IP addresses. You will configure your firewall's external interface to - use one of those addresses permanently and you will then have to decide + +

    Normally, your ISP will assign you a set of Public + IP addresses. You will configure your firewall's external interface to + use one of those addresses permanently and you will then have to decide how you are going to use the rest of your addresses. Before we tackle that question though, some background is in order.

    - -

    If you are thoroughly familiar with IP addressing and routing, + +

    If you are thoroughly familiar with IP addressing and routing, you may go to the next section.

    - +

    The following discussion barely scratches the surface of addressing and routing. If you are interested in learning more about this subject, I highly recommend "IP Fundamentals: What Everyone Needs to Know about Addressing & Routing", Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.

    - +

    4.1 IP Addresses

    - -

    IP version 4 (IPv4) addresses are 32-bit numbers. - The notation w.x.y.z refers to an address where the high-order byte has - value "w", the next byte has value "x", etc. If we take the address 192.0.2.14 + +

    IP version 4 (IPv4) addresses are 32-bit numbers. + The notation w.x.y.z refers to an address where the high-order byte has + value "w", the next byte has value "x", etc. If we take the address 192.0.2.14 and express it in hexadecimal, we get:

    - -
    + +

    C0.00.02.0E

    - +

    or looking at it as a 32-bit integer

    - -
    + +

    C000020E

    - +

    4.2 Subnets

    - -

    You will still hear the terms "Class A network", "Class B - network" and "Class C network". In the early days of IP, networks only - came in three sizes (there were also Class D networks but they were used + +

    You will still hear the terms "Class A network", "Class B + network" and "Class C network". In the early days of IP, networks only + came in three sizes (there were also Class D networks but they were used differently):

    - -
    + +

    Class A - netmask 255.0.0.0, size = 2 ** 24

    - +

    Class B - netmask 255.255.0.0, size = 2 ** 16

    - +

    Class C - netmask 255.255.255.0, size = 256

    - -

    The class of a network was uniquely determined by the value - of the high order byte of its address so you could look at an IP address - and immediately determine the associated netmask. The netmask -is a number that when logically ANDed with an address isolates the network + +

    The class of a network was uniquely determined by the value + of the high order byte of its address so you could look at an IP address + and immediately determine the associated netmask. The netmask +is a number that when logically ANDed with an address isolates the network number; the remainder of the address is the host number. For example, in the Class C address 192.0.2.14, the network number is hex C00002 and the host number is hex 0E.

    - -

    As the internet grew, it became clear that such a gross + +

    As the internet grew, it became clear that such a gross partitioning of the 32-bit address space was going to be very limiting (early on, large corporations and universities were assigned their own class A network!). After some false starts, the current technique of subnetting these networks into smaller subnetworks evolved; that technique is referred to as Classless InterDomain Routing (CIDR). Today, any system -that you are likely to work with will understand CIDR and Class-based networking +that you are likely to work with will understand CIDR and Class-based networking is largely a thing of the past.

    - -

    A subnetwork (often referred to as a subnet) is + +

    A subnetwork (often referred to as a subnet) is a contiguous set of IP addresses such that:

    - +
      -
    1. +

    2. The number of addresses in the set is a power of 2; and

      3. -
    3. -

      The first address in the set is a multiple of the set +

    4. +

      The first address in the set is a multiple of the set size.

      5. -
    5. -

      The first address in the subnet is reserved and is referred +

    6. +

      The first address in the subnet is reserved and is referred to as the subnet address.

      7. -
    7. -

      The last address in the subnet is reserved as the subnet's +

    8. +

      The last address in the subnet is reserved as the subnet's broadcast address.

      9. - +
    - -

    As you can see by this definition, in each subnet of size - n there are (n - 2) usable addresses (addresses that -can be assigned to hosts). The first and last address in the subnet -are used for the subnet address and subnet broadcast address respectively. - Consequently, small subnetworks are more wasteful of IP addresses than + +

    As you can see by this definition, in each subnet of size + n there are (n - 2) usable addresses (addresses that +can be assigned to hosts). The first and last address in the subnet +are used for the subnet address and subnet broadcast address respectively. + Consequently, small subnetworks are more wasteful of IP addresses than are large ones.

    - -

    Since n is a power of two, we can easily calculate - the Natural Logarithm (log2) of n. For the more - common subnet sizes, the size and its natural logarithm are given in the + +

    Since n is a power of two, we can easily calculate + the Natural Logarithm (log2) of n. For the more + common subnet sizes, the size and its natural logarithm are given in the following table:

    - -
    + +
    @@ -630,17 +630,17 @@ are used for the subnet address and subnet broadcast address respectively. - - + +
    16 16
    - -

    You will notice that the above table also contains a column - for (32 - log2 n). That number is the Variable Length Subnet + +

    You will notice that the above table also contains a column + for (32 - log2 n). That number is the Variable Length Subnet Mask for a network of size n. From the above table, we can derive the following one which is a little easier to use.

    - -
    + +
    @@ -724,39 +724,39 @@ are used for the subnet address and subnet broadcast address respectively. - - + +
    /8 255.0.0.0
    - -

    Notice that the VLSM is written with a slash ("/") -- you - will often hear a subnet of size 64 referred to as a "slash 26" subnet + +

    Notice that the VLSM is written with a slash ("/") -- you + will often hear a subnet of size 64 referred to as a "slash 26" subnet and one of size 8 referred to as a "slash 29".

    - -

    The subnet's mask (also referred to as its netmask) is - simply a 32-bit number with the first "VLSM" bits set to one and the - remaining bits set to zero. For example, for a subnet of size 64, the + +

    The subnet's mask (also referred to as its netmask) is + simply a 32-bit number with the first "VLSM" bits set to one and the + remaining bits set to zero. For example, for a subnet of size 64, the subnet mask has 26 leading one bits:

    - -
    -

    11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 + +

    +

    11111111111111111111111111000000 = FFFFFFC0 = FF.FF.FF.C0 = 255.255.255.192

    - -

    The subnet mask has the property that if you logically AND - the subnet mask with an address in the subnet, the result is the subnet - address. Just as important, if you logically AND the subnet mask with - an address outside the subnet, the result is NOT the subnet address. - As we will see below, this property of subnet masks is very useful in + +

    The subnet mask has the property that if you logically AND + the subnet mask with an address in the subnet, the result is the subnet + address. Just as important, if you logically AND the subnet mask with + an address outside the subnet, the result is NOT the subnet address. + As we will see below, this property of subnet masks is very useful in routing.

    - -

    For a subnetwork whose address is a.b.c.d and whose - Variable Length Subnet Mask is /v, we denote the subnetwork + +

    For a subnetwork whose address is a.b.c.d and whose + Variable Length Subnet Mask is /v, we denote the subnetwork as "a.b.c.d/v" using CIDR Notation

    - +

    Example:

    - -
    + +
    @@ -780,15 +780,15 @@ as "a.b.c.d/v" using CIDRNotation. - - + +
    CIDR Notation: 10.10.10.0/25
    - -

    There are two degenerate subnets that need mentioning; namely, + +

    There are two degenerate subnets that need mentioning; namely, the subnet with one member and the subnet with 2 ** 32 members.

    - -
    + +
    @@ -810,448 +810,448 @@ as "a.b.c.d/v" using CIDRNotation. - - + +
    0.0.0.0 0.0.0.0/0
    - -

    So any address a.b.c.d may also be written a.b.c.d/32 + +

    So any address a.b.c.d may also be written a.b.c.d/32 and the set of all possible IP addresses is written 0.0.0.0/0.

    - -

    Later in this guide, you will see the notation a.b.c.d/v - used to describe the ip configuration of a network interface (the 'ip' + +

    Later in this guide, you will see the notation a.b.c.d/v + used to describe the ip configuration of a network interface (the 'ip' utility also uses this syntax). This simply means that the interface is configured with ip address a.b.c.d and with the netmask that corresponds to VLSM /v.

    - +

    Example: 192.0.2.65/29

    - -

        The interface is configured with IP address 192.0.2.65 + +

        The interface is configured with IP address 192.0.2.65 and netmask 255.255.255.248.

    - +

    4.3 Routing

    - -

    One of the purposes of subnetting is that it forms the basis + +

    One of the purposes of subnetting is that it forms the basis for routing. Here's the routing table on my firewall:

    - -
    -
    + +
    +
    [root@gateway root]# netstat -nr
    Kernel IP routing table
    Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
    192.168.9.1 	0.0.0.0 	255.255.255.255 UH    40  0         0 texas
    206.124.146.177 0.0.0.0 	255.255.255.255 UH    40  0         0 eth1
    206.124.146.180 0.0.0.0 	255.255.255.255 UH    40  0         0 eth3
    192.168.3.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth3
    192.168.2.0 	0.0.0.0 	255.255.255.0   U     40  0         0 eth1
    192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2
    206.124.146.0 	0.0.0.0 	255.255.255.0 	U     40  0         0 eth0
    192.168.9.0     192.0.2.223 	255.255.255.0 	UG    40  0         0 texas
    127.0.0.0 	0.0.0.0 	255.0.0.0 	U     40  0         0 lo
    0.0.0.0 	206.124.146.254 0.0.0.0 	UG    40  0         0 eth0
    [root@gateway root]#
    - -

    The device texas is a GRE tunnel to a peer site in + +

    The device texas is a GRE tunnel to a peer site in the Dallas, Texas area.

    - The first three routes are host routes since they indicate - how to get to a single host. In the 'netstat' output this can be seen - by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the -Flags column. The remainder are 'net' routes since they tell the kernel -how to route packets to a subnetwork. The last route is the default -route and the gateway mentioned in that route is called the default + The first three routes are host routes since they indicate + how to get to a single host. In the 'netstat' output this can be seen + by the "Genmask" (Subnet Mask) of 255.255.255.255 and the "H" in the +Flags column. The remainder are 'net' routes since they tell the kernel +how to route packets to a subnetwork. The last route is the default +route and the gateway mentioned in that route is called the default gateway.

    - +

    When the kernel is trying to send a packet to IP address A, it starts at the top of the routing table and:

    - +
      -
    • +

    • A is logically ANDed with the 'Genmask' value in the table entry.

      • -
    • -

      The result is compared with the 'Destination' value in +

    • +

      The result is compared with the 'Destination' value in the table entry.

      • -
    • -

      If the result and the 'Destination' value are the same, +

    • +

      If the result and the 'Destination' value are the same, then:

      - +
        -
      • - -

        If the 'Gateway' column is non-zero, the packet is +

      • + +

        If the 'Gateway' column is non-zero, the packet is sent to the gateway over the interface named in the 'Iface' column.

        • -
      • - -

        Otherwise, the packet is sent directly to A over +

      • + +

        Otherwise, the packet is sent directly to A over the interface named in the 'iface' column.

        • - +
      • -
    • -

      Otherwise, the above steps are repeated on the next entry +

    • +

      Otherwise, the above steps are repeated on the next entry in the table.

      • - +
    - +

    Since the default route matches any IP address (A land 0.0.0.0 = 0.0.0.0), packets that don't match any of the other routing table entries are sent to the default gateway which is usually a router at your ISP.

    - -

    Lets take an example. Suppose that we want to route a packet - to 192.168.1.5. That address clearly doesn't match any of the host routes - in the table but if we logically and that address with 255.255.255.0, + +

    Lets take an example. Suppose that we want to route a packet + to 192.168.1.5. That address clearly doesn't match any of the host routes + in the table but if we logically and that address with 255.255.255.0, the result is 192.168.1.0 which matches this routing table entry:

    - -
    -
    + +
    +
    192.168.1.0     0.0.0.0 	255.255.255.0 	U     40  0         0 eth2
    - +

    So to route a packet to 192.168.1.5, the packet is sent directly over eth2.

    - -

    One more thing needs to be emphasized -- all outgoing packet - are sent using the routing table and reply packets are not a special + +

    One more thing needs to be emphasized -- all outgoing packet + are sent using the routing table and reply packets are not a special case. There seems to be a common mis-conception whereby people think that request packets are like salmon and contain a genetic code that is magically transferred to reply packets so that the replies follow the reverse route taken by the request. That isn't the case; the replies may take a totally different route back to the client than was taken by the requests -- they are totally independent.

    - +

    4.4 Address Resolution Protocol

    - -

    When sending packets over Ethernet, IP addresses aren't used. - Rather Ethernet addressing is based on Media Access Control (MAC) - addresses. Each Ethernet device has it's own unique  MAC address which - is burned into a PROM on the device during manufacture. You can obtain + +

    When sending packets over Ethernet, IP addresses aren't used. + Rather Ethernet addressing is based on Media Access Control (MAC) + addresses. Each Ethernet device has it's own unique  MAC address which + is burned into a PROM on the device during manufacture. You can obtain the MAC of an Ethernet device using the 'ip' utility:

    - -
    -
    + +
    + 
    [root@gateway root]# ip addr show eth0
    2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc htb qlen 100
    link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff
    inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0
    inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0
    inet 206.124.146.179/24 brd 206.124.146.255 scope global secondary eth0
    [root@gateway root]#
    - -
    + +

    As you can see from the above output, the MAC is 6 bytes (48 bits) wide. A card's MAC is usually also printed on a label attached to the card itself.

    - -
    -

    Because IP uses IP addresses and Ethernet uses MAC addresses, - a mechanism is required to translate an IP address into a MAC address; - that is the purpose of the Address Resolution Protocol (ARP). + +

    +

    Because IP uses IP addresses and Ethernet uses MAC addresses, + a mechanism is required to translate an IP address into a MAC address; + that is the purpose of the Address Resolution Protocol (ARP). Here is ARP in action:

    - -
    -
    -
    + +
    +
    + 
    [root@gateway root]# tcpdump -nei eth2 arp
    tcpdump: listening on eth2
    09:56:49.766757 2:0:8:e3:4c:48 0:6:25:aa:8a:f0 arp 42: arp who-has 192.168.1.19 tell 192.168.1.254
    09:56:49.769372 0:6:25:aa:8a:f0 2:0:8:e3:4c:48 arp 60: arp reply 192.168.1.19 is-at 0:6:25:aa:8a:f0

    2 packets received by filter
    0 packets dropped by kernel
    [root@gateway root]#
    - -

    In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants - to know the MAC of the device with IP address 192.168.1.19. The system - having that IP address is responding that the MAC address of the device + +

    In this exchange, 192.168.1.254 (MAC 2:0:8:e3:4c:48) wants + to know the MAC of the device with IP address 192.168.1.19. The system + having that IP address is responding that the MAC address of the device with IP address 192.168.1.19 is 0:6:25:aa:8a:f0.

    - -

    In order to avoid having to exchange ARP information each - time that an IP packet is to be sent, systems maintain an ARP cache - of IP<->MAC correspondences. You can see the ARP cache on your + +

    In order to avoid having to exchange ARP information each + time that an IP packet is to be sent, systems maintain an ARP cache + of IP<->MAC correspondences. You can see the ARP cache on your system (including your Windows system) using the 'arp' command:

    - -
    -
    + +
    + 
    [root@gateway root]# arp -na
    ? (206.124.146.177) at 00:A0:C9:15:39:78 [ether] on eth1
    ? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
    ? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
    ? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
    ? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
    - -

    The leading question marks are a result of my having specified - the 'n' option (Windows 'arp' doesn't allow that option) which causes - the 'arp' program to forego IP->DNS name translation. Had I not given - that option, the question marks would have been replaced with the FQDN - corresponding to each IP address. Notice that the last entry in the table + +

    The leading question marks are a result of my having specified + the 'n' option (Windows 'arp' doesn't allow that option) which causes + the 'arp' program to forego IP->DNS name translation. Had I not given + that option, the question marks would have been replaced with the FQDN + corresponding to each IP address. Notice that the last entry in the table records the information we saw using tcpdump above.

    - +

    4.5 RFC 1918

    - +

    IP addresses are allocated by the Internet Assigned Number Authority (IANA) - who delegates allocations on a geographic basis to Regional Internet - Registries (RIRs). For example, allocation for the Americas and for + href="http://www.iana.org">Internet Assigned Number Authority (IANA) + who delegates allocations on a geographic basis to Regional Internet + Registries (RIRs). For example, allocation for the Americas and for sub-Sahara Africa is delegated to the American Registry for Internet Numbers -(ARIN). These RIRs may in turn delegate to national registries. Most -of us don't deal with these registrars but rather get our IP addresses + href="http://www.arin.net">American Registry for Internet Numbers +(ARIN). These RIRs may in turn delegate to national registries. Most +of us don't deal with these registrars but rather get our IP addresses from our ISP.

    - +

    It's a fact of life that most of us can't afford as many Public IP addresses as we have devices to assign them to so we end up making use of Private IP addresses. RFC 1918 reserves several IP address ranges for this purpose:

    - -
    + +
         10.0.0.0    - 10.255.255.255
         172.16.0.0  - 172.31.255.255
         192.168.0.0 - 192.168.255.255
    - -
    -

    The addresses reserved by RFC 1918 are sometimes referred - to as non-routable because the Internet backbone routers don't - forward packets which have an RFC-1918 destination address. This is + +

    +

    The addresses reserved by RFC 1918 are sometimes referred + to as non-routable because the Internet backbone routers don't + forward packets which have an RFC-1918 destination address. This is understandable given that anyone can select any of these addresses for their private use.

    - -
    -

    When selecting addresses from these ranges, there's a couple + +

    +

    When selecting addresses from these ranges, there's a couple of things to keep in mind:

    - -
    + +
      -
    • +

    • As the IPv4 address space becomes depleted, more and more - organizations (including ISPs) are beginning to use RFC 1918 addresses + organizations (including ISPs) are beginning to use RFC 1918 addresses in their infrastructure.

      • -
    • -

      You don't want to use addresses that are being used by - your ISP or by another organization with whom you want to establish +

    • +

      You don't want to use addresses that are being used by + your ISP or by another organization with whom you want to establish a VPN relationship.

      • - +
    - -
    -

    So it's a good idea to check with your ISP to see if they - are using (or are planning to use) private addresses before you decide + +

    +

    So it's a good idea to check with your ISP to see if they + are using (or are planning to use) private addresses before you decide the addresses that you are going to use.

    - -
    + +

    5.0 Setting up your Network

    - -
    -

    The choice of how to set up your network depends primarily + +

    +

    The choice of how to set up your network depends primarily on how many Public IP addresses you have vs. how many addressable entities you have in your network. Regardless of how many addresses you have, your ISP will handle that set of addresses in one of two ways:

    - -
    + +
      -
    1. -

      Routed - Traffic to any of your addresses will - be routed through a single gateway address. This will generally - only be done if your ISP has assigned you a complete subnet (/29 or - larger). In this case, you will assign the gateway address as the IP +

    2. +

      Routed - Traffic to any of your addresses will + be routed through a single gateway address. This will generally + only be done if your ISP has assigned you a complete subnet (/29 or + larger). In this case, you will assign the gateway address as the IP address of your firewall/router's external interface.

      3. -
    3. -

      Non-routed - Your ISP will send traffic to each +

    4. +

      Non-routed - Your ISP will send traffic to each of your addresses directly.

      5. - +
    - -
    -

    In the subsections that follow, we'll look at each of these + +

    +

    In the subsections that follow, we'll look at each of these separately.

    - +

    Before we begin, there is one thing for you to check:

    - +

        If you are using the Debian package, please check your shorewall.conf file to ensure that the following are set correctly; if they are not, change them appropriately:

    - +
    • NAT_ENABLED=Yes
    • IP_FORWARDING=On
      • - +
    - -
    + +

    5.1 Routed

    - -
    -

    Let's assume that your ISP has assigned you the subnet -192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses - 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address - is 192.0.2.65. Your ISP has also told you that you should use a netmask - of 255.255.255.0 (so your /28 is part of a larger /24). With this many - IP addresses, you are able to subnet your /28 into two /29's and set + +

    +

    Let's assume that your ISP has assigned you the subnet +192.0.2.64/28 routed through 192.0.2.65. That means that you have IP addresses + 192.0.2.64 - 192.0.2.79 and that your firewall's external IP address + is 192.0.2.65. Your ISP has also told you that you should use a netmask + of 255.255.255.0 (so your /28 is part of a larger /24). With this many + IP addresses, you are able to subnet your /28 into two /29's and set up your network as shown in the following diagram.

    - -
    + +

    - -
    + +

    Here, the DMZ comprises the subnet 192.0.2.64/29 and the Local network is 192.0.2.72/29. The default gateway for hosts in the DMZ would be configured to 192.0.2.66 and the default gateway for hosts in the local network would be 192.0.2.73.

    - -
    -

    Notice that this arrangement is rather wasteful of public - IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet - addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses -and 192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router. - Nevertheless, it shows how subnetting can work and if we were dealing - with a /24 rather than a /28 network, the use of 6 IP addresses out + +

    +

    Notice that this arrangement is rather wasteful of public + IP addresses since it is using 192.0.2.64 and 192.0.2.72 for subnet + addresses, 192.0.2.71 and 192.0.2.79 for subnet broadcast addresses +and 192.0.2.66 and 168.0.2.73 for internal addresses on the firewall/router. + Nevertheless, it shows how subnetting can work and if we were dealing + with a /24 rather than a /28 network, the use of 6 IP addresses out of 256 would be justified because of the simplicity of the setup.

    - -
    -

    The astute reader may have noticed that the Firewall/Router's - external interface is actually part of the DMZ subnet (192.0.2.64/29). - What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The + +

    +

    The astute reader may have noticed that the Firewall/Router's + external interface is actually part of the DMZ subnet (192.0.2.64/29). + What if DMZ 1 (192.0.2.67) tries to communicate with 192.0.2.65? The routing table on DMZ 1 will look like this:

    - -
    -
    + +
    +
    Kernel IP routing table
    Destination 	Gateway 	Genmask 	Flags MSS Window irtt Iface
    192.0.2.64 	0.0.0.0 	255.255.255.248 U     40  0         0 eth0
    0.0.0.0 	192.0.2.66	0.0.0.0 	UG    40  0         0 eth0
    - -
    -

    This means that DMZ 1 will send an ARP "who-has 192.0.2.65" - request and no device on the DMZ Ethernet segment has that IP address. - Oddly enough, the firewall will respond to the request with the MAC - address of its DMZ Interface!! DMZ 1 can then send Ethernet frames - addressed to that MAC address and the frames will be received (correctly) + +

    +

    This means that DMZ 1 will send an ARP "who-has 192.0.2.65" + request and no device on the DMZ Ethernet segment has that IP address. + Oddly enough, the firewall will respond to the request with the MAC + address of its DMZ Interface!! DMZ 1 can then send Ethernet frames + addressed to that MAC address and the frames will be received (correctly) by the firewall/router.

    - -
    + +

    It is this rather unexpected ARP behavior on the part of the Linux Kernel that prompts the warning earlier in this guide regarding the connecting of multiple firewall/router interfaces to the same hub or switch. When an ARP request for one of the firewall/router's IP addresses is sent -by another system connected to the hub/switch, all of the firewall's +by another system connected to the hub/switch, all of the firewall's interfaces that connect to the hub/switch can respond! It is then a race as to which "here-is" response reaches the sender first.

    - -
    + +

    5.2 Non-routed

    - -
    + +

    If you have the above situation but it is non-routed, you -can configure your network exactly as described above with one additional +can configure your network exactly as described above with one additional twist; simply specify the "proxyarp" option on all three firewall interfaces in the /etc/shorewall/interfaces file.

    - -
    + +

    Most of us don't have the luxury of having enough public IP addresses to set up our networks as shown in the preceding example (even if the setup is routed).

    - -
    -

    For the remainder of this section, assume that your ISP + +

    +

    For the remainder of this section, assume that your ISP has assigned you IP addresses 192.0.2.176-180 and has told you to use netmask 255.255.255.0 and default gateway 192.0.2.254.

    - -
    -

    Clearly, that set of addresses doesn't comprise a subnetwork - and there aren't enough addresses for all of the network interfaces. - There are four different techniques that can be used to work around + +

    +

    Clearly, that set of addresses doesn't comprise a subnetwork + and there aren't enough addresses for all of the network interfaces. + There are four different techniques that can be used to work around this problem.

    - -
    + +
      -
    • -

      Source Network Address Translation (SNAT). +

    • +

      Source Network Address Translation (SNAT).

      • -
    • -

      Destination Network Address Translation (DNAT) +

    • +

      Destination Network Address Translation (DNAT) also known as Port Forwarding.

      • -
    • +

    • Proxy ARP.

      • -
    • -

      Network Address Translation (NAT) also referred +

    • +

      Network Address Translation (NAT) also referred to as Static NAT.

      • - +
    - -
    + +

    Often a combination of these techniques is used. Each of these will be discussed in the sections that follow.

    - -
    + +

     5.2.1 SNAT

    - -
    -

    With SNAT, an internal LAN segment is configured using RFC - 1918 addresses. When a host A on this internal segment initiates - a connection to host B on the internet, the firewall/router + +

    +

    With SNAT, an internal LAN segment is configured using RFC + 1918 addresses. When a host A on this internal segment initiates + a connection to host B on the internet, the firewall/router rewrites the IP header in the request to use one of your public IP addresses as the source address. When B responds and the response is received by the firewall, the firewall changes the destination address back to the RFC 1918 address of A and forwards the response back to A.

    - -
    -

    Let's suppose that you decide to use SNAT on your local zone - and use public address 192.0.2.176 as both your firewall's external - IP address and the source IP address of internet requests sent from + +

    +

    Let's suppose that you decide to use SNAT on your local zone + and use public address 192.0.2.176 as both your firewall's external + IP address and the source IP address of internet requests sent from that zone.

    - -
    + +

    - -
    The local zone has been subnetted as 192.168.201.0/29 + +
    The local zone has been subnetted as 192.168.201.0/29 (netmask 255.255.255.248).
    - +
     
    - +
        The systems in the local zone would be configured with a default gateway of 192.168.201.1 (the IP address of the firewall's local interface).
    - +
     
    - +
        SNAT is configured in Shorewall using the /etc/shorewall/masq file.
    - -
    -
    + +
    +
    @@ -1265,33 +1265,33 @@ local interface). - - + +
    192.168.201.0/29 192.0.2.176
    - -
    -

    This example used the normal technique of assigning the same - public IP address for the firewall external interface and for SNAT. + +

    +

    This example used the normal technique of assigning the same + public IP address for the firewall external interface and for SNAT. If you wanted to use a different IP address, you would either have to use your distributions network configuration tools to add that IP address to the external interface or you could set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf and Shorewall will add the address for you.

    - -
    + +

    5.2.2 DNAT

    - -
    -

    When SNAT is used, it is impossible for hosts on the internet - to initiate a connection to one of the internal systems since those - systems do not have a public IP address. DNAT provides a way to allow + +

    +

    When SNAT is used, it is impossible for hosts on the internet + to initiate a connection to one of the internal systems since those + systems do not have a public IP address. DNAT provides a way to allow selected connections from the internet.

    - -
    + +

         Suppose that your daughter wants to run a web server on @@ -1299,9 +1299,9 @@ her system "Local 3". You could allow connections to the internet to her server by adding the following entry in /etc/shorewall/rules:

    - -
    -
    + +
    +
    @@ -1323,82 +1323,82 @@ to her server by adding the following entry in - - - + +
    192.0.2.176
    - -
    -

    If one of your daughter's friends at address A wants + +

    +

    If one of your daughter's friends at address A wants to access your daughter's server, she can connect to http://192.0.2.176 (the firewall's external - IP address) and the firewall will rewrite the destination IP address + href="http://192.0.2.176"> http://192.0.2.176 (the firewall's external + IP address) and the firewall will rewrite the destination IP address to 192.168.201.4 (your daughter's system) and forward the request. When your daughter's server responds, the firewall will rewrite the source address back to 192.0.2.176 and send the response back to A.

    - -
    + +

    This example used the firewall's external IP address for DNAT. You can use another of your public IP addresses but Shorewall will not add that address to the firewall's external interface for you.

    - -
    + +

    5.2.3 Proxy ARP

    - -
    + +

    The idea behind proxy ARP is that:

    - -
    + +
      -
    • +

    • A host H behind your firewall is assigned one of -your public IP addresses (A) and is assigned the same netmask +your public IP addresses (A) and is assigned the same netmask (M) as the firewall's external interface.

      • -
    • +

    • The firewall responds to ARP "who has" requests for A.

      • -
    • +

    • When H issues an ARP "who has" request for an address in the subnetwork defined by A and M, the firewall will respond (with the MAC if the firewall interface to H).

      • - +
    - -
    -

    Let suppose that we decide to use Proxy ARP on the DMZ in + +

    +

    Let suppose that we decide to use Proxy ARP on the DMZ in our example network.

    - -
    + +

    - -
    Here, we've assigned the IP addresses 192.0.2.177 to - system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned - an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface + +
    Here, we've assigned the IP addresses 192.0.2.177 to + system DMZ 1 and 192.0.2.178 to DMZ 2. Notice that we've just assigned + an arbitrary RFC 1918 IP address and subnet mask to the DMZ interface on the firewall. That address and netmask isn't relevant - just be sure it doesn't overlap another subnet that you've defined.
    - +
     
    - +
        The Shorewall configuration of Proxy ARP is done using the /etc/shorewall/proxyarp file.
    - -
    -
    + +
    +
    @@ -1420,44 +1420,44 @@ respond (with the MAC if the firewall interface to H).

    - - + +
    eth0 No
    - -
    -

    Because the HAVE ROUTE column contains No, Shorewall will + +

    +

    Because the HAVE ROUTE column contains No, Shorewall will add host routes thru eth2 to 192.0.2.177 and 192.0.2.178.

    - -

    The ethernet interfaces on DMZ 1 and DMZ 2 should be configured - to have the IP addresses shown but should have the same default gateway + +

    The ethernet interfaces on DMZ 1 and DMZ 2 should be configured + to have the IP addresses shown but should have the same default gateway as the firewall itself -- namely 192.0.2.254. In other words, they should be configured just like they would be if they were parallel to the firewall rather than behind it.

    - +

    NOTE: Do not add the Proxy ARP'ed address(es) (192.0.2.177 and 192.0.2.178 in the above example)  to the external interface (eth0 in this example) of the firewall.

    - -
    + +

    - -
    -
    + +
    +

    A word of warning is in order here. ISPs typically configure their routers with a long ARP cache timeout. If you move a system from parallel to your firewall to behind your firewall with Proxy ARP, it will probably be HOURS before that system can communicate with the internet. There are a couple of things that you can try:

    - +
    1. (Courtesy of Bradey Honsinger) A reading of Stevens' TCP/IP Illustrated, Vol 1 reveals that a
      @@ -1471,12 +1471,12 @@ the MAC address for its own IP; in addition to ensuring that the IP address address..., this packet causes any other host...that has an entry in its cache for the old hardware address to update its ARP cache entry accordingly."

      - Which is, of course, exactly what you want to do when you switch a -host from being exposed to the Internet to behind Shorewall using proxy -ARP (or static NAT for that matter). Happily enough, recent versions of + Which is, of course, exactly what you want to do when you switch a +host from being exposed to the Internet to behind Shorewall using proxy +ARP (or static NAT for that matter). Happily enough, recent versions of Redhat's iputils package include "arping", whose "-U" flag does just that:

      -     arping -U -I <net if> <newly +     arping -U -I <net if> <newly proxied IP>
          arping -U -I eth0 66.58.99.83 # for example

      @@ -1487,71 +1487,71 @@ idea that it works most of the time.
    2. You can call your ISP and ask them to purge the stale ARP cache entry but many either can't or won't purge individual entries.
      3. - +
    You can determine if your ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we suspect that the gateway router has a stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:
    - -
    + +
    	tcpdump -nei eth0 icmp
    - -
    + +

    Now from 130.252.100.19, ping the ISP's gateway (which we will assume is 130.252.100.254):

    - -
    + +
    	ping 130.252.100.254
    - -
    + +

    We can now observe the tcpdump output:

    - -
    + +
    	13:35:12.159321 0:4:e2:20:20:33 0:0:77:95:dd:19 ip 98: 192.0.2.177 > 192.0.2.254: icmp: echo request (DF)
    	13:35:12.207615 0:0:77:95:dd:19 0:c0:a8:50:b2:57 ip 98: 192.0.2.254 > 192.0.2.177 : icmp: echo reply
    - -
    -

    Notice that the source MAC address in the echo request is + +

    +

    Notice that the source MAC address in the echo request is different from the destination MAC address in the echo reply!! In this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 was the MAC address of DMZ 1. In other words, the gateway's ARP cache still associates 192.0.2.177 with the NIC in DMZ 1 rather than with the firewall's eth0.

    - -
    + +

    5.2.4 Static NAT

    - -
    -

    With static NAT, you assign local systems RFC 1918 addresses - then establish a one-to-one mapping between those addresses and public + +

    +

    With static NAT, you assign local systems RFC 1918 addresses + then establish a one-to-one mapping between those addresses and public IP addresses. For outgoing connections SNAT (Source Network Address Translation) occurs and on incoming connections DNAT (Destination Network Address Translation) occurs. Let's go back to our earlier example involving your daughter's web server running on system Local 3.

    - -
    + +

    - -
    -

    Recall that in this setup, the local network is using SNAT - and is sharing the firewall external IP (192.0.2.176) for outbound + +

    +

    Recall that in this setup, the local network is using SNAT + and is sharing the firewall external IP (192.0.2.176) for outbound connections. This is done with the following entry in /etc/shorewall/masq:

    - -
    -
    + +
    +
    @@ -1565,23 +1565,23 @@ connections. This is done with the following entry in /etc/shorewall/masq: - - + +
    192.168.201.0/29 192.0.2.176
    - -
    + +

    -     Suppose now that you have decided to give your daughter her - own IP address (192.0.2.179) for both inbound and outbound connections. +     Suppose now that you have decided to give your daughter her + own IP address (192.0.2.179) for both inbound and outbound connections. You would do that by adding an entry in /etc/shorewall/nat.

    - -
    -
    + +
    +
    @@ -1599,28 +1599,28 @@ connections. This is done with the following entry in /etc/shorewall/masq: - - + +
    No No
    - -
    -

    With this entry in place, you daughter has her own IP address + +

    +

    With this entry in place, you daughter has her own IP address and the other two local systems share the firewall's IP address.

    - -
    + +

    -     Once the relationship between 192.0.2.179 and 192.168.201.4 +     Once the relationship between 192.0.2.179 and 192.168.201.4 is established by the nat file entry above, it is no longer appropriate to use a DNAT rule for you daughter's web server -- you would rather just use an ACCEPT rule:

    - -
    -
    + +
    +
    @@ -1642,39 +1642,39 @@ connections. This is done with the following entry in /etc/shorewall/masq: - - + +
       
    - -
    + +

    5.3 Rules

    - -
    + +

    -     With the default policies, your local systems (Local 1-3) -can access any servers on the internet and the DMZ can't access any +     With the default policies, your local systems (Local 1-3) +can access any servers on the internet and the DMZ can't access any other host (including the firewall). With the exception of DNAT rules which cause address translation and allow - the translated connection request to pass through the firewall, the -way to allow connection requests through your firewall is to use ACCEPT + href="#DNAT">DNAT rules which cause address translation and allow + the translated connection request to pass through the firewall, the +way to allow connection requests through your firewall is to use ACCEPT rules.

    - -
    -

    NOTE: Since the SOURCE PORT and ORIG. DEST. Columns aren't + +

    +

    NOTE: Since the SOURCE PORT and ORIG. DEST. Columns aren't used in this section, they won't be shown

    - -
    + +

    You probably want to allow ping between your zones:

    - -
    -
    + +
    +
    @@ -1713,19 +1713,19 @@ way to allow connection requests through your firewall is to use ACCEPT - - + +
    icmp echo-request
    - -
    -

    Let's suppose that you run mail and pop3 servers on DMZ 2 + +

    +

    Let's suppose that you run mail and pop3 servers on DMZ 2 and a Web Server on DMZ 1. The rules that you would need are:

    - -
    -
    + +
    +
    @@ -1809,19 +1809,19 @@ way to allow connection requests through your firewall is to use ACCEPT - - + +
    https # Secure HTTP from the Local Net
    - -
    + +

    If you run a public DNS server on 192.0.2.177, you would need to add the following rules:

    - -
    -
    + +
    +
    @@ -1897,20 +1897,20 @@ way to allow connection requests through your firewall is to use ACCEPT - - + +
    domain # TCP DNS to the Internet
    - -
    -

    You probably want some way to communicate with your firewall - and DMZ systems from the local network -- I recommend SSH which through + +

    +

    You probably want some way to communicate with your firewall + and DMZ systems from the local network -- I recommend SSH which through its scp utility can also do publishing and software update distribution.

    - -
    -
    + +
    +
    @@ -1938,46 +1938,46 @@ way to allow connection requests through your firewall is to use ACCEPT - - + +
    ssh # SSH to the Firewall
    - -
    + +

    5.4 Odds and Ends

    - -
    + +

    The above discussion reflects my personal preference for using Proxy ARP for my servers in my DMZ and SNAT/NAT for my local systems. I prefer to use NAT only in cases where a system that is part of an RFC 1918 subnet needs to have it's own public IP. 

    - -
    + +

    -     If you haven't already, it would be a good idea to browse -through /etc/shorewall/shorewall.conf +     If you haven't already, it would be a good idea to browse +through /etc/shorewall/shorewall.conf just to see if there is anything there that might be of interest. You might also want to look at the other configuration files that you haven't touched yet just to get a feel for the other things that Shorewall can do.

    - -
    + +

    In case you haven't been keeping score, here's the final set of configuration files for our sample network. Only those that were modified from the original installation are shown.

    - -
    + +

    /etc/shorewall/interfaces (The "options" will be very site-specific).

    - -
    -
    + +
    +
    @@ -2005,22 +2005,22 @@ can do.

    - - + +
    detect  
    - -
    -

    The setup described here requires that your network interfaces - be brought up before Shorewall can start. This opens a short window - during which you have no firewall protection. If you replace 'detect' - with the actual broadcast addresses in the entries above, you can bring + +

    +

    The setup described here requires that your network interfaces + be brought up before Shorewall can start. This opens a short window + during which you have no firewall protection. If you replace 'detect' + with the actual broadcast addresses in the entries above, you can bring up Shorewall before you bring up your network interfaces.

    - -
    -
    + +
    +
    @@ -2048,18 +2048,18 @@ can do.

    - - + +
    192.168.202.7  
    - -
    + +

    /etc/shorewall/masq - Local subnet

    - -
    -
    + +
    +
    @@ -2073,18 +2073,18 @@ can do.

    - - + +
    192.168.201.0/29 192.0.2.176
    - -
    + +

    /etc/shorewall/proxyarp - DMZ

    - -
    -
    + +
    +
    @@ -2106,18 +2106,18 @@ can do.

    - - + +
    eth0 No
    - -
    + +

    /etc/shorewall/nat- Daughter's System

    - -
    -
    + +
    +
    @@ -2135,18 +2135,18 @@ can do.

    - - + +
    No No
    - -
    + +

    /etc/shorewall/rules

    - -
    -
    + +
    +
    @@ -2342,187 +2342,187 @@ can do.

    - - + +
    ssh # SSH to the Firewall
    - -
    + +

    6.0 DNS

    - -
    + +

    Given the collection of RFC 1918 and public addresses in this setup, it only makes sense to have separate internal and external DNS servers. You can combine the two into a single BIND 9 server using Views. If you are not interested in Bind 9 views, you can go to the next section.

    - -
    -

    Suppose that your domain is foobar.net and you want the two + +

    +

    Suppose that your domain is foobar.net and you want the two DMZ systems named www.foobar.net and mail.foobar.net and you want the three local systems named "winken.foobar.net, blinken.foobar.net and - nod.foobar.net. You want your firewall to be known as firewall.foobar.net - externally and it's interface to the local network to be know as gateway.foobar.net + nod.foobar.net. You want your firewall to be known as firewall.foobar.net + externally and it's interface to the local network to be know as gateway.foobar.net and its interface to the dmz as dmz.foobar.net. Let's have the DNS server on 192.0.2.177 which will also be known by the name ns1.foobar.net.

    - -
    + +

    The /etc/named.conf file would look like this:

    - -
    -
    -
    + +
    +
    + 
    options {
    	directory "/var/named";
    	listen-on { 127.0.0.1 ; 192.0.2.177; };
    };

    logging {
    	channel xfer-log {
    		file "/var/log/named/bind-xfer.log";
    		print-category yes;
    		print-severity yes;
    		print-time yes;
    		severity info;
    	};
    	category xfer-in { xfer-log; };
    	category xfer-out { xfer-log; };
    	category notify { xfer-log; };
    };
    - -
    + + 
    #
    # This is the view presented to our internal systems
    #

    view "internal" {
    	#
    	# These are the clients that see this view
    	#
    	match-clients { 192.168.201.0/29;
    			192.168.202.0/29;
    			127.0.0/24;
    			192.0.2.176/32; 
    			192.0.2.178/32;
    			192.0.2.179/32;
    			192.0.2.180/32; };
    	#
    	# If this server can't complete the request, it should use outside
    	# servers to do so
    	#
    	recursion yes;

    	zone "." in {
    		type hint;
    		file "int/root.cache";
    	};

    	zone "foobar.net" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "int/db.foobar";
    	};

    	zone "0.0.127.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "int/db.127.0.0";	
    	};

    	zone "201.168.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "int/db.192.168.201";
    	};

    	zone "202.168.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "int/db.192.168.202";
    	};

    	zone "176.2.0.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "db.192.0.2.176";
    	};
     (or status NAT for that matter)
    	zone "177.2.0.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "db.192.0.2.177";
    	};

    	zone "178.2.0.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "db.192.0.2.178";
    	};

    	zone "179.2.0.192.in-addr.arpa" in {
    		type master;
    		notify no;
    		allow-update { none; };
    		file "db.206.124.146.179";
    	};

    };
    #
    # This is the view that we present to the outside world
    #
    view "external" {
    	match-clients { any; };
    	#
    	# If we can't answer the query, we tell the client so
    	#
    	recursion no;

    	zone "foobar.net" in {
    		type master;
    		notify yes;
    		allow-update {none; };
    		allow-transfer { <secondary NS IP>; };
    		file "ext/db.foobar";
    	};

    	zone "176.2.0.192.in-addr.arpa" in {
     		type master;
    		notify yes;
    		allow-update { none; };
    		allow-transfer { <secondary NS IP>; };
    		file "db.192.0.2.176";
    	};

    	zone "177.2.0.192.in-addr.arpa" in {
    		type master;
    		notify yes;
    		allow-update { none; };
    		allow-transfer { <secondary NS IP>; };
    		file "db.192.0.2.177";
    	};

    	zone "178.2.0.192.in-addr.arpa" in {
    		type master;
    		notify yes;
    		allow-update { none; };
    		allow-transfer { <secondary NS IP>; };
    		file "db.192.0.2.178";
    	};

    	zone "179.2.0.192.in-addr.arpa" in {
    		type master;
    		notify yes;
    		allow-update { none; };
    		allow-transfer { <secondary NS IP>; };
    		file "db.192.0.2.179";
    	};
    };
    - -
    -

    Here are the files in /var/named (those not shown are usually + +

    +

    Here are the files in /var/named (those not shown are usually included in your bind disbribution).

    - -

    db.192.0.2.176 - This is the reverse zone for the firewall's + +

    db.192.0.2.176 - This is the reverse zone for the firewall's external interface

    - -
    + +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.176/32
    ; Filename: db.192.0.2.176
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2001102303 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800	IN NS	ns1.foobar.net.
    @	604800	IN NS	<name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's) 
    ; ############################################################
    176.2.0.192.in-addr.arpa. 86400 IN PTR firewall.foobar.net.
    - -
    -
    db.192.0.2.177 - This is the reverse zone for the www/DNS - server -
    + +
    +
    db.192.0.2.177 - This is the reverse zone for the www/DNS + server +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.177/32
    ; Filename: db.192.0.2.177
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2001102303 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800	IN NS	ns1.foobar.net.
    @	604800	IN NS	<name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's) 
    ; ############################################################
    177.2.0.192.in-addr.arpa. 86400 IN PTR www.foobar.net.
    - -
    -
    db.192.0.2.178 - This is the reverse zone for the mail - server -
    + +
    +
    db.192.0.2.178 - This is the reverse zone for the mail + server +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.178/32
    ; Filename: db.192.0.2.178
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2001102303 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800	IN NS	ns1.foobar.net.
    @	604800	IN NS	<name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's) 
    ; ############################################################
    178.2.0.192.in-addr.arpa. 86400 IN PTR mail.foobar.net.
    - -
    -
    db.192.0.2.179 - This is the reverse zone for daughter's - web server's public IP -
    + +
    +
    db.192.0.2.179 - This is the reverse zone for daughter's + web server's public IP +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.0.2.179/32
    ; Filename: db.192.0.2.179
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2001102303 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ) ; minimum (1 day)
    ;
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800	IN NS	ns1.foobar.net.
    @	604800	IN NS	<name of secondary ns>.
    ;
    ; ############################################################
    ; Iverse Address Arpa Records (PTR's) 
    ; ############################################################
    179.2.0.192.in-addr.arpa. 86400 IN PTR nod.foobar.net.
    - -
    + +

    int/db.127.0.0 - The reverse zone for localhost

    - -
    -
    + +
    +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 127.0.0.0/8
    ; Filename: db.127.0.0
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    				2001092901 ; serial
    				10800 ; refresh (3 hour)
    				3600 ; retry (1 hour)
    				604800 ; expire (7 days)
    				86400 ) ; minimum (1 day)
    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800		IN NS	ns1.foobar.net.

    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    1	86400		IN PTR	localhost.foobar.net.
    - -
    -

    int/db.192.168.201 - Reverse zone for the local net. This + +

    +

    int/db.192.168.201 - Reverse zone for the local net. This is only shown to internal clients

    - -
    -
    + +
    +
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.168.201.0/29
    ; Filename: db.192.168.201
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
    				2002032501 ; serial
    				10800 ; refresh (3 hour)
    				3600 ; retry (1 hour)
    				604800 ; expire (7 days)
    				86400 ) ; minimum (1 day)

    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @	604800		IN NS	ns1.foobar.net.

    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    1	86400		IN PTR 	gateway.foobar.net.
    2	86400		IN PTR	winken.foobar.net.
    3	86400		IN PTR	blinken.foobar.net.
    4	86400		IN PTR	nod.foobar.net.
    - -
    -

    int/db.192.168.202 - Reverse zone for the firewall's DMZ + +

    +

    int/db.192.168.202 - Reverse zone for the firewall's DMZ interface

    - -
    -
    -
    + +
    +
    + 
    ; ############################################################
    ; Start of Authority (Inverse Address Arpa) for 192.168.202.0/29
    ; Filename: db.192.168.202
    ; ############################################################
    @ 604800 IN SOA ns1.foobar.net netadmin.foobar.net. (
    				2002032501 ; serial
    				10800 ; refresh (3 hour)
    				3600 ; retry (1 hour)
    				604800 ; expire (7 days)
    				86400 ) ; minimum (1 day)

    ; ############################################################
    ; Specify Name Servers for all Reverse Lookups (IN-ADDR.ARPA)
    ; ############################################################
    @		604800	IN NS	ns1.foobar.net.

    ; ############################################################
    ; Iverse Address Arpa Records (PTR's)
    ; ############################################################
    1 		86400 IN PTR	dmz.foobar.net.
    - -
    + +

    int/db.foobar - Forward zone for use by internal clients.

    - -
    -
    + +
    +
    ;##############################################################
    ; Start of Authority for foobar.net.
    ; Filename: db.foobar
    ;##############################################################
    @ 604800 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2002071501 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ); minimum (1 day)
    ;############################################################
    ; foobar.net Nameserver Records (NS)
    ;############################################################
    @ 		604800	IN NS	ns1.foobar.net.

    ;############################################################
    ; Foobar.net Office Records (ADDRESS)
    ;############################################################
    localhost	86400 	IN A 	127.0.0.1

    firewall	86400	IN A	192.0.2.176
    www		86400	IN A	192.0.2.177
    ns1 		86400	IN A 	192.0.2.177
    www		86400	IN A	192.0.2.177

    gateway		86400	IN A 	192.168.201.1
    winken		86400	IN A 	192.168.201.2
    blinken		86400	IN A	192.168.201.3
    nod		86400	IN A	192.168.201.4
    - -
    + +

    ext/db.foobar - Forward zone for external clients

    - -
    -
    -
    + +
    +
    + 
    ;##############################################################
    ; Start of Authority for foobar.net.
    ; Filename: db.foobar
    ;##############################################################
    @ 86400 IN SOA ns1.foobar.net. netadmin.foobar.net. (
    			2002052901 ; serial
    			10800 ; refresh (3 hour)
    			3600 ; retry (1 hour)
    			604800 ; expire (7 days)
    			86400 ); minimum (1 day)
    ;############################################################
    ; Foobar.net Nameserver Records (NS)
    ;############################################################
    @		86400	IN NS	ns1.foobar.net.
    @		86400	IN NS	<secondary NS>.
    ;############################################################
    ; Foobar.net 	Foobar Wa Office Records (ADDRESS)
    ;############################################################
    localhost	86400	IN A	127.0.0.1
    ;
    ; The firewall itself
    ;
    firewall	86400	IN A	192.0.2.176
    ;
    ; The DMZ
    ;
    ns1		86400	IN A	192.0.2.177
    www		86400	IN A	192.0.2.177
    mail		86400	IN A	192.0.2.178
    ;
    ; The Local Network
    ;
    nod		86400	IN A	192.0.2.179

    ;############################################################
    ; Current Aliases for foobar.net (CNAME)
    ;############################################################

    ;############################################################
    ; foobar.net MX Records (MAIL EXCHANGER)
    ;############################################################
    foobar.net.	86400	IN A	192.0.2.177
    		86400 	IN MX 0 mail.foobar.net.
    		86400	IN MX 1 <backup MX>.
    - -
    -

    7.0 Starting and Stopping + +
    +

    7.0 Starting and Stopping Your Firewall

    - -
    -

    The installation procedure configures + +

    +

    The installation procedure configures your system to start Shorewall at system boot.

    - -
    -

    The firewall is started using the "shorewall start" command + +

    +

    The firewall is started using the "shorewall start" command and stopped using "shorewall stop". When the firewall is stopped, routing is enabled on those hosts that have an entry in /etc/shorewall/routestopped. A - running firewall may be restarted using the "shorewall restart" command. - If you want to totally remove any trace of Shorewall from your Netfilter + href="Documentation.htm#Routestopped">/etc/shorewall/routestopped. A + running firewall may be restarted using the "shorewall restart" command. + If you want to totally remove any trace of Shorewall from your Netfilter configuration, use "shorewall clear".

    - -
    + +

    -     Edit the /etc/shorewall/routestopped file and configure those - systems that you want to be able to access the firewall when it is +     Edit the /etc/shorewall/routestopped file and configure those + systems that you want to be able to access the firewall when it is stopped.

    - -
    -

    WARNING: If you are connected to your firewall from - the internet, do not issue a "shorewall stop" command unless you have + +

    +

    WARNING: If you are connected to your firewall from + the internet, do not issue a "shorewall stop" command unless you have added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. - Also, I don't recommend using "shorewall restart"; it is better to create - an alternate configuration - and test it using the "shorewall + href="Documentation.htm#Routestopped">/etc/shorewall/routestopped. + Also, I don't recommend using "shorewall restart"; it is better to create + an alternate configuration + and test it using the "shorewall try" command.

    - +

    Last updated 3/21/2003 - Tom Eastep

    - +

    Copyright 2002, 2003 Thomas M. Eastep


    diff --git a/Shorewall-docs/sourceforge_index.htm b/Shorewall-docs/sourceforge_index.htm index be7961910..2464b1331 100644 --- a/Shorewall-docs/sourceforge_index.htm +++ b/Shorewall-docs/sourceforge_index.htm @@ -1,279 +1,150 @@ - - - - - - - Shoreline Firewall (Shorewall) 1.3 - - - - - - - - - - + - + - + - + - - - - - - - + + + + + + +
    - - - - - - - - - - + height="90"> + + + + + + + + + +

    Shorwall Logo - + Shorewall 1.4 - "iptables made easy"

    - - - - - - - - - - - - + + + + + + + + + + + + - +
    - - - - -
    - -
    - + + + + +
    + +
    + - + - + - + - + - + - - - - - - - - - + + + + + + + + +
    - - - - - - - - - - - - +

    What is it?

    - - - - - - - - - - - - - +

    The Shoreline Firewall, more commonly known as  "Shorewall", is a Netfilter (iptables) based firewall that can be used on a dedicated firewall system, a multi-function gateway/router/server or on a standalone GNU/Linux system.

    - - - - - - - - - - - - - -

    This program is free software; you can redistribute it and/or modify +

    This program is free software; you can redistribute it and/or modify it under the terms of Version 2 of the GNU General Public License as published by the Free Software Foundation.
    - +
    - + This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR - A PARTICULAR PURPOSE. See the GNU General Public + A PARTICULAR PURPOSE. See the GNU General Public License for more details.
    - +
    - - You should have received + + You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA

    - - - - - - - - - - - - -

    Copyright 2001, 2002, 2003 Thomas M. Eastep

    - - - - - - - - - - - - -

    - - Jacques + + Jacques Nilo and Eric Wolzak have a LEAF (router/firewall/gateway - on a floppy, CD or compact flash) distribution + on a floppy, CD or compact flash) distribution called Bering that features Shorewall-1.3.14 and Kernel-2.4.20. You can find their work at: http://leaf.sourceforge.net/devel/jnilo

    - Congratulations - to Jacques and Eric on the recent release of Bering + Congratulations + to Jacques and Eric on the recent release of Bering 1.1!!!
    -     - - - - -

    News

    - - - - - - - - - - - - - - - +

    3/24/2003 - Shorewall 1.4.1 (New) -  

    - - - - - - - - - - - - -
      - - - - - - - - - -
    - - - - - - - - - +  

    +

    This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0 and removes additional warts.

    Problems Corrected:

      -
    1. When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), +
    2. When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file is empty. That problem has been corrected so that ECN disabling rules are only added if there are entries in /etc/shorewall/ecn.
    New Features:
    - -
    Note: In the list that follows, the term group refers -to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be + +
    Note: In the list that follows, the term group refers +to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be a host address) accessed through a particular interface. Examples:
    - +
    eth0:0.0.0.0/0
    eth2:192.168.1.0/24
    eth3:192.0.2.123
    @@ -281,7 +152,7 @@ a host address) accessed through a particular interface. Examples:
    You can use the "shorewall check" command to see the groups associated with each of your zones.
    - +
    1. Beginning with Shorewall 1.4.1, if a zone Z comprises more than one group then if there is no explicit Z to Z policy and there are @@ -292,7 +163,7 @@ to handle traffic from a group to itself.
    2. A NONE policy is introduced in 1.4.1. When a policy of NONE is specified from Z1 to Z2:
    - +
    • There may be no rules created that govern connections from Z1 to Z2.
      • @@ -302,147 +173,147 @@ from Z1 to Z2. See the upgrade issues for a discussion of how these changes may affect your configuration.

      More News

      - - - - - - - - - - - - - + + + + + + + + + + + + +

      - - - - - - - + + + + + + +

      SourceForge Logo

      - - - - - - - + + + + + + +

      - - - - - - - + + + + + + +

      This site is hosted by the generous folks at SourceForge.net

      - - - - - - - + + + + + + +

      Donations

      - - + +

    - +
    - +
    - +
    - - - - + + + + - + - + - + - + - - - - - - - - - + + + + + + + + +
    - - - - - - - - - - + style="margin-top: 1px;"> + + + + + + + + + +

    - +

    - - - - - - - - - - - - - + + + + + + + + + + + + +

    Shorewall is free but if you try it and find it useful, please consider making a donation to Starlight + href="http://www.starlight.org">Starlight Children's Foundation. Thanks!

    - +
    - - - - -

    Updated 3/21/2003 - Tom Eastep - + + + + +

    Updated 3/21/2003 - Tom Eastep +


    diff --git a/Shorewall-docs/spam_filters.htm b/Shorewall-docs/spam_filters.htm index 11ba8eb3d..41f9cd513 100644 --- a/Shorewall-docs/spam_filters.htm +++ b/Shorewall-docs/spam_filters.htm @@ -1,32 +1,32 @@ - + - + - + - + SPAM Filters - + - - - + +
    +

    SPAM Filters
    - +


    (SpamAssassin Logo)

    - +

    Like all of you, I'm concerned about the increasing volume of Unsolicited - Commercial Email (UCE or SPAM). I am therefore sympathetic with those of -you who are installing SPAM filters on your mail servers. A couple of recent + Commercial Email (UCE or SPAM). I am therefore sympathetic with those of +you who are installing SPAM filters on your mail servers. A couple of recent incidents involving mis-configured filters have prompted me to establish this page to spell out what I will do when these filters bounce list postings.

    - +

    When your SPAM filter bounces/rejects list mail and I can identify who you are, I will:

    - +
    1. immediately turn off delivery to you from all Shorewall lists to which you subscribe.
    2. try to send you an email from a source other than shorewall.net
      3. - +
    - +

    When you have corrected the problem, please let me know and I will re-enable delivery (or you can reenable delivery yourself).

    @@ -58,10 +58,10 @@ which you subscribe. rejected as spam but fail to provide any clue about the original addressee!!! If I don't know who you are, I can't tell you about the problem...

    - +

    Last Updated 1/29/2003 - Tom Eastep

    - -

    Copyright + +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.



    diff --git a/Shorewall-docs/standalone.htm b/Shorewall-docs/standalone.htm index 1029c35e2..401184f28 100644 --- a/Shorewall-docs/standalone.htm +++ b/Shorewall-docs/standalone.htm @@ -1,98 +1,98 @@ - + - + - + - + Standalone Firewall - + - - - + +
    +

    Standalone Firewall
    - +

    Version 2.0.1

    - +

    Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the documentation.

    - +

    This guide doesn't attempt to acquaint you with all of the features of Shorewall. It rather focuses on what is required to configure Shorewall in one of its most common configurations:

    - +
    • Linux system
    • Single external IP address
    • Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...
      • - +
    - +

    Shorewall requires that you have the iproute/iproute2 package installed (on RedHat, the package is called iproute). You can tell if this package is installed by the presence of an ip program on your firewall system. As root, you can use the 'which' command to check for this program:

    - + 
         [root@gateway root]# which ip
         /sbin/ip
         [root@gateway root]#
    - +

    I recommend that you read through the guide first to familiarize yourself with what's involved then go back through it again making your configuration changes.  Points at which configuration changes are recommended are flagged with .

    - +

        If you edit your configuration files on a Windows system, you must save them as Unix files if your editor supports that option or you must run them through dos2unix before trying to use them. Similarly, if you copy a configuration file from your Windows hard drive to a floppy disk, you must run dos2unix against the copy before using it with Shorewall.

    - + - +

    Shorewall Concepts

    - +

        The configuration files for Shorewall are contained in the directory /etc/shorewall -- for simple setups, you only need to deal with a few of these as described in this guide. After you have installed Shorewall, download the one-interface sample, - un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall - (they will replace files with the same names that were placed in /etc/shorewall + href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample, + un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall + (they will replace files with the same names that were placed in /etc/shorewall during Shorewall installation).

    - +

    As each file is introduced, I suggest that you look through the actual file on your system -- each file contains detailed configuration instructions and default entries.

    - +

    Shorewall views the network where it is running as being composed of a set of zones. In the one-interface sample configuration, only one zone is defined:

    - + @@ -104,38 +104,38 @@ one zone is defined:

    - - + +
    net The Internet
    - +

    Shorewall zones are defined in /etc/shorewall/zones.

    - +

    Shorewall also recognizes the firewall system as its own zone - by default, the firewall itself is known as fw.

    - +

    Rules about what traffic to allow and what traffic to deny are expressed in terms of zones.

    - + - +

    For each connection request entering the firewall, the request is first checked against the /etc/shorewall/rules file. If no rule in that file matches the connection request then the first policy in /etc/shorewall/policy that matches the request is applied. If that policy is REJECT or DROP  the request is first checked against the rules in /etc/shorewall/common (the samples provide that file for you).

    - +

    The /etc/shorewall/policy file included with the one-interface sample has the following policies:

    - -
    + +
    @@ -168,27 +168,27 @@ has the following policies:

    - - + +
    info  
    - +

    The above policy will:

    - +
    1. allow all connection requests from the firewall to the internet
    2. drop (ignore) all connection requests from the internet to your firewall
    3. reject all other connection requests (Shorewall requires this catchall policy).
      4. - +
    - +

    At this point, edit your /etc/shorewall/policy and make any changes that you wish.

    - +

    External Interface

    - +

    The firewall has a single network interface. Where Internet connectivity is through a cable or DSL "Modem", the External Interface will be the ethernet adapter (eth0) that is connected to that @@ -198,64 +198,64 @@ has the following policies:

    Interface will be a ppp0. If you connect via a regular modem, your External Interface will also be ppp0. If you connect using ISDN, your external interface will be ippp0.

    - +

    -     The Shorewall one-interface sample configuration assumes that +     The Shorewall one-interface sample configuration assumes that the external interface is eth0. If your configuration is different, you will have to modify the sample /etc/shorewall/interfaces file accordingly. While you are there, you may wish to review the list of options that are specified for the interface. Some hints:

    - +
      -
    • +

    • If your external interface is ppp0 or ippp0, you can replace the "detect" in the second column with "-".

      • -
    • +

    • If your external interface is ppp0 or ippp0 or if you have a static IP address, you can remove "dhcp" from the option list.

      • - +
    - -
    + +

    IP Addresses

    - -
    + +

    RFC 1918 reserves several Private IP address ranges for use in private networks:

    - -
    + +
         10.0.0.0    - 10.255.255.255
         172.16.0.0  - 172.31.255.255
         192.168.0.0 - 192.168.255.255
    - +

    These addresses are sometimes referred to as non-routable because the Internet backbone routers will not forward a packet whose destination address is reserved by RFC 1918. In some cases though, ISPs are assigning these addresses then using Network Address Translation to rewrite packet headers when forwarding to/from the internet.

    - +

         Before starting Shorewall, you should look at the IP address of your external interface and if it is one of the above ranges, you should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.

    - -
    + +

    Enabling other Connections

    - -
    + +

    If you wish to enable connections from the internet to your firewall, the general format is:

    - -
    -
    + +
    +
    @@ -277,19 +277,19 @@ should remove the 'norfc1918' option from the entry in /etc/shorewall/interf - - + +
       
    - -
    + +

    Example - You want to run a Web Server and a POP3 Server on your firewall system:

    - -
    -
    + +
    +
    @@ -320,25 +320,25 @@ on your firewall system:

    - - + +
       
    - -
    -

    If you don't know what port and protocol a particular + +

    +

    If you don't know what port and protocol a particular application uses, see here.

    - -
    + +

    Important: I don't recommend enabling telnet to/from the internet because it uses clear text (even for login!). If you want shell access to your firewall from the internet, use SSH:

    - -
    -
    + +
    +
    @@ -360,39 +360,39 @@ application uses, see here.

    - - + +
       
    - -
    + +

        At this point, edit /etc/shorewall/rules to add other connections as desired.

    - -
    + +

    Starting and Stopping Your Firewall

    - -
    + +

    Arrow -     The installation procedure configures - your system to start Shorewall at system boot but beginning with Shorewall - version 1.3.9 startup is disabled so that your system won't try to start - Shorewall before configuration is complete. Once you have completed configuration +     The installation procedure configures + your system to start Shorewall at system boot but beginning with Shorewall + version 1.3.9 startup is disabled so that your system won't try to start + Shorewall before configuration is complete. Once you have completed configuration of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.

    - +

    IMPORTANT: Users of the .deb package must edit /etc/default/shorewall and set 'startup=1'.

    - -
    + +

    The firewall is started using the "shorewall start" command and stopped using "shorewall stop". When the firewall is stopped, routing is enabled on those hosts that have an entry in here.

    If you want to totally remove any trace of Shorewall from your Netfilter configuration, use "shorewall clear".

    - -
    + +

    WARNING: If you are connected to your firewall from the internet, do not issue a "shorewall stop" command unless you have added an entry for the IP address that you are connected from to /etc/shorewall/routestopped. + href="Documentation.htm#Routestopped">/etc/shorewall/routestopped. Also, I don't recommend using "shorewall restart"; it is better to create an alternate configuration and test it using the "shorewall try" command.

    - +

    Last updated 2/21/2003 - Tom Eastep

    - -

    Copyright 2002, 2003 + +

    Copyright 2002, 2003 Thomas M. Eastep



    diff --git a/Shorewall-docs/starting_and_stopping_shorewall.htm b/Shorewall-docs/starting_and_stopping_shorewall.htm index 4936e8b4d..50f99a757 100644 --- a/Shorewall-docs/starting_and_stopping_shorewall.htm +++ b/Shorewall-docs/starting_and_stopping_shorewall.htm @@ -1,45 +1,45 @@ - + - + - + - + Starting and Stopping Shorewall - - - + + + - + - - - + - - - + + +
    - - + + + +

    Starting/Stopping and Monitoring the Firewall

    - +
    - - - - + + + +

    If you have a permanent internet connection such as DSL or Cable, I recommend that you start the firewall automatically at boot. Once you have installed "firewall" in your init.d directory, simply @@ -48,110 +48,110 @@ in run levels 2-5 and stop it in run levels 1 and 6. If you want to configure your firewall differently from this default, you can use the "--level" option in chkconfig (see "man chkconfig") or using your favorite graphical run-level editor.

    - - - - - - - - + + + + + + + +

    Important Notes:

    - +
      -
    1. Shorewall startup is disabled by default. Once you have -configured your firewall, you can enable startup by removing the file -/etc/shorewall/startup_disabled. Note: Users of the .deb package must +
    2. Shorewall startup is disabled by default. Once you have +configured your firewall, you can enable startup by removing the file +/etc/shorewall/startup_disabled. Note: Users of the .deb package must edit /etc/default/shorewall and set 'startup=1'.
      3. -
    3. If you use dialup, you may want to start the firewall - in your /etc/ppp/ip-up.local script. I recommend just placing +
    4. If you use dialup, you may want to start the firewall + in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall restart" in that script.
      5. - +
    - -

    + +

    - - - - -

    You can manually start and stop Shoreline Firewall using the "shorewall" + + + + +

    You can manually start and stop Shoreline Firewall using the "shorewall" shell program:

    - - + +
    • shorewall start - starts the firewall
    • shorewall stop - stops the firewall
      • -
    • shorewall restart - stops the firewall (if it's +
    • shorewall restart - stops the firewall (if it's running) and then starts it again
    • shorewall reset - reset the packet and byte counters in the firewall
      • -
    • shorewall clear - remove all rules and chains +
    • shorewall clear - remove all rules and chains installed by Shoreline Firewall
      • -
    • shorewall refresh - refresh the rules involving the broadcast +
    • shorewall refresh - refresh the rules involving the broadcast addresses of firewall interfaces, the black list, traffic control rules and ECN control rules.
      • - +
    - If you include the keyword debug as the first argument, then + If you include the keyword debug as the first argument, then a shell trace of the command is produced as in:
    - + 
    	shorewall debug start 2> /tmp/trace
    - - - - + + + +

    The above command would trace the 'start' command and place the trace information in the file /tmp/trace

    - -

    The Shorewall State Diagram is shown at the + +

    The Shorewall State Diagram is shown at the bottom of this page.

    - +

    The "shorewall" program may also be used to monitor the firewall.

    - - + +
      -
    • shorewall status - produce a verbose report about the +
    • shorewall status - produce a verbose report about the firewall (iptables -L -n -v)
    • shorewall show chain - produce a verbose report about chain (iptables -L chain -n -v)
      • -
    • shorewall show nat - produce a verbose report about the +
    • shorewall show nat - produce a verbose report about the nat table (iptables -t nat -L -n -v)
      • -
    • shorewall show tos - produce a verbose report about the +
    • shorewall show tos - produce a verbose report about the mangle table (iptables -t mangle -L -n -v)
    • shorewall show log - display the last 20 packet log entries.
    • shorewall show connections - displays the IP connections currently being tracked by the firewall.
      • -
    • shorewall - show +
    • shorewall + show tc - displays information about the traffic control/shaping configuration.
    • shorewall monitor [ delay ] - Continuously display the firewall status, last 20 log entries and nat. When the log entry display changes, an audible alarm is sounded.
      • -
    • shorewall hits - Produces several reports about the Shorewall +
    • shorewall hits - Produces several reports about the Shorewall packet log messages in the current /var/log/messages file.
      • -
    • shorewall version - Displays the installed version +
    • shorewall version - Displays the installed version number.
      • -
    • shorewall check - Performs a cursory validation of the +
    • shorewall check - Performs a cursory validation of the zones, interfaces, hosts, rules and policy files.

      - The "check" command is totally unsuppored + The "check" command is totally unsuppored and does not parse and validate the generated iptables commands. Even -though the "check" command completes successfully, the configuration -may fail to start. Problem reports that complain about errors that the 'check' +though the "check" command completes successfully, the configuration +may fail to start. Problem reports that complain about errors that the 'check' command does not detect will not be accepted.

      See the recommended way to make configuration changes described below.

      • -
    • shorewall try configuration-directory [ timeout +
    • shorewall try configuration-directory [ timeout ] - Restart shorewall using the specified configuration and if an error occurs or if the timeout option is given and the new configuration has been up for that many seconds then shorewall is @@ -162,121 +162,121 @@ restarted using the standard configuration.
    • shorewall logwatch (added in version 1.3.2) - Monitors the LOGFILE and produces an audible alarm when new Shorewall messages are logged.
      • - +
    - Finally, the "shorewall" program may be used to dynamically alter + Finally, the "shorewall" program may be used to dynamically alter the contents of a zone.
    - +
    • shorewall add interface[:host] zone - Adds the specified interface (and host if included) to the specified zone.
      • -
    • shorewall delete interface[:host] zone - - Deletes the specified interface (and host if included) from the specified +
    • shorewall delete interface[:host] zone - + Deletes the specified interface (and host if included) from the specified zone.
      • - +
    - +
    Examples:
    - +
    shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
    - shorewall delete ipsec0:192.0.2.24 -vpn1 -- deletes the address 192.0.2.24 from interface ipsec0 + shorewall delete ipsec0:192.0.2.24 +vpn1 -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1
    - - -

    The shorewall start, shorewall restart, shorewall check, and + + +

    The shorewall start, shorewall restart, shorewall check, and shorewall try commands allow you to specify which Shorewall configuration + href="configuration_file_basics.htm#Configs"> Shorewall configuration to use:

    - - -
    - - + + +
    + +

    shorewall [ -c configuration-directory ] {start|restart|check}
    shorewall try configuration-directory

    - - -

    If a configuration-directory is specified, each time that Shorewall - is going to use a file in /etc/shorewall it will first look in the -configuration-directory . If the file is present in the configuration-directory, -that file will be used; otherwise, the file in /etc/shorewall will be + + +

    If a configuration-directory is specified, each time that Shorewall + is going to use a file in /etc/shorewall it will first look in the +configuration-directory . If the file is present in the configuration-directory, +that file will be used; otherwise, the file in /etc/shorewall will be used.

    - - - - + + + +

    When changing the configuration of a production firewall, I recommend the following:

    - - - - + + + +
      - +
    • mkdir /etc/test
      • - +
    • cd /etc/test
      • - -
    • <copy any files that you need to change from + +
    • <copy any files that you need to change from /etc/shorewall to . and change them here>
    • shorewall -c . check
    • <correct any errors found by check and check again>
      • - - + +
    • /sbin/shorewall try .
      • - +
    - - + +

    If the configuration starts but doesn't work, just "shorewall restart" to restore the old configuration. If the new configuration fails to start, the "try" command will automatically start the old one for you.

    - - - - + + + +

    When the new configuration works then just

    - - - - + + + +
      - +
    • cp * /etc/shorewall
      • - +
    • cd
      • - +
    • rm -rf /etc/test
      • - +
    - - - - + + + +

    The Shorewall State Diargram is depicted below.

    - +
    (State Diagram)
    - +

     

    - You will note that the commands that result in state transitions -use the word "firewall" rather than "shorewall". That is because the actual - transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall + You will note that the commands that result in state transitions +use the word "firewall" rather than "shorewall". That is because the actual + transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall on Debian); /sbin/shorewall runs 'firewall" according to the following table:

    - + @@ -323,16 +323,16 @@ use the word "firewall" rather than "shorewall". That is because the actual If timeout then firewall restart (standard configuration)
    - - + +

    - -

    Updated 2/27/2003 - Tom Eastep + +

    Updated 2/27/2003 - Tom Eastep

    - - - + + +

    Copyright © 2001, 2002, 2003 Thomas M. Eastep.

    diff --git a/Shorewall-docs/support.htm b/Shorewall-docs/support.htm index 203d346b4..eae1129ef 100644 --- a/Shorewall-docs/support.htm +++ b/Shorewall-docs/support.htm @@ -1,91 +1,91 @@ - - - + + + - - - + + + Shorewall Support Guide - - + + - - - - - + + + +
    - - - - - + + + + + +

    Shorewall Support Guide

    - - + +

    Before Reporting a Problem or Asking a Question

    - There are a number + There are a number of sources of Shorewall information. Please try these before you post. - - + +
      -
    • More than half of the questions posted - on the support list have answers directly accessible from the +
    • More than half of the questions posted + on the support list have answers directly accessible from the Documentation Index
    • The FAQ has solutions to more than 20 common problems.
      • - +
    • The Troubleshooting Information contains - a number of tips to help you solve common problems. + a number of tips to help you solve common problems.
      • - +
    • The Errata has links to download updated + href="errata.htm"> Errata has links to download updated components.
      • - +
    • The Site and Mailing List Archives search facility can locate documents and posts about similar problems:
      • - +
    - - + +

    Site and Mailing List Archive Search

    - -
    + +
    Match: - + - Format: + Format: - Sort by: + Sort by: Include Mailing - List Archives: + type="hidden" name="restrict" value=""> Include Mailing + List Archives: