Shorewall-1.4.1

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@519 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-03-23 18:47:54 +00:00
parent 8377f70bc7
commit c68ecd14e7
94 changed files with 21164 additions and 20883 deletions


@ -1,66 +1,9 @@
Changes since 1.3.14 Changes since 1.4.0
1. All versions changed to 1.4. 1. Implement NONE policy.
2. Rework of error message generation to make the 'firewall' script 2. Never create rules for <iface>:<subnet> to itself.
smaller.
3. Deimplemented MERGE_HOSTS=No. 3. Always allow intrazone traffic.
4. Generate error for <dev>:<integer> name in interfaces file. 4. Correct building of ECN interface list under ash.
5. Deimplement old ping handling.
6. Deimplement 'routestopped' interface/hosts option.
7. Strip comments from potentially large files while the firewall is
still up and running during 'restart'.
8. Disallow the old port forwarding/redirection syntax.
9. Reorganize shorewall.conf.
10. Added support for LOG target.
11. Move firewall and version (one more time....)
12. Add late DNS reply rule to the common chain.
12. Corrected rule number calculation problem in 'shorewall add' command
processing.
13. Update Documentation for 1.4
14. Remove icmp.def file.
15. Added CONTINUE rule target.
16. Added Andrew Zhoglo's fix for logunclean.
17. Removed 'multi' option.
18. Support 802.11b devices with maclist.
19. Don't detect loopback simply by name.
20. Removed trailing white space from all files.
21. Improved parsing of comma-separated lists.
22. Add ECN Removal support
23. Add TCP ports 445 and 139 to the common silent list.
24. Remove 'check' command support.
25. Restore 'check' command support.
26. Remove unused function find_interface_broadcasts()
27. Remove stale comments in the params file.
28. Silently drop INVALID state packets
29. Ignore the 'default' route when detecting masq'd networks.
30. REALLY process the params file first now (honest).
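Review bot: items 1 and 3 of the new "Changes since 1.4.0" list ("Implement NONE policy" and "Always allow intrazone traffic") change which traffic the generated ruleset permits, yet each is a single clause with no statement of the previous behaviour or of whether existing policy and rules entries for traffic within a zone are affected; a changelog reader cannot tell from "Always allow intrazone traffic" whether rules they have written for same-zone traffic still apply. Suggest one sentence per item describing the old and new behaviour, plus a pointer to upgrade_issues.htm, which the install page in this same commit already links.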

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -15,13 +15,13 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and <h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1> Upgrade</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -30,13 +30,13 @@
href="upgrade_issues.htm">Upgrade Issues</a></b></p> href="upgrade_issues.htm">Upgrade Issues</a></b></p>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br> <p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br> <a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br> </a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br> <a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br> <a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br> </a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br> <a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p> <a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p> <p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
@ -48,20 +48,33 @@
attempting to start Shorewall.</b></p> attempting to start Shorewall.</b></p>
<ul> <ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br> <li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br> <br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm <b>Note1: </b>Some SuSE users have encountered a problem whereby
reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel is rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
installed. If this happens, simply use the --nodeps option to rpm (rpm is installed. If this happens, simply use the --nodeps option to rpm
-ivh --nodeps &lt;shorewall rpm&gt;).</li> (rpm -ivh --nodeps &lt;shorewall rpm&gt;).<br>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match <br>
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the installation of Shorewall to fail with the
diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh --nodeps
&lt;shorewall rpm&gt;).<br>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE
RESTORE NETWORK CONNECTIVITY.</b></font></li> NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
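Review bot: the workaround in the new Note2 ("rpm -ivh --nodeps <shorewall rpm>") disables all of rpm's dependency checking, not only the iproute/iproute2 naming mismatch it is meant to sidestep, so the note should tell the reader to confirm first that the ip utility is actually installed (whatever the distribution calls the package) before forcing the install; otherwise the "FIREWALL FAILS TO START" situation in the red warning just below becomes likely. Minor: the quoted diagnostic names shorewall-1.4.0-1 while this commit is Shorewall-1.4.1, so a version placeholder would keep the text from going stale.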
@ -69,122 +82,132 @@ RESTORE NETWORK CONNECTIVITY.</b></font></li>
and install script: </p> and install script: </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li> directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type <li>If you are using <a href="http://www.suse.com">SuSe</a> then
"./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match <li>Edit the <a href="#Config_Files"> configuration files</a> to
your configuration.</li> match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to be <li>If the install script was unable to configure Shorewall to be
started automatically at boot, see <a started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li> href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul> </ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file disk, simply replace the "shorwall.lrp" file on the image with the file that
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p> Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p> and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
and you have entries in the /etc/shorewall/hosts file then please check or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the 1.2 rule forms that are no longer supported under 1.4 (you must use the new
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.</p>
details.</p>
<ul> <ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0 </b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g., Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
"rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby <p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm is installed. If this happens, simply use the --nodeps option to rpm (rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br> -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
  </p> <br>
</li> <b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent on
<li>See if there are any incompatibilities between your configuration the iproute package. Unfortunately, some distributions call this package iproute2
and the new Shorewall version (type "shorewall check") and correct as necessary.</li> which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<li>Restart the firewall (shorewall restart).</li> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;). </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul> </ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed <p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
and are upgrading to a new version using the tarball:</p> are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
and you have entries in the /etc/shorewall/hosts file then please check you have entries in the /etc/shorewall/hosts file then please check your
your /etc/shorewall/interfaces file to be sure that it contains an entry /etc/shorewall/interfaces file to be sure that it contains an entry for
for each interface mentioned in the hosts file.  Also, there are certain each interface mentioned in the hosts file.  Also, there are certain 1.2
1.2 rule forms that are no longer supported under 1.4 (you must use the rule forms that are no longer supported under 1.4 (you must use the new
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
for details. </p> details. </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the <li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li> directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a <li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li> href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type <li>If you are using<a href="http://www.suse.com"> SuSe</a> then
"./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script installs init scripts and type "./install.sh &lt;init script
directory&gt;</li> directory&gt;</li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as necessary.</li> and the new Shorewall version (type "shorewall check") and correct as
<li>Restart the firewall by typing "shorewall restart"</li> necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul> </ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering <a name="LRP_Upgrade"></a>If you already have a running Bering
installation and wish to upgrade to a later version of Shorewall:<br> installation and wish to upgrade to a later version of Shorewall:<br>
<br> <br>
    <b>UNDER CONSTRUCTION...</b><br>     <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3> <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match <p>You will need to edit some or all of the configuration files to match
your setup. In most cases, the <a your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a> QuickStart Guides</a> contain all of the information you need.</p>
contain all of the information you need.</p>
<ul> <ul>
</ul> </ul>
<p><font size="2">Updated 2/27/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="2">Updated 3/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>
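Review bot: Note2 in the "Upgrade using RPM" list is a verbatim copy of the Note2 in the install section (only "installation"/"upgrade" and -ivh/-Uvh differ), so the same point applies here: say that the reader should verify the ip utility is present before running "rpm -Uvh --nodeps <shorewall rpm>", and consider a single shared note rather than two copies that must be kept in sync. Unchanged lines in this hunk worth fixing while the file is open: "shorwall.lrp" in the Bering paragraph is misspelled; the example directory name "shorewall-3.0.1" in the tarball upgrade steps does not match the "shorewall-1.1.10" used in the install steps; and the "Note:" about 1.2.0 Beta RPMs and "--oldpackage" is stale for a 1.4 release.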

File diff suppressed because it is too large


@ -17,163 +17,174 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Proxy ARP</font></h1> <h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers <p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet. without changing their IP addresses and without having to re-subnet.
Before you try to use this technique, I strongly recommend that you read the Before you try to use this technique, I strongly recommend that you read
<a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p> the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a Proxy ARP environment.</p> <p>The following figure represents a Proxy ARP environment.</p>
<blockquote> <blockquote>
<p align="center"><strong> <img src="images/proxyarp.png" <p align="center"><strong> <img src="images/proxyarp.png"
width="519" height="397"> width="519" height="397">
</strong></p> </strong></p>
<blockquote> </blockquote> <blockquote> </blockquote>
</blockquote> </blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses <p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*) 130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.  Assuming that the upper firewall interface is eth0 and the subnet.  Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries lower interface is eth1, this is accomplished using the following entries
in /etc/shorewall/proxyarp:</p> in /etc/shorewall/proxyarp:</p>
<blockquote> <blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ADDRESS</b></td> <td><b>ADDRESS</b></td>
<td><b>INTERFACE</b></td> <td><b>INTERFACE</b></td>
<td><b>EXTERNAL</b></td> <td><b>EXTERNAL</b></td>
<td><b>HAVEROUTE</b></td> <td><b>HAVEROUTE</b></td>
</tr> </tr>
<tr> <tr>
<td>130.252.100.18</td> <td>130.252.100.18</td>
<td>eth1</td> <td>eth1</td>
<td>eth0</td> <td>eth0</td>
<td>no</td> <td>no</td>
</tr> </tr>
<tr> <tr>
<td>130.252.100.19</td> <td>130.252.100.19</td>
<td>eth1</td> <td>eth1</td>
<td>eth0</td> <td>eth0</td>
<td>no</td> <td>no</td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19  <p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19 
in the above example) are not included in any specification in /etc/shorewall/masq in the above example) are not included in any specification in /etc/shorewall/masq
or /etc/shorewall/nat.</p> or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is <p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
irrelevant. </p> irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their <p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that subnet mask and default gateway configured exactly the same way that
the Firewall system's eth0 is configured.</p> the Firewall system's eth0 is configured. In other words, they should
be configured just like they would be if they were parallel to the firewall
rather than behind it.<br>
</p>
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
(130.252.100.18 and 130.252.100.19 in the above example)  to the external
interface (eth0 in this example) of the firewall.</b></font><br>
</p>
<div align="left"> </div>
<div align="left"> <div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure <p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet. probably be HOURS before that system can communicate with the internet.
There are a couple of things that you can try:<br> There are a couple of things that you can try:<br>
</p> </p>
<ol> <ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated, <li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
Vol 1</i> reveals that a <br> Vol 1</i> reveals that a <br>
<br> <br>
"gratuitous" ARP packet should cause the ISP's router to refresh their ARP "gratuitous" ARP packet should cause the ISP's router to refresh their
cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
address for its own IP; in addition to ensuring that the IP address isn't MAC address for its own IP; in addition to ensuring that the IP address isn't
a duplicate...<br> a duplicate...<br>
<br> <br>
"if the host sending the gratuitous ARP has just changed its hardware address..., "if the host sending the gratuitous ARP has just changed its hardware
this packet causes any other host...that has an entry in its cache for the address..., this packet causes any other host...that has an entry in its
old hardware address to update its ARP cache entry accordingly."<br> cache for the old hardware address to update its ARP cache entry accordingly."<br>
<br> <br>
Which is, of course, exactly what you want to do when you switch a host Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP (or from being exposed to the Internet to behind Shorewall using proxy ARP (or
static NAT for that matter). Happily enough, recent versions of Redhat's static NAT for that matter). Happily enough, recent versions of Redhat's
iputils package include "arping", whose "-U" flag does just that:<br> iputils package include "arping", whose "-U" flag does just that:<br>
<br> <br>
    <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly proxied     <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly
IP&gt;</i></b></font><br> proxied IP&gt;</i></b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>     <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
<br> <br>
Stevens goes on to mention that not all systems respond correctly to gratuitous Stevens goes on to mention that not all systems respond correctly to gratuitous
ARPs, but googling for "arping -U" seems to support the idea that it works ARPs, but googling for "arping -U" seems to support the idea that it works
most of the time.<br> most of the time.<br>
<br> <br>
To use arping with Proxy ARP in the above example, you would have to:<br> To use arping with Proxy ARP in the above example, you would have to:<br>
<br> <br>
<font color="#009900"><b>    shorewall clear<br> <font color="#009900"><b>    shorewall clear<br>
</b></font>    <font color="#009900"><b>ip addr add 130.252.100.18 dev </b></font>    <font color="#009900"><b>ip addr add 130.252.100.18
eth0<br> dev eth0<br>
    ip addr add 130.252.100.19 dev eth0</b></font><br>     ip addr add 130.252.100.19 dev eth0</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>     <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>     <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
    <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>     <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
    ip addr del 130.252.100.19 dev eth0<br>     ip addr del 130.252.100.19 dev eth0<br>
    shorewall start</font></b><br>     shorewall start</font></b><br>
<br> <br>
</li> </li>
<li>You can call your ISP and ask them to purge the stale ARP cache <li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li> entry but many either can't or won't purge individual entries.</li>
</ol> </ol>
You can determine if your ISP's gateway ARP cache is stale using ping You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale and tcpdump. Suppose that we suspect that the gateway router has a stale
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div> ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
<div align="left"> <div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre> <pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we <p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
will assume is 130.252.100.254):</p> will assume is 130.252.100.254):</p>
</div> </div>
<div align="left"> <div align="left">
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre> <pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">We can now observe the tcpdump output:</p> <p align="left">We can now observe the tcpdump output:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre> <pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Notice that the source MAC address in the echo request is <p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57 case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the was the MAC address of the system on the lower left. In other words, the
gateway's ARP cache still associates 130.252.100.19 with the NIC in that gateway's ARP cache still associates 130.252.100.19 with the NIC in that
system rather than with the firewall's eth0.</p> system rather than with the firewall's eth0.</p>
</div> </div>
<p><font size="2">Last updated 1/26/2003 - </font><font size="2"> <a <p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font <a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>
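Review bot: the new red NOTE ("Do not add the Proxy ARP'ed address(es) ... to the external interface (eth0 in this example) of the firewall") reads as contradicting the arping procedure later in the same file, which has the reader run "ip addr add 130.252.100.18 dev eth0", "arping -U -I eth0 130.252.100.18" and then "ip addr del 130.252.100.18 dev eth0"; add a clause that the NOTE is about the permanent interface configuration and that the arping steps add the addresses only for the duration of the gratuitous ARP and remove them again. That procedure also brackets the steps with "shorewall clear" and "shorewall start", and since the install page in this commit describes "shorewall clear" as the command that restores connectivity when the firewall is down, a sentence noting that the host is unfiltered between those two commands would help the reader keep that window short. Unchanged in this hunk but wrong: "130.242.100.18" in the "Be sure that the internal systems" paragraph should be 130.252.100.18 to match the proxyarp table.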


@ -13,183 +13,155 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1> <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<h2>Background</h2> <h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br> treats them more or less like real interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i> The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as addresses. The ip utility does provide for interaction addresses on an interface as objects. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled.</i> <br> with ifconfig in that it allows addresses to be <i>labeled </i>and labels
<br> may take the form of ipconfig virtual interfaces.<br>
Example:<br> <br>
<br> Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0"<br> Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0"
is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre> <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow "-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br> them to be used in the /etc/shorewall/interfaces file.<br>
<br> <br>
<h2>So how do I handle more than one address on an interface?</h2> <h2>So how do I handle more than one address on an interface?</h2>
Depends on what you are trying to do with the interfaces. In the sub-sections The answer depends on what you are trying to do with the interfaces.
that follow, we'll take a look at common scenarios.<br> In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3> <h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself only If you need to make a rule for traffic to/from the firewall itself that
apply to a particular IP address, simply qualify the $FW zone with the IP only applies to a particular IP address, simply qualify the $FW zone with
address.<br> the IP address.<br>
<br> <br>
Example (allow SSH from net to eth0:0 above):<br> Example (allow SSH from net to eth0:0 above):<br>
<br> <br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top">net<br> <td valign="top"><br>
</td> </td>
<td valign="top">fw:206.124.146.178<br> </tr>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>DNAT</h3> <h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at 192.168.1.3. from that virtual interface to a web server running in my local zone at
That is accomplised by a single rule in the /etc/shorewall/rules file:<br> 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
<br> file:<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">DNAT<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">loc:192.168.1.3<br> <td valign="top">loc:192.168.1.3<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>SNAT</h3> <h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br> from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br> <br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
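Review bot: the new Background sentence "labels may take the form of ipconfig virtual interfaces" has a typo; the utility is ifconfig, as used everywhere else in this section. Separately, the "Separate Rules" example is introduced as "allow SSH from net to eth0:0 above" but the rule uses ACTION DNAT with DESTINATION fw:206.124.146.178 and no ORIGINAL DESTINATION, which rewrites the destination rather than simply permitting the connection; ACCEPT looks intended, matching the later SSH example in this file that uses ACCEPT net loc:192.168.1.3 tcp 22. Pre-existing typos worth fixing while these lines are being touched: "virtial" (should be "virtual"), "either it's" (should be "its"), and "accomplised" (should be "accomplished").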
@ -203,7 +175,7 @@ column as follows:<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">eth0:0<br> <td valign="top">eth0<br>
</td> </td>
<td valign="top">eth1<br> <td valign="top">eth1<br>
</td> </td>
@ -215,51 +187,42 @@ column as follows:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set
<h3>STATIC NAT</h3> ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, 1.3.14, Shorewall can actually create the "label" (virtual interface) so
you would have the following in /etc/shorewall/nat:<br> that you can see the created address using ifconfig. In addition to setting
<br> ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>EXTERNAL<br> <td valign="top"><b>INTERFACE<br>
</b></td> </b></td>
<td valign="top"><b>INTERFACE<br> <td valign="top"><b>SUBNET<br>
</b></td> </b></td>
<td valign="top"><b>INTERNAL<br> <td valign="top"><b>ADDRESS<br>
</b></td> </b></td>
<td valign="top"><b>ALL INTERFACES<br> </tr>
</b></td> <tr>
<td valign="top"><b>LOCAL<br> <td valign="top">eth0:0<br>
</b></td> </td>
</tr> <td valign="top">eth1<br>
<tr> </td>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
<td valign="top">eth0<br> </tr>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall <h3>STATIC NAT</h3>
1.3.14, Shorewall can actually create the "label" (virtual interface) so If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
that you can see the created address using ifconfig. In addition to setting you would have the following in /etc/shorewall/nat:<br>
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE <br>
column as follows:<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -279,7 +242,7 @@ column as follows:<br>
<tr> <tr>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
<td valign="top">eth0:0<br> <td valign="top">eth0<br>
</td> </td>
<td valign="top">192.168.1.3<br> <td valign="top">192.168.1.3<br>
</td> </td>
@ -292,184 +255,114 @@ column as follows:<br>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
In either case, to create rules that pertain only to this NAT pair, you Shorewall can create the alias (additional address) for you if you set
simply qualify the local zone with the internal IP address.<br> ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
<br> 1.3.14, Shorewall can actually create the "label" (virtual interface) so
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.<br> that you can see the created address using ifconfig. In addition to setting
<br> ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0:0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top">net<br> <td valign="top"><br>
</td> </td>
<td valign="top">loc:192.168.1.3<br> </tr>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>MULTIPLE SUBNETS</h3> <h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative privileges between the subnetworks if the users of the systems have administrative
because in that case, the users can simply manipulate their system's routing privileges because in that case, the users can simply manipulate their system's
table to bypass your firewall/router. Nevertheless, there are cases where routing table to bypass your firewall/router. Nevertheless, there are cases
you simply want to consider the LAN segment itself as a zone and allow your where you simply want to consider the LAN segment itself as a zone and allow
firewall/router to route between the two subnetworks.<br> your firewall/router to route between the two subnetworks.<br>
<br> <br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br> subnetworks.<br>
<br>
In /etc/shorewall/interfaces:<br>
<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr> <tr>
<td valign="top"><b>ZONE<br> <td valign="top"><b>ZONE<br>
</b></td> </b></td>
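Review bot: the new version-specific heading reads "If you are running Shorewall 1.4.1 or Later" while its counterpart later in the file reads "If you are running Shorewall 1.4.0 or earlier"; capitalize "Later"/"earlier" the same way in both. Also, the h4 headings split only Example 1 by version, but nothing after the "1.4.0 or earlier" sub-section signals that Example 2 applies to all versions; a short lead-in sentence before Example 2 would keep it from reading as part of the 1.4.0-or-earlier sub-section.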
@ -487,18 +380,54 @@ privileges).<br>
</td> </td>
<td valign="top">192.168.1.255,192.168.20.255<br> <td valign="top">192.168.1.255,192.168.20.255<br>
</td> </td>
<td valign="top">Note 1:<br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br> <br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
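Review bot: the new /etc/shorewall/hosts entries for the 1.4.1 version of Example 1 reference eth0 (eth0:192.168.1.0/24 and eth0:192.168.20.0/24), but Example 1 states that the local interface carrying both subnets is eth1, and the interfaces entry above lists eth1; these should read eth1:192.168.1.0/24 and eth1:192.168.20.0/24. Please also confirm the ZONE column of the interfaces entry in this case: if it is loc rather than "-" (as Example 2 uses when membership comes from the hosts file), the hosts entries duplicate membership the interfaces entry already provides.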
@ -506,7 +435,9 @@ privileges).<br>
<tr> <tr>
<td valign="top"><b>ZONE<br> <td valign="top"><b>ZONE<br>
</b></td> </b></td>
<td valign="top"><b>HOSTS<br> <td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td> </b></td>
<td valign="top"><b>OPTIONS<br> <td valign="top"><b>OPTIONS<br>
</b></td> </b></td>
@ -514,15 +445,47 @@ privileges).<br>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.1.0/24<br> <td valign="top">eth1<br>
</td> </td>
<td valign="top"><br> <td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td> </td>
</tr> </tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr> <tr>
<td valign="top">loc2<br> <td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.20.0/24<br> <td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
@ -530,20 +493,129 @@ privileges).<br>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the access
between them (the users of the systems do not have administrative privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br> <br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that
you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/5/2003 A - <a <blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/22/2003 A - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> <br>
</p> </p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>
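Review bot: same interface mismatch in Example 2: the hosts entries use eth0:192.168.1.0/24 and eth0:192.168.20.0/24 while the example text and the interfaces entry both name eth1, so these should be eth1:192.168.1.0/24 and eth1:192.168.20.0/24. Since Example 2 now follows the "If you are running Shorewall 1.4.0 or earlier" h4 with no heading of its own, add a heading or a sentence stating that it applies to all versions.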

View File

@ -24,14 +24,14 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
@ -40,61 +40,64 @@
<p align="center"> <b><u>IMPORTANT</u></b></p> <p align="center"> <b><u>IMPORTANT</u></b></p>
<ol> <ol>
<li> <li>
<p align="left"> <b><u>I</u>f you use a Windows system to download <p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/" <a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved style="text-decoration: none;"> dos2unix</a></u> after you have moved
it to your Linux system.</b></p> it to your Linux system.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can <p align="left"> <b>If you are installing Shorewall for the first
untar the archive, replace the 'firewall' script in the untarred directory time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p> with the one you downloaded below, and then run install.sh.</b></p>
</li> </li>
<li> <li>
<p align="left"> <b>When the instructions say to install a corrected <p align="left"> <b>When the instructions say to install a corrected
firewall script in /usr/share/shorewall/firewall, you may firewall script in /usr/share/shorewall/firewall, you may
rename the existing file before copying in the new file.</b></p> rename the existing file before copying in the new file.</b></p>
</li> </li>
<li> <li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS <p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running For example, do NOT install the 1.3.9a firewall script if you are running
1.3.7c.</font></b><br> 1.3.7c.</font></b><br>
</p> </p>
</li> </li>
</ol> </ol>
<ul> <ul>
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li> <li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
<li><b><a href="#V1.4">Problems in Version 1.4</a></b><br> <li><b><a href="#V1.4">Problems in Version 1.4</a></b><br>
</li> </li>
<li> <b><a <li> <b><a
href="errata_3.html">Problems in Version 1.3</a></b></li> href="errata_3.html">Problems in Version 1.3</a></b></li>
<li> <b><a <li> <b><a
href="errata_2.htm">Problems in Version 1.2</a></b></li> href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li> <b><font <li> <b><font
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li> color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li> <b><font <li> <b><font
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3 color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li> on RH7.2</a></font></b></li>
<li> <b><a <li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
RedHat iptables</a></b></li> iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading <li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li> RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables <li><b><a href="#Multiport">Problems with iptables
version 1.2.7 and MULTIPORT=Yes</a></b></li> version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 <li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10
and NAT</a></b><br> and NAT</a></b><br>
</li> </li>
</ul> </ul>
@ -103,7 +106,16 @@ and NAT</a></b><br>
<h3></h3> <h3></h3>
None.
<h3>1.4.0</h3>
<ul>
<li>When running under certain shells Shorewall will attempt to create
ECN rules even when /etc/shorewall/ecn is empty. You may either just remove
/etc/shorewall/ecn or you can install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.4.0/firewall">this
correct script</a> in /usr/share/shorewall/firewall as described above.<br>
</li>
</ul>
<hr width="100%" size="2"> <hr width="100%" size="2">
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2> <h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
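Review bot: the new 1.4.0 errata item says "install this correct script"; elsewhere on this page the wording is "corrected script", so use that. "When running under certain shells" is vague for an errata entry; name the shell(s) under which the empty /etc/shorewall/ecn file triggers ECN rule creation so readers can tell whether they are affected. The empty &lt;h3&gt;&lt;/h3&gt; left above the new "1.4.0" heading (where "None." was removed) should be dropped as well.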
@ -117,51 +129,51 @@ and NAT</a></b><br>
<blockquote> <blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that <p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat prevent it from working with Shorewall. Regrettably,
released this buggy iptables in RedHat 7.2. </p> RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a <p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p> <b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat <p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can has released an iptables-1.2.4 RPM of their own which you can
download from<font color="#ff6633"> <a download from<font color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>. href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works </font>I have installed this RPM on my firewall and it works
fine.</p> fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself, <p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification which corrects a problem with parsing of the --log-level specification
while this <a while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a> href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p> corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p> <p align="left">To install one of the above patches:</p>
<ul> <ul>
<li>cd iptables-1.2.3/extensions</li> <li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li> <li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul> </ul>
</blockquote> </blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 <h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3> and RedHat iptables</h3>
<blockquote> <blockquote>
@ -172,74 +184,81 @@ download from<font color="#ff6633"> <a
<blockquote> <blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre> <pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote> </blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the <p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by the Netfilter 'mangle' table. You can correct the problem by
installing <a installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm"> href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option to of iptables, you will need to specify the --oldpackage option
rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p> to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote> </blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading <h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3> RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict <p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to installed, simply use the "--nodeps" option to
rpm.</p> rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p> <p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with <h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3> iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made <p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to an incompatible change to the syntax used to
specify multiport match rules; as a consequence, specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p> Shorewall 1.3.7a or later or:</p>
<ul> <ul>
<li>set MULTIPORT=No <li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf; or </li> in /etc/shorewall/shorewall.conf; or </li>
<li>if you are running <li>if you are running
Shorewall 1.3.6 you may install Shorewall 1.3.6 you may install
<a <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall"> href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li> as described above.</li>
</ul> </ul>
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br> <h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3> </h3>
/etc/shorewall/nat entries of the following form will result /etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br> in Shorewall being unable to start:<br>
<br> <br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br> Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre> <pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support The solution is to put "no" in the LOCAL column. Kernel
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled support for LOCAL=yes has never worked properly and 2.4.18-10 has
it. The 2.4.19 kernel contains corrected support under a new kernel configuraiton disabled it. The 2.4.19 kernel contains corrected support under a new
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br> kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 2/8/2003 - <p><font size="2"> Last updated 3/21/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br> <br>
</body> </body>
</html> </html>
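Review bot: the example command in the RedHat iptables paragraph is wrong on both sides of the diff: the sentence describes an option to rpm, but the example reads "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm"; it should be "rpm -Uvh --oldpackage iptables-1.2.5-1.i386.rpm". The same paragraph links a replacement iptables RPM over plain http without mentioning a checksum or GPG signature; since this replaces a root-privileged binary, advise readers to verify it with "rpm --checksig" before installing. In the NAT paragraph, "configuraiton" should be "configuration".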

@ -17,88 +17,93 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1> <h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>"The configuration is intuitive and flexible, and much easier than any
of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA</p>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables <p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br> and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
</p> </p>
"My case was almost like [the one above]. Well. instead of 'weeks' it was "My case was almost like [the one above]. Well. instead of 'weeks' it was
'months' for me, and I think I needed two minutes more:<br> 'months' for me, and I think I needed two minutes more:<br>
<ul> <ul>
<li>One to see that I had no Internet access from the firewall itself.</li> <li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was enough <li>Other to see that this was the default configuration, and it was
to uncomment a line in /etc/shorewall/policy.<br> enough to uncomment a line in /etc/shorewall/policy.<br>
</li> </li>
</ul> </ul>
Minutes instead of months! Congratulations and thanks for such a simple Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain. and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without <p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your any problems. Your documentation is great and I really appreciate
network configuration info. That really helped me out alot. THANKS!!!" your network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p> -- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall <p>"[Shorewall is a] great, great project. I've used/tested may firewall
scripts but this one is till now the best." -- B.R, Netherlands scripts but this one is till now the best." -- B.R, Netherlands
</p> </p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone <p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p> involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest <p>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now have release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
7 machines up and running with shorewall on several versions - starting have 7 machines up and running with shorewall on several versions -
with 1.2.2 up to the new 1.2.9 and I never have encountered any problems!" starting with 1.2.2 up to the new 1.2.9 and I never have encountered
-- SM, Germany</p> any problems!" -- SM, Germany</p>
<p>"You have the best support of any other package I've ever used." <p>"You have the best support of any other package I've ever used."
-- SE, US </p> -- SE, US </p>
<p>"Because our company has information which has been classified by the <p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld by by checkpoint, some of them are running....Shorewall." -- Name withheld
request, Europe</p> by request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands <p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</p> flexibillity, quality &amp; support" -- RM, Austria</p>
<p>"I have never seen such a complete firewall package that is so easy to <p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and configure. I searched the Debian package system for firewall scripts and
Shorewall won hands down." -- RG, Toronto</p> Shorewall won hands down." -- RG, Toronto</p>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it <p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about 30 is a wonderful piece of software. I've just sent out an email to about
people recommending it. :-)<br> 30 people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall, scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes." with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br> -- RP, Guatamala<br>
<br> <br>
 </p>  </p>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 10/9/2002 <p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 3/18/2003
- <a href="support.htm">Tom Eastep</a> </font> - <a href="support.htm">Tom Eastep</a> </font>
</p> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
</body> </body>
</html> </html>
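Review bot: in the attribution line of the RP quote near the end of the hunk, "Guatamala" should be "Guatemala"; the attribution is the page's own text, not the quoted user's words. The newly added BC, USA quote at the top of the hunk carries no version or date, unlike several of the other quotes that name a Shorewall release; adding one would keep the list consistent.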

@ -17,7 +17,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -28,11 +28,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
@ -49,18 +49,19 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><a </a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1" href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4" src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4"> alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<small><small><small><small><a <small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big>
<div align="center"> <div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
</div> </div>
<p><a href="http://www.shorewall.net" target="_top"> <p><a href="http://www.shorewall.net" target="_top">
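Review bot: the logo alt text at the top of the hunk reads "Shorwall Logo" and should be "Shorewall Logo". The empty anchor wrapped in four nested <small> elements followed by an empty <big></big> (the two lines before the centered <div>) renders nothing and looks like editor residue; remove it rather than carry it into 1.4.1.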
@ -78,14 +79,14 @@
<div align="center"><a href="http://1.3/index.htm" target="_top"><font <div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                   color="#ffffff">Shorewall 1.3 Site is here</font></a>                  
            <br>             <br>
</div> </div>
</td> </td>
</tr> </tr>
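Review bot: changing the href from "http://1.3/index.htm" to "1.3" fixes a dead absolute URL, but a bare directory link depends on the web server issuing a redirect to "1.3/"; use "1.3/" or "1.3/index.htm" so the link resolves on mirrors as well as on the main site. The long run of non-breaking spaces after the link is layout padding and can be dropped.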
@ -106,11 +107,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -154,26 +155,26 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free 2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br> Software Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br> for more details.<br>
<br> <br>
You should have received You should have received
a copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write along with this program; if not, write
to the Free Software Foundation, Inc., 675 to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p> Mass Ave, Cambridge, MA 02139, USA</p>
@ -205,14 +206,15 @@ to the Free Software Foundation, Inc., 675
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo </a>Jacques Nilo
and Eric Wolzak have a LEAF (router/firewall/gateway and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
@ -221,290 +223,68 @@ to the Free Software Foundation, Inc., 675
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br> Bering 1.1!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
<h2>News</h2> <h2>News</h2>
<p><b>3/17/2003 - Shorewall 1.4.0 </b><b> </b><b><img <p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p> </b><b> </b></p>
Shorewall 1.4 represents This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
the next step in the evolution of Shorewall. The main thrust of the and removes additional warts.<br>
initial release is simply to remove the cruft that has accumulated in <br>
Shorewall over time. <br> <b>Problems Corrected:</b><br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version
include:<br>
<ol> <ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported. <li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br> it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
<br> file is empty. That problem has been corrected so that ECN disabling rules
</li> are only added if there are entries in /etc/shorewall/ecn.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
</li>
</ol> </ol>
Changes for 1.4 include:<br> <b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<ol> <ol>
<li>The /etc/shorewall/shorewall.conf file has been completely <li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
reorganized into logical sections.<br> one group<i> </i>then if there is no explicit Z to Z policy and there are
<br> no rules governing traffic from Z to Z then Shorewall will permit all traffic
</li> between the groups in the zone.</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br> <li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
<br> to handle traffic from a group to itself.</li>
</li> <li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
<li>The firewall script, common functions file and version file specified from Z1 to Z2:</li>
are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if
you want to 'ping' from the firewall, you will need the appropriate rule
or policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
a) You must be running kernel 2.4.20<br>
b) You must have applied the patch in<br>
http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<br>
</li>
<li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br>
</li>
<li>The SHARED_DIR variable has been removed from shorewall.conf.
This variable was for use by package maintainers and was not documented
for general use.<br>
<br>
</li>
<li>Shorewall now ignores 'default' routes when detecting masq'd
networks.<br>
</li>
</ol> </ol>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>A roleup of the following bug fixes and other updates:</p>
<ul> <ul>
<li>There is an updated rfc1918 file that reflects the resent <li>There may be no rules created that govern connections from Z1
allocation of 222.0.0.0/8 and 223.0.0.0/8.</li> to Z2.</li>
<li>The documentation for the routestopped file claimed that a <li>Shorewall will not create any infrastructure to handle traffic
comma-separated list could appear in the second column while the code from Z1 to Z2.</li>
only supported a single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. 802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate
limited.</li>
<li>The firewall fails to start in the case
where you have "eth0 eth1" in /etc/shorewall/masq and the default route
is through eth1.</li>
</ul> </ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.<br>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p>
<ol>
<li>An OLD_PING_HANDLING option has been added
to shorewall.conf. When set to Yes, Shorewall ping handling is
as it has always been (see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
via rules and policies just like any other connection request.
The FORWARDPING=Yes option in shorewall.conf and the 'noping' and
'filterping' options in /etc/shorewall/interfaces will all generate
an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create
a "label" such as "eth0:0" for IP addresses that it creates under
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
the label instead of just the interface name:<br>
<br>
a) In the INTERFACE column of /etc/shorewall/masq<br>
b) In the INTERFACE column of /etc/shorewall/nat<br>
</li>
<li>Support for OpenVPN Tunnels.<br>
<br>
</li>
<li>Support for VLAN devices with names of the
form $DEV.$VID (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may
be optionally followed by ":" and either 'F' or 'P' to designate that
the marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It
did not masquerade traffic from:<br>
<br>
a) The subnets associated with other addresses
on the interface.<br>
b) Subnets accessed through local routers.<br>
<br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
<br>
Example 1 -- This is how it works in 1.3.14.<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
<br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change
described above will cause masquerading to occur on subnetworks that you
don't wish to masquerade.<br>
<br>
Example 2 -- Suppose that your current config is as
follows:<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
<br>
Example 3 -- What if your current configuration is
like this?<br>
<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
<br>
In this case, you would want to change the entry
in /etc/shorewall/masq to:<br>
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
<br>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p>
Webmin version 1.060 now has Shorewall support included
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>.<b>
</b>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a bgcolor="#4b017c" valign="top" align="center"> <a
href="http://sourceforge.net">M</a></td> href="http://sourceforge.net">M</a></td>
</tr> </tr>
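Review bot: the first 1.4.1 "New Features" item changes a security default and the text should say so plainly. As written, an "all all" catch-all policy is not an explicit Z to Z policy, so traffic between the groups of a multi-group zone that used to fall through to that catch-all is now permitted; state that an explicit Z Z entry in /etc/shorewall/policy restores filtering, and add the change to the upgrade issues page. Second, the NONE policy description is split by the markup: the sentence "When a policy of NONE is specified from Z1 to Z2:" closes the <ol>, and its two consequences appear in a separate <ul> after it; move that <ul> inside the same <li>. The first bullet, "There may be no rules created that govern connections from Z1 to Z2", reads as a prediction when it is a restriction; say "No rules in /etc/shorewall/rules may apply to traffic from Z1 to Z2", and say what happens to a packet that nevertheless travels from Z1 to Z2 when no chain exists for it, since that is what an administrator choosing NONE needs to know. Third, the removed 1.4.0 text carried "IMPORTANT: Shorewall 1.4.0 requires the iproute package ('ip' utility)"; 1.4.1 is a follow-up to 1.4.0, so the requirement still holds and should either stay on the front page or be confirmed present in News.htm together with the rest of the removed 1.4.0 notes.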
@ -515,9 +295,9 @@ like this?<br>
</table> </table>
</center> </center>
</div> </div>
@ -526,11 +306,11 @@ like this?<br>
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -546,7 +326,7 @@ like this?<br>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -561,13 +341,13 @@ like this?<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -581,9 +361,11 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
</body> </body>
</html> </html>

@ -18,80 +18,80 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1> <h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center"> <img border="3" src="images/TomNTarry.png" <p align="center"> <img border="3" src="images/TomNTarry.png"
alt="Tom on the PCT - 1991" width="316" height="392"> alt="Tom on the PCT - 1991" width="316" height="392">
</p> </p>
<p align="center">Tarry &amp; Tom -- August 2002<br> <p align="center">Tarry &amp; Tom -- August 2002<br>
<br> <br>
</p> </p>
<ul> <ul>
<li>Born 1945 in <a <li>Born 1945 in <a
href="http://www.experiencewashington.com">Washington State</a> .</li> href="http://www.experiencewashington.com">Washington State</a> .</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington <li>BA Mathematics from <a href="http://www.wsu.edu">Washington
State University</a> 1967</li> State University</a> 1967</li>
<li>MA Mathematics from <a <li>MA Mathematics from <a
href="http://www.washington.edu">University of Washington</a> 1969</li> href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a <li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li> href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a> <li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - (now part of the <a href="http://www.hp.com">The New HP</a>) 1980
present</li> - present</li>
<li>Married 1969 - no children.</li> <li>Married 1969 - no children.</li>
</ul> </ul>
<p>I am currently a member of the design team for the next-generation <p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p> operating system from the NonStop Enterprise Division of HP. </p>
<p>I became interested in Internet Security when I established a home office <p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known ipchains and developed the scripts which are now collectively known as
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
Expanding on what I learned from Seattle Firewall, I then designed on what I learned from Seattle Firewall, I then designed and
and wrote Shorewall. </p> wrote Shorewall. </p>
<p>I telework from our <a <p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a> href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
where I live with my wife Tarry.  </p> I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p> <p>Our current home network consists of: </p>
<ul> <ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; <li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp;
20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
Serves as a PPTP server for Road Warrior access. Dual boots <a Serves as a PPTP server for Road Warrior access. Dual boots <a
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li> href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip) <li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
NIC - My personal Linux System which runs Samba configured as NIC - My personal Linux System which runs Samba configured as a
a WINS server. This system also has <a WINS server. This system also has <a
href="http://www.vmware.com/">VMware</a> installed and can run href="http://www.vmware.com/">VMware</a> installed and can run both
both <a href="http://www.debian.org">Debian Woody</a> and <a <a href="http://www.debian.org">Debian Woody</a> and <a
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li> href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC  <li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd), - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
DNS server (Bind 9).</li> DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 <li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.3.14  LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall 1.4.0 
and a DHCP server.</li> and a DHCP server.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - <li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC
My wife's personal system.</li> - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard <li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My
work system.</li> main work system.</li>
</ul> </ul>
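Review bot: the home-network bullet still reads "Firewall running Shorewall 1.4.0" although this commit is the 1.4.1 release, so the page lags the software by one version the moment it is published; since the bullet is being touched in this hunk anyway, bump it to 1.4.1 (or drop the version from the bio so it cannot go stale).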
@ -104,25 +104,26 @@ My wife's personal system.</li>
<p><a href="http://www.redhat.com"><img border="0" <p><a href="http://www.redhat.com"><img border="0"
src="images/poweredby.png" width="88" height="31"> src="images/poweredby.png" width="88" height="31">
</a><a href="http://www.compaq.com"><img border="0" </a><a href="http://www.compaq.com"><img border="0"
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25"> src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
</a><a href="http://www.pureftpd.org"><img border="0" </a><a href="http://www.pureftpd.org"><img border="0"
src="images/pure.jpg" width="88" height="31"> src="images/pure.jpg" width="88" height="31">
</a><font size="4"><a href="http://www.apache.org"><img </a><font size="4"><a href="http://www.apache.org"><img
border="0" src="images/apache_pb1.gif" hspace="2" width="170" border="0" src="images/apache_pb1.gif" hspace="2" width="170"
height="20"> height="20">
</a><a href="http://www.mandrakelinux.com"><img </a><a href="http://www.mandrakelinux.com"><img
src="images/medbutton.png" alt="Powered by Mandrake" width="90" src="images/medbutton.png" alt="Powered by Mandrake" width="90"
height="32"> height="32">
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall" </a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
width="125" height="40" hspace="4"> width="125" height="40" hspace="4">
</font></p> </font></p>
<p><font size="2">Last updated 3/7/2003 - </font><font size="2"> <a <p><font size="2">Last updated 3/17/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p> href="support.htm">Tom Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font <font face="Trebuchet MS"><a href="copyright.htm"><font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font><br> M. Eastep.</font></a></font><br>
<br>
<br> <br>
<br> <br>
</body> </body>


@ -17,51 +17,53 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1> <h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
Shorewall Requires:<br> Shorewall Requires:<br>
<ul> <ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20-pre6. <li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.20.
<a href="kernel.htm"> Check here for kernel configuration information.</a> With current releases of Shorewall, Traffic Shaping/Control requires at least
If you are looking for a firewall for use with 2.2 kernels, <a 2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
href="http://seawall.sf.net"> see the Seattle Firewall site</a> information.</a> If you are looking for a firewall for use with
.</li> 2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle Firewall
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4 upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a> href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li> and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included with <li>Iproute ("ip" utility). The iproute package is included with
most distributions but may not be installed by default. The official most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing" download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>. target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li> </li>
<li>A Bourne shell or derivative such as bash or ash. This shell must <li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i> have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i> }, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li> } and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have <li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li> awk (gawk) installed.</li>
</ul> </ul>
<p align="left"><font size="2">Last updated 2/21/2003 - <a <p align="left"><font size="2">Last updated 3/19/2003 - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br> <br>
<br>
<br> <br>
<br> <br>
<br> <br>
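Review bot: the kernel bullet now gives the tested range 2.4.2 - 2.4.20 and a 2.4.18 floor for traffic shaping, but the iptables bullet still says "1.2 or later", and nothing here mentions the 1.4 ECN facility, which the index page documents as needing kernel 2.4.20, the ECN patch and iptables 1.2.7a; a reader who checks this page for prerequisites before enabling /etc/shorewall/ecn will not find them, so add an ECN bullet (or a pointer) alongside the traffic-shaping note. Style point: the iproute link wraps the leading "f" of "ftp://" in its own <font> element, which renders the URL in two faces; make the link text plain ftp://ftp.inr.ac.ru/ip-routing.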



@ -17,7 +17,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -28,11 +28,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
@ -49,7 +49,7 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font </a></i></font><font
color="#ffffff">Shorewall 1.4 - <font color="#ffffff">Shorewall 1.4 - <font
size="4">"<i>iptables made easy"</i></font></font><a size="4">"<i>iptables made easy"</i></font></font><a
href="http://www.sf.net"> </a></h1> href="http://www.sf.net"> </a></h1>
@ -68,8 +68,8 @@
<div align="center"><a href="/1.3/index.html" target="_top"><font <div align="center"><a href="/1.3/index.html" target="_top"><font
color="#ffffff">Shorewall 1.3 Site here</font></a></div> color="#ffffff">Shorewall 1.3 Site here</font></a></div>
</td> </td>
</tr> </tr>
@ -89,11 +89,11 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
@ -121,10 +121,10 @@
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system, based firewall that can be used on a dedicated firewall
a multi-function gateway/router/server or on a standalone system, a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p> GNU/Linux system.</p>
@ -139,27 +139,27 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software 2 of the GNU General Public License</a> as published by the Free
Foundation.<br> Software Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License A PARTICULAR PURPOSE. See the GNU General Public
for more details.<br> License for more details.<br>
<br> <br>
You should have received You should have received
a copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write along with this program; if not, write
to the Free Software Foundation, Inc., 675 to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p> Mass Ave, Cambridge, MA 02139, USA</p>
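Review bot: the FSF address in the reflowed license paragraph (675 Mass Ave, Cambridge, MA 02139) is the Foundation's old address; the GPL version 2 text as distributed in 2003 gives 59 Temple Place, Suite 330, Boston, MA 02111-1307, so update the address while this paragraph is being rewrapped.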
@ -190,17 +190,17 @@ to the Free Software Foundation, Inc., 675
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques </a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations <b>Congratulations
to Jacques and Eric on the recent release of Bering to Jacques and Eric on the recent release of Bering
1.1!!! <br> 1.1!!! <br>
</b> </b>
@ -222,257 +222,12 @@ Nilo and Eric Wolzak have a LEAF (router/firewall/gatew
<p><b>3/17/2003 - Shorewall 1.4.0  </b><b> </b><b><img <p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><b> </b></p>  </b><b> </b></p>
Shorewall 1.4 represents <b> </b>
the next step in the evolution of Shorewall. The main thrust of the
initial release is simply to remove the cruft that has accumulated in
Shorewall over time. <br>
<br>
<b>IMPORTANT: Shorewall 1.4.0 requires</b> <b>the iproute package
('ip' utility).</b><br>
<br>
Function from 1.3 that has been omitted from this version
include:<br>
<ol>
<li>The MERGE_HOSTS variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with MERGE_HOSTS=Yes.<br>
<br>
</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate an error.<br>
<br>
</li>
<li>Shorewall 1.4 implements behavior consistent with OLD_PING_HANDLING=No.
OLD_PING_HANDLING=Yes will generate an error at startup as will specification
of the 'noping' or 'filterping' interface options.<br>
<br>
</li>
<li>The 'routestopped' option in the /etc/shorewall/interfaces
and /etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.<br>
<br>
</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted.<br>
<br>
</li>
<li>The ALLOWRELATED variable in shorewall.conf is no longer supported.
Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.<br>
<br>
</li>
<li>The icmp.def file has been removed.<br>
</li>
</ol>
Changes for 1.4 include:<br>
<ol>
<li>The /etc/shorewall/shorewall.conf file has been completely
reorganized into logical sections.<br>
<br>
</li>
<li>LOG is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>The firewall script, common functions file and version file
are now installed in /usr/share/shorewall.<br>
<br>
</li>
<li>Late arriving DNS replies are now silently dropped in the
common chain by default.<br>
<br>
</li>
<li>In addition to behaving like OLD_PING_HANDLING=No, Shorewall
1.4 no longer unconditionally accepts outbound ICMP packets. So if you
want to 'ping' from the firewall, you will need the appropriate rule or
policy.<br>
<br>
</li>
<li>CONTINUE is now a valid action for a rule (/etc/shorewall/rules).<br>
<br>
</li>
<li>802.11b devices with names of the form wlan<i>&lt;n&gt;</i>
now support the 'maclist' option.<br>
<br>
</li>
<li value="8">Explicit Congestion Notification (ECN - RFC 3168)
may now be turned off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:<br>
<br>
   a) You must be running kernel 2.4.20<br>
   b) You must have applied the patch in<br>
   http://www.shorewall/net/pub/shorewall/ecn/patch.<br>
   c) You must have iptables 1.2.7a installed.<br>
<br>
</li>
<li>The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.<br>
<br>
</li>
<li value="10">Shorewall now gives a more helpful diagnostic when
the 'ipchains' compatibility kernel module is loaded and a 'shorewall start'
command is issued.<br>
<br>
</li>
<li>The SHARED_DIR variable has been removed from shorewall.conf.
This variable was for use by package maintainers and was not documented
for general use.<br>
<br>
</li>
<li>Shorewall now ignores 'default' routes when detecting masq'd
networks.<br>
</li>
</ol>
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta" target="_top"></a>
<p><b>3/11/2003 - Shoreall 1.3.14a</b><b> </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>A roleup of the following bug fixes and other updates:</p>
<ul>
<li>There is an updated rfc1918 file that reflects the resent
allocation of 222.0.0.0/8 and 223.0.0.0/8. </li>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a
single host or network address. </li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were
not rate-limited. </li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt;
don't support the 'maclist' interface option. </li>
<li>Log messages generated by RFC 1918 filtering are not rate limited. </li>
<li>The firewall fails to start in the case where you have "eth0
eth1" in /etc/shorewall/masq and the default route is through eth1
</li>
</ul>
<p><b>2/8/2003 - Shorewall 1.3.14</b><b> </b></p>
<p>New features include</p>
<ol>
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
When set to Yes, Shorewall ping handling is as it has always been
(see http://www.shorewall.net/ping.html).<br>
<br>
When OLD_PING_HANDLING=No, icmp echo (ping) is handled
via rules and policies just like any other connection request. The
FORWARDPING=Yes option in shorewall.conf and the 'noping' and 'filterping'
options in /etc/shorewall/interfaces will all generate an error.<br>
<br>
</li>
<li>It is now possible to direct Shorewall to create
a "label" such as  "eth0:0" for IP addresses that it creates under
ADD_IP_ALIASES=Yes and ADD_SNAT_ALIASES=Yes. This is done by specifying
the label instead of just the interface name:<br>
 <br>
   a) In the INTERFACE column of /etc/shorewall/masq<br>
   b) In the INTERFACE column of /etc/shorewall/nat<br>
 </li>
<li>Support for OpenVPN Tunnels.<br>
<br>
</li>
<li>Support for VLAN devices with names of the form
$DEV.$VID (e.g., eth0.0)<br>
<br>
</li>
<li>In /etc/shorewall/tcrules, the MARK value may be
optionally followed by ":" and either 'F' or 'P' to designate that the
marking will occur in the FORWARD or PREROUTING chains respectively.
If this additional specification is omitted, the chain used to mark packets
will be determined by the setting of the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
</li>
<li>When an interface name is entered in the SUBNET
column of the /etc/shorewall/masq file, Shorewall previously masqueraded
traffic from only the first subnet defined on that interface. It
did not masquerade traffic from:<br>
 <br>
   a) The subnets associated with other addresses on the
interface.<br>
   b) Subnets accessed through local routers.<br>
 <br>
Beginning with Shorewall 1.3.14, if you enter an interface
name in the SUBNET column, shorewall will use the firewall's routing
table to construct the masquerading/SNAT rules.<br>
 <br>
Example 1 -- This is how it works in 1.3.14.<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>  [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br></pre>
<pre>  [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
 <br>
When upgrading to Shorewall 1.3.14, if you have multiple
local subnets connected to an interface that is specified in the
SUBNET column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
file will need changing. In most cases, you will simply be able to remove
redundant entries. In some cases though, you might want to change from
using the interface name to listing specific subnetworks if the change described
above will cause masquerading to occur on subnetworks that you don't wish
to masquerade.<br>
 <br>
Example 2 -- Suppose that your current config is as follows:<br>
   <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, the second entry in /etc/shorewall/masq
is no longer required.<br>
 <br>
Example 3 -- What if your current configuration is like
this?<br>
 <br>
<pre>   [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>   [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
 <br>
   In this case, you would want to change the entry in 
/etc/shorewall/masq to:<br>
<pre>   #INTERFACE              SUBNET                  ADDRESS<br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
</li>
</ol>
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0</b><b>
</b></p>
Webmin version 1.060 now has Shorewall support included
as standard. See <a href="http://www.webmin.com">http://www.webmin.com</a>
<b> </b>
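Review bot: this hunk removes the 1.4.0, 1.3.14a and 1.3.14 announcements from the index, and with them the only text on this page that records the 1.4.0 upgrade caveats (iproute now required; MERGE_HOSTS, OLD_PING_HANDLING, the 'routestopped' option, the 1.2 DNAT/REDIRECT syntax, ALLOWRELATED and icmp.def gone; outbound ICMP from the firewall no longer accepted unconditionally) and the ECN prerequisites. Confirm that material is present in News.htm (linked as "More News" below) or upgrade_issues.htm before it leaves the index, and fix the removed text's typos as it moves: "Shoreall", "roleup", "resent", and the patch URL "http://www.shorewall/net/pub/shorewall/ecn/patch", where the first slash should be a dot (www.shorewall.net).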
@ -502,6 +257,50 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<p>This release follows up on 1.4.0. It corrects a problem introduced
in 1.4.0 and removes additional warts.<br>
<br>
<b>Problems Corrected:</b><br>
</p>
<ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF),
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn file
is empty. That problem has been corrected so that ECN disabling rules are
only added if there are entries in /etc/shorewall/ecn.</li>
</ol>
<b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be
a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than
one group<i> </i>then if there is no explicit Z to Z policy and there are
no rules governing traffic from Z to Z then Shorewall will permit all traffic
between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules
to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is
specified from Z1 to Z2:</li>
</ol>
<ul>
<li>There may be no rules created that govern connections from Z1
to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li>
</ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
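Review bot: item 1 of New Features widens access by default and the text should say so plainly rather than only via the upgrade issues link: once two groups sit in the same zone, traffic between them is accepted unless there is an explicit Z to Z policy or Z to Z rules, so a configuration that relied on a catch-all policy (for example an all-to-all DROP or REJECT) to keep, say, eth2:192.168.1.0/24 and eth3:192.0.2.123 apart is opened up by this upgrade; state that the fix is an explicit Z to Z DROP or REJECT policy entry. For item 3, the two bullets say what NONE does not create but not what happens to a packet that does travel from Z1 to Z2; state its disposition, or state that NONE is only valid where no such traffic can reach the firewall, otherwise readers will treat NONE as a synonym for DROP. Minor: "<i>group </i>refers" puts the trailing space inside the italics.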
@ -527,7 +326,7 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<h1 align="center"><a href="http://www.sf.net"><img align="left" <h1 align="center"><a href="http://www.sf.net"><img align="left"
alt="SourceForge Logo" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
</a></h1> </a></h1>
@ -555,13 +354,14 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <br> bgcolor="#4b017c" valign="top" align="center"> <br>
</td>
</tr> </td>
</tr>
@ -573,9 +373,9 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
</table> </table>
</center> </center>
</div> </div>
@ -584,11 +384,11 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -604,7 +404,7 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -618,15 +418,16 @@ as standard. See <a href="http://www.webmin.com">http://www.webmin.
<p align="center"><font size="4" color="#ffffff">Shorewall is free but <p align="center"><font size="4" color="#ffffff">Shorewall is free
if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's href="http://www.starlight.org"><font color="#ffffff">Starlight
Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr>
</tr>
@ -640,10 +441,11 @@ Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 3/17/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br> <br>
</body> </body>
</html> </html>
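Review bot: the footer now reads "Updated 3/21/2003" while the news entry added higher in this file is dated "3/24/2003 - Shorewall 1.4.1"; the two dates on the same page should agree, so set the footer to the release date.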


@ -18,9 +18,9 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
@ -28,9 +28,9 @@
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img <h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle"> src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
@ -39,32 +39,32 @@
<h2>Before Reporting a Problem or Asking a Question<br> <h2>Before Reporting a Problem or Asking a Question<br>
</h2> </h2>
There are a number There are a number
of sources of Shorewall information. Please try these before you post. of sources of Shorewall information. Please try these before you post.
<ul> <ul>
<li>More than half of the questions posted <li>More than half of the questions posted
on the support list have answers directly accessible from the <a on the support list have answers directly accessible from the
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br> <a href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
</li> </li>
<li> The <a <li> The <a
href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems. href="FAQ.htm">FAQ</a> has solutions to more than 20 common problems.
</li> </li>
<li> The <a <li> The <a
href="troubleshoot.htm">Troubleshooting</a> Information contains href="troubleshoot.htm">Troubleshooting</a> Information contains
a number of tips to help you solve common problems. a number of tips to help you solve common problems.
</li> </li>
<li> The <a <li> The <a
href="errata.htm"> Errata</a> has links to download updated href="errata.htm"> Errata</a> has links to download updated
components. </li> components. </li>
<li> The Site and Mailing <li> The Site and Mailing
List Archives search facility can locate documents and posts List Archives search facility can locate documents and posts
about similar problems: </li> about similar problems: </li>
</ul> </ul>
@ -80,12 +80,12 @@ of sources of Shorewall information. Please try these before you post.
<option value="or">Any </option> <option value="or">Any </option>
<option value="boolean">Boolean </option> <option value="boolean">Boolean </option>
</select> </select>
Format: Format:
<select name="format"> <select name="format">
<option value="builtin-long">Long </option> <option value="builtin-long">Long </option>
<option value="builtin-short">Short </option> <option value="builtin-short">Short </option>
</select> </select>
Sort by: Sort by:
<select name="sort"> <select name="sort">
<option value="score">Score </option> <option value="score">Score </option>
<option value="time">Time </option> <option value="time">Time </option>
@ -94,49 +94,49 @@ of sources of Shorewall information. Please try these before you post.
<option value="revtime">Reverse Time </option> <option value="revtime">Reverse Time </option>
<option value="revtitle">Reverse Title </option> <option value="revtitle">Reverse Title </option>
</select> </select>
</font><input type="hidden" name="config" value="htdig"><input </font><input type="hidden" name="config" value="htdig"><input
type="hidden" name="restrict" value=""><font size="-1"> Include Mailing type="hidden" name="restrict" value=""><font size="-1"> Include Mailing
List Archives: List Archives:
<select size="1" name="exclude"> <select size="1" name="exclude">
<option value="">Yes</option> <option value="">Yes</option>
<option value="[http://lists.shorewall.net/pipermail/.*]">No</option> <option value="[http://lists.shorewall.net/pipermail/.*]">No</option>
</select> </select>
</font><br> </font><br>
Search: <input type="text" size="30" name="words" value=""> <input Search: <input type="text" size="30" name="words" value=""> <input
type="submit" value="Search"><br> type="submit" value="Search"><br>
</form> </form>
</blockquote> </blockquote>
<h2>Problem Reporting Guidelines<br> <h2>Problem Reporting Guidelines<br>
</h2> </h2>
<ul> <ul>
<li>Please remember we only know what is posted <li>Please remember we only know what is posted
in your message. Do not leave out any information that appears to in your message. Do not leave out any information that appears
be correct, or was mentioned in a previous post. There have been to be correct, or was mentioned in a previous post. There have been
countless posts by people who were sure that some part of their countless posts by people who were sure that some part of their
configuration was correct when it actually contained a small error. configuration was correct when it actually contained a small error.
We tend to be skeptics where detail is lacking.<br> We tend to be skeptics where detail is lacking.<br>
<br> <br>
</li> </li>
<li>Please keep in mind that you're asking for <li>Please keep in mind that you're asking for
<strong>free</strong> technical support. Any help we offer <strong>free</strong> technical support. Any help we offer
is an act of generosity, not an obligation. Try to make it easy is an act of generosity, not an obligation. Try to make it easy
for us to help you. Follow good, courteous practices in writing for us to help you. Follow good, courteous practices in writing
and formatting your e-mail. Provide details that we need if you expect and formatting your e-mail. Provide details that we need if you expect
good answers. <em>Exact quoting </em> of error messages, log entries, good answers. <em>Exact quoting </em> of error messages, log entries,
command output, and other output is better than a paraphrase or summary.<br> command output, and other output is better than a paraphrase or summary.<br>
<br> <br>
</li> </li>
<li> Please don't <li> Please
describe your environment and then ask us to send you don't describe your environment and then ask us to send you
custom configuration files. We're here to answer your custom configuration files. We're here to answer your
questions but we can't do your job for you.<br> questions but we can't do your job for you.<br>
<br> <br>
</li> </li>
<li>When reporting a problem, <strong>ALWAYS</strong> <li>When reporting a problem, <strong>ALWAYS</strong>
include this information:</li> include this information:</li>
</ul> </ul>
@ -144,68 +144,68 @@ questions but we can't do your job for you.<br>
<ul> <ul>
<li>the exact version of Shorewall you are running.<br> <li>the exact version of Shorewall you are
<br> running.<br>
<b><font color="#009900">shorewall version</font><br> <br>
</b> <br> <b><font color="#009900">shorewall version</font><br>
</li> </b> <br>
</li>
</ul> </ul>
<ul> <ul>
<li>the exact kernel version you are running<br> <li>the exact kernel version you are running<br>
<br> <br>
<font color="#009900"><b>uname -a<br> <font color="#009900"><b>uname -a<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip addr show<br> <font color="#009900"><b>ip addr show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>the complete, exact output of<br> <li>the complete, exact output of<br>
<br> <br>
<font color="#009900"><b>ip route show<br> <font color="#009900"><b>ip route show<br>
<br> <br>
</b></font></li> </b></font></li>
</ul> </ul>
<ul> <ul>
<li>If your kernel is modularized, the exact <li>If your kernel is modularized, the exact
output from<br> output from<br>
<br> <br>
<font color="#009900"><b>lsmod</b></font><br> <font color="#009900"><b>lsmod</b></font><br>
<br> <br>
</li> </li>
<li>the exact wording of any <code <li>the exact wording of any <code
style="color: green; font-weight: bold;">ping</code> failure responses<br> style="color: green; font-weight: bold;">ping</code> failure responses<br>
<br> <br>
</li> </li>
<li>If you installed Shorewall using one of the QuickStart <li>If you installed Shorewall using one of the QuickStart
Guides, please indicate which one. <br> Guides, please indicate which one. <br>
<br> <br>
</li> </li>
<li><b>If you are running Shorewall under Mandrake using <li><b>If you are running Shorewall under Mandrake
the Mandrake installation of Shorewall, please say so.</b><br> using the Mandrake installation of Shorewall, please say so.</b><br>
<br> </li>
</li>
</ul> </ul>
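Review bot: each of the first four items in this region (shorewall version, uname -a, ip addr show, ip route show) sits in its own `<ul>`, with `</ul>` immediately followed by `<ul>` between them, so browsers render four one-item lists with extra vertical gaps before the list that holds lsmod, ping, QuickStart and Mandrake; merge them into that single `<ul>`. The new side also drops the trailing `<br>` from the Mandrake item while every other item keeps one, so its spacing will differ from its neighbours.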
@ -213,50 +213,51 @@ output from<br>
</ul> </ul>
<ul> <ul>
<li><b>NEVER </b>include the output of "<b><font
color="#009900">iptables -L</font></b>". Instead,<font <ul>
color="#ff0000"><u><i><big> <b>if you are having connection problems of <li><font color="#ff0000"><u><i><big><b>If you are having connection
any kind then:</b></big></i></u></font><br> problems of any kind then:</b></big></i></u></font><br>
<br> <br>
1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br> 1. <b><font color="#009900">/sbin/shorewall/reset</font></b><br>
<br> <br>
2. Try the connection that is failing.<br> 2. Try the connection that is failing.<br>
<br> <br>
3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br> 3.<b><font color="#009900"> /sbin/shorewall status &gt; /tmp/status.txt</font></b><br>
<br> <br>
4. Post the /tmp/status.txt file as an attachment.<br> 4. Post the /tmp/status.txt file as an attachment.<br>
<br> <br>
</li> </li>
<li>As a general </ul>
matter, please <strong>do not edit the diagnostic information</strong> <li>As a general
in an attempt to conceal your IP address, netmask, nameserver addresses, matter, please <strong>do not edit the diagnostic information</strong>
domain name, etc. These aren't secrets, and concealing them often in an attempt to conceal your IP address, netmask, nameserver
misleads us (and 80% of the time, a hacker could derive them anyway addresses, domain name, etc. These aren't secrets, and concealing
from information contained in the SMTP headers of your post).<br> them often misleads us (and 80% of the time, a hacker could derive them
<br> anyway from information contained in the SMTP headers of your post).<br>
<strong></strong></li> <br>
<li>Do you see any "Shorewall" messages ("<b><font <strong></strong></li>
<li>Do you see any "Shorewall" messages ("<b><font
color="#009900">/sbin/shorewall show log</font></b>") when color="#009900">/sbin/shorewall show log</font></b>") when
you exercise the function that is giving you problems? If so, include you exercise the function that is giving you problems? If so,
the message(s) in your post along with a copy of your /etc/shorewall/interfaces include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
file.<br> file.<br>
<br> <br>
</li> </li>
<li>Please include any of the Shorewall configuration files <li>Please include any of the Shorewall configuration files
(especially the /etc/shorewall/hosts file if you have (especially the /etc/shorewall/hosts file if you have
modified that file) that you think are relevant. If you modified that file) that you think are relevant. If you
include /etc/shorewall/rules, please include /etc/shorewall/policy include /etc/shorewall/rules, please include /etc/shorewall/policy
as well (rules are meaningless unless one also knows the policies).<br> as well (rules are meaningless unless one also knows the policies).<br>
<br> <br>
</li> </li>
<li>If an error occurs when you try to "<font <li>If an error occurs when you try to "<font
color="#009900"><b>shorewall start</b></font>", include a color="#009900"><b>shorewall start</b></font>", include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a> trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
section for instructions).<br> section for instructions).<br>
<br> <br>
</li> </li>
<li><b>The list server limits posts to 120kb so don't post GIFs <li><b>The list server limits posts to 120kb so don't post GIFs
of your network layout, etc. to the Mailing of your network layout, etc. to the Mailing
List -- your post will be rejected.</b></li> List -- your post will be rejected.</b></li>
</ul> </ul>
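Review bot: the new `<ul>` opened just before `<li><font color="#ff0000">...If you are having connection problems of any kind then:` is a direct child of the outer `<ul>`; a `<ul>` may contain only `<li>` children, so either wrap the inner list in an `<li>` or drop the nesting and keep the item in the outer list. Two things on lines the hunk already touches deserve a look as well: step 1 reads `/sbin/shorewall/reset` (a path) while step 3 reads `/sbin/shorewall status` (a command plus argument), so one of them is wrong and a reader copying step 1 will be pointed at a file the rest of the page never mentions; and deleting the `NEVER include the output of "iptables -L"` sentence removes the stated reason for the reset/status procedure without replacing it, so if `shorewall status` is meant to supersede `iptables -L` output, say that in the item.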
@ -267,9 +268,9 @@ List -- your post will be rejected.</b></li>
The author gratefully acknowleges that the above list was heavily The author gratefully acknowleges that the above list was heavily
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
found at <a found at <a
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br> href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
</blockquote> </blockquote>
<h2>When using the mailing list, please post in plain text</h2> <h2>When using the mailing list, please post in plain text</h2>
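Review bot: "acknowleges" on the first rewrapped line should be "acknowledges"; since the hunk already touches that line, fix it here rather than in a follow-up.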
@ -277,18 +278,18 @@ plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</e
A growing number of MTAs serving list subscribers are rejecting A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br> to allow HTML in list posts!!<br>
<br> <br>
I think that blocking all HTML is a Draconian I think that blocking all HTML is a Draconian
way to control spam and that the ultimate losers here are not way to control spam and that the ultimate losers here are not
the spammers but the list subscribers whose MTAs are bouncing the spammers but the list subscribers whose MTAs are bouncing
all shorewall.net mail. As one list subscriber wrote to me privately all shorewall.net mail. As one list subscriber wrote to me privately
"These e-mail admin's need to get a <i>(expletive deleted)</i> life "These e-mail admin's need to get a <i>(expletive deleted)</i> life
instead of trying to rid the planet of HTML based e-mail". Nevertheless, instead of trying to rid the planet of HTML based e-mail". Nevertheless,
to allow subscribers to receive list posts as must as possible, I have to allow subscribers to receive list posts as must as possible, I
now configured the list server at shorewall.net to strip all HTML have now configured the list server at shorewall.net to strip all HTML
from outgoing posts.<br> from outgoing posts.<br>
</blockquote> </blockquote>
<h2>Where to Send your Problem Report or to Ask for Help</h2> <h2>Where to Send your Problem Report or to Ask for Help</h2>
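Review bot: "as must as possible" on the rewrapped line should be "as much as possible"; the hunk already rewraps that sentence, so correct it here. The "admin's" apostrophe is inside a quoted subscriber's words, so leave that as is.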
@ -298,42 +299,47 @@ from outgoing posts.<br>
<h4>If you run Shorewall under Bering -- <span <h4>If you run Shorewall under Bering -- <span
style="font-weight: 400;">please post your question or problem style="font-weight: 400;">please post your question or problem
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF
Users mailing list</a>.</span></h4> Users mailing list</a>.</span></h4>
<b>If you run Shorewall under MandrakeSoft Multi <b>If you run Shorewall under MandrakeSoft
Network Firewall (MNF) and you have not purchased an MNF license Multi Network Firewall (MNF) and you have not purchased an MNF
from MandrakeSoft then you can post non MNF-specific Shorewall questions license from MandrakeSoft then you can post non MNF-specific Shorewall
to the </b><a href="mailto:shorewall-users@lists.shorewall.net">Shorewall questions to the </b><a
users mailing list</a>. <b>Do not expect to get free MNF support href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
on the list or forum.</b><br> list</a> or to the <a
href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>. <b>Do not expect to get free MNF support on the list or forum.</b><br>
<p>Otherwise, please post your question or problem to the <a <p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
list</a>.</p> list</a> or to the <a
</blockquote> href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a>.<br>
To Subscribe to the mailing list go to <a
<p>To Subscribe to the mailing list go to <a
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a> href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
.<br> .<br>
</p> </p>
</blockquote>
<p>For information on other Shorewall mailing lists, go to <a <p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br> href="http://lists.shorewall.net/mailing_list.htm">http://lists.shorewall.net/mailing_list.htm</a><br>
</p> </p>
<p align="left"><font size="2">Last Updated 3/14/2003 - Tom Eastep</font></p> <p align="left"><font size="2">Last Updated 3/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font <p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br> <br>
<br>
<br>
<br> <br>
</body> </body>
</html> </html>
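Review bot: the Shorewall Support Forum URL (http://www.developercube.com/forum/index.php?c=8) is now pasted verbatim into both the MNF paragraph and the "Otherwise" paragraph; if the forum moves, both copies have to be found, so consider linking it once and referring back to it. The subscription sentence is also folded into the "Otherwise" `<p>` with a `<br>`, and its closing period sits alone on the next line (`.<br>`), which renders as a stray space before the period; put the "." directly after `</a>`. Bumping "Last Updated" to 3/17/2003 is consistent with the content change.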

View File

@ -17,14 +17,14 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1> <h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -32,83 +32,84 @@
<p align="left">Shorewall has limited support for traffic shaping/control. <p align="left">Shorewall has limited support for traffic shaping/control.
In order to use traffic shaping under Shorewall, it is essential that In order to use traffic shaping under Shorewall, it is essential that
you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
and Shaping HOWTO</a>, version 0.3.0 or later.</p> and Shaping HOWTO</a>, version 0.3.0 or later. It is also necessary
to be running Linux Kernel 2.4.18 or later.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p> <p align="left">Shorewall traffic shaping support consists of the following:</p>
<ul> <ul>
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf. <li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
Traffic Shaping also requires that you enable packet mangling.</li> Traffic Shaping also requires that you enable packet mangling.</li>
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added <li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added
in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), in Shorewall 1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes),
the setting of this variable determines whether Shorewall clears the traffic the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br> shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li> </li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can <li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.<br> be used to classify packets for traffic shaping/control.<br>
</li> </li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file <li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which that is sourced by Shorewall during "shorewall start" and which
you can use to define your traffic shaping disciplines and classes. you can use to define your traffic shaping disciplines and classes.
I have provided a <a I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own faster of the HOWTO mentioned above, you can probably code your own
than you can learn how to use my sample. I personally use <a faster than you can learn how to use my sample. I personally use
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). <a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20, since HTB is a lot simpler and better-documented than CBQ. As of
HTB is a standard part of the kernel but iproute2 must be patched in 2.4.20, HTB is a standard part of the kernel but iproute2 must be patched
order to use it.<br> in order to use it.<br>
<br> <br>
In tcstart, when you want to run the 'tc' utility, use In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br> to stop the firewall.<br>
<br> <br>
You can generally use off-the-shelf traffic shaping scripts by You can generally use off-the-shelf traffic shaping scripts by
simply copying them to /etc/shorewall/tcstart. I use <a simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version) href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address) you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb] then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been script won't work. Traffic shaping occurs after SNAT has already been applied
applied so when traffic shaping happens, all outbound traffic will have so when traffic shaping happens, all outbound traffic will have as a source
as a source address the IP addresss of your firewall's external interface.<br> address the IP addresss of your firewall's external interface.<br>
</li> </li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file <li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping. that is sourced by Shorewall when it is clearing traffic shaping.
This file is normally not required as Shorewall's method of clearing This file is normally not required as Shorewall's method of clearing
qdisc and filter definitions is pretty general.</li> qdisc and filter definitions is pretty general.</li>
</ul> </ul>
Shorewall allows you to start traffic shaping when Shorewall itself Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up your starts or it allows you to bring up traffic shaping when you bring up
interfaces.<br> your interfaces.<br>
<br> <br>
To start traffic shaping when Shorewall starts:<br> To start traffic shaping when Shorewall starts:<br>
<ol> <ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li> <li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic <li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li> shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic <li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li> shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can <li>If your tcstart script uses the 'fwmark' classifier, you can
mark packets using entries in /etc/shorewall/tcrules.</li> mark packets using entries in /etc/shorewall/tcrules.</li>
</ol> </ol>
To start traffic shaping when you bring up your network interfaces, To start traffic shaping when you bring up your network interfaces,
you will have to arrange for your traffic shaping configuration script to you will have to arrange for your traffic shaping configuration script
be run at that time. How you do that is distribution dependent and will not to be run at that time. How you do that is distribution dependent and will
be covered here. You then should:<br> not be covered here. You then should:<br>
<ol> <ol>
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li> <li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear <li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear
scripts.</li> scripts.</li>
<li value="4">If your tcstart script uses the 'fwmark' classifier, <li value="4">If your tcstart script uses the 'fwmark' classifier,
you can mark packets using entries in /etc/shorewall/tcrules.</li> you can mark packets using entries in /etc/shorewall/tcrules.</li>
</ol> </ol>
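Review bot: in the second `<ol>` ("To start traffic shaping when you bring up your network interfaces"), step 2 says not to supply /etc/shorewall/tcstart, but step 3 then refers to "your tcstart script"; it should say "your traffic shaping script", the one arranged to run when the interface comes up. The `<li value="4">` on that same step makes the list render as 1, 2, 4, which reads as a missing step rather than a cross-reference to step 4 of the first list; if the numbering is deliberate, say so in the text. Typos on the rewrapped lines: "If you use use Masquerading" has a doubled "use", and "addresss" should be "address". The added sentence requiring Linux kernel 2.4.18 or later is worth having and sits consistently with the later note that HTB is standard as of 2.4.20.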
@ -119,179 +120,179 @@ be covered here. You then should:<br>
<p align="center"><img border="0" src="images/QoS.png" width="590" <p align="center"><img border="0" src="images/QoS.png" width="590"
height="764"> height="764">
</p> </p>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3> <h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify <p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides packets for traffic shaping. The /etc/shorewall/tcrules file provides
a means for specifying these marks in a tabular fashion.<br> a means for specifying these marks in a tabular fashion.<br>
</p> </p>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before <p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading packets based on their destination address when SNAT or Masquerading are
are being used. Beginning with Shorewall 1.3.12, you can cause packet being used. Beginning with Shorewall 1.3.12, you can cause packet marking
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br> in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p> </p>
<p align="left">Columns in the file are as follows:</p> <p align="left">Columns in the file are as follows:</p>
<ul> <ul>
<li>MARK - Specifies the mark value is to be assigned in <li>MARK - Specifies the mark value is to be assigned
case of a match. This is an integer in the range 1-255. Beginning in case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by with Shorewall version 1.3.14, this value may be optionally followed by ":"
":" and either 'F' or 'P' to designate that the marking will occur in the and either 'F' or 'P' to designate that the marking will occur in the FORWARD
FORWARD or PREROUTING chains respectively. If this additional specification or PREROUTING chains respectively. If this additional specification is omitted,
is omitted, the chain used to mark packets will be determined by the setting the chain used to mark packets will be determined by the setting of the
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br> MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br> <br>
Example - 5<br> Example - 5<br>
</li> </li>
<li>SOURCE - The source of the packet. If the packet originates <li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is a on the firewall, place "fw" in this column. Otherwise, this is
comma-separated list of interface names, IP addresses, MAC addresses a comma-separated list of interface names, IP addresses, MAC addresses
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br> in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<br> <br>
Examples<br> Examples<br>
    eth0<br>     eth0<br>
    192.168.2.4,192.168.1.0/24<br>     192.168.2.4,192.168.1.0/24<br>
</li> </li>
<li>DEST -- Destination of the packet. Comma-separated <li>DEST -- Destination of the packet. Comma-separated
list of IP addresses and/or subnets.<br> list of IP addresses and/or subnets.<br>
</li> </li>
<li>PROTO - Protocol - Must be the name of a protocol from <li>PROTO - Protocol - Must be the name of a protocol
/etc/protocol, a number or "all"<br> from /etc/protocol, a number or "all"<br>
</li> </li>
<li>PORT(S) - Destination Ports. A comma-separated list <li>PORT(S) - Destination Ports. A comma-separated list
of Port names (from /etc/services), port numbers or port ranges (e.g., of Port names (from /etc/services), port numbers or port ranges
21:22); if the protocol is "icmp", this column is interpreted (e.g., 21:22); if the protocol is "icmp", this column is interpreted
as the destination icmp type(s).<br> as the destination icmp type(s).<br>
</li> </li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. <li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate If omitted, any source port is acceptable. Specified as a comma-separate
list of port names, port numbers or port ranges.</li> list of port names, port numbers or port ranges.</li>
</ul> </ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked <p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked with 2. All packets originating on the firewall itself should be marked
3.</p> with 3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr> <tr>
<td><b>MARK</b></td> <td>1</td>
<td><b>SOURCE</b></td> <td>eth1</td>
<td><b>DEST</b></td> <td>0.0.0.0/0</td>
<td><b>PROTO</b></td> <td>all</td>
<td><b>PORT(S)</b></td> <td> </td>
<td><b>CLIENT PORT(S)</b></td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>1</td> <td>2</td>
<td>eth1</td> <td>eth2</td>
<td>0.0.0.0/0</td> <td>0.0.0.0/0</td>
<td>all</td> <td>all</td>
<td> </td> <td> </td>
<td> </td> <td> </td>
</tr> </tr>
<tr> <tr>
<td>2</td> <td valign="top">2<br>
<td>eth2</td> </td>
<td>0.0.0.0/0</td> <td valign="top">eth3<br>
<td>all</td> </td>
<td> </td> <td valign="top">0.0.0.0/0<br>
<td> </td> </td>
</tr> <td valign="top">all<br>
<tr> </td>
<td valign="top">2<br> <td valign="top"><br>
</td> </td>
<td valign="top">eth3<br> <td valign="top"><br>
</td> </td>
<td valign="top">0.0.0.0/0<br> </tr>
</td> <tr>
<td valign="top">all<br> <td>3</td>
</td> <td>fw</td>
<td valign="top"><br> <td>0.0.0.0/0</td>
</td> <td>all</td>
<td valign="top"><br> <td> </td>
</td> <td> </td>
</tr> </tr>
<tr>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating <p align="left">Example 2 - All GRE (protocol 47) packets not originating
on the firewall and destined for 155.186.235.151 should be marked with on the firewall and destined for 155.186.235.151 should be marked
12.</p> with 12.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr> <tr>
<td><b>MARK</b></td> <td>12</td>
<td><b>SOURCE</b></td> <td>0.0.0.0/0</td>
<td><b>DEST</b></td> <td>155.186.235.151</td>
<td><b>PROTO</b></td> <td>47</td>
<td><b>PORT(S)</b></td> <td> </td>
<td><b>CLIENT PORT(S)</b></td> <td> </td>
</tr> </tr>
<tr>
<td>12</td>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td> </td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 <p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
and destined for 155.186.235.151 should be marked with 22.</p> and destined for 155.186.235.151 should be marked with 22.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;"> <table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr> <tr>
<td><b>MARK</b></td> <td>22</td>
<td><b>SOURCE</b></td> <td>192.168.1.0/24</td>
<td><b>DEST</b></td> <td>155.186.235.151</td>
<td><b>PROTO</b></td> <td>tcp</td>
<td><b>PORT(S)</b></td> <td>22</td>
<td><b>CLIENT PORT(S)</b></td> <td> </td>
</tr> </tr>
<tr>
<td>22</td>
<td>192.168.1.0/24</td>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td> </td>
</tr>
</tbody> </tbody>
</table> </table>
<h3>My Setup<br> <h3>My Setup<br>
</h3> </h3>
<p>While I am currently using the HTB version of <a <p>While I am currently using the HTB version of <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown
in the Wondershaper README), I have also run with the following set of in the Wondershaper README), I have also run with the following set of
hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br> hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
</p> </p>
<blockquote> <blockquote>
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre> <pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo "   Added Top Level Class -- rate 384kbit"</pre>
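Review bot: Example 2's prose says "not originating on the firewall" while its table row uses SOURCE 0.0.0.0/0 and says nothing about the firewall, and Example 1 has a row whose SOURCE is `fw`; the page should state explicitly what separates the two cases (a `fw` SOURCE selects packets the firewall itself generates; any other SOURCE selects packets arriving on an interface) instead of leaving it to be inferred from the examples. After this change the Example 1 rows also mix `<td valign="top">…<br>` cells with plain `<td>` cells while Examples 2 and 3 use plain `<td>` only; use one form for all three tables.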
@ -307,30 +308,31 @@ hand-crafted rules in my <b>/etc/shorewall/tcstart</b> file:<br>
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre> <pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
<pre>echo "   Defined fwmark filters"<br></pre> <pre>echo "   Defined fwmark filters"<br></pre>
</blockquote> </blockquote>
<p>My tcrules file that went with this tcstart file is shown in Example 1 <p>My tcrules file that went with this tcstart file is shown in Example 1
above. You can look at <a href="myfiles.htm">my configuration</a> to above. You can look at <a href="myfiles.htm">my configuration</a> to
see why I wanted shaping of this type.<br> see why I wanted shaping of this type.<br>
</p> </p>
<ol> <ol>
<li>I wanted to allow up to 140kbits/second for traffic outbound <li>I wanted to allow up to 140kbits/second for traffic outbound
from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic from my DMZ (note that the ceiling is set to 384kbit so outbound DMZ
can use all available bandwidth if there is no traffic from the local traffic can use all available bandwidth if there is no traffic from the
systems or from my laptop or firewall).</li> local systems or from my laptop or firewall).</li>
<li>My laptop and local systems could use up to 224kbits/second.</li> <li>My laptop and local systems could use up to 224kbits/second.</li>
<li>My firewall could use up to 20kbits/second.</li> <li>My firewall could use up to 20kbits/second.</li>
</ol> </ol>
You see <a href="myfiles.htm">the rest of my Shorewall configuration</a> You see <a href="myfiles.htm">the rest of my Shorewall configuration</a>
to see how this fit in. <br> to see how this fit in. <br>
<p><font size="2">Last Updated 3/5/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last Updated 3/19/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
<br> <br>
<br> <br>
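Review bot: `htb default 30` on the qdisc line sends every packet that carries no mark to class 1:30, which is also the class the `handle 3 fw` filter selects for packets marked 3, and mark 3 is the `fw 0.0.0.0/0` row of Example 1, the firewall's own traffic; the prose gives the firewall 20 kbit/s, so if 1:30 is that class (its definition is not in this hunk) all unmarked traffic shares the smallest allocation. Say so in the "My Setup" text, because a reader who copies the tcstart file without the matching tcrules entries will see every flow throttled into that class. The "Last Updated" date moved to 3/19/2003 although the visible changes to this file are whitespace reflow only.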

View File

@ -11,6 +11,7 @@
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
@ -18,292 +19,406 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.</p> href="Install.htm">Install/Upgrade page</a>.<br>
</p>
<p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you are
currently running. <br>
</p>
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.0</h3> <h3>Version &gt;= 1.4.1</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 <u>REQUIRES</u></b> <b>the iproute package In the description that follows, the term <i>group </i>refers to a particular
('ip' utility).</b><br> network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
<br> accessed through a particular interface. Examples:<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul> <ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options are <li>Beginning with Version 1.4.1, traffic between groups in the same
no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. zone is accepted by default. Previously, traffic from a zone to itself was
ICMP echo-request (ping) packets are treated just like any other connection treated just like any other traffic; any matching rules were applied followed
request and are subject to rules and policies.</li> by enforcement of the appropriate policy. With 1.4.1 and later versions,
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in unless you have explicit rules for traffic from Z to Z or you have an explicit
/etc/shorewall/interfaces now generate a Shorewall error at startup (they Z to Z policy (where "Z" is some zone) then traffic between the groups in
always have produced warnings in iptables).</li> zone Z will be accepted. If you do have one or more explicit rules for Z
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. to Z or if you have an explicit Z to Z policy then the behavior is as it
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents was in prior versions.</li>
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li> </ul>
<li>The <b>routestopped</b> option in the interfaces and hosts file
has been eliminated; use entries in the routestopped file instead.</li> <blockquote>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer <ol>
accepted; you must convert to using the new syntax.</li> <li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
<li value="6">The ALLOWRELATED variable in shorewall.conf is no longer two interfaces to the same zone, that policy can be removed and traffic
supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li> between the interfaces will traverse fewer rules than previously.</li>
<li value="6">Late-arriving DNS replies are not dropped by default; <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
there is no need for your own /etc/shorewall/common file simply to avoid rules then your configuration should not require any change.</li>
logging these packets.</li> <li>If you are currently relying on a implicit policy (one that has
<li value="6">The 'firewall', 'functions' and 'version' file have been "all" in either the SOURCE or DESTINATION column) to prevent traffic between
moved to /usr/share/shorewall.</li> two interfaces to a zone Z and you have no rules for Z-&gt;Z then you should
<li value="6">The icmp.def file has been removed. If you include it add an explicit DROP or REJECT policy for Z to Z.<br>
from /etc/shorewall/icmpdef, you will need to modify that file.</li> </li>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that </ol>
they arrived on in two cases:</li> </blockquote>
<ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between two
subnetworks on the same interface then either:</li>
</ul>
<blockquote>
<ol>
<li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks
as two groups in a single zone.</li>
</ol>
</blockquote>
Example 1 -- Two zones:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote>
Example 2 -- One zone:
<blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote>
Note that in the second example, we don't need any policy since z-&gt;z
traffic is accepted by default. The second technique is preferable if you
want unlimited access between the two subnetworks.<br>
<br>
Sometimes, you want two separate zones on one interface but you don't want
Shorewall to set up any infrastructure to handle traffic between them. <br>
<br>
Example:<br>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you
can prevent Shorewall from setting up any infrastructure to handle traffic
between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction. 
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
are determined by BOTH the interfaces and hosts files when there are entries
for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have
been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<ul>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul> </ul>
<ul> <ul>
</ul>
<h3>Version 1.4.0</h3>
<ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li>
</ul>
<blockquote>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to or from <li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not use the destination zone. An explicit policy names both zones and does not
the 'all' reserved word.</li> use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone to <li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li> DESTINATION columns.</li>
</ul> </ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address </blockquote>
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
</ul>
<ul>
</ul>
<h3>Version &gt;= 1.3.14</h3> <h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a      Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second) involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
<b>column</b>:<br> <b>column</b>:<br>
<ul> <ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
interface (as shown by "ip addr show <i>interface</i>") and would masquerade on the interface (as shown by "ip addr show <i>interface</i>") and would
traffic from that subnet. Any other subnets that routed through eth1 needed masquerade traffic from that subnet. Any other subnets that routed through
their own entry in /etc/shorewall/masq to be masqueraded or to have SNAT eth1 needed their own entry in /etc/shorewall/masq to be masqueraded
applied.</li> or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface. routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li> applied.</li>
</ul> </ul>
You will need to make a change to your configuration if:<br> You will need to make a change to your configuration if:<br>
<ol> <ol>
<li>You have one or more entries in /etc/shorewall/masq with an interface <li>You have one or more entries in /etc/shorewall/masq with
name in the SUBNET (second) column; and</li> an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li> <li>That interface connects to more than one subnetwork.</li>
</ol> </ol>
Two examples:<br> Two examples:<br>
<br> <br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>  <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>    <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer <blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
</blockquote> </blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br> <b>Example 2</b>-- What if your current configuration is like
this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq <blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br> to:<br>
</blockquote> </blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request (ping)     Version 1.3.14 also introduced simplified ICMP echo-request
handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be used is used to specify that the old (pre-1.3.14) ping handling is to be
(If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes used (If the option is not set in your /etc/shorewall/shorewall.conf
is assumed). I don't plan on supporting the old handling indefinitely so then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
I urge current users to migrate to using the new handling as soon as possible. old handling indefinitely so I urge current users to migrate to using
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br> the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br> to version 1.3.10, you will need to use the '--force' option:<br>
<br> <br>
<blockquote> <blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.9</h3> <h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your application If you have an application that uses functions from that file, your
will need to be changed to reflect this change of location.<br> application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3> <h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8, versions &gt;= 1.3.8. Beginning with version
you must set NEWNOTSYN=Yes in your 1.3.8, you must set NEWNOTSYN=Yes in
/etc/shorewall/shorewall.conf file.</p> your /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules will need to include the following
in their /etc/shorewall/icmpdef file (creating rules in their /etc/shorewall/icmpdef
this file if necessary):</p> file (creating this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to <h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3> Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version <p>To properly upgrade with Shorewall version
1.3.3 and later:</p> 1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a backup <li>Be sure you have a backup
-- you will need to transcribe any Shorewall -- you will need to transcribe any
configuration changes that you have Shorewall configuration changes that
made to the new configuration.</li> you have made to the new configuration.</li>
<li>Replace the shorwall.lrp <li>Replace the shorwall.lrp
package provided on the Bering floppy package provided on the Bering floppy
with the later one. If you did not obtain with the later one. If you did not
the later version from Jacques's site, obtain the later version from Jacques's
see additional instructions below.</li> site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not forget entry if present. Then do not forget
to backup root.lrp !</li> to backup root.lrp !</li>
</ol> </ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add for setting up a two-interface firewall</a> plus you also need
the following two Bering-specific rules to /etc/shorewall/rules:</p> to add the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre> <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote> </blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3> <h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 your firewall setup slightly under Shorewall versions
and 1.3.7</p> 1.3.6 and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN <font face="Courier">run_iptables -A newnotsyn
# So that the connection tracking table can be rebuilt<br> -j RETURN # So that the connection tracking table can be
                                    # from non-SYN rebuilt<br>
packets after takeover.<br>                                     # from non-SYN
 </font> </p> packets after takeover.<br>
</li>  </font> </p>
<li> </li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p tcp <font face="Courier">run_iptables -A common -p
--tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to
connection<br> rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
</li> </li>
</ol> </ol>
<h3 align="left">Versions &gt;= 1.3.5</h3> <h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no <p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p> longer supported. </p>
<p align="left">Example 1:</p> <p align="left">Example 1:</p>
<div align="left"> <div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre> <pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div> </div>
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
<div align="left"> <div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre> <pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example 2:</p> <p align="left">Example 2:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre> <pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre> <pre> REDIRECT loc 3128 tcp 80</pre>
</div> </div>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the <p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those applications If you have applications that access these files, those
should be modified accordingly.</p> applications should be modified accordingly.</p>
<p><font size="2"> Last updated 3/6/2003 - <p><font size="2"> Last updated 3/18/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br>
<br>
<br>
<br> <br>
<br> <br>
<br> <br>
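Review bot: the one change on this page that loosens filtering is easy to miss: the 1.4.1 section says traffic between groups in the same zone is now accepted unless there are explicit Z to Z rules or an explicit Z to Z policy, and item 3 of the numbered list admits that a site relying on an `all` policy (an `all all DROP`, say) to keep two interfaces in one zone apart is open after the upgrade. Put that item first and in bold, and show the line to add (`Z Z DROP` or `Z Z REJECT` in /etc/shorewall/policy, with Z the zone's name); every other 1.4.x item on the page only removes an option or moves a file. The section also tells users to run `shorewall check` to see the groups in each zone, which is what they will use to confirm the new policy took effect. Smaller points in the added text: "The secont Zone" in both zones-file examples, "a implicit policy", "asymetric", "polciy", and the NONE policy example nests a `<pre>` inside another `<pre>`; drop the inner pair. The repeated `<li value="6">` attributes in the 1.4.0 list make items 6 through 9 all display as 6, and the `<li value="8">` in the new "Version 1.4.0" section sits inside a `<ul>`, where value has no effect.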

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.0 VERSION=1.4.1
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -672,6 +672,7 @@ validate_policy()
print_policy() # $1 = source zone, $2 = destination zone print_policy() # $1 = source zone, $2 = destination zone
{ {
[ $command != check ] || \ [ $command != check ] || \
[ $1 = $2 ] || \
[ $1 = all ] || \ [ $1 = all ] || \
[ $2 = all ] || \ [ $2 = all ] || \
echo " Policy for $1 to $2 is $policy" echo " Policy for $1 to $2 is $policy"
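Review bot: the new '[ $1 = $2 ] || \' guard makes print_policy skip every same-zone pair, so an explicit 'loc loc ACCEPT' line written by the user vanishes from the 'shorewall check' output instead of being reported. Skipping is right for the pairs that validate_policy synthesizes from 'all', but since this release states that intrazone policies are no longer allowed, an explicit same-zone entry should produce a startup_error in validate_policy rather than be hidden here. The unquoted test is consistent with its neighbours and is safe only because $1 and $2 are always non-empty zone names.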
@ -708,7 +709,7 @@ validate_policy()
esac esac
case $policy in case $policy in
ACCEPT|REJECT|DROP|CONTINUE) ACCEPT|REJECT|DROP|CONTINUE|NONE)
;; ;;
*) *)
startup_error "Invalid policy $policy" startup_error "Invalid policy $policy"
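Review bot: NONE is accepted as a policy name here, but none of the validate_policy hunks rejects a policy whose SOURCE equals its DEST, even though the release notes in this commit say intrazone policies are no longer allowed. Unless that check lives in lines not shown, add it beside this case statement, for example [ "$client" = "$server" -a "$client" != all ] && startup_error "Intra-zone policy not permitted: $client $server" (the next hunk already uses $client and $server for the two columns). Rejecting it here also stops a stray 'loc loc NONE' from recording loc2loc_policy=NONE, which would make the rewritten activate_rules loop skip the zone's own traffic instead of accepting it.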
@ -728,7 +729,7 @@ validate_policy()
chain=${client}2${server} chain=${client}2${server}
all_policy_chains="$all_policy_chains $chain" [ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
eval ${chain}_is_policy=Yes eval ${chain}_is_policy=Yes
eval ${chain}_policy=$policy eval ${chain}_policy=$policy
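Review bot: a NONE pair is left out of all_policy_chains, so its chain is never created, but the next two lines still record ${chain}_is_policy=Yes and ${chain}_policy=NONE. Any code that takes _is_policy=Yes to mean the chain exists (for instance where the final jump from a rules chain to its policy chain is appended) will now reference a chain that was never built. Either skip all three assignments for NONE, or audit every reader of _is_policy and _policy for the NONE case.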
@ -743,6 +744,7 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${zone}2${zone1}_policychain=$chain eval ${zone}2${zone1}_policychain=$chain
eval ${zone}2${zone1}_policy=$policy
print_policy $zone $zone1 print_policy $zone $zone1
fi fi
done done
@ -753,6 +755,7 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${zone}2${server}_policychain=$chain eval ${zone}2${server}_policychain=$chain
eval ${zone}2${server}_policy=$policy
print_policy $zone $server print_policy $zone $server
fi fi
done done
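Review bot: this loop (and the two like it before and after it) records ${zone}2${server}_policy for every implicit pair, including the pair of a zone with itself, so a policy such as 'all loc NONE' also sets loc2loc_policy=NONE, and the activate_rules change in this commit then skips loc's own forwarding rules entirely. That contradicts the 'intra-zone traffic is always accepted' change in the same release. Either skip the same-zone case in these loops, as print_policy now does, or force the recorded policy to ACCEPT when the two zones are equal.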
@ -763,6 +766,7 @@ validate_policy()
if [ -z "$pc" ]; then if [ -z "$pc" ]; then
eval ${client}2${zone}_policychain=$chain eval ${client}2${zone}_policychain=$chain
eval ${client}2${zone}_policy=$policy
print_policy $client $zone print_policy $client $zone
fi fi
done done
@ -1438,7 +1442,7 @@ delete_nat() {
# #
setup_ecn() # $1 = file name setup_ecn() # $1 = file name
{ {
local interfaces local interfaces=""
local hosts local hosts
local h local h
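Review bot: initialising interfaces to "" fixes the ash behaviour where 'local name' without an assignment keeps whatever value the name already had, which is the cause of the duplicated ECN interface list. 'local hosts' and 'local h' on the next two lines are declared the same way; if either is built by appending (hosts="$hosts ...") it has the identical problem under ash, so give them the same "" initialiser even if they happen to be assigned before first use today.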
@ -2151,7 +2155,7 @@ process_rule() # $1 = target
else else
serverport= serverport=
[ -z "$serverzone" -o -z "$servers" ] && \ [ -z "$serverzone" -o -z "$servers" ] && \
startup_error "Empty destination zone or qualifier: rule \"$rule\"" fatal_error "Empty destination zone or qualifier: rule \"$rule\""
fi fi
fi fi
@ -2165,6 +2169,11 @@ process_rule() # $1 = target
chain=${source}2${dest} chain=${source}2${dest}
eval policy=\$${chain}_policy
[ $policy = NONE ] && \
fatal_error "Rules may not override a NONE policy: rule \"$rule\""
[ $command = check ] || ensurechain $chain [ $command = check ] || ensurechain $chain
if [ "x$chain" = x${FW}2${FW} ]; then if [ "x$chain" = x${FW}2${FW} ]; then
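Review bot: '[ $policy = NONE ]' is unquoted, so if ${chain}_policy was never set for this source/dest pair the test expands to '[ = NONE ]' and the script aborts with a test syntax error instead of a readable message; write it as [ "$policy" = NONE ], which is the form the activate_rules hunk below already uses. The fatal_error message would also be more useful if it named the policy entry that made the pair NONE, since ${chain}_policy is not something the user can see in the rule itself.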
@ -2683,6 +2692,8 @@ rules_chain() # $1 = source zone, $2 = destination zone
havechain $chain && { echo $chain; return; } havechain $chain && { echo $chain; return; }
[ "$1" = "$2" ] && { echo ACCEPT; return; }
eval chain=\$${chain}_policychain eval chain=\$${chain}_policychain
[ -n "$chain" ] && { echo $chain; return; } [ -n "$chain" ] && { echo $chain; return; }
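Review bot: the new same-zone shortcut sits after 'havechain $chain', so if a loc2loc rules chain exists it is returned in preference to ACCEPT. The process_rule hunk above still calls ensurechain for whatever ${source}2${dest} a rule names, and nothing shown rejects a rule whose source and dest are the same zone, so a leftover intrazone rule in /etc/shorewall/rules would quietly put that zone's own traffic back under rule and policy processing, contrary to 'intra-zone traffic is always accepted'. Either move the [ "$1" = "$2" ] test above havechain, or make process_rule fail on same-zone rules as the release notes promise.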
@ -3670,41 +3681,27 @@ activate_rules()
done done
for zone1 in $zones; do for zone1 in $zones; do
eval policy=\$${zone}2${zone1}_policy
[ "$policy" = NONE ] && continue
eval dest_hosts=\$${zone1}_hosts eval dest_hosts=\$${zone1}_hosts
chain="`rules_chain $zone $zone1`" chain="`rules_chain $zone $zone1`"
echo "$zone $zone1 $chain" >> ${STATEDIR}/chains echo "$zone $zone1 $chain" >> ${STATEDIR}/chains
if havechain ${zone}2${zone1} || havechain ${zone1}2${zone}; then
have_canonical=Yes
else
have_canonical=
fi
for host in $source_hosts; do for host in $source_hosts; do
interface=${host%:*} interface=${host%:*}
subnet=${host#*:} subnet=${host#*:}
chain1=`forward_chain $interface` chain1=`forward_chain $interface`
if [ -n "$have_canonical" ]; then
bounce=yes
else
case $interface in
*+*)
bounce=yes
;;
*)
bounce=
;;
esac
fi
for host1 in $dest_hosts; do for host1 in $dest_hosts; do
interface1=${host1%:*} interface1=${host1%:*}
subnet1=${host1#*:} subnet1=${host1#*:}
if [ $interface != $interface1 -o -n "$bounce" ]; then if [ "$host" != "$host1" ]; then
run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain run_iptables -A $chain1 -s $subnet -o $interface1 -d $subnet1 -j $chain
fi fi
done done
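Review bot: with rules_chain now answering ACCEPT for a zone to itself, the line echo "$zone $zone1 $chain" >> ${STATEDIR}/chains writes 'loc loc ACCEPT' into the chains file, whose third column was previously always a chain name (rules_chain returned either an existing rules chain or a policy chain); check that every consumer of that file tolerates ACCEPT there. The NONE 'continue' runs before that write, so NONE pairs are absent from the chains file, which the same consumers must also accept. Two points on the simplified loop: [ "$host" != "$host1" ] is a plain string comparison, so if the hosts file accepts both prefix-length and dotted-netmask spellings of a subnet, two spellings of the same interface:subnet are treated as different hosts and get a rule to themselves, the very thing release note (b) says no longer happens. And dropping the bounce/have_canonical logic means each interface's forward chain now receives one rule per ordered pair of distinct host entries, including rules back out the same interface; that is the intent of (b) and (c), but it changes what gets matched for existing multi-subnet setups and deserves a line in upgrade_issues.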

View File

@ -1,10 +1,17 @@
# #
# Shorewall 1.4 - /etc/shorewall/hosts # Shorewall 1.4 - /etc/shorewall/hosts
# #
# WARNING: 90% of Shorewall users don't need to add entries to this # THERE ARE TWO CASES WHERE YOU NEED THIS FILE:
# file and 80% of those who try to add such entries get it #
# wrong. Unless you are ABSOLUTELY SURE that you need entries # 1) YOU HAVE MULTIPLE NETWORKS IN THE SAME ZONE CONNECTED TO
# in this file, don't touch it! # A SINGLE INTERFACE AND YOU WANT THE SHOREWALL BOX TO ROUTE
# BETWEEN THESE NETWORKS.
#
# 2) YOU HAVE MORE THAN ONE ZONE CONNECTED THROUGH A SINGLE
# INTERFACE.
#
# IF YOU DON'T HAVE EITHER OF THESE SITUATIONS THEN DON'T TOUCH
# THIS FILE.
# #
# This file is used to define zones in terms of subnets and/or # This file is used to define zones in terms of subnets and/or
# individual IP addresses. Most simple setups don't need to # individual IP addresses. Most simple setups don't need to

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.0 VERSION=1.4.1
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -22,7 +22,26 @@
# Shorewall will not start! # Shorewall will not start!
# #
# POLICY Policy if no match from the rules file is found. Must # POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE" # be "ACCEPT", "DROP", "REJECT", "CONTINUE" or "NONE".
#
# ACCEPT - Accept the connection
# DROP - Ignore the connection request
# REJECT - For TCP, send RST. For all other, send
# "port unreachable" ICMP.
# CONTINUE - Pass the connection request past
# any other rules that it might also
# match (where the source or destination
# zone in those rules is a superset of
# the SOURCE or DEST in this policy).
# NONE - Assume that there will never be any
# packets from this SOURCE
# to this DEST. Shorewall will not set up
# any infrastructure to handle such
# packets and you may not have any rules
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined.
# #
# LOG LEVEL If supplied, each connection handled under the default # LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no # POLICY is logged at that level. If not supplied, no
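Review bot: 'If such a packet _is_ received, the result is undefined' is not something an administrator can act on. From the firewall script changes in this commit the actual behaviour is that no zone-pair rule is generated for the pair, so such a packet falls through to whatever the interface's forward chain does when nothing matches. Say that, and say plainly that NONE is an optimisation for pairs that cannot exchange traffic (for example two zones on different interfaces with no route between them), not a way to block traffic; DROP or REJECT remain the right choices for blocking. This header should also record that a policy whose SOURCE equals its DEST is no longer accepted, since the release notes announce it and nothing else in the policy file says so.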

View File

@ -1,94 +1,19 @@
This is a major release of Shorewall. This is a minor release of Shorewall.
Function from 1.3 that has been omitted from this version includes: This release introduces incompatibilities with prior releases. See
http://www.shorewall.net/upgrade_issues.htm.
1) The MERGE_HOSTS variable in shorewall.conf is no longer Changes are:
supported. Shorewall 1.4 behavior is the same as 1.3 with
MERGE_HOSTS=Yes.
2) Interface names of the form <device>:<integer> in a) There is now a new NONE policy specifiable in
/etc/shorewall/interfaces now generate an error. /etc/shorewall/policy. This policy will cause Shorewall to assume that
there will never be any traffic between the source and destination
zones.
3) Shorewall 1.4 implements behavior consistent with b) Shorewall no longer creates rules to govern traffic from an
OLD_PING_HANDLING=No. OLD_PING_HANDLING=Yes will generate an error interface:subnet to itself.
at startup as will specification of the 'noping' or 'filterping'
interface options.
4) The 'routestopped' option in the /etc/shorewall/interfaces and
/etc/shorewall/hosts files is no longer supported and will generate
an error at startup if specified.
5) The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted.
6) The ALLOWRELATED variable in shorewall.conf is no longer
supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.
7) The 'multi' interface option is no longer supported. Shorewall will
generate rules for sending packets back out the same interface
that they arrived on in two cases:
a) There is an _explicit_ policy for the source zone to the
destination zone. An explicit policy names both zones and does not
use the 'all' reserved word.
b) There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all'
reserved word. Exception: If the source and the destination are
the same zone then the rule must be explicit - it must name the zone
in both the SOURCE and DESTINATION columns.
Changes for 1.4 include:
1) shorewall.conf has been completely reorganized into logical
sections.
2) LOG is now a valid action for a rule (/etc/shorewall/rules).
3) The firewall script and version file are now installed in
/usr/share/shorewall.
4. Late arriving DNS replies are now silently dropped in the common
chain by default.
5) In addition to behaving like OLD_PING_HANDLING=No, Shorewall 1.4 no
longer unconditionally accepts outbound ICMP packets. So if you want
to 'ping' from the firewall, you will need the appropriate rule or
policy.
6) CONTINUE is now a valid action for a rule (/etc/shorewall/rules).
7) 802.11b devices with names of the form wlan<n> now support the
'maclist' option.
8) IMPORTANT: Shorewall now REQUIRES the iproute package ('ip'
utility).
9) Explicit Congestion Notification (ECN - RFC 3168) may now be turned
off on a host or network basis using the new /etc/shorewall/ecn
file. To use this facility:
a) You must be running kernel 2.4.20
b) You must have applied the patch in
http://www.shorewall/net/pub/shorewall/ecn/patch.
c) You must have iptables 1.2.7a installed.
10) The /etc/shorewall/params file is now processed first so that
variables may be used in the /etc/shorewall/shorewall.conf file.
11) Packets with state INVALID are now silently dropped.
12) Shorewall now gives a more helpful diagnostic when the 'ipchains'
compatibility kernel module is loaded and a 'shorewall start'
command is issued.
13) The SHARED_DIR variable has been removed from shorewall.conf. This
variable was for use by package maintainers and was not documented
for general use.
14) Shorewall now ignores 'default' routes when detecting masq'd
networks.
c) Intra-zone traffic is always accepted now (exception is (b)
above).. Intrazone policies and rules are no longer allowed.
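Review bot: item (c) reads 'Intra-zone traffic is always accepted now (exception is (b) above)..' with a doubled full stop, and (b) is not an exception to acceptance, it is the case where no rule is needed at all; reword as 'Intra-zone traffic is now always accepted; no rules are generated for traffic from an interface:subnet to itself (see (b)).' The same item should tell users what happens to an existing 'loc loc ACCEPT' policy or an intrazone rule after upgrading, since a configuration that started on 1.4.0 may stop starting on 1.4.1; whether that is a startup error or a silent ignore is not obvious from the script hunks, and it is the one incompatibility the opening sentence refers to, so it belongs on the upgrade_issues page the sentence links to. Item (a) could add one sentence on when NONE is appropriate, matching the policy file header.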

View File

@ -15,7 +15,8 @@
# Columns are: # Columns are:
# #
# #
# ACTION ACCEPT, DROP, REJECT, DNAT or REDIRECT # ACTION ACCEPT, DROP, REJECT, DNAT, DNAT-, REDIRECT, CONTINUE
# or LOG.
# #
# ACCEPT -- allow the connection request # ACCEPT -- allow the connection request
# DROP -- ignore the request # DROP -- ignore the request
@ -39,6 +40,7 @@
# connection request will be passed # connection request will be passed
# to the rules defined for that # to the rules defined for that
# (those) zone(s). # (those) zone(s).
# LOG -- Simply log the packet and continue.
# #
# May optionally be followed by ":" and a syslog log # May optionally be followed by ":" and a syslog log
# level (e.g, REJECT:info). This causes the packet to be # level (e.g, REJECT:info). This causes the packet to be
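Review bot: 'LOG -- Simply log the packet and continue.' does not say which syslog level a bare LOG uses, and the following sentence describes ':level' as optional for every action; for LOG the level is the whole point, so either state the default level or say that LOG must be written as LOG:level. The ACTION line also now lists DNAT- and CONTINUE; make sure each has an entry in the per-action list between these two hunks (only ACCEPT, DROP and LOG are visible here).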

View File

@ -1,5 +1,5 @@
%define name shorewall %define name shorewall
%define version 1.4.0 %define version 1.4.1
%define release 1 %define release 1
%define prefix /usr %define prefix /usr
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Fri Mar 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.1-1
* Mon Mar 17 2003 Tom Eastep <tom@shorewall.net> * Mon Mar 17 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.0-1 - Changed version to 1.4.0-1
* Fri Mar 07 2003 Tom Eastep <tom@shorewall.net> * Fri Mar 07 2003 Tom Eastep <tom@shorewall.net>

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.0 VERSION=1.4.1
usage() # $1 = exit status usage() # $1 = exit status
{ {

File diff suppressed because it is too large

View File

@ -13,183 +13,155 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%" style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90"> id="AutoNumber1" bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1> <h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
<h2>Background</h2> <h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i> which The traditional net-tools contain a program called <i>ifconfig</i> which
is used to configure network devices. ifconfig introduced the concept of is used to configure network devices. ifconfig introduced the concept of
<i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces have
names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and ifconfig
treats them more or less like real interfaces.<br> treats them more or less like real interfaces.<br>
<br> <br>
Example:<br> Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the <i>ip</i> The ifconfig utility is being gradually phased out in favor of the <i>ip</i>
utility which is part of the <i>iproute </i>package. The ip utility does utility which is part of the <i>iproute </i>package. The ip utility does
not use the concept of aliases or virtual interfaces but rather treats additional not use the concept of aliases or virtual interfaces but rather treats additional
addresses on an interface as addresses. The ip utility does provide for interaction addresses on an interface as objects. The ip utility does provide for interaction
with ifconfig in that it allows addresses to be <i>labeled.</i> <br> with ifconfig in that it allows addresses to be <i>labeled </i>and labels
<br> may take the form of ipconfig virtual interfaces.<br>
Example:<br> <br>
<br> Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre> <pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0"<br> Note that one <u>cannot</u> type "ip addr show dev eth0:0" because "eth0:0"
is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre> <pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either it's The iptables program doesn't support virtual interfaces in either it's
"-i" or "-o" command options; as a consequence, Shorewall does not allow "-i" or "-o" command options; as a consequence, Shorewall does not allow
them to be used in the /etc/shorewall/interfaces file.<br> them to be used in the /etc/shorewall/interfaces file.<br>
<br> <br>
<h2>So how do I handle more than one address on an interface?</h2> <h2>So how do I handle more than one address on an interface?</h2>
Depends on what you are trying to do with the interfaces. In the sub-sections The answer depends on what you are trying to do with the interfaces.
that follow, we'll take a look at common scenarios.<br> In the sub-sections that follow, we'll take a look at common scenarios.<br>
<h3>Separate Rules</h3> <h3>Separate Rules</h3>
If you need to make a rule for traffic to/from the firewall itself only If you need to make a rule for traffic to/from the firewall itself that
apply to a particular IP address, simply qualify the $FW zone with the IP only applies to a particular IP address, simply qualify the $FW zone with
address.<br> the IP address.<br>
<br> <br>
Example (allow SSH from net to eth0:0 above):<br> Example (allow SSH from net to eth0:0 above):<br>
<br> <br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">DNAT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">fw:206.124.146.178<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top">net<br> <td valign="top"><br>
</td> </td>
<td valign="top">fw:206.124.146.178<br> </tr>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>DNAT</h3> <h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at 192.168.1.3. from that virtual interface to a web server running in my local zone at
That is accomplised by a single rule in the /etc/shorewall/rules file:<br> 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
<br> file:<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">DNAT<br> <td valign="top">DNAT<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">loc:192.168.1.3<br> <td valign="top">loc:192.168.1.3<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>SNAT</h3> <h3>SNAT</h3>
If you wanted to use eth0:0 as the IP address for outbound connections If you wanted to use eth0:0 as the IP address for outbound connections
from your local zone (eth1), then in /etc/shorewall/masq:<br> from your local zone (eth1), then in /etc/shorewall/masq:<br>
<br> <br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>SUBNET<br>
</b></td>
<td valign="top"><b>ADDRESS<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">206.124.146.178<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
1.3.14, Shorewall can actually create the "label" (virtual interface) so
that you can see the created address using ifconfig. In addition to setting
ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
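Review bot: new text in the Background section says labels 'may take the form of ipconfig virtual interfaces'; that should be ifconfig (ipconfig is the Windows utility). While in this section, 'virtial' should be 'virtual', 'accomplised' should be 'accomplished', and "either it's '-i' or '-o'" should be 'its'. More important, the 'Separate Rules' example, introduced as allowing SSH from net to the firewall's own eth0:0 address, uses the action DNAT with destination fw:206.124.146.178; a rule to the firewall itself should be ACCEPT (DNAT is the port-forwarding action and is shown correctly in the next section), otherwise readers copying the table get a NAT rule for traffic that needs none.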
@ -203,7 +175,7 @@ column as follows:<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">eth0:0<br> <td valign="top">eth0<br>
</td> </td>
<td valign="top">eth1<br> <td valign="top">eth1<br>
</td> </td>
@ -215,51 +187,42 @@ column as follows:<br>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set
<h3>STATIC NAT</h3> ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3, 1.3.14, Shorewall can actually create the "label" (virtual interface) so
you would have the following in /etc/shorewall/nat:<br> that you can see the created address using ifconfig. In addition to setting
<br> ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>EXTERNAL<br> <td valign="top"><b>INTERFACE<br>
</b></td> </b></td>
<td valign="top"><b>INTERFACE<br> <td valign="top"><b>SUBNET<br>
</b></td> </b></td>
<td valign="top"><b>INTERNAL<br> <td valign="top"><b>ADDRESS<br>
</b></td> </b></td>
<td valign="top"><b>ALL INTERFACES<br> </tr>
</b></td> <tr>
<td valign="top"><b>LOCAL<br> <td valign="top">eth0:0<br>
</b></td> </td>
</tr> <td valign="top">eth1<br>
<tr> </td>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
<td valign="top">eth0<br> </tr>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
Shorewall can create the alias (additional address) for you if you set
ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall <h3>STATIC NAT</h3>
1.3.14, Shorewall can actually create the "label" (virtual interface) so If you wanted to use static NAT to link eth0:0 with local address 192.168.1.3,
that you can see the created address using ifconfig. In addition to setting you would have the following in /etc/shorewall/nat:<br>
ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE <br>
column as follows:<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
@ -279,7 +242,7 @@ column as follows:<br>
<tr> <tr>
<td valign="top">206.124.146.178<br> <td valign="top">206.124.146.178<br>
</td> </td>
<td valign="top">eth0:0<br> <td valign="top">eth0<br>
</td> </td>
<td valign="top">192.168.1.3<br> <td valign="top">192.168.1.3<br>
</td> </td>
@ -292,184 +255,114 @@ column as follows:<br>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
In either case, to create rules that pertain only to this NAT pair, you Shorewall can create the alias (additional address) for you if you set
simply qualify the local zone with the internal IP address.<br> ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with Shorewall
<br> 1.3.14, Shorewall can actually create the "label" (virtual interface) so
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a. 192.168.1.3.<br> that you can see the created address using ifconfig. In addition to setting
<br> ADD_IP_ALIASES=Yes, you specify the virtual interface name in the INTERFACE
column as follows:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>EXTERNAL<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>INTERNAL<br>
</b></td>
<td valign="top"><b>ALL INTERFACES<br>
</b></td>
<td valign="top"><b>LOCAL<br>
</b></td>
</tr>
<tr>
<td valign="top">206.124.146.178<br>
</td>
<td valign="top">eth0:0<br>
</td>
<td valign="top">192.168.1.3<br>
</td>
<td valign="top">no<br>
</td>
<td valign="top">no<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair, you
simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
<br>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top"><b>ACTION<br> <td valign="top"><b>ACTION<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE<br> <td valign="top"><b>SOURCE<br>
</b></td> </b></td>
<td valign="top"><b>DESTINATION<br> <td valign="top"><b>DESTINATION<br>
</b></td> </b></td>
<td valign="top"><b>PROTOCOL<br> <td valign="top"><b>PROTOCOL<br>
</b></td> </b></td>
<td valign="top"><b>PORT(S)<br> <td valign="top"><b>PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>SOURCE PORT(S)<br> <td valign="top"><b>SOURCE PORT(S)<br>
</b></td> </b></td>
<td valign="top"><b>ORIGINAL DESTINATION<br> <td valign="top"><b>ORIGINAL DESTINATION<br>
</b></td> </b></td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top">net<br> <td valign="top"><br>
</td> </td>
<td valign="top">loc:192.168.1.3<br> </tr>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">22<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote> </blockquote>
<h3>MULTIPLE SUBNETS</h3> <h3>MULTIPLE SUBNETS</h3>
Sometimes multiple IP addresses are used because there are multiple subnetworks Sometimes multiple IP addresses are used because there are multiple subnetworks
configured on a LAN segment. This technique does not provide for any security configured on a LAN segment. This technique does not provide for any security
between the subnetworks if the users of the systems have administrative privileges between the subnetworks if the users of the systems have administrative
because in that case, the users can simply manipulate their system's routing privileges because in that case, the users can simply manipulate their system's
table to bypass your firewall/router. Nevertheless, there are cases where routing table to bypass your firewall/router. Nevertheless, there are cases
you simply want to consider the LAN segment itself as a zone and allow your where you simply want to consider the LAN segment itself as a zone and allow
firewall/router to route between the two subnetworks.<br> your firewall/router to route between the two subnetworks.<br>
<br> <br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and eth1:0
is 192.168.20.254. You want to simply route all requests between the two is 192.168.20.254. You want to simply route all requests between the two
subnetworks.<br> subnetworks.<br>
<br>
In /etc/shorewall/interfaces:<br>
<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr> <tr>
<td valign="top"><b>ZONE<br> <td valign="top"><b>ZONE<br>
</b></td> </b></td>
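Review bot: in this hunk Example 2 (the loc/loc2 split with a /etc/shorewall/zones table) appears only in the old column; the new column goes from Example 1 straight into the 'If you are running Shorewall 1.4.1 or Later' subsection. If Example 2 was moved further down, fine; if it was dropped, the paragraph above that says the single-zone approach gives no security when users have administrative privileges now has no worked alternative, and the hosts file header added in this commit lists exactly that case (more than one zone on a single interface) as reason 2 for using the file.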
@ -487,18 +380,54 @@ privileges).<br>
</td> </td>
<td valign="top">192.168.1.255,192.168.20.255<br> <td valign="top">192.168.1.255,192.168.20.255<br>
</td> </td>
<td valign="top">Note 1:<br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note that you do NOT need any entry in /etc/shorewall/policy as Shorewall
1.4.1 and later releases default to allowing intra-zone traffic.<br>
<h4>If you are running Shorewall 1.4.0 or earlier<br>
</h4>
In /etc/shorewall/interfaces:<br>
<br> <br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must specify
the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote> <blockquote>
<table cellpadding="2" cellspacing="0" border="1"> <table cellpadding="2" cellspacing="0" border="1">
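Review bot: the hosts rows added in this hunk (`eth0:192.168.1.0/24` and `eth0:192.168.20.0/24`) name eth0, but the example is about eth1 (the interfaces row above them lists the eth1 broadcast addresses 192.168.1.255,192.168.20.255), so as written the two subnets would be placed in zone loc on the wrong interface; change them to `eth1:192.168.1.0/24` and `eth1:192.168.20.0/24`. The new sentence "you do NOT need any entry in /etc/shorewall/policy" should also carry the qualification given on the upgrade-issues page: the 1.4.1 default intra-zone ACCEPT applies only when there is neither an explicit loc loc policy nor any loc-to-loc rule, so adding a single loc-to-loc rule later silently reinstates the old policy-driven behaviour.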
@ -506,7 +435,9 @@ privileges).<br>
<tr> <tr>
<td valign="top"><b>ZONE<br> <td valign="top"><b>ZONE<br>
</b></td> </b></td>
<td valign="top"><b>HOSTS<br> <td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td> </b></td>
<td valign="top"><b>OPTIONS<br> <td valign="top"><b>OPTIONS<br>
</b></td> </b></td>
@ -514,15 +445,47 @@ privileges).<br>
<tr> <tr>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.1.0/24<br> <td valign="top">eth1<br>
</td> </td>
<td valign="top"><br> <td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td> </td>
</tr> </tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/policy:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr> <tr>
<td valign="top">loc2<br> <td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST:LIMIT<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td> </td>
<td valign="top">eth0:192.168.20.0/24<br> <td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
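Review bot: "Note 1" under the heading "If you are running Shorewall 1.4.0 or earlier" only covers 1.3.10 and earlier (where `multi` must be specified); since the same commit's upgrade-issues text says the `multi` option is no longer supported in 1.4.0, the note should cover the whole range the heading promises, i.e. that on 1.4.0 the option must be removed from the interfaces entry. It would also help to say why the `loc loc ACCEPT` policy row is needed here: on 1.4.0 Shorewall only generates rules to send packets back out the same interface when there is an explicit policy (or explicit rules) for the zone pair, so without that row the two subnets cannot reach each other through the firewall.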
@ -530,20 +493,129 @@ privileges).<br>
</tbody> </tbody>
</table> </table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the access
between them (the users of the systems do not have administrative privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br> <br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic that
you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/5/2003 A - <a <blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>DISPLAY<br>
</b></td>
<td valign="top"><b>DESCRIPTION<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">Local<br>
</td>
<td valign="top">Local Zone 1<br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">Local2<br>
</td>
<td valign="top">Local Zone 2<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/interfaces:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>BROADCAST<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">-<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">192.168.1.255,192.168.20.255<br>
</td>
<td valign="top">Note 1:<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
Note 1: If you are running Shorewall 1.3.10 or earlier then you must
specify the <b>multi</b> option.<br>
<br>
In /etc/shorewall/hosts:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>ZONE<br>
</b></td>
<td valign="top"><b>HOSTS<br>
</b></td>
<td valign="top"><b>OPTIONS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth0:192.168.1.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">loc2<br>
</td>
<td valign="top">eth0:192.168.20.0/24<br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
In /etc/shorewall/rules, simply specify ACCEPT rules for the traffic
that you want to permit.<br>
<br>
<p align="left"><font size="2">Last Updated 3/22/2003 A - <a
href="support.htm">Tom Eastep</a></font></p> href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br> <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> <br>
</p> </p>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>
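Review bot: Example 2 exists to control access between loc and loc2, but the new content shows zones, interfaces and hosts tables and then jumps to "simply specify ACCEPT rules" without any policy entries, so whether loc-to-loc2 traffic is denied by default depends on a catch-all policy the reader never sees; add a policy table with explicit `loc loc2 DROP` and `loc2 loc DROP` (or REJECT) rows with a log level, or at least state the assumed `all all` policy, before the sentence about /etc/shorewall/rules. The hosts rows for Example 2 again pair the subnets with eth0 (`eth0:192.168.1.0/24`, `eth0:192.168.20.0/24`) although the example's interface is eth1 (eth1:0 is the alias carrying 192.168.20.254); they should read eth1.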

View File

@ -17,7 +17,7 @@
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
@ -28,11 +28,11 @@
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
height="90"> height="90">
@ -49,18 +49,18 @@
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><a </a></i></font><a
href="http://www.shorewall.net" target="_top"><img border="1" href="http://www.shorewall.net" target="_top"><img border="1"
src="images/shorewall.jpg" width="119" height="38" hspace="4" src="images/shorewall.jpg" width="119" height="38" hspace="4"
alt="(Shorewall Logo)" align="right" vspace="4"> alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<small><small><small><small><a <small><small><small><small><a
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small><big></big> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center"> <div align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font <h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1> color="#ffffff"> <small><small><small>"iptables made easy" </small></small></small></font></i></h1>
</div> </div>
@ -80,13 +80,14 @@
<div align="center"><a href="1.3" target="_top"><font <div align="center"><a href="1.3" target="_top"><font
color="#ffffff">Shorewall 1.3 Site is here</font></a>                   color="#ffffff">Shorewall 1.3 Site is here</font></a>
            <br> <br>
</div> </div>
</td> </td>
</tr>
</tr>
@ -107,11 +108,12 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%">
<td width="90%">
@ -155,25 +157,25 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free 2 of the GNU General Public License</a> as published by the Free
Software Foundation.<br> Software Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied WITHOUT ANY WARRANTY; without even the implied
warranty of MERCHANTABILITY or FITNESS FOR warranty of MERCHANTABILITY or FITNESS FOR
A PARTICULAR PURPOSE. See the GNU General Public License A PARTICULAR PURPOSE. See the GNU General Public
for more details.<br> License for more details.<br>
<br> <br>
You should have received You should have received
a copy of the GNU General Public License a copy of the GNU General Public License
along with this program; if not, write along with this program; if not, write
to the Free Software Foundation, Inc., 675 to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p> Mass Ave, Cambridge, MA 02139, USA</p>
@ -206,14 +208,14 @@ Software Foundation.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
</a>Jacques Nilo </a>Jacques
and Eric Wolzak have a LEAF (router/firewall/gateway Nilo and Eric Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features called <i>Bering</i> that features
Shorewall-1.3.14 and Kernel-2.4.20. You can find Shorewall-1.3.14 and Kernel-2.4.20. You can find
their work at: <a their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
@ -223,7 +225,7 @@ Software Foundation.<br>
<p><b>Congratulations to Jacques and Eric on the recent release of <p><b>Congratulations to Jacques and Eric on the recent release of
Bering 1.1!!! </b><br> Bering 1.1!!! </b><br>
</p> </p>
<h2>This is a mirror of the main Shorewall web site at SourceForge <h2>This is a mirror of the main Shorewall web site at SourceForge
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2> (<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
@ -232,58 +234,67 @@ Bering 1.1!!! </b><br>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img <p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><b> </b></p> </b></p>
This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0 This release follows up on 1.4.0. It corrects a problem introduced in 1.4.0
and removes additional warts.<br> and removes additional warts.<br>
<br> <br>
<b>Problems Corrected:</b><br> <b>Problems Corrected:</b><br>
<ol> <ol>
<li>When Shorewall 1.4.0 is run under the ash shell (such as on Bering/LEAF), <li>When Shorewall 1.4.0 is run under the ash shell (such as on
it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn Bering/LEAF), it can attempt to add ECN disabling rules even if the /etc/shorewall/ecn
file is empty. That problem has been corrected so that ECN disabling rules file is empty. That problem has been corrected so that ECN disabling rules
are only added if there are entries in /etc/shorewall/ecn.</li> are only added if there are entries in /etc/shorewall/ecn.</li>
</ol> </ol>
<b>New Features:</b><br> <b>New Features:</b><br>
<blockquote>Note: In the list that follows, the term <i>group </i>refers <blockquote>Note: In the list that follows, the term <i>group </i>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may be to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
a host address) accessed through a particular interface. Examples:<br> be a host address) accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br> <blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br> eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br> eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</blockquote> </blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
</blockquote>
<ol> <ol>
<li>Beginning with Shorewall 1.4.1, if a zone Z comprises more than <li>Beginning with Shorewall 1.4.1, if a zone Z comprises more
one group<i> </i>then if there is no explicit Z to Z policy and there are than one group<i> </i>then if there is no explicit Z to Z policy and there
no rules governing traffic from Z to Z then Shorewall will permit all traffic are no rules governing traffic from Z to Z then Shorewall will permit all
between the groups in the zone.</li> traffic between the groups in the zone.</li>
<li>Beginning with Shorewall 1.4.1, Shorewall will never create rules <li>Beginning with Shorewall 1.4.1, Shorewall will never create
to handle traffic from a group to itself.</li> rules to handle traffic from a group to itself.</li>
<li>A NONE policy is introduced in 1.4.1. When a policy of NONE is <li>A NONE policy is introduced in 1.4.1. When a policy of NONE
specified from Z1 to Z2:</li> is specified from Z1 to Z2:</li>
</ol> </ol>
<ul> <ul>
<li>There may be no rules created that govern connections from Z1 <li>There may be no rules created that govern connections from
to Z2.</li> Z1 to Z2.</li>
<li>Shorewall will not create any infrastructure to handle traffic <li>Shorewall will not create any infrastructure to handle traffic
from Z1 to Z2.</li> from Z1 to Z2.</li>
</ul> </ul>
See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion See the <a href="upgrade_issues.htm">upgrade issues</a> for a discussion
of how these changes may affect your configuration.<br> of how these changes may affect your configuration.<br>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
<td width="88" <td width="88"
bgcolor="#4b017c" valign="top" align="center"> <a bgcolor="#4b017c" valign="top" align="center"> <br>
href="http://sourceforge.net">M</a></td> </td>
</tr> </tr>
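Review bot: the NONE bullet "There may be no rules created that govern connections from Z1 to Z2" reads as a permission, but by contrast with the following bullet it describes a restriction; reword to "No rules may be specified for connections from Z1 to Z2" if that is the intent, and say what Shorewall does when such a rule is present (error at startup, or silently ignored). Structurally, item 3 of the `<ol>` ends in a colon and its two sub-points are a sibling `<ul>` rather than a list nested inside that `<li>`, so the numbering and indentation detach them from the item they qualify; nest the `<ul>` inside the `<li>`.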
@ -295,9 +306,9 @@ of how these changes may affect your configuration.<br>
</table> </table>
</center> </center>
</div> </div>
@ -306,11 +317,11 @@ of how these changes may affect your configuration.<br>
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td width="100%"
style="margin-top: 1px;"> style="margin-top: 1px;">
@ -326,7 +337,8 @@ of how these changes may affect your configuration.<br>
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
@ -341,13 +353,14 @@ of how these changes may affect your configuration.<br>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free
but if you try it and find it useful, please consider making a donation but if you try it and find it useful, please consider making a donation
to <a to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr>
</tr>
@ -363,9 +376,11 @@ Children's Foundation.</font></a> Thanks!</font></p>
<p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 3/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br>
<br>
<br> <br>
<br>
</body> </body>
</html> </html>
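Review bot: the footer still reads "Updated 3/21/2003" although this commit changes the page content; the aliased-interfaces page in the same commit bumps its footer to 3/22/2003, so bump this one as well for consistency.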

View File

@ -1,29 +1,13 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.3</title> <title>Shoreline Firewall (Shorewall) 1.3</title>
<base target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="4" <table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c"> bgcolor="#4b017c">
@ -95,50 +79,14 @@
<td width="90%"> <td width="90%">
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as  "Shorewall", is <p>The Shoreline Firewall, more commonly known as  "Shorewall", is
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) a <a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall based firewall that can be used on a dedicated firewall
system, a multi-function gateway/router/server or on a standalone system, a multi-function gateway/router/server or on a standalone
GNU/Linux system.</p> GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
<p>This program is free software; you can redistribute it and/or modify
it under the it under the
terms of <a href="http://www.gnu.org/licenses/gpl.html">Version terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free 2 of the GNU General Public License</a> as published by the Free
@ -160,33 +108,7 @@ License for more details.<br>
along with this program; if not, write along with this program; if not, write
to the Free Software Foundation, Inc., 675 to the Free Software Foundation, Inc., 675
Mass Ave, Cambridge, MA 02139, USA</p> Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"> border="0" src="images/leaflogo.gif" width="49" height="36">
@ -200,62 +122,11 @@ License for more details.<br>
<b>Congratulations <b>Congratulations
to Jacques and Eric on the recent release of Bering to Jacques and Eric on the recent release of Bering
1.1!!! <br> 1.1!!! <br>
</b>
<h2>News</h2> <h2>News</h2>
<p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img <p><b>3/24/2003 - Shorewall 1.4.1 </b><b> </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b><b> </b></p>  </b></p>
<b> </b>
<ul>
</ul>
<p>This release follows up on 1.4.0. It corrects a problem introduced <p>This release follows up on 1.4.0. It corrects a problem introduced
in 1.4.0 and removes additional warts.<br> in 1.4.0 and removes additional warts.<br>

View File

@ -19,14 +19,14 @@
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90"> bgcolor="#400169" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1> <h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -34,138 +34,152 @@
<p>For upgrade instructions see the <a <p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br> href="Install.htm">Install/Upgrade page</a>.<br>
</p> </p>
<p>It is important that you read all of the sections on this page where the <p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you are version number mentioned in the section title is later than what you are
currently running. <br> currently running. <br>
</p> </p>
<h3> </h3> <h3> </h3>
<h3>Version &gt;= 1.4.1</h3> <h3>Version &gt;= 1.4.1</h3>
In the description that follows, the term <i>group </i>refers to a particular
network or subnetwork (which may be 0.0.0.0/0 or it may be a host address)
accessed through a particular interface. Examples:<br>
<blockquote>eth0:0.0.0.0/0<br>
eth2:192.168.1.0/24<br>
eth3:192.0.2.123<br>
</blockquote>
You can use the "shorewall check" command to see the groups associated with
each of your zones.<br>
<br>
<ul> <ul>
<li>Beginning with Version 1.4.1, intra-zone traffic is accepted by default. <li>Beginning with Version 1.4.1, traffic between groups in the same
Previously, traffic from a zone to itself was treated just like any other zone is accepted by default. Previously, traffic from a zone to itself was
traffic; any matching rules were applied followed by enforcement of the appropriate treated just like any other traffic; any matching rules were applied followed
policy. With 1.4.1 and later versions, unless you have explicit rules for by enforcement of the appropriate policy. With 1.4.1 and later versions,
traffic from Z to Z or you have an explicit Z to Z policy (where "Z" is some unless you have explicit rules for traffic from Z to Z or you have an explicit
zone) then traffic within zone Z will be accepted. If you do have one or more Z to Z policy (where "Z" is some zone) then traffic between the groups in
explicit rules for Z to Z or if you have an explicit Z to Z policy then the zone Z will be accepted. If you do have one or more explicit rules for Z
behavior is as it was in prior versions.</li> to Z or if you have an explicit Z to Z policy then the behavior is as it
was in prior versions.</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic between <li>If you have a Z Z ACCEPT policy for a zone to allow traffic between
two interfaces to the same zone, that policy can be removed and traffic between two interfaces to the same zone, that policy can be removed and traffic
the interfaces will traverse fewer rules than previously.</li> between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z <li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li> rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that has "all" <li>If you are currently relying on a implicit policy (one that has
in either the SOURCE or DESTINATION column) to prevent traffic between two "all" in either the SOURCE or DESTINATION column) to prevent traffic between
interfaces to a zone Z and you have no rules for Z-&gt;Z then you should two interfaces to a zone Z and you have no rules for Z-&gt;Z then you should
add an explicit DROP or REJECT policy for Z to Z.<br> add an explicit DROP or REJECT policy for Z to Z.<br>
</li> </li>
</ol> </ol>
</blockquote> </blockquote>
<ul> <ul>
<li>Beginning with Version 1.4.1, Shorewall will never create rules to <li>Beginning with Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given <i>interface:subnetwork </i>back to itself. deal with traffic from a given group back to itself. The <i>multi</i> interface
The <i>multi</i> interface option is no longer available so if you want to option is no longer available so if you want to route traffic between two
route traffic between two subnetworks on the same interface then either:</li> subnetworks on the same interface then either:</li>
</ul> </ul>
<blockquote> <blockquote>
<ol> <ol>
<li>The subnetworks must be in different zones; or</li> <li>The subnetworks must be in different zones; or</li>
<li>You must use the /etc/shorewall/hosts file to define the subnetworks <li>You must use the /etc/shorewall/hosts file to define the subnetworks
in a single zone.</li> as two groups in a single zone.</li>
</ol> </ol>
</blockquote> </blockquote>
Example 1 -- Two zones:<br> Example 1 -- Two zones:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/policy<br><br>z1 z2 ACCEPT<br>z2 z1 ACCEPT<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.0/24<br>z2 eth1:192.168.2.0/24<br></pre>
</blockquote> </blockquote>
Example 2 -- One zone: Example 2 -- One zone:
<blockquote> <blockquote>
<pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre> <pre><br>/etc/shorewall/zones<br><br>z Zone The Zone<br><br>/etc/shorewall/interfaces<br><br>- eth1 192.168.1.255,192.168.2.255<br><br>/etc/shorewall/hosts<br><br>z eth1:192.168.1.0/24<br>z eth1:192.168.2.0/24<br></pre>
</blockquote> </blockquote>
Note that in the second example, we don't need any policy since z-&gt;z traffic Note that in the second example, we don't need any policy since z-&gt;z
is accepted by default. The second technique is preferable if you want unlimited traffic is accepted by default. The second technique is preferable if you
access between the two subnetworks.<br> want unlimited access between the two subnetworks.<br>
<br> <br>
Sometimes, you want two separate zones on one interface but you don't want Sometimes, you want two separate zones on one interface but you don't want
Shorewall to set up any infrastructure to handle traffic between them. <br> Shorewall to set up any infrastructure to handle traffic between them. <br>
<br> <br>
Example:<br> Example:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre> <pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote> </blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be involved Here, zone z1 is nested in zone z2 and the firewall is not going to be involved
in any traffic between these two zones. Beginning with Shorewall 1.4.1, you in any traffic between these two zones. Beginning with Shorewall 1.4.1, you
can prevent Shorewall from setting up any infrastructure to handle traffic can prevent Shorewall from setting up any infrastructure to handle traffic
between z1 and z2 by using the new NONE policy:<br> between z1 and z2 by using the new NONE policy:<br>
<blockquote> <blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre> <pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote> </blockquote>
Note that NONE policies are generally used in pairs unless there is asymetric Note that NONE policies are generally used in pairs unless there is asymetric
routing where only the traffic on one direction flows through the firewall routing where only the traffic on one direction flows through the firewall
and you are using a NONE polciy in the other direction.  and you are using a NONE polciy in the other direction. 
<h3>Version &gt;= 1.4.0</h3> <h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute <b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br> package ('ip' utility).</b><br>
<br> <br>
<b>Note: </b>Unfortunately, some distributions call this package iproute2 <b>Note: </b>Unfortunately, some distributions call this package iproute2
which will cause the upgrade of Shorewall to fail with the diagnostic:<br> which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br> <br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1 <br>
<br> This may be worked around by using the --nodeps option of rpm (rpm -Uvh
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;).<br> --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
If you are upgrading from a version &lt; 1.4.0, then:<br> If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul> <ul>
<li>The <b>noping </b>and <b>forwardping</b> interface options <li>The <b>noping </b>and <b>forwardping</b> interface options
are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf. are no longer supported nor is the <b>FORWARDPING </b>option in shorewall.conf.
ICMP echo-request (ping) packets are treated just like any other connection ICMP echo-request (ping) packets are treated just like any other connection
request and are subject to rules and policies.</li> request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; <li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li> (they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf. <li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone contents
contents are determined by BOTH the interfaces and hosts files when there are determined by BOTH the interfaces and hosts files when there are entries
are entries for the zone in both files.</li> for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and hosts <li>The <b>routestopped</b> option in the interfaces and hosts
file has been eliminated; use entries in the routestopped file instead.</li> file has been eliminated; use entries in the routestopped file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no <li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no
longer accepted; you must convert to using the new syntax.</li> longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no <li value="6">The ALLOWRELATED variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li> longer supported. Shorewall 1.4 behavior is the same as 1.3 with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default; <li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to avoid there is no need for your own /etc/shorewall/common file simply to avoid
logging these packets.</li> logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have <li value="6">The 'firewall', 'functions' and 'version' file have
been moved to /usr/share/shorewall.</li> been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include <li value="6">The icmp.def file has been removed. If you include
it from /etc/shorewall/icmpdef, you will need to modify that file.</li> it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<ul> <ul>
</ul> </ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address <li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br> in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li> </li>
</ul> </ul>
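Review bot: the `value="6"` attribute repeated on four consecutive items (`<li value="6">The ALLOWRELATED variable in shorewall.conf is no` through `<li value="6">The icmp.def file has been removed. If you include`) does nothing inside the enclosing `<ul>` (value only applies to `<ol>` items) and, if the list were ever switched to `<ol>`, would renumber each of those items to 6; drop the attributes and let the list number itself. The empty `<ul> </ul>` pair just before the find_interface_address item is also nested directly inside the outer `<ul>` with no `<li>` around it, which is invalid HTML and renders as stray indentation; remove it. While the line is being re-wrapped, "The 'firewall', 'functions' and 'version' file have been moved" should read "files have been moved".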
@ -176,234 +190,236 @@ it from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<h3>Version 1.4.0</h3> <h3>Version 1.4.0</h3>
<ul> <ul>
<li value="8">The 'multi' interface option is no longer supported.  Shorewall <li value="8">The 'multi' interface option is no longer supported.  Shorewall
will generate rules for sending packets back out the same interface that will generate rules for sending packets back out the same interface that
they arrived on in two cases:</li> they arrived on in two cases:</li>
</ul> </ul>
<blockquote> <blockquote>
<ul> <ul>
<li>There is an <u>explicit</u> policy for the source zone to or from <li>There is an <u>explicit</u> policy for the source zone to or from
the destination zone. An explicit policy names both zones and does not use the destination zone. An explicit policy names both zones and does not
the 'all' reserved word.</li> use the 'all' reserved word.</li>
</ul> </ul>
<ul> <ul>
<li>There are one or more rules for traffic for the source zone to <li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all' reserved or from the destination zone including rules that use the 'all' reserved
word. Exception: if the source zone and destination zone are the same then word. Exception: if the source zone and destination zone are the same then
the rule must be explicit - it must name the zone in both the SOURCE and the rule must be explicit - it must name the zone in both the SOURCE and
DESTINATION columns.</li> DESTINATION columns.</li>
</ul> </ul>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.14</h3> <h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13" height="13">
     Beginning in version 1.3.14, Shorewall treats entries in <a      Beginning in version 1.3.14, Shorewall treats entries in <a
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
involves entries with an <b>interface name</b> in the <b>SUBNET</b> involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
(second) <b>column</b>:<br> <b>column</b>:<br>
<ul> <ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet <li>Prior to 1.3.14, Shorewall would detect the FIRST subnet
on the interface (as shown by "ip addr show <i>interface</i>") and would on the interface (as shown by "ip addr show <i>interface</i>") and would
masquerade traffic from that subnet. Any other subnets that routed through masquerade traffic from that subnet. Any other subnets that routed through
eth1 needed their own entry in /etc/shorewall/masq to be masqueraded or eth1 needed their own entry in /etc/shorewall/masq to be masqueraded
to have SNAT applied.</li> or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's <li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named interface. routing table to determine ALL subnets routed through the named interface.
Traffic originating in ANY of those subnets is masqueraded or has SNAT Traffic originating in ANY of those subnets is masqueraded or has SNAT
applied.</li> applied.</li>
</ul> </ul>
You will need to make a change to your configuration if:<br> You will need to make a change to your configuration if:<br>
<ol> <ol>
<li>You have one or more entries in /etc/shorewall/masq with <li>You have one or more entries in /etc/shorewall/masq with
an interface name in the SUBNET (second) column; and</li> an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li> <li>That interface connects to more than one subnetwork.</li>
</ol> </ol>
Two examples:<br> Two examples:<br>
<br> <br>
 <b>Example 1</b> -- Suppose that your current config is as follows:<br>  <b>Example 1</b> -- Suppose that your current config is as follows:<br>
   <br>    <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer <blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br> required.<br>
</blockquote> </blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br> <b>Example 2</b>-- What if your current configuration is like
this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre> <pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq <blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br> to:<br>
</blockquote> </blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre> <pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13"> <img src="images/BD21298_3.gif" alt="" width="13" height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request     Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf (ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to be used is used to specify that the old (pre-1.3.14) ping handling is to be
(If the option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes used (If the option is not set in your /etc/shorewall/shorewall.conf
is assumed). I don't plan on supporting the old handling indefinitely then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting the
so I urge current users to migrate to using the new handling as soon as old handling indefinitely so I urge current users to migrate to using
possible. See the <a href="ping.html">'Ping' handling documentation</a> the new handling as soon as possible. See the <a href="ping.html">'Ping'
for details.<br> handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3> <h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading If you have installed the 1.3.10 Beta 1 RPM and are now upgrading
to version 1.3.10, you will need to use the '--force' option:<br> to version 1.3.10, you will need to use the '--force' option:<br>
<br> <br>
<blockquote> <blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre> <pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote> </blockquote>
<h3>Version &gt;= 1.3.9</h3> <h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions. The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your If you have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br> application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3> <h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover <p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8, versions &gt;= 1.3.8. Beginning with version
you must set NEWNOTSYN=Yes in your 1.3.8, you must set NEWNOTSYN=Yes in
/etc/shorewall/shorewall.conf file.</p> your /etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3> <h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf <p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following rules will need to include the following
in their /etc/shorewall/icmpdef file rules in their /etc/shorewall/icmpdef
(creating this file if necessary):</p> file (creating this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre> <pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def" <p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p> command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to <h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3> Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version <p>To properly upgrade with Shorewall version
1.3.3 and later:</p> 1.3.3 and later:</p>
<ol> <ol>
<li>Be sure you have a backup <li>Be sure you have a backup
-- you will need to transcribe any -- you will need to transcribe any
Shorewall configuration changes that Shorewall configuration changes that
you have made to the new configuration.</li> you have made to the new configuration.</li>
<li>Replace the shorwall.lrp <li>Replace the shorwall.lrp
package provided on the Bering floppy package provided on the Bering floppy
with the later one. If you did not with the later one. If you did not
obtain the later version from Jacques's obtain the later version from Jacques's
site, see additional instructions below.</li> site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list <li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall file and remove the /var/lib/shorewall
entry if present. Then do not forget entry if present. Then do not forget
to backup root.lrp !</li> to backup root.lrp !</li>
</ol> </ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like <p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to for setting up a two-interface firewall</a> plus you also need
add the following two Bering-specific rules to /etc/shorewall/rules:</p> to add the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote> <blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre> <pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote> </blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3> <h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for <p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6 your firewall setup slightly under Shorewall versions
and 1.3.7</p> 1.3.6 and 1.3.7</p>
<ol> <ol>
<li> <li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add <p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br> the following rule<br>
<br> <br>
<font face="Courier">run_iptables -A newnotsyn <font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can be -j RETURN # So that the connection tracking table can be
rebuilt<br> rebuilt<br>
                                    # from non-SYN                                     # from non-SYN
packets after takeover.<br> packets after takeover.<br>
 </font> </p>  </font> </p>
</li> </li>
<li> <li>
<p align="left">Create /etc/shorewall/common (if you don't already <p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br> have that file) and include the following:<br>
<br> <br>
<font face="Courier">run_iptables -A common -p <font face="Courier">run_iptables -A common -p
tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept Acks to
to rebuild connection<br> rebuild connection<br>
                                                                                                                                       
#tracking table. <br> #tracking table. <br>
. /etc/shorewall/common.def</font> </p> . /etc/shorewall/common.def</font> </p>
</li> </li>
</ol> </ol>
<h3 align="left">Versions &gt;= 1.3.5</h3> <h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no <p align="left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p> longer supported. </p>
<p align="left">Example 1:</p> <p align="left">Example 1:</p>
<div align="left"> <div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre> <pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div> </div>
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
<div align="left"> <div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre> <pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Example 2:</p> <p align="left">Example 2:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre> <pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div> </div>
<div align="left"> <div align="left">
<p align="left">Must be replaced with:</p> <p align="left">Must be replaced with:</p>
</div> </div>
<div align="left"> <div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre> <pre> REDIRECT loc 3128 tcp 80</pre>
</div> </div>
<h3 align="left">Version &gt;= 1.3.2</h3> <h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the <p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall. 'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those If you have applications that access these files, those
applications should be modified accordingly.</p> applications should be modified accordingly.</p>
<p><font size="2"> Last updated 3/18/2003 - <p><font size="2"> Last updated 3/18/2003 -
<a href="support.htm">Tom Eastep</a></font> </p> <a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font> <p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p> </p>
<br>
<br> <br>
<br> <br>
</body> </body>
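Review bot: the 1.3.7 section points users at `/etc/shorewall.conf` (`<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf`), but every other reference on this page, including the OLD_PING_HANDLING and NEWNOTSYN paragraphs, uses `/etc/shorewall/shorewall.conf`; the 1.3.7 path should be corrected so a reader does not go hunting for a file that does not exist. Two smaller points in the same hunk: the 1.3.14 masq description says "Any other subnets that routed through eth1 needed their own entry" while the sentence is otherwise about "the interface" and both worked examples use eth2, so "eth1" should be "the interface" (or eth2 to match the examples); and the Bering step "Replace the shorwall.lrp package" misspells the package name (shorewall.lrp). Finally, `<li value="8">The 'multi' interface option is no longer supported.` sits inside a `<ul>`, where `value` has no effect, so the attribute can go.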