extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Add Corporate Network Example

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@664 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-07-16 18:59:33 +00:00
parent c89d302114
commit cbc3ac56b1
68 changed files with 25528 additions and 24849 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
Shorewall-docs/6to4.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -29,15 +29,15 @@
</h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6 security
measures.</h3>
only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6
security measures.</h3>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure</p>
to another IPv6 network over an IPv4 infrastructure</p>
<p>More information on Linux and IPv6 can be found in the <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>. Details
on how to setup a 6to4 tunnels are described in the section <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
Details on how to setup a 6to4 tunnels are described in the section <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</a>.</p>
@ -50,17 +50,17 @@ on how to setup a 6to4 tunnels are described in the section <a
</p>
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to be
able to communicate with the systems in the 2002:488:999::/64 network. This
is accomplished through use of the /etc/shorewall/tunnels file and the "ip"
utility for network interface and routing configuration.</p>
able to communicate with the systems in the 2002:488:999::/64 network. This
is accomplished through use of the /etc/shorewall/tunnels file and the "ip"
utility for network interface and routing configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
/etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
is no need to declare a zone to represent the remote IPv6 network. This remote
network is not visible on IPv4 interfaces and to iptables. All that is visible
on the IPv4 level is an IPv4 stream which contains IPv6 traffic. Separate
IPv6 interfaces and ip6tables rules need to be defined to handle this traffic.
</p>
/etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
is no need to declare a zone to represent the remote IPv6 network. This
remote network is not visible on IPv4 interfaces and to iptables. All that
is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
this traffic. </p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
@ -128,8 +128,8 @@ IPv6 interfaces and ip6tables rules need to be defined to handle this traffic.
</blockquote>
<p>On both systems, restart Shorewall and issue the configuration commands
as listed above. The systems in both IPv6 subnetworks can now talk to each
other using IPv6.</p>
as listed above. The systems in both IPv6 subnetworks can now talk to each
other using IPv6.</p>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -139,5 +139,6 @@ other using IPv6.</p>
<br>
<br>
<br>
<br>
</body>
</html>

293
Shorewall-docs/CorpNetwork.htm Normal file
View File

@ -0,0 +1,293 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Corporate Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Graeme Boyle">
</head>
<body>
<script><!--
function PrivoxyWindowOpen(){return(null);}
//--></script>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and
Internal Servers</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote> </blockquote>
<h1>Corporate Network</h1>
<p><font size="4" color="#ff0000"><b>Notes</b></font><big><font
color="#ff0000"><b>:</b></font></big></p>
<blockquote>
<ul>
<li><b>This configuration is used on a corporate network that
has a Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</b></li>
<li><b>Make sure you know what public IP addresses are currently
being used and verify these </b><i>before</i><b> starting.</b></li>
<li><b>Verify you DNS settings </b><i>before</i><b> starting any
Shorewall configuration especially if you have split DNS.</b></li>
<li><b>System names and Internet IP addresses have been changed
to protect the innocent.</b></li>
</ul>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This configuration
uses a combination of Static NAT and Proxy ARP. This is generally not
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see
here won't apply to your setup so beware of copying parts of this
configuration and expecting them to work for you. What you copy may
or may not work in your configuration.<br>
</small></b></big><br>
</p>
<p> I have a T1 with 64 static IP addresses (63.123.106.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
have an IPSec tunnel connecting our offices in Germany to our offices
in the US. I host two Microsoft Exchange servers for two different companies
behind the firewall hence, the two Exchange servers in the diagram below.</p>
<p> Summary:<br>
</p>
<ul>
<li>SNAT for all systems connected to the LAN
- Internal addresses 10.10.x.x to external address 63.123.106.127.</li>
<li>Static NAT for <i>Polaris</i> (Exchange Server
#2). Internal address 10.10.1.8 and external address 63.123.106.70.</li>
<li>Static NAT for <i>Sims</i> (Inventory Management server).
Internal address 10.10.1.56 and external address 63.123.106.75.<br>
</li>
<li>Static NAT for <i>Project</i> (Project Web
Server). Internal address 10.10.1.55 and external
address 63.123.106.84.</li>
<li>Static NAT for <i>Fortress</i> (Exchange
Server). Internal address 10.10.1.252 and external
address 63.123.106.93.</li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server).
Internal address 10.10.1.230 and external address
63.123.106.97.</li>
<li>Static NAT for <i>Intweb</i> (Intranet Web
Server). Internal address 10.10.1.60 and external
address 63.123.106.115.</li>
</ul>
<p> The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
RH8.0.</p>
<p> The Firewall is also a proxy server running Privoxy 3.0.</p>
<p> The single system in the DMZ (address 63.123.106.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0).
That server is managed through Proxy ARP.</p>
<p> All administration and publishing is done using ssh/scp. I have X installed
on the firewall and the system in the DMZ. X applications tunnel
through SSH to Hummingbird Exceed running on a PC located in the LAN.
Access to the firewall using SSH is restricted to systems in the LAN, DMZ
or the system Kaos which is on the Internet and managed by me.</p>
<p align="center"> <img border="0"
src="images/CorpNetwork.gif" width="770" height="1000"
alt="(Corporate Network Diagram)">
</p>
<p> </p>
<p>The Ethernet 0 interface in the Server is configured with IP
address 63.123.106.68, netmask 255.255.255.192. The server's default
gateway is 63.123.106.65, the Router connected to my network and
the ISP. This is the same default gateway used by the firewall
itself. On the firewall, Shorewall automatically
adds a host route to 63.123.106.80 through Ethernet
2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
<p><b>Some Mistakes I Made:</b></p>
<p>Yes, believe it or not, I made some really basic mistakes when building
this firewall. Firstly, I had the new firewall setup in parallel with
the old firewall so that there was no interruption of service to my users.
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the
outside, these would fail and I could not understand why. Eventually,
I changed the default route on the internal system I was trying to access,
to point to the new firewall and "bingo", everything worked as expected.
This oversight delayed my deployment by a couple of days not to mention
level of frustration it produced. </p>
<p>Another problem that I encountered was in setting up the Proxyarp system
in the DMZ. Initially I forgot to remove the entry for the eth2 from
the /etc/shorewall/masq file. Once my file settings were correct, I started
verifying that the ARP caches on the firewall, as well as the outside
system "kaos", were showing the correct Ethernet MAC address. However,
in testing remote access, I could access the system in the DMZ only from
the firewall and LAN but not from the Internet. The message I received
was "connection denied" on all protocols. What I did not realize was that
a "helpful" administrator that had turned on an old system and assigned
the same address as the one I was using for Proxyarp without notifying
me. How did I work this out. I shutdown the system in the DMZ, rebooted
the router and flushed the ARP cache on the firewall and kaos. Then, from
kaos, I started pinging that IP address and checked the updated ARP cache
and lo-and-behold a different MAC address showed up. High levels of frustration
etc., etc. The administrator will <i>not</i> be doing that again! :-)</p>
<p><b>Lessons Learned:</b></p>
<ul>
<li>Read the documentation.</li>
<li>Draw your network topology before starting.</li>
<li>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note
of these port numbers.</li>
<li>Try to get quiet time to build the firewall - you need to focus
on the job at hand.</li>
<li>When asking for assistance, be honest and include as much detail
as requested. Don't try and hide IP addresses etc., you will probably
screw up the logs and make receiving assistance harder.</li>
<li>Read the documentation.</li>
</ul>
<p><b>Futures:</b></p>
<p>This is by no means the final configuration. In the near future, I will
be moving more systems from the LAN to the DMZ. I will also be watching
the logs for port scan programs etc. but, this should be standard security
maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal
documentation for the purpose of this space however, my system still has
the original files with all the comments and I highly recommend you do
the same.</p>
</blockquote>
<h3>Shorewall.conf</h3>
<blockquote>
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
</blockquote>
<h3>Zones File</h3>
<blockquote>
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
face="Courier" size="2"><br></font></pre>
</blockquote>
<h3>Interfaces File: </h3>
<blockquote>
<p> ##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</p>
</blockquote>
<h3>Routestopped File:</h3>
<blockquote>
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
face="Courier" size="2"> </font></pre>
</blockquote>
<h3>Policy File:</h3>
<blockquote>
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>Masq File: </h3>
<blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 163.123.106.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>NAT File: </h3>
<blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>63.123.106.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>63.123.106.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>63.123.106.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>63.123.106.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>63.123.106.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>63.123.106.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>Proxy ARP File:</h3>
<blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>63.123.106.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote>
<h3>Tunnels File:</h3>
<blockquote>
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
<blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:63.123.106.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<h3>Start File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
</blockquote>
<h3>Stop File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
</blockquote>
<h3>Init File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
</blockquote>
<p><font size="2">Last updated 7/16/2003</font>
<script><!--
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
//</script><br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
Graeme Boyle</a></small><br>
</p>
<br>
</body>
</html>

1182
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

64
Shorewall-docs/ECN.html
View File

@ -2,14 +2,17 @@
<html>
<head>
<title>Shorewall and ECN</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td
@ -20,41 +23,44 @@
</tbody>
</table>
<br>
Explicit Congestion Notification (ECN) is described in RFC 3168 and is a
proposed internet standard. Unfortunately, not all sites support ECN and
when a TCP connection offering ECN is sent to sites that don't support it,
the result is often that the connection request is ignored.<br>
<br>
To allow ECN to be used, Shorewall allows you to enable ECN on your Linux
<br>
Explicit Congestion Notification (ECN) is described in RFC 3168 and is a
proposed internet standard. Unfortunately, not all sites support ECN and when
a TCP connection offering ECN is sent to sites that don't support it, the
result is often that the connection request is ignored.<br>
<br>
To allow ECN to be used, Shorewall allows you to enable ECN on your Linux
systems then disable it in your firewall when the destination matches a list
that you create (the /etc/shorewall/ecn file).<br>
<br>
You enable ECN by<br>
<br>
<br>
You enable ECN by<br>
<br>
<blockquote>
<pre><b><font color="#009900">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
</blockquote>
You must arrange for that command to be executed at system boot. Most distributions
</blockquote>
You must arrange for that command to be executed at system boot. Most distributions
have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.<br>
<br>
<br>
<blockquote>
<pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
</blockquote>
Entries in /etc/shorewall/ecn have two columns as follows:<br>
<br>
INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
<br>
HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or subnet)
</blockquote>
Entries in /etc/shorewall/ecn have two columns as follows:<br>
<br>
INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
<br>
HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or subnet)
of a system or group of systems accessed through the &nbsp;interface in the
first column. You may include a comma-separated list of such addresses in
this column. <br>
<br>
Example: Your external interface is eth0 and you want to disable ECN for
<br>
Example: Your external interface is eth0 and you want to disable ECN for
tcp connections to 192.0.2.0/24:<br>
<br>
In /etc/shorewall/ecn:<br>
<br>
<br>
In /etc/shorewall/ecn:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -70,14 +76,16 @@ In /etc/shorewall/ecn:<br>
<td valign="top">192.0.2.0/24<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom Eastep</a></font>
</blockquote>
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</body>
</html>

629
Shorewall-docs/FAQ.htm
View File

File diff suppressed because it is too large Load Diff

7
Shorewall-docs/Forum.html
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -26,11 +26,13 @@
</table>
<h3><font color="#ff6633"></font></h3>
<h1>REPORTING A PROBLEM OR ASKING FOR HELP? If you haven't already, please
read the <a href="support.htm">Shorewall Support Guide</a>.</h1>
<p><a href="http://www.developercube.com/forum/index.php?c=8">Shorewall Support
Forum</a><br>
</p>
</p>
<p><font size="2">Updated 3/6/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -38,5 +40,6 @@ Forum</a><br>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2003 Thomas M. Eastep.</font></a></p>
<br>
<br>
</body>
</html>

497
Shorewall-docs/GnuCopyright.htm
View File

@ -1,282 +1,341 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Copyright</title>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h2 align="center"><font color="#FFFFFF">GNU Free Documentation License</font></h2>
<h2 align="center"><font color="#ffffff">GNU Free Documentation License</font></h2>
</td>
</tr>
</tbody>
</table>
<p>Version 1.1, March 2000 </p>
<pre>Copyright (C) 2000 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
</pre>
<pre>Copyright (C) 2000 Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
<p><strong>0. PREAMBLE</strong> </p>
<p>The purpose of this License is to make a manual, textbook, or other written
document &quot;free&quot; in the sense of freedom: to assure everyone the effective
document "free" in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for the
author and publisher a way to get credit for their work, while not being
commercially or noncommercially. Secondarily, this License preserves for
the author and publisher a way to get credit for their work, while not being
considered responsible for modifications made by others. </p>
<p>This License is a kind of &quot;copyleft&quot;, which means that derivative works of
the document must themselves be free in the same sense. It complements the GNU
General Public License, which is a copyleft license designed for free software.
</p>
<p>We have designed this License in order to use it for manuals for free
software, because free software needs free documentation: a free program should
come with manuals providing the same freedoms that the software does. But this
License is not limited to software manuals; it can be used for any textual work,
regardless of subject matter or whether it is published as a printed book. We
recommend this License principally for works whose purpose is instruction or
reference. </p>
<p>This License is a kind of "copyleft", which means that derivative works
of the document must themselves be free in the same sense. It complements
the GNU General Public License, which is a copyleft license designed for
free software. </p>
<p>We have designed this License in order to use it for manuals for free software,
because free software needs free documentation: a free program should come
with manuals providing the same freedoms that the software does. But this
License is not limited to software manuals; it can be used for any textual
work, regardless of subject matter or whether it is published as a printed
book. We recommend this License principally for works whose purpose is instruction
or reference. </p>
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
<p>This License applies to any manual or other work that contains a notice
placed by the copyright holder saying it can be distributed under the terms of
this License. The &quot;Document&quot;, below, refers to any such manual or work. Any
member of the public is a licensee, and is addressed as &quot;you&quot;. </p>
<p>A &quot;Modified Version&quot; of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or
translated into another language. </p>
<p>A &quot;Secondary Section&quot; is a named appendix or a front-matter section of the
Document that deals exclusively with the relationship of the publishers or
authors of the Document to the Document's overall subject (or to related
placed by the copyright holder saying it can be distributed under the terms
of this License. The "Document", below, refers to any such manual or work.
Any member of the public is a licensee, and is addressed as "you". </p>
<p>A "Modified Version" of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or translated
into another language. </p>
<p>A "Secondary Section" is a named appendix or a front-matter section of
the Document that deals exclusively with the relationship of the publishers
or authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (For example, if the Document is in part a textbook of mathematics, a
Secondary Section may not explain any mathematics.) The relationship could be a
matter of historical connection with the subject or with related matters, or of
legal, commercial, philosophical, ethical or political position regarding them.
</p>
<p>The &quot;Invariant Sections&quot; are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says that
the Document is released under this License. </p>
<p>The &quot;Cover Texts&quot; are certain short passages of text that are listed, as
Front-Cover Texts or Back-Cover Texts, in the notice that says that the Document
is released under this License. </p>
<p>A &quot;Transparent&quot; copy of the Document means a machine-readable copy,
represented in a format whose specification is available to the general public,
whose contents can be viewed and edited directly and straightforwardly with
generic text editors or (for images composed of pixels) generic paint programs
or (for drawings) some widely available drawing editor, and that is suitable for
input to text formatters or for automatic translation to a variety of formats
suitable for input to text formatters. A copy made in an otherwise Transparent
file format whose markup has been designed to thwart or discourage subsequent
modification by readers is not Transparent. A copy that is not &quot;Transparent&quot; is
called &quot;Opaque&quot;. </p>
subject. (For example, if the Document is in part a textbook of mathematics,
a Secondary Section may not explain any mathematics.) The relationship could
be a matter of historical connection with the subject or with related matters,
or of legal, commercial, philosophical, ethical or political position regarding
them. </p>
<p>The "Invariant Sections" are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says
that the Document is released under this License. </p>
<p>The "Cover Texts" are certain short passages of text that are listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that the
Document is released under this License. </p>
<p>A "Transparent" copy of the Document means a machine-readable copy, represented
in a format whose specification is available to the general public, whose
contents can be viewed and edited directly and straightforwardly with generic
text editors or (for images composed of pixels) generic paint programs or
(for drawings) some widely available drawing editor, and that is suitable
for input to text formatters or for automatic translation to a variety of
formats suitable for input to text formatters. A copy made in an otherwise
Transparent file format whose markup has been designed to thwart or discourage
subsequent modification by readers is not Transparent. A copy that is not
"Transparent" is called "Opaque". </p>
<p>Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using a
publicly available DTD, and standard-conforming simple HTML designed for human
modification. Opaque formats include PostScript, PDF, proprietary formats that
can be read and edited only by proprietary word processors, SGML or XML for
which the DTD and/or processing tools are not generally available, and the
machine-generated HTML produced by some word processors for output purposes
only. </p>
<p>The &quot;Title Page&quot; means, for a printed book, the title page itself, plus such
following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have any
title page as such, &quot;Title Page&quot; means the text near the most prominent
appearance of the work's title, preceding the beginning of the body of the text.
</p>
without markup, Texinfo input format, LaTeX input format, SGML or XML using
a publicly available DTD, and standard-conforming simple HTML designed for
human modification. Opaque formats include PostScript, PDF, proprietary formats
that can be read and edited only by proprietary word processors, SGML or
XML for which the DTD and/or processing tools are not generally available,
and the machine-generated HTML produced by some word processors for output
purposes only. </p>
<p>The "Title Page" means, for a printed book, the title page itself, plus
such following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have
any title page as such, "Title Page" means the text near the most prominent
appearance of the work's title, preceding the beginning of the body of the
text. </p>
<p><strong>2. VERBATIM COPYING</strong> </p>
<p>You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and the
license notice saying this License applies to the Document are reproduced in all
copies, and that you add no other conditions whatsoever to those of this
License. You may not use technical measures to obstruct or control the reading
or further copying of the copies you make or distribute. However, you may accept
compensation in exchange for copies. If you distribute a large enough number of
copies you must also follow the conditions in section 3. </p>
<p>You may also lend copies, under the same conditions stated above, and you may
publicly display copies. </p>
or noncommercially, provided that this License, the copyright notices, and
the license notice saying this License applies to the Document are reproduced
in all copies, and that you add no other conditions whatsoever to those of
this License. You may not use technical measures to obstruct or control the
reading or further copying of the copies you make or distribute. However,
you may accept compensation in exchange for copies. If you distribute a large
enough number of copies you must also follow the conditions in section 3.
</p>
<p>You may also lend copies, under the same conditions stated above, and
you may publicly display copies. </p>
<p><strong>3. COPYING IN QUANTITY</strong> </p>
<p>If you publish printed copies of the Document numbering more than 100, and
the Document's license notice requires Cover Texts, you must enclose the copies
in covers that carry, clearly and legibly, all these Cover Texts: Front-Cover
Texts on the front cover, and Back-Cover Texts on the back cover. Both covers
must also clearly and legibly identify you as the publisher of these copies. The
front cover must present the full title with all words of the title equally
prominent and visible. You may add other material on the covers in addition.
Copying with changes limited to the covers, as long as they preserve the title
of the Document and satisfy these conditions, can be treated as verbatim copying
in other respects. </p>
<p>If the required texts for either cover are too voluminous to fit legibly, you
should put the first ones listed (as many as fit reasonably) on the actual
<p>If you publish printed copies of the Document numbering more than 100,
and the Document's license notice requires Cover Texts, you must enclose
the copies in covers that carry, clearly and legibly, all these Cover Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover.
Both covers must also clearly and legibly identify you as the publisher of
these copies. The front cover must present the full title with all words
of the title equally prominent and visible. You may add other material on
the covers in addition. Copying with changes limited to the covers, as long
as they preserve the title of the Document and satisfy these conditions,
can be treated as verbatim copying in other respects. </p>
<p>If the required texts for either cover are too voluminous to fit legibly,
you should put the first ones listed (as many as fit reasonably) on the actual
cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along with
each Opaque copy, or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent copy of the
Document, free of added material, which the general network-using public has
access to download anonymously at no charge using public-standard network
protocols. If you use the latter option, you must take reasonably prudent steps,
when you begin distribution of Opaque copies in quantity, to ensure that this
Transparent copy will remain thus accessible at the stated location until at
least one year after the last time you distribute an Opaque copy (directly or
through your agents or retailers) of that edition to the public. </p>
than 100, you must either include a machine-readable Transparent copy along
with each Opaque copy, or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent copy of the Document,
free of added material, which the general network-using public has access
to download anonymously at no charge using public-standard network protocols.
If you use the latter option, you must take reasonably prudent steps, when
you begin distribution of Opaque copies in quantity, to ensure that this Transparent
copy will remain thus accessible at the stated location until at least one
year after the last time you distribute an Opaque copy (directly or through
your agents or retailers) of that edition to the public. </p>
<p>It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them a
chance to provide you with an updated version of the Document. </p>
Document well before redistributing any large number of copies, to give them
a chance to provide you with an updated version of the Document. </p>
<p><strong>4. MODIFICATIONS</strong> </p>
<p>You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the role
of the Document, thus licensing distribution and modification of the Modified
Version to whoever possesses a copy of it. In addition, you must do these things
in the Modified Version: </p>
<p>&nbsp;</p>
Version under precisely this License, with the Modified Version filling the
role of the Document, thus licensing distribution and modification of the
Modified Version to whoever possesses a copy of it. In addition, you must
do these things in the Modified Version: </p>
<p> </p>
<ul>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any) a
title distinct from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section of the
Document). You may use the same title as a previous version if the original
publisher of that version gives permission. </li>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any)
a title distinct from that of the Document, and from those of previous
versions (which should, if there were any, be listed in the History section
of the Document). You may use the same title as a previous version if the
original publisher of that version gives permission. </li>
<li><strong>B.</strong> List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in the
Modified Version, together with at least five of the principal authors of the
Document (all of its principal authors, if it has less than five). </li>
<li><strong>C.</strong> State on the Title page the name of the publisher of
the Modified Version, as the publisher. </li>
persons or entities responsible for authorship of the modifications in
the Modified Version, together with at least five of the principal authors
of the Document (all of its principal authors, if it has less than five).
</li>
<li><strong>C.</strong> State on the Title page the name of the publisher
of the Modified Version, as the publisher. </li>
<li><strong>D.</strong> Preserve all the copyright notices of the Document.
</li>
<li><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright notices, a
license notice giving the public permission to use the Modified Version under
the terms of this License, in the form shown in the Addendum below. </li>
<li><strong>G.</strong> Preserve in that license notice the full lists of
Invariant Sections and required Cover Texts given in the Document's license
notice. </li>
<li><strong>F.</strong> Include, immediately after the copyright notices,
a license notice giving the public permission to use the Modified Version
under the terms of this License, in the form shown in the Addendum below.
</li>
<li><strong>G.</strong> Preserve in that license notice the full lists
of Invariant Sections and required Cover Texts given in the Document's
license notice. </li>
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
<li><strong>I.</strong> Preserve the section entitled &quot;History&quot;, and its
<li><strong>I.</strong> Preserve the section entitled "History", and its
title, and add to it an item stating at least the title, year, new authors,
and publisher of the Modified Version as given on the Title Page. If there is
no section entitled &quot;History&quot; in the Document, create one stating the title,
year, authors, and publisher of the Document as given on its Title Page, then
add an item describing the Modified Version as stated in the previous
sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions it was based
on. These may be placed in the &quot;History&quot; section. You may omit a network
location for a work that was published at least four years before the Document
itself, or if the original publisher of the version it refers to gives
permission. </li>
<li><strong>K.</strong> In any section entitled &quot;Acknowledgements&quot; or
&quot;Dedications&quot;, preserve the section's title, and preserve in the section all
the substance and tone of each of the contributor acknowledgements and/or
dedications given therein. </li>
and publisher of the Modified Version as given on the Title Page. If there
is no section entitled "History" in the Document, create one stating the
title, year, authors, and publisher of the Document as given on its Title
Page, then add an item describing the Modified Version as stated in the
previous sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given in
the Document for public access to a Transparent copy of the Document, and
likewise the network locations given in the Document for previous versions
it was based on. These may be placed in the "History" section. You may
omit a network location for a work that was published at least four years
before the Document itself, or if the original publisher of the version
it refers to gives permission. </li>
<li><strong>K.</strong> In any section entitled "Acknowledgements" or
"Dedications", preserve the section's title, and preserve in the section
all the substance and tone of each of the contributor acknowledgements
and/or dedications given therein. </li>
<li><strong>L.</strong> Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the equivalent
are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled &quot;Endorsements&quot;. Such a
section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as &quot;Endorsements&quot;
<li><strong>M.</strong> Delete any section entitled "Endorsements". Such
a section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as "Endorsements"
or to conflict in title with any Invariant Section. </li>
</ul>
<p>If the Modified Version includes new front-matter sections or appendices that
qualify as Secondary Sections and contain no material copied from the Document,
you may at your option designate some or all of these sections as invariant. To
do this, add their titles to the list of Invariant Sections in the Modified
Version's license notice. These titles must be distinct from any other section
titles. </p>
<p>You may add a section entitled &quot;Endorsements&quot;, provided it contains nothing
<p>If the Modified Version includes new front-matter sections or appendices
that qualify as Secondary Sections and contain no material copied from the
Document, you may at your option designate some or all of these sections
as invariant. To do this, add their titles to the list of Invariant Sections
in the Modified Version's license notice. These titles must be distinct from
any other section titles. </p>
<p>You may add a section entitled "Endorsements", provided it contains nothing
but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an organization
as the authoritative definition of a standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of Cover
Texts in the Modified Version. Only one passage of Front-Cover Text and one of
Back-Cover Text may be added by (or through arrangements made by) any one
entity. If the Document already includes a cover text for the same cover,
previously added by you or by arrangement made by the same entity you are acting
on behalf of, you may not add another; but you may replace the old one, on
explicit permission from the previous publisher that added the old one. </p>
<p>The author(s) and publisher(s) of the Document do not by this License give
permission to use their names for publicity for or to assert or imply
passage of up to 25 words as a Back-Cover Text, to the end of the list of
Cover Texts in the Modified Version. Only one passage of Front-Cover Text
and one of Back-Cover Text may be added by (or through arrangements made
by) any one entity. If the Document already includes a cover text for the
same cover, previously added by you or by arrangement made by the same entity
you are acting on behalf of, you may not add another; but you may replace
the old one, on explicit permission from the previous publisher that added
the old one. </p>
<p>The author(s) and publisher(s) of the Document do not by this License
give permission to use their names for publicity for or to assert or imply
endorsement of any Modified Version. </p>
<p><strong>5. COMBINING DOCUMENTS</strong> </p>
<p>You may combine the Document with other documents released under this
License, under the terms defined in section 4 above for modified versions,
provided that you include in the combination all of the Invariant Sections of
all of the original documents, unmodified, and list them all as Invariant
Sections of your combined work in its license notice. </p>
<p>You may combine the Document with other documents released under this License,
under the terms defined in section 4 above for modified versions, provided
that you include in the combination all of the Invariant Sections of all
of the original documents, unmodified, and list them all as Invariant Sections
of your combined work in its license notice. </p>
<p>The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there are
multiple Invariant Sections with the same name but different contents, make the
title of each such section unique by adding at the end of it, in parentheses,
the name of the original author or publisher of that section if known, or else a
unique number. Make the same adjustment to the section titles in the list of
Invariant Sections in the license notice of the combined work. </p>
<p>In the combination, you must combine any sections entitled &quot;History&quot; in the
various original documents, forming one section entitled &quot;History&quot;; likewise
combine any sections entitled &quot;Acknowledgements&quot;, and any sections entitled
&quot;Dedications&quot;. You must delete all sections entitled &quot;Endorsements.&quot; </p>
identical Invariant Sections may be replaced with a single copy. If there
are multiple Invariant Sections with the same name but different contents,
make the title of each such section unique by adding at the end of it, in
parentheses, the name of the original author or publisher of that section
if known, or else a unique number. Make the same adjustment to the section
titles in the list of Invariant Sections in the license notice of the combined
work. </p>
<p>In the combination, you must combine any sections entitled "History" in
the various original documents, forming one section entitled "History"; likewise
combine any sections entitled "Acknowledgements", and any sections entitled
"Dedications". You must delete all sections entitled "Endorsements." </p>
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
<p>You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this License
in the various documents with a single copy that is included in the collection,
provided that you follow the rules of this License for verbatim copying of each
of the documents in all other respects. </p>
<p>You may extract a single document from such a collection, and distribute it
individually under this License, provided you insert a copy of this License into
the extracted document, and follow this License in all other respects regarding
verbatim copying of that document. </p>
provided that you follow the rules of this License for verbatim copying of
each of the documents in all other respects. </p>
<p>You may extract a single document from such a collection, and distribute
it individually under this License, provided you insert a copy of this License
into the extracted document, and follow this License in all other respects
regarding verbatim copying of that document. </p>
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
<p>A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or distribution
medium, does not as a whole count as a Modified Version of the Document,
provided no compilation copyright is claimed for the compilation. Such a
compilation is called an &quot;aggregate&quot;, and this License does not apply to the
other self-contained works thus compiled with the Document, on account of their
being thus compiled, if they are not themselves derivative works of the
Document. </p>
<p>If the Cover Text requirement of section 3 is applicable to these copies of
the Document, then if the Document is less than one quarter of the entire
aggregate, the Document's Cover Texts may be placed on covers that surround only
the Document within the aggregate. Otherwise they must appear on covers around
the whole aggregate. </p>
medium, does not as a whole count as a Modified Version of the Document, provided
no compilation copyright is claimed for the compilation. Such a compilation
is called an "aggregate", and this License does not apply to the other self-contained
works thus compiled with the Document, on account of their being thus compiled,
if they are not themselves derivative works of the Document. </p>
<p>If the Cover Text requirement of section 3 is applicable to these copies
of the Document, then if the Document is less than one quarter of the entire
aggregate, the Document's Cover Texts may be placed on covers that surround
only the Document within the aggregate. Otherwise they must appear on covers
around the whole aggregate. </p>
<p><strong>8. TRANSLATION</strong> </p>
<p>Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing Invariant
Sections with translations requires special permission from their copyright
holders, but you may include translations of some or all Invariant Sections in
addition to the original versions of these Invariant Sections. You may include a
translation of this License provided that you also include the original English
version of this License. In case of a disagreement between the translation and
the original English version of this License, the original English version will
prevail. </p>
holders, but you may include translations of some or all Invariant Sections
in addition to the original versions of these Invariant Sections. You may
include a translation of this License provided that you also include the
original English version of this License. In case of a disagreement between
the translation and the original English version of this License, the original
English version will prevail. </p>
<p><strong>9. TERMINATION</strong> </p>
<p>You may not copy, modify, sublicense, or distribute the Document except as
expressly provided for under this License. Any other attempt to copy, modify,
sublicense or distribute the Document is void, and will automatically terminate
your rights under this License. However, parties who have received copies, or
rights, from you under this License will not have their licenses terminated so
long as such parties remain in full compliance. </p>
<p>You may not copy, modify, sublicense, or distribute the Document except
as expressly provided for under this License. Any other attempt to copy,
modify, sublicense or distribute the Document is void, and will automatically
terminate your rights under this License. However, parties who have received
copies, or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance. </p>
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
<p>The Free Software Foundation may publish new, revised versions of the GNU
Free Documentation License from time to time. Such new versions will be similar
in spirit to the present version, but may differ in detail to address new
problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version number. If the
Document specifies that a particular numbered version of this License &quot;or any
later version&quot; applies to it, you have the option of following the terms and
conditions either of that specified version or of any later version that has
been published (not as a draft) by the Free Software Foundation. If the Document
does not specify a version number of this License, you may choose any version
ever published (not as a draft) by the Free Software Foundation. </p>
<p align="left">&nbsp;</p>
<p>The Free Software Foundation may publish new, revised versions of the
GNU Free Documentation License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version number.
If the Document specifies that a particular numbered version of this License
"or any later version" applies to it, you have the option of following the
terms and conditions either of that specified version or of any later version
that has been published (not as a draft) by the Free Software Foundation.
If the Document does not specify a version number of this License, you may
choose any version ever published (not as a draft) by the Free Software Foundation.
</p>
<p align="left"> </p>
<br>
</body>
</html>

19
Shorewall-docs/IPIP.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -43,7 +43,7 @@ directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</p>
<p align="center"> <img border="0" src="images/TwoNets1.png" width="745"
height="427">
</p>
</p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
@ -86,8 +86,8 @@ it in /etc/shorewall/zones on both systems as follows.</p>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -205,8 +205,8 @@ zone. In /etc/shorewall/interfaces:</p>
are secured so that root can execute them. </p>
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
the "loc" zone on both systems -- if you simply want to admit all traffic
in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -234,9 +234,9 @@ traffic in both directions, you can use the policy file:</p>
</table>
</blockquote>
<p>On both systems, restart Shorewall and run the modified tunnel script
with the "start" argument on each system. The systems in the two masqueraded
subnetworks can now talk to each other</p>
<p>On both systems, restart Shorewall and run the modified tunnel script with
the "start" argument on each system. The systems in the two masqueraded subnetworks
can now talk to each other</p>
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -244,5 +244,6 @@ subnetworks can now talk to each other</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br>
<br>
</body>
</html>

92
Shorewall-docs/IPSEC.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -34,9 +34,9 @@
FreeS/Wan on the same system unless you are prepared to suffer the consequences.
If you start or restart Shorewall with an IPSEC tunnel active, the proxied
IP addresses are mistakenly assigned to the IPSEC tunnel device (ipsecX)
rather than to the interface that you specify in the INTERFACE column
of /etc/shorewall/proxyarp. I haven't had the time to debug this problem
so I can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
rather than to the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven't had the time to debug this problem so
I can't say if it is a bug in the Kernel or in FreeS/Wan. </p>
<p>You <b>might</b> be able to work around this problem using the following
(I haven't tried it):</p>
@ -115,9 +115,9 @@ so I can't say if it is a bug in the Kernel or in FreeS/Wan.
</blockquote>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should
specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the
GATEWAY address should specify the external address of the NAT gateway.<br>
then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec</i> and the GATEWAY
address should specify the external address of the NAT gateway.<br>
</p>
<p align="left">You need to define a zone for the remote subnet or include
@ -195,14 +195,14 @@ created a zone called "vpn" to represent the remote subnet.</p>
</table>
</blockquote>
<p align="left"> Once you have these entries in place, restart Shorewall (type
shorewall restart); you are now ready to configure the tunnel in <a
<p align="left"> Once you have these entries in place, restart Shorewall
(type shorewall restart); you are now ready to configure the tunnel in <a
href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a> .</p>
<h2><a name="VPNHub"></a>VPN Hub</h2>
Shorewall can be used in a VPN Hub environment where multiple remote networks
are connected to a gateway running Shorewall. This environment is shown in
this diatram.<br>
are connected to a gateway running Shorewall. This environment is shown
in this diatram.<br>
<div align="center"><img src="images/ThreeNets.png"
alt="(Three networks linked with IPSEC)" width="750" height="781">
@ -211,7 +211,7 @@ this diatram.<br>
<p align="left">We want systems in the 192.168.1.0/24 sub-network to be able
to communicate with systems in the 10.0.0.0/16 and 10.1.0.0/16 networks
and we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to communicate.</p>
and we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to communicate.</p>
<p align="left">To make this work, we need to do several things:</p>
@ -219,11 +219,11 @@ and we want the 10.0.0.0/16 and 10.1.0.0/16 networks to be able to communicate.<
(allow the ESP and AH protocols and UDP Port 500). </p>
<p align="left">b) Allow traffic through the tunnels two/from the local zone
(192.168.1.0/24).<br>
(192.168.1.0/24).<br>
</p>
<p align="left">c) Deny traffic through the tunnels between the two remote
networks.<br>
networks.<br>
</p>
<p align="left">Opening the firewall for the IPSEC tunnels is accomplished
@ -287,14 +287,14 @@ networks.<br>
<p align="left"></p>
<p align="left"><b>Note: </b>If either of the endpoints is behind a NAT gateway
then the tunnels file entry on the <u><b>other</b></u> endpoint should
specify a tunnel type of <i>ipsecnat</i> rather than <i>ipsec<br>
then the tunnels file entry on the <u><b>other</b></u> endpoint should specify
a tunnel type of <i>ipsecnat</i> rather than <i>ipsec<br>
</i> and the GATEWAY address should specify the external address of the
NAT gateway.<br>
NAT gateway.<br>
</p>
<p align="left">On each system, we will create a zone to represent the remote
networks. On System A:<br>
networks. On System A:<br>
</p>
<blockquote>
@ -345,7 +345,7 @@ networks. On System A:<br>
</blockquote>
<p align="left">At system A, ipsec0 represents two zones so we have the following
in /etc/shorewall/interfaces:</p>
in /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -370,7 +370,7 @@ in /etc/shorewall/interfaces:</p>
</blockquote>
<p align="left">The /etc/shorewall/hosts file on system A defines the two
VPN zones:<br>
VPN zones:<br>
</p>
<blockquote>
@ -403,7 +403,7 @@ VPN zones:<br>
</blockquote>
<p align="left">At systems B and C, ipsec0 represents a single zone so we
have the following in /etc/shorewall/interfaces:</p>
have the following in /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -426,11 +426,12 @@ have the following in /etc/shorewall/interfaces:</p>
</tbody>
</table>
<br>
</blockquote>
<p align="left">On systems A, you will need to allow traffic between the "vpn1"
zone and the "loc" zone as well as between "vpn2" and the "loc" zone
-- if you simply want to admit all traffic in both directions, you
can use the following policy file entries on all three gateways:</p>
</blockquote>
<p align="left">On systems A, you will need to allow traffic between the
"vpn1" zone and the "loc" zone as well as between "vpn2" and the
"loc" zone -- if you simply want to admit all traffic in both directions,
you can use the following policy file entries on all three gateways:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -476,11 +477,12 @@ can use the following policy file entries on all three gateways:</p>
</tbody>
</table>
</blockquote>
</blockquote>
<p align="left">On systems B and C, you will need to allow traffic between
the "vpn" zone and the "loc" zone -- if you simply want to admit all
traffic in both directions, you can use the following policy file entries
on all three gateways:</p>
the "vpn" zone and the "loc" zone -- if you simply want to admit
all traffic in both directions, you can use the following policy file
entries on all three gateways:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -509,12 +511,13 @@ on all three gateways:</p>
</blockquote>
<p align="left">Once you have the Shorewall entries added, restart Shorewall
on each gateway (type shorewall restart); you are now ready to configure
the tunnels in <a href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a>
on each gateway (type shorewall restart); you are now ready to configure
the tunnels in <a href="http://www.xs4all.nl/%7Efreeswan/"> FreeS/WAN</a>
.</p>
Note that to allow traffic between the networks attached to systems B and
C, it is necessary to simply add two additional entries to the /etc/shorewall/policy
file on system A.<br>
C, it is necessary to simply add two additional entries to the /etc/shorewall/policy
file on system A.<br>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -542,14 +545,14 @@ file on system A.<br>
</tbody>
</table>
<br>
</blockquote>
</blockquote>
<h2><font color="#660066"><a name="RoadWarrior"></a> </font>Mobile System
(Road Warrior)</h2>
(Road Warrior)</h2>
<p>Suppose that you have a laptop system (B) that you take with you when you
travel and you want to be able to establish a secure connection back to your
local network.</p>
<p>Suppose that you have a laptop system (B) that you take with you when
you travel and you want to be able to establish a secure connection back
to your local network.</p>
<p align="center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.png" width="677" height="426">
@ -612,8 +615,8 @@ system.</p>
<h2><a name="Dynamic"></a>Dynamic RoadWarrior Zones</h2>
Beginning with Shorewall release 1.3.10, you can define multiple VPN
zones and add and delete remote endpoints dynamically using /sbin/shorewall.
In /etc/shorewall/zones:<br>
zones and add and delete remote endpoints dynamically using /sbin/shorewall.
In /etc/shorewall/zones:<br>
<br>
<blockquote>
@ -707,8 +710,8 @@ comes down. For example, when 134.28.54.2 connects for the vpn2 zone the
</blockquote>
<h3>Limitations of Dynamic Zones</h3>
If you include a dynamic zone in the exclude list of a DNAT rule, the dynamically-added
hosts are not excluded from the rule.<br>
If you include a dynamic zone in the exclude list of a DNAT rule, the
dynamically-added hosts are not excluded from the rule.<br>
<br>
Example with dyn=dynamic zone:<br>
<br>
@ -755,7 +758,7 @@ comes down. For example, when 134.28.54.2 connects for the vpn2 zone the
</table>
</blockquote>
Dynamic changes to the zone <b>dyn</b> will have no effect on the above
rule.
rule.
<p><font size="2">Last updated 6/10//2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
@ -763,5 +766,6 @@ rule.
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

93
Shorewall-docs/Install.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -30,8 +30,8 @@
href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge you to
read and print a copy of the <a
<div align="left"><b>Before attempting installation, I strongly urge you
to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br>
</div>
@ -48,11 +48,11 @@ read and print a copy of the <a
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to
version 1.2.4 either from the <a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a>
before attempting to start Shorewall.</b></p>
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
@ -75,12 +75,12 @@ before attempting to start Shorewall.</b></p>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
<u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND.
SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU
ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL
NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall
clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
<u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE
A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
@ -99,33 +99,33 @@ the directory name as in "shorewall-1.1.10").</li>
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then
type "./install.sh /etc/init.d"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your
distribution installs init scripts and type "./install.sh
&lt;init script directory&gt;</li>
&lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration.</li>
to match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to
be started automatically at boot, see <a
<li>If the install script was unable to configure Shorewall
to be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
Guide</a> for information about further steps required.</p>
that you downloaded. See the <a href="two-interface.htm">two-interface
QuickStart Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
or and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
@ -149,26 +149,26 @@ or and you have entries in the /etc/shorewall/hosts file then please check
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;). </p>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;). </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct
as necessary.</li>
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
are upgrading to a new version using the tarball:</p>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and
you have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for
each interface mentioned in the hosts file.  Also, there are certain 1.2
rule forms that are no longer supported under 1.4 (you must use the new
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
details. </p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -181,28 +181,28 @@ the directory name as in "shorewall-3.0.1").</li>
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then
type "./install.sh /etc/init.d"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your
distribution installs init scripts and type "./install.sh
&lt;init script directory&gt;</li>
&lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct
as necessary.</li>
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<a name="LRP_Upgrade"></a>If you already have a running Bering
installation and wish to upgrade to a later version of Shorewall:<br>
<a name="LRP_Upgrade"></a>If you already have a running
Bering installation and wish to upgrade to a later version of Shorewall:<br>
<br>
    <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
<p>You will need to edit some or all of the configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<ul>
@ -216,5 +216,6 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

37
Shorewall-docs/MAC_Validation.html
View File

@ -12,7 +12,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -37,24 +37,24 @@
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When this
option is specified, all traffic arriving on the interface is subjet to MAC
verification.</li>
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet
to MAC verification.</li>
<li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to MAC
verification.</li>
is specified for a subnet, all traffic from that subnet is subject to
MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL
</b>variables in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification.
and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.<br>
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.<br>
</li>
</ol>
@ -89,10 +89,10 @@ details about my setup):</h3>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like
a wireless router with DHCP relay. When forwarding DHCP traffic, it uses
the MAC address of the host (TIPPER) but for other forwarded traffic it uses
it's own MAC address. Consequently, I list the IP addresses of both devices
in /etc/shorewall/maclist.<br>
a wireless router with DHCP relay. When forwarding DHCP traffic, it uses the
MAC address of the host (TIPPER) but for other forwarded traffic it uses it's
own MAC address. Consequently, I list the IP addresses of both devices in
/etc/shorewall/maclist.<br>
<h3>Example 2: Router in Wireless Zone</h3>
Suppose now that I add a second wireless segment to my wireless
@ -103,11 +103,11 @@ in /etc/shorewall/maclist.<br>
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that all
traffic being sent to my firewall from the 192.168.4.0/24 segment will
be forwarded by the router so that traffic's MAC address will be that
of the router (00:06:43:45:C6:15) and not that of the host sending the
traffic.
and from the second wireless segment (192.168.4.0/24). Remember that
all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
@ -119,5 +119,6 @@ traffic.
<br>
<br>
<br>
<br>
</body>
</html>

72
Shorewall-docs/NAT.htm
View File

@ -12,46 +12,47 @@
</head>
<body>
<blockquote>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Static NAT</font></h1>
<h1 align="center"><font color="#ffffff">Static Nat</font></h1>
</td>
</tr>
</tbody>
</table>
</table>
<br>
<br>
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<p>Static NAT is a way to make systems behind a firewall and configured
<blockquote> </blockquote>
<p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918)
appear to have public IP addresses. Before you try to use this technique,
I strongly recommend that you read the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a static NAT environment.</p>
<blockquote> </blockquote>
<p>The following figure represents a static NAT environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397">
</strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
file would make the lower left-hand system appear to have IP address
130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p>
<p align="left">Static NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
file would make the lower left-hand system appear to have IP address 130.252.100.18
and the right-hand one to have IP address 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>EXTERNAL</b></td>
@ -76,36 +77,35 @@ and the right-hand one to have IP address 130.252.100.19.</p>
</tr>
</tbody>
</table>
</table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
to specify whether access to the external IP from all firewall interfaces
should undergo NAT (Yes or yes) or if only access from the interface in
the INTERFACE column should undergo NAT. If you leave this column empty,
"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
to specify whether access to the external IP from all firewall interfaces
should undergo NAT (Yes or yes) or if only access from the interface in
the INTERFACE column should undergo NAT. If you leave this column empty,
"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
external addresses to an interface that is configured with a single subnetwork
-- if your external interface has addresses in more than one subnetwork,
external addresses to an interface that is configured with a single subnetwork
-- if your external interface has addresses in more than one subnetwork,
Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined
for the EXTERNAL address are redirected to the internal ADDRESS. If
this column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also
contains "Yes" or "yes") then such packets are redirected; otherwise,
this column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN
also contains "Yes" or "yes") then such packets are redirected; otherwise,
such packets are not redirected. The LOCAL column was added in version
1.1.8.</p>
</blockquote>
<blockquote> </blockquote>
@ -113,5 +113,7 @@ such packets are not redirected. The LOCAL column was added in version
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
</body>
</html>

1273
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

11
Shorewall-docs/OPENVPN.html
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -78,8 +78,8 @@ the GPL</a>. OpenVPN can be downloaded from <a
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -235,8 +235,8 @@ gateway. If you change the port used by OpenVPN to 7777, you can define
</blockquote>
<p align="left">You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
the "loc" zone on both systems -- if you simply want to admit all traffic
in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -279,5 +279,6 @@ traffic in both directions, you can use the policy file:</p>
<br>
<br>
<br>
<br>
</body>
</html>

96
Shorewall-docs/PPTP.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -27,23 +27,26 @@
</tbody>
</table>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for current
Linux kernel's and pppd. I recommend that you refer to the following URLs
for information about installing MPPE into your kernel and pppd.</h4>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for current Linux
kernel's and pppd. I recommend that you refer to the following URLs for information
about installing MPPE into your kernel and pppd.</h4>
<h4>The <a href="http://pptpclient.sourceforge.net">Linux PPTP client project
</a>has a nice GUI for configuring and managing VPN connections where your
Linux system is the PPTP client. This is what I currently use. I am no longer
running PoPToP but rather I use the PPTP Server included with XP Professional
(see <a href="#ServerBehind">PPTP Server running behind your Firewall</a>
below).</h4>
    <a href="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</a>
    <a href="http://pptpclient.sourceforge.net">http://pptpclient.sourceforge.net</a>
(Everything you need to run a PPTP client).<br>
    <a href="http://www.poptop.org">http://www.poptop.org</a> (The 'kernelmod'
    <a href="http://www.poptop.org">http://www.poptop.org</a> (The 'kernelmod'
package can be used to quickly install MPPE into your kernel without rebooting).<br>
<h4>I am leaving the instructions for building MPPE-enabled kernels and pppd
in the text below for those who may wish to obtain the relevant current patches
and "roll their own".<br>
</h4>
</h4>
<hr width="100%" size="2">
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
@ -56,12 +59,11 @@ and "roll their own".<br>
</ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your
Firewall</h2>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server on your
firewall system. This isn't a detailed HOWTO but rather an example of how
I have set up a working PPTP server on my own firewall.</p>
<p>I will try to give you an idea of how to set up a PPTP server on your firewall
system. This isn't a detailed HOWTO but rather an example of how I have set
up a working PPTP server on my own firewall.</p>
<p>The steps involved are:</p>
@ -91,7 +93,7 @@ I have set up a working PPTP server on my own firewall.</p>
</ul>
<p>You may also want the following patch if you want to require remote hosts
to use encryption:</p>
to use encryption:</p>
<ul>
<li><a
@ -113,7 +115,7 @@ to use encryption:</p>
</ul>
<p>You will need to install the resulting binary on your firewall system.
To do that, I NFS mount my source filesystem and use "make install" from
To do that, I NFS mount my source filesystem and use "make install" from
the ppp-2.4.1 directory.</p>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
@ -146,9 +148,9 @@ the ppp-2.4.1 directory.</p>
<h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server
is fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
is:</p>
<p>You will need a WINS server (Samba configured to run as a WINS server is
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3)
is:</p>
<blockquote>
<pre>[global]<br> workgroup = TDM-NSTOP<br> netbios name = WOOKIE<br> server string = GNU/Linux Box<br> encrypt passwords = Yes<br> log file = /var/log/samba/%m.log<br> max log size = 0<br> socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192<br> os level = 65<br> domain master = True<br> preferred master = True<br> dns proxy = No<br> wins support = Yes<br> printing = lprng<br><br>[homes]<br> comment = Home Directories<br> valid users = %S<br> read only = No<br> create mask = 0664<br> directory mask = 0775<br><br>[printers]<br> comment = All Printers<br> path = /var/spool/samba<br> printable = Yes</pre>
@ -186,11 +188,11 @@ is:</p>
<ul>
<li>System 192.168.1.3 acts as a WINS server so I have included that
IP as the 'ms-wins' value.</li>
IP as the 'ms-wins' value.</li>
<li>I have pointed the remote clients at my DNS server -- it has external
address 206.124.146.177.</li>
<li>I am requiring 128-bit stateless compression (my kernel is built
with the 'require-mppe.diff' patch mentioned above.</li>
with the 'require-mppe.diff' patch mentioned above.</li>
</ul>
@ -204,9 +206,9 @@ with the 'require-mppe.diff' patch mentioned above.</li>
</blockquote>
<p>I am the only user who connects to the server but I may connect either
with or without a domain being specified. The system I connect from is my
laptop so I give it the same IP address when tunneled in at it has when I
use its wireless LAN card around the house.</p>
with or without a domain being specified. The system I connect from is my
laptop so I give it the same IP address when tunneled in at it has when
I use its wireless LAN card around the house.</p>
<p>You will also want the following in /etc/modules.conf:</p>
@ -229,11 +231,11 @@ use its wireless LAN card around the house.</p>
<ul>
<li>I specify the /etc/ppp/options.poptop file as my ppp options file
(I have several).</li>
(I have several).</li>
<li>The local IP is the same as my internal interface's (192.168.1.254).</li>
<li>I have assigned a remote IP range that overlaps my local network.
This, together with 'proxyarp' in my /etc/ppp/options.poptop file make
the remote hosts look like they are part of the local subnetwork.</li>
This, together with 'proxyarp' in my /etc/ppp/options.poptop file make
the remote hosts look like they are part of the local subnetwork.</li>
</ul>
@ -440,8 +442,8 @@ the remote hosts look like they are part of the local subnetwork.</li>
</table>
</blockquote>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10 and
later)<br>
<p align="left"><b>/etc/shoreawll/tunnels (For Shorewall versions 1.3.10
and later)<br>
</b></p>
<blockquote>
@ -474,7 +476,7 @@ later)<br>
<p align="left"><br>
Note: I have multiple ppp interfaces on my firewall. If you have a single
ppp interface, you probably want:</p>
ppp interface, you probably want:</p>
<h4>/etc/shorewall/interfaces:</h4>
@ -513,10 +515,10 @@ ppp interface, you probably want:</p>
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind
your Firewall</h2>
your Firewall</h2>
<p>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</p>
<p>If you have a single external IP address, add the following to your /etc/shorewall/rules
file:</p>
<font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -555,8 +557,8 @@ your Firewall</h2>
</table>
<p>If you have multiple external IP address and you want to forward a single
<i>&lt;external address&gt;, </i>add the following to your /etc/shorewall/rules
file:</p>
<i>&lt;external address&gt;, </i>add the following to your /etc/shorewall/rules
file:</p>
<p> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
@ -597,11 +599,11 @@ file:</p>
</p>
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running Behind
your Firewall</h2>
your Firewall</h2>
<p>You shouldn't have to take any special action for this case unless you
wish to connect multiple clients to the same external server. In that case,
you will need to follow the instructions at <a
wish to connect multiple clients to the same external server. In that case,
you will need to follow the instructions at <a
href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>.
I recommend that you also add these two lines to your /etc/shorewall/modules
file: </p>
@ -611,16 +613,15 @@ you will need to follow the instructions at <a
loadmodule ip_nat_pptp </p>
</blockquote>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your
Firewall.</h2>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a
href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.   
Rather than use the configuration script that comes with the client, I built
my own. I also build my own kernel <a href="#PatchKernel">as described above</a>
rather than using the mppe package that is available with the client. My
/etc/ppp/options file is mostly unchanged from what came with the client (see
below).</p>
Rather than use the configuration script that comes with the client, I
built my own. I also build my own kernel <a href="#PatchKernel">as described
above</a> rather than using the mppe package that is available with the
client. My /etc/ppp/options file is mostly unchanged from what came with
the client (see below).</p>
<p>The key elements of this setup are as follows: </p>
@ -770,14 +771,14 @@ below).</p>
<br>
</blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq'
zone because I also run a PPTP server on my firewall (see above). Using this
technique allows me to distinguish clients of my own PPTP server from arbitrary
<p>I use the combination of interface and hosts file to define the 'cpq' zone
because I also run a PPTP server on my firewall (see above). Using this
technique allows me to distinguish clients of my own PPTP server from arbitrary
hosts at Compaq; I assign addresses in 192.168.1.0/24 to my PPTP clients
and Compaq doesn't use that RFC1918 Class C subnet. </p>
<p>I use this script in /etc/init.d to control the client. The reason that
I disable ECN when connecting is that the Compaq tunnel servers don't do
I disable ECN when connecting is that the Compaq tunnel servers don't do
ECN yet and reject the initial TCP connection request if I enable ECN :-(
</p>
@ -923,5 +924,6 @@ ECN yet and reject the initial TCP connection request if I enable ECN :-(
<br>
<br>
<br>
<br>
</body>
</html>

28
Shorewall-docs/ProxyARP.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -92,24 +92,25 @@ rather than behind it.<br>
(130.252.100.18 and 130.252.100.19 in the above example)  to the external
interface (eth0 in this example) of the firewall.</b></font><br>
</p>
<div align="left"> </div>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet.
parallel to your firewall to behind your firewall with Proxy ARP, it
will probably be HOURS before that system can communicate with the internet.
There are a couple of things that you can try:<br>
</p>
<ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
Vol 1</i> reveals that a <br>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
Illustrated, Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
MAC address for its own IP; in addition to ensuring that the IP address isn't
a duplicate...<br>
MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its
@ -124,9 +125,9 @@ iputils package include "arping", whose "-U" flag does just that:<br>
proxied IP&gt;</i></b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly to gratuitous
ARPs, but googling for "arping -U" seems to support the idea that it works
most of the time.<br>
Stevens goes on to mention that not all systems respond correctly to
gratuitous ARPs, but googling for "arping -U" seems to support the idea
that it works most of the time.<br>
<br>
To use arping with Proxy ARP in the above example, you would have to:<br>
<br>
@ -174,9 +175,9 @@ dev eth0<br>
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the
gateway's ARP cache still associates 130.252.100.19 with the NIC in that
system rather than with the firewall's eth0.</p>
was the MAC address of the system on the lower left. In other words,
the gateway's ARP cache still associates 130.252.100.19 with the NIC
in that system rather than with the firewall's eth0.</p>
</div>
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
@ -186,5 +187,6 @@ dev eth0<br>
<br>
<br>
<br>
<br>
</body>
</html>

9
Shorewall-docs/SeattleInTheSpring.html
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -32,10 +32,10 @@
<b>March 6, 2003 - Nice day for a walk....</b><br>
<br>
<img src="images/P1000050.jpg" alt="" width="640" height="480">
<br>
<br>
<br>
<img src="images/P1000049.jpg" alt="" width="480" height="640">
<br>
<br>
<img src="images/P1000049.jpg" alt="" width="480" height="640">
<p><b>The view from my office window -- think I'll go out and enjoy the deck
(Yes -- that is snow on the deck...)</b>.<br>
@ -48,5 +48,6 @@
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
</body>
</html>

12
Shorewall-docs/Shorewall_CA_html.html
View File

@ -12,11 +12,10 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
(CA) Certificate</font></h1>
</td>
@ -72,8 +71,8 @@ so that it will accept any certificate signed by me. <br>
<li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of your
bank.</li>
your browser with a bogus certificate claiming that my server is that of
your bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li>
@ -85,8 +84,9 @@ won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas
M. Eastep.</font></a></font></p>
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>

7
Shorewall-docs/Shorewall_CVS_Access.html
View File

@ -12,7 +12,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -27,8 +27,8 @@
<br>
Lots of people try to download the entire Shorewall website for off-line
browsing, including the CVS portion. In addition to being an enormous volume
of data (HTML versions of all versions of all Shorewall files), all of
the pages in Shorewall CVS access are cgi-generated which places a tremendous
of data (HTML versions of all versions of all Shorewall files), all of the
pages in Shorewall CVS access are cgi-generated which places a tremendous
load on my little server. I have therefore resorted to making CVS access
password controlled. When you are asked to log in, enter "Shorewall" (NOTE
THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
@ -52,5 +52,6 @@ the pages in Shorewall CVS access are cgi-generated which places a tremendous
<br>
<br>
<br>
<br>
</body>
</html>

6
Shorewall-docs/Shorewall_Doesnt.html
View File

@ -16,13 +16,14 @@
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that Shorewall
<b>Cannot</b> Do</font></small></h1>
<small> </small></td>
<small>
</small></td>
</tr>
</tbody>
@ -46,5 +47,6 @@
</p>
<br>
<br>
<br>
</body>
</html>

102
Shorewall-docs/Shorewall_Squid_Usage.html
View File

@ -11,20 +11,23 @@
<body>
<table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#400169">
bgcolor="#3366ff">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#400169"><a
<td valign="middle" width="33%" bgcolor="#3366ff"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td>
<td valign="middle" height="90" align="center" width="34%"><font
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
<td valign="middle" height="90" align="center"
width="34%">
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
<h1> </h1>
</td>
<td valign="middle" height="90" width="33%" align="right"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4">
<td valign="middle" height="90" width="33%"
align="right"><a href="http://www.squid-cache.org/"><img
src="images/cache_now.gif" alt="" width="100" height="31" hspace="4">
</a><br>
</td>
</tr>
@ -36,7 +39,7 @@
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<a href="#DMZ"></a><br>
<br>
<img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
@ -44,35 +47,36 @@
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the files
/etc/shorewall/start and /etc/shorewall/init -- if you don't have those
files, siimply create them.<br>
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the
files /etc/shorewall/start and /etc/shorewall/init -- if you don't have
those files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ zone
or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP addresses.<br>
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
zone or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP
addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on your
Squid server.<br>
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
your Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
@ -82,9 +86,9 @@ NAT_ENABLED=Yes<br>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in
the DMZ</a></li>
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
in the DMZ</a></li>
</ol>
@ -94,7 +98,7 @@ the DMZ</a></li>
http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on port
3128. Squid will of course require access to remote web servers.<br>
3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
@ -141,23 +145,23 @@ the DMZ</a></li>
<br>
</blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case,
you must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to a
Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on port
3128. Your local interface is eth1. There may also be a web server running
on 192.168.1.3. It is assumed that web access is already enabled from
the local zone to the internet.<br>
You want to redirect all local www connection requests to
a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on
port 3128. Your local interface is eth1. There may also be a web server
running on 192.168.1.3. It is assumed that web access is already enabled
from the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
@ -187,7 +191,7 @@ it</b>.<br>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.<br>
please upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
@ -255,8 +259,8 @@ please upgrade to Shorewall 1.4.2 or later.<br>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have the
following policy in place of the above rule:<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have
the following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -299,8 +303,8 @@ please upgrade to Shorewall 1.4.2 or later.<br>
</blockquote>
<ul>
<li>On 192.168.1.3, arrange for the following command to be
executed after networking has come up<br>
<li>On 192.168.1.3, arrange for the following command to
be executed after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
@ -321,9 +325,9 @@ executed after networking has come up<br>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address 192.0.2.177.
You want to run both a web server and Squid on that system. Your DMZ
interface is eth1 and your local interface is eth2.<br>
You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
@ -397,7 +401,8 @@ interface is eth1 and your local interface is eth2.<br>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
C) Run Shorewall 1.3.14 or later and add the following entry in
/etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
@ -504,8 +509,8 @@ interface is eth1 and your local interface is eth2.<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for the
following command to be executed after networking has come up<br>
<li>On 192.0.2.177 (your Web/Squid server), arrange for
the following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
@ -528,7 +533,10 @@ following command to be executed after networking has come up<br>
<p><font size="-1"> Updated 6/27/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2003 Thomas M. Eastep.</font></a><br>
<a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
</body>
</html>

83
Shorewall-docs/Shorewall_and_Aliased_Interfaces.html
View File

@ -12,10 +12,11 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Aliased Interfaces</font></h1>
</td>
</tr>
@ -26,27 +27,27 @@
<h2>Background</h2>
The traditional net-tools contain a program called <i>ifconfig</i>
which is used to configure network devices. ifconfig introduced the concept
of <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
have names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0) and
ifconfig treats them more or less like real interfaces.<br>
which is used to configure network devices. ifconfig introduced the concept
of <i>aliased </i>or <i>virtial </i>interfaces. These virtual interfaces
have names of the form <i>interface</i>:<i>integer </i>(e.g., eth0:0)
and ifconfig treats them more or less like real interfaces.<br>
<br>
Example:<br>
<pre>[root@gateway root]# ifconfig eth0:0<br>eth0:0 Link encap:Ethernet HWaddr 02:00:08:3:FA:55<br> inet addr:206.124.146.178 Bcast:206.124.146.255 Mask:255.255.255.0<br> UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br> Interrupt:11 Base address:0x2000<br>[root@gateway root]# <br></pre>
The ifconfig utility is being gradually phased out in favor of the
<i>ip</i> utility which is part of the <i>iproute </i>package. The ip
utility does not use the concept of aliases or virtual interfaces but rather
treats additional addresses on an interface as objects. The ip utility
does provide for interaction with ifconfig in that it allows addresses
to be <i>labeled </i>and labels may take the form of ipconfig virtual interfaces.<br>
<i>ip</i> utility which is part of the <i>iproute </i>package. The ip utility
does not use the concept of aliases or virtual interfaces but rather treats
additional addresses on an interface as objects. The ip utility does provide
for interaction with ifconfig in that it allows addresses to be <i>labeled
</i>and labels may take the form of ipconfig virtual interfaces.<br>
<br>
Example:<br>
<br>
<pre>[root@gateway root]# ip addr show dev eth0<br>2: eth0: &lt;BROADCAST,MULTICAST,UP&gt; mtu 1500 qdisc htb qlen 100<br> link/ether 02:00:08:e3:fa:55 brd ff:ff:ff:ff:ff:ff<br> inet 206.124.146.176/24 brd 206.124.146.255 scope global eth0<br> inet 206.124.146.178/24 brd 206.124.146.255 scope global secondary eth0:0<br>[root@gateway root]# <br></pre>
Note that one <u>cannot</u> type "ip addr show dev eth0:0" because
"eth0:0" is a label for a particular address rather than a device name.<br>
"eth0:0" is a label for a particular address rather than a device name.<br>
<pre>[root@gateway root]# ip addr show dev eth0:0<br>Device "eth0:0" does not exist.<br>[root@gateway root]#<br></pre>
The iptables program doesn't support virtual interfaces in either
@ -109,8 +110,8 @@ with the IP address.<br>
<h3>DNAT</h3>
Suppose that I had set up eth0:0 as above and I wanted to port forward
from that virtual interface to a web server running in my local zone at
192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
from that virtual interface to a web server running in my local zone
at 192.168.1.3. That is accomplised by a single rule in the /etc/shorewall/rules
file:<br>
<br>
@ -185,11 +186,11 @@ with the IP address.<br>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
so that you can see the created address using ifconfig. In addition to
setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface name in
the INTERFACE column as follows:<br>
set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning
with Shorewall 1.3.14, Shorewall can actually create the "label" (virtual
interface) so that you can see the created address using ifconfig. In
addition to setting ADD_SNAT_ALIASES=Yes, you specify the virtual interface
name in the INTERFACE column as follows:<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
@ -214,12 +215,13 @@ the INTERFACE column as follows:<br>
</tbody>
</table>
</blockquote>
Shorewall can also set up SNAT to round-robin over a range of IP addresses.
Shorewall can also set up SNAT to round-robin over a range of IP addresses.
Do do that, you specify a range of IP addresses in the ADDRESS column. If
you specify a label in the INTERFACE column, Shorewall will use that label
for the first address of the range and will increment the label by one for
each subsequent label.<br>
<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
@ -243,11 +245,11 @@ each subsequent label.<br>
</tbody>
</table>
</blockquote>
The above would create three IP addresses:<br>
<br>
&nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
&nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
&nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
The above would create three IP addresses:<br>
<br>
&nbsp;&nbsp;&nbsp; eth0:0 = 206.124.146.178<br>
&nbsp;&nbsp;&nbsp; eth0:1 = 206.124.146.179<br>
&nbsp;&nbsp;&nbsp; eth0:2 = 206.124.146.180<br>
<h3>STATIC NAT</h3>
If you wanted to use static NAT to link eth0:0 with local address
@ -287,11 +289,11 @@ The above would create three IP addresses:<br>
<br>
</blockquote>
Shorewall can create the alias (additional address) for you if you
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual interface)
so that you can see the created address using ifconfig. In addition to
setting ADD_IP_ALIASES=Yes, you specify the virtual interface name in the
INTERFACE column as follows:<br>
set ADD_IP_ALIASES=Yes in /etc/shorewall/shorewall.conf. Beginning with
Shorewall 1.3.14, Shorewall can actually create the "label" (virtual
interface) so that you can see the created address using ifconfig. In
addition to setting ADD_IP_ALIASES=Yes, you specify the virtual interface
name in the INTERFACE column as follows:<br>
<br>
<blockquote>
@ -327,7 +329,7 @@ INTERFACE column as follows:<br>
<br>
</blockquote>
In either case, to create rules that pertain only to this NAT pair,
you simply qualify the local zone with the internal IP address.<br>
you simply qualify the local zone with the internal IP address.<br>
<br>
Example: You want to allow SSH from the net to 206.124.146.178 a.k.a.
192.168.1.3.<br>
@ -384,9 +386,9 @@ you simply qualify the local zone with the internal IP address.<br>
as a zone and allow your firewall/router to route between the two subnetworks.<br>
<br>
Example 1: &nbsp;Local interface eth1 interfaces to 192.168.1.0/24
and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to simply route all requests between
the two subnetworks.<br>
and 192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254
and eth1:0 is 192.168.20.254. You want to simply route all requests between
the two subnetworks.<br>
<h4>If you are running Shorewall 1.4.1 or Later</h4>
In /etc/shorewall/interfaces:<br>
@ -527,11 +529,11 @@ the two subnetworks.<br>
</table>
<br>
</blockquote>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and 192.168.20.0/24.
The primary IP address of eth1 is 192.168.1.254 and eth1:0 is 192.168.20.254.
You want to make these subnetworks into separate zones and control the
access between them (the users of the systems do not have administrative
privileges).<br>
Example 2: Local interface eth1 interfaces to 192.168.1.0/24 and
192.168.20.0/24. The primary IP address of eth1 is 192.168.1.254 and
eth1:0 is 192.168.20.254. You want to make these subnetworks into separate
zones and control the access between them (the users of the systems do
not have administrative privileges).<br>
<br>
In /etc/shorewall/zones:<br>
<br>
@ -645,6 +647,7 @@ the two subnetworks.<br>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</p>
<br>
</body>
</html>

22
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -20,18 +20,20 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"
height="90">
<td
width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<td
width="100%" bgcolor="#ffffff">
<ul>
<li> <a
@ -47,7 +49,8 @@
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
@ -94,7 +97,10 @@ Site</a></li>
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
<li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
@ -141,5 +147,7 @@ Site</a></li>
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</body>
</html>

21
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -12,15 +12,15 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#4b017c" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"
@ -47,13 +47,15 @@
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li>
<b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
@ -93,7 +95,10 @@
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" target="_top">Argentina</a><br>
<li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br>
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
@ -140,5 +145,7 @@
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</body>
</html>

24
Shorewall-docs/VPN.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -34,22 +34,21 @@ is shown in the following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568"
height="796">
</p>
</p>
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that
the local system has IP address 192.168.1.12 and that the remote gateway
has IP address 192.0.2.224.</p>
network through a remote gateway. For this example, we will assume that the
local system has IP address 192.168.1.12 and that the remote gateway has
IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements
beyond the default loc-&gt;net ACCEPT policy. There is one restriction however:
Only one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the 'Patch-o-matic' patches available
at <a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
unless you patch your kernel from the 'Patch-o-matic' patches available at
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then only one system may connect to
the remote gateway and there are firewall configuration requirements as
follows:</p>
the remote gateway and there are firewall configuration requirements as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -89,16 +88,19 @@ follows:</p>
</table>
</blockquote>
<p>If you want to be able to give access to all of your local systems to
the remote network, you should consider running a VPN client on your firewall.
<p>If you want to be able to give access to all of your local systems to the
remote network, you should consider running a VPN client on your firewall.
As starting points, see <a
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p> </p>
<br>
<br>
</body>
</html>

8
Shorewall-docs/blacklisting_support.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -31,8 +31,7 @@
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration
parameters:</p>
<p>Shorewall static blacklisting support has the following configuration parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped
@ -73,7 +72,7 @@ listed IP addresses to be rejected by the firewall.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
/etc/shorewall/interfaces.<br>
<p>Example 1:</p>
@ -95,5 +94,6 @@ Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
<br>
<br>
<br>
<br>
</body>
</html>

108
Shorewall-docs/configuration_file_basics.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -28,7 +28,7 @@
</table>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your configuration
files on a system running Microsoft Windows, you <u>must</u>
files on a system running Microsoft Windows, you <u>must</u>
run them through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
before you use them with Shorewall.</b></p>
@ -38,8 +38,8 @@ files on a system running Microsoft Windows, you <u>must</u>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<ul>
<li>/etc/shorewall/shorewall.conf - used to set
several firewall parameters.</li>
<li>/etc/shorewall/shorewall.conf - used to
set several firewall parameters.</li>
<li>/etc/shorewall/params - use this file to
set shell variables that you will expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's
@ -47,7 +47,7 @@ set shell variables that you will expand in other files.</li>
<li>/etc/shorewall/policy - establishes firewall
high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the
interfaces on the firewall system.</li>
interfaces on the firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones
in terms of individual hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall
@ -57,8 +57,9 @@ interfaces on the firewall system.</li>
<li>/etc/shorewall/modules - directs the firewall
to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
are exceptions to the overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT
rules.</li>
<li>/etc/shorewall/proxyarp - defines use of
Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4
@ -68,18 +69,18 @@ of packets for later use by traffic control/shaping or policy
routing.</li>
<li>/etc/shorewall/tos - defines rules for setting
the TOS field in packet headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE
and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/tunnels - defines IPSEC,
GRE and IPIP tunnels with end-points on the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted
IP/subnet/MAC addresses.</li>
<li>/etc/shorewall/init - commands that you wish to execute at the
beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/init - commands that you wish to execute at
the beginning of a "shorewall start" or "shorewall restart".</li>
<li>/etc/shorewall/start - commands that you wish to execute at
the completion of a "shorewall start" or "shorewall restart"</li>
<li>/etc/shorewall/stop - commands that you wish to execute at the
beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute at
the completion of a "shorewall stop".</li>
<li>/etc/shorewall/stop - commands that you wish to execute at
the beginning of a "shorewall stop".</li>
<li>/etc/shorewall/stopped - commands that you wish to execute
at the completion of a "shorewall stop".</li>
<li>/etc/shorewall/ecn - disable Explicit Congestion Notification (ECN
- RFC 3168) to remote hosts or networks.<br>
</li>
@ -90,8 +91,8 @@ the completion of a "shorewall start" or "shorewall restart"</li>
<p>You may place comments in configuration files by making the first non-whitespace
character a pound sign ("#"). You may also place comments
at the end of any line, again by delimiting the comment from
the rest of the line with a pound sign.</p>
at the end of any line, again by delimiting the comment from the
rest of the line with a pound sign.</p>
<p>Examples:</p>
@ -110,11 +111,11 @@ the rest of the line with a pound sign.</p>
<h2><a name="INCLUDE"></a>IN<small><small></small></small>CLUDE Directive</h2>
Beginning with Shorewall version 1.4.2, any file may contain INCLUDE directives.
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
An INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command.<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested INCLUDE directives
are ignored with a warning message.<big><big><br>
@ -186,8 +187,8 @@ directory if one has been specified for the command.<br>
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
using DNS names in Shorewall configuration files. If you use DNS
names and you are called out of bed at 2:00AM because Shorewall won't
start as a result of DNS problems then don't say that you were not
forewarned. <br>
start as a result of DNS problems then don't say that you were not forewarned.
<br>
</b></p>
<p align="left"><b>    -Tom<br>
@ -197,8 +198,8 @@ forewarned. <br>
configuration files may be specified as either IP addresses or DNS
Names.<br>
<br>
DNS names in iptables rules aren't nearly as useful as
they first appear. When a DNS name appears in a rule, the iptables
DNS names in iptables rules aren't nearly as useful
as they first appear. When a DNS name appears in a rule, the iptables
utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So changes in the DNS-&gt;IP address
relationship that occur after the firewall has started have absolutely
@ -217,16 +218,16 @@ forewarned. <br>
before starting your DNS server then your firewall won't start.<br>
</li>
<li>Factors totally outside your control (your ISP's
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior to
starting your firewall.<br>
router is down for example), can prevent your firewall from starting.</li>
<li>You must bring up your network interfaces prior
to starting your firewall.<br>
</li>
</ul>
<p align="left"> Each DNS name much be fully qualified and include a minumum
of two periods (although one may be trailing). This restriction
is imposed by Shorewall to insure backward compatibility with existing
of two periods (although one may be trailing). This restriction is
imposed by Shorewall to insure backward compatibility with existing
configuration files.<br>
<br>
Examples of valid DNS names:<br>
@ -259,9 +260,9 @@ is imposed by Shorewall to insure backward compatibility with existing
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can precede
the item with "!" to specify the complement of the item. For example,
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space
following the "!".</p>
the item with "!" to specify the complement of the item. For example,
!192.168.1.4 means "any host but 192.168.1.4". There must be no white space
following the "!".</p>
<h2><a name="Lists"></a>Comma-separated Lists</h2>
@ -272,10 +273,10 @@ following the "!".</p>
<li>Must not have any embedded white space.<br>
Valid: routefilter,dhcp,norfc1918<br>
Invalid: routefilter,     dhcp,    
norfc1818</li>
<li>If you use line continuation to break a comma-separated
list, the continuation line(s) must begin in column 1 (or
there would be embedded white space)</li>
norfc1818</li>
<li>If you use line continuation to break a
comma-separated list, the continuation line(s) must begin
in column 1 (or there would be embedded white space)</li>
<li>Entries in a comma-separated list may appear
in any order.</li>
@ -284,24 +285,24 @@ norfc1818</li>
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use either
an integer or a service name from /etc/services. </p>
an integer or a service name from /etc/services. </p>
<h2><a name="Ranges"></a>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For
example, if you want to forward the range of tcp ports 4000 through
4100 to local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
port number</i>&gt;:&lt;<i>high port number</i>&gt;. For example,
if you want to forward the range of tcp ports 4000 through 4100 to
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
</p>
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
If you omit the low port number, a value of zero is assumed; if you omit
the high port number, a value of 65535 is assumed.<br>
If you omit the low port number, a value of zero is assumed; if you
omit the high port number, a value of 65535 is assumed.<br>
<h2><a name="Variables"></a>Using Shell Variables</h2>
<p>You may use the /etc/shorewall/params file to set shell variables
that you can then use in some of the other configuration files.</p>
that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
@ -336,14 +337,14 @@ example, if you want to forward the range of tcp ports 4000 through
<p>Media Access Control (MAC) addresses can be used to specify packet
source in several of the configuration files. To use this
feature, your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
included.</p>
feature, your kernel must have MAC Address Match support
(CONFIG_IP_NF_MATCH_MAC) included.</p>
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a unique
MAC address.<br>
MAC address.<br>
<br>
In GNU/Linux, MAC addresses are usually written
as a series of 6 hex numbers separated by colons. Example:<br>
as a series of 6 hex numbers separated by colons. Example:<br>
<br>
     [root@gateway root]# ifconfig eth0<br>
     eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
@ -393,15 +394,16 @@ shorewall start or shorewall restart command (e.g., <i><b>shorewall
-c /etc/testconfig restart</b></i> )</li>
</ol>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if
an error occurs to automatically restart the standard configuration.<br>
The <a href="starting_and_stopping_shorewall.htm"><b>try</b> command</a>
allows you to attempt to restart using an alternate configuration and if an
error occurs to automatically restart the standard configuration.<br>
<p><font size="2"> Updated 6/29/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
</body>
</html>

3
Shorewall-docs/copyright.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -41,5 +41,6 @@ A copy of the license is included in the section entitled "<a
 </p>
</blockquote>
<br>
<br>
</body>
</html>

21
Shorewall-docs/dhcp.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -31,16 +31,17 @@
<ul>
<li>
<p align="left">Specify the "dhcp" option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your
firewall system. </p>
<p align="left">Specify the "dhcp" option on each interface to be served
by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your firewall
system. </p>
</li>
<li>
<p align="left">When starting "dhcpd", you need to list those interfaces
on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
</p>
</li>
</ul>
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
@ -53,14 +54,14 @@ on the run line. On a RedHat system, this is done by modifying /etc/sysconfi
system. </p>
</li>
<li>
<p align="left">If you know that the dynamic address is always going
to be in the same subnet, you can specify the subnet address in the interface's
<p align="left">If you know that the dynamic address is always going to
be in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. </p>
</li>
<li>
<p align="left">If you don't know the subnet address in advance, you
should specify "detect" for the interface's subnet address in the <a
<p align="left">If you don't know the subnet address in advance, you should
specify "detect" for the interface's subnet address in the <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p>
</li>
@ -70,6 +71,7 @@ and start Shorewall after the interface has started. </p>
command to be executed when a new dynamic IP address gets assigned to
the interface. Check your DHCP client's documentation. </p>
</li>
</ul>
<p align="left"><font size="2">Last updated 11/03/2002 - <a
@ -78,5 +80,6 @@ the interface. Check your DHCP client's documentation. </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>

34
Shorewall-docs/download.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -53,13 +53,13 @@ for the configuration that most closely matches your own.<br>
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
init scripts in /etc/init.d and that include chkconfig or
insserv). If you find that it works in other cases, let <a
init scripts in /etc/init.d and that include chkconfig
or insserv). If you find that it works in other cases, let <a
href="mailto:teastep@shorewall.net"> me</a> know so that
I can mention them here. See the <a href="Install.htm">Installation
Instructions</a> if you have problems installing the RPM.</li>
<li>If you are running LRP, download the .lrp
file (you might also want to download the .tgz so you will
file (you might also want to download the .tgz so you will
have a copy of the documentation).</li>
<li>If you run <a
href="http://www.debian.org"><b>Debian</b></a> and would
@ -89,8 +89,9 @@ have a copy of the documentation).</li>
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
configuration of your firewall, you can enable startup by removing
the file /etc/shorewall/startup_disabled.</b></font></p>
<p><b></b></p>
@ -168,6 +169,17 @@ have a copy of the documentation).</li>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td valign="top">Brazil<br>
</td>
<td valign="top">securityopensource.org.br<br>
</td>
<td valign="top"><a
href="http://shorewall.securityopensource.org.br/pub/shorewall/">Browse</a><br>
</td>
<td valign="top">N/A<br>
</td>
</tr>
<tr>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
@ -198,13 +210,13 @@ find there will work at all.<br>
<blockquote>
<p align="left">Periodic snapshots from CVS may be found at <a
href="http://shorewall.net/pub/shorewall/Snapshots/">http://shorewall.net/pub/shorewall/Snapshots</a>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed
and run at shorewall.net.<br>
(<a href="ftp://shorewall.net/pub/shorewall/Snapshots/" target="_top">FTP</a>).
These snapshots have undergone initial testing and will have been installed
and run at shorewall.net.<br>
</p>
</blockquote>
<p align="left"><font size="2">Last Updated 6/19/2003 - <a
<p align="left"><font size="2">Last Updated 7/15/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
@ -216,5 +228,7 @@ and run at shorewall.net.<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

105
Shorewall-docs/errata.htm
View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252">
<title>Shorewall 1.4 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -18,7 +19,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -44,9 +45,9 @@
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
@ -58,9 +59,9 @@ the archive, replace the 'firewall' script in the untarred directory
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script if
you are running 1.3.7c.</font></b><br>
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are
running 1.3.7c.</font></b><br>
</p>
</li>
@ -81,17 +82,17 @@ you are running 1.3.7c.</font></b><br>
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat
iptables</a></b></li>
href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with
iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#Multiport">Problems
with iptables version 1.2.7 and MULTIPORT=Yes</a></b></li>
<li><b><a href="#NAT">Problems with RH Kernel
2.4.18-10 and NAT</a></b></li>
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and REJECT
(also applies to 2.4.21-RC1) <img src="images/new10.gif" alt="(New)"
width="28" height="12" border="0">
<li><b><a href="#REJECT">Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
alt="(New)" width="28" height="12" border="0">
</a><br>
</b></li>
@ -106,11 +107,11 @@ iptables</a></b></li>
<ul>
<li>Shorewall is ignoring records in /etc/shorewall/routestopped that
have an empty second column (HOSTS). This problem may be corrected by installing
have an empty second column (HOSTS). This problem may be corrected by installing
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.</li>
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above.</li>
<li>The INCLUDE directive doesn't work when placed in the /etc/shorewall/zones
file. This problem may be corrected by installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/functions"
@ -127,8 +128,8 @@ file. This problem may be corrected by installing <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by installing
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above.<br>
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
@ -138,8 +139,8 @@ described above.<br>
<ul>
<li> If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule
is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
problems starting Shorewall because the --log-prefix in a logging rule is
too long. Upgrade to Version 1.4.4a to fix this problem..</li>
</ul>
@ -148,10 +149,11 @@ is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
<ul>
<li>The LOGMARKER variable introduced in version 1.4.3 was intended
to allow integration of Shorewall with Fireparse (http://www.firewparse.com).
Unfortunately, LOGMARKER only solved part of the integration problem. I
have implimented a new LOGFORMAT variable which will replace LOGMARKER which
has completely solved this problem and is currently in production with fireparse
here at shorewall.net. The updated files may be found at <a
Unfortunately, LOGMARKER only solved part of the integration problem.
I have implimented a new LOGFORMAT variable which will replace LOGMARKER
which has completely solved this problem and is currently in production
with fireparse here at shorewall.net. The updated files may be found at
<a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
See the 0README.txt file for details.<br>
@ -162,12 +164,12 @@ has completely solved this problem and is currently in production with firepars
<h3>1.4.2</h3>
<ul>
<li>When an 'add' or 'delete' command is executed, a temporary directory
created in /tmp is not being removed. This problem may be corrected by
installing <a
<li>When an 'add' or 'delete' command is executed, a temporary
directory created in /tmp is not being removed. This problem may be corrected
by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall as
described above. <br>
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
as described above. <br>
</li>
</ul>
@ -175,9 +177,9 @@ described above. <br>
<h3>1.4.1a, 1.4.1 and 1.4.0</h3>
<ul>
<li>Some TCP requests are rejected in the 'common' chain with an
ICMP port-unreachable response rather than the more appropriate TCP RST
response. This problem is corrected in <a
<li>Some TCP requests are rejected in the 'common' chain with
an ICMP port-unreachable response rather than the more appropriate TCP
RST response. This problem is corrected in <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.1a/common.def"
target="_top">this updated common.def file</a> which may be installed in
/etc/shorewall/common.def.<br>
@ -234,7 +236,7 @@ to create ECN rules even when /etc/shorewall/ecn is empty. You may either
corrected 1.2.3 rpm which you can download here</a>  and
I have also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
@ -262,8 +264,8 @@ I have also built an <a
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18 and
RedHat iptables</h3>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
@ -288,7 +290,7 @@ RedHat iptables</h3>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the
"--nodeps" option to rpm.</p>
"--nodeps" option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
@ -299,12 +301,12 @@ RedHat iptables</h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules;
as a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p>
as a consequence, if you install iptables 1.2.7 you
must be running Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
in /etc/shorewall/shorewall.conf;
<li>set
MULTIPORT=No in /etc/shorewall/shorewall.conf;
or </li>
<li>if you
are running Shorewall 1.3.6 you may
@ -327,26 +329,27 @@ or </li>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column.
Kernel support for LOCAL=yes has never worked properly and 2.4.18-10
has disabled it. The 2.4.19 kernel contains corrected support
under a new kernel configuraiton option; see <a
has disabled it. The 2.4.19 kernel contains corrected support under
a new kernel configuraiton option; see <a
href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and REJECT
(also applies to 2.4.21-RC1)</b></h3>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and
REJECT (also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with tcp-reset"
is broken. The symptom most commonly seen is that REJECT rules act just like
DROP rules when dealing with TCP. A kernel patch and precompiled modules to
fix this problem are available at <a
is broken. The symptom most commonly seen is that REJECT rules act just
like DROP rules when dealing with TCP. A kernel patch and precompiled modules
to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
<hr>
<p><font size="2"> Last updated 6/13/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><font size="2"> Last updated 6/13/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</p>
<br>
</body>
</html>

239
Shorewall-docs/errata_1.htm
View File

@ -1,215 +1,196 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Errata for Version 1</title>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Errata for Version 1</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Errata for Version 1.1</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall Errata for Version
1.1</font></h1>
</td>
</tr>
</tbody>
</table>
<h3 align="Left"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior
to Sept 20, 2001:</u></font></h3>
<h3 align="left"><font color="#660066"><u>To those of you who downloaded
the 1.1.13 updated firewall script prior to Sept 20, 2001:</u></font></h3>
<blockquote>
<p align="Left">Prior
to 20:00 20 Sept 2001 GMT, the link under 1.1.13 pointed to a broken version
of the firewall script. This has now been corrected. I apologize for any confusion
this may have caused.</p>
<blockquote>
<p align="left">Prior to 20:00 20 Sept 2001 GMT, the link under 1.1.13
pointed to a broken version of the firewall script. This has now been corrected.
I apologize for any confusion this may have caused.</p>
</blockquote>
<h3 align="Left">Version 1.1.18</h3>
<h3 align="left">Version 1.1.18</h3>
<blockquote>
<p align="Left">In the original .lrp, /etc/init.d/shorewall was not
<blockquote>
<p align="left">In the original .lrp, /etc/init.d/shorewall was not
secured for execute access. I have replaced the incorrect .lrp
(shorwall-1.1.18.lrp) with a corrected one (shorwall-1.1.18a.lrp).</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.17</font></h3>
<h3 align="left"><font color="#660066"> Version 1.1.17</font></h3>
<blockquote>
<blockquote>
<p align="left">In shorewall.conf, ADD_IP_ALIASES was incorrectly
spelled IP_ADD_ALIASAES. There is a corrected version of the
file <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
<p align="Left">In
shorewall.conf, ADD_IP_ALIASES was incorrectly spelled
IP_ADD_ALIASAES. There is a corrected version of the file <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.17/shorewall.conf">here.</a></p>
<p align="Left">This
problem is also corrected in version 1.1.18.</p>
<p align="left">This problem is also corrected in version 1.1.18.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.16</font></h3>
<h3 align="left"><font color="#660066"> Version 1.1.16</font></h3>
<blockquote>
<p align="Left">
The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly spelled IP_ADD_ALIASES
in the firewall script. To correct this problem, install the <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall">
corrected firewall script</a>
in the location pointed to by the symbolic link /etc/shorewall/firewall.</p>
<blockquote>
<p align="left"> The ADD_IP_ALIASES variable added in 1.1.16 was incorrectly
spelled IP_ADD_ALIASES in the firewall script. To correct this problem,
install the <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.16/firewall"> corrected
firewall script</a> in the location pointed to by the symbolic link
/etc/shorewall/firewall.</p>
<p align="Left">
This problem is also corrected in version 1.1.17.</p>
<p align="left"> This problem is also corrected in version 1.1.17.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.14-1.1.15</font></h3>
<h3 align="left"><font color="#660066"> Version 1.1.14-1.1.15</font></h3>
<blockquote>
<p align="Left">
There are no corrections for these versions.</p>
<blockquote>
<p align="left"> There are no corrections for these versions.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.13</font></h3>
<h3 align="left"><font color="#660066"> Version 1.1.13</font></h3>
<blockquote>
<p align="Left">
The firewall fails to start if a rule with the following format is given:</p>
<blockquote>
<p align="left"> The firewall fails to start if a rule with the following
format is given:</p>
<p align="Left">
&lt;disposition&gt;    z1:www.xxx.yyy.zzz    z2    proto    p1,p2,p3</p>
<p align="left"> &lt;disposition&gt;    z1:www.xxx.yyy.zzz    z2   
proto    p1,p2,p3</p>
<p align="Left">
To correct this problem, install <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall">
this corrected firewall script</a>
in the location pointed to by the symbolic link /etc/shorewall/firewall. </p>
<p align="left"> To correct this problem, install <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.13/firewall"> this
corrected firewall script</a> in the location pointed to by the symbolic
link /etc/shorewall/firewall. </p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.12</font></h3>
<h3 align="left"><font color="#660066"> Version 1.1.12</font></h3>
<blockquote>
<p align="left"> The LRP version of Shorewall 1.1.12 has the incorrect
/etc/shorewall/functions file. This incorrect file results in many error
messages of the form:</p>
<blockquote>
<p align="Left">
The LRP version of Shorewall 1.1.12 has the incorrect /etc/shorewall/functions
file. This incorrect file results in many error messages of the form:</p>
<blockquote>
<p align="Left">
separate_list: not found</p>
<p align="left"> separate_list: not found</p>
</blockquote>
<p align="Left"><a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions">
The correct file may be obtained here</a>
. This problem is also corrected in version 1.1.13.</p>
<p align="left"><a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.12/functions"> The
correct file may be obtained here</a> . This problem is also corrected
in version 1.1.13.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.11</font></h3>
<h3 align="left"><font color="#660066"> Version 1.1.11</font></h3>
<blockquote>
<p align="Left">
There are no known problems with this version.</p>
<blockquote>
<p align="left"> There are no known problems with this version.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.10</font></h3>
<h3 align="left"><font color="#660066"> Version 1.1.10</font></h3>
<blockquote>
<p align="Left">
If the following conditions were met:<br>
<blockquote>
<p align="left"> If the following conditions were met:<br>
</p>
<ol>
<li>
<p align="Left">
A LAN segment attached to the firewall was served by a DHCP server
running on the firewall.</p>
<p align="left"> A LAN segment attached to the firewall was served
by a DHCP server running on the firewall.</p>
</li>
<li>
<p align="Left">
There were entries in /etc/shorewall/hosts that referred to the
interface to that LAN segment.</p>
<p align="left"> There were entries in /etc/shorewall/hosts that referred
to the interface to that LAN segment.</p>
</li>
</ol>
<p align="Left">
then up until now it has been necessary to include entries for 0.0.0.0
and 255.255.255.255 for that interface in /etc/shorewall/hosts. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
This version of the firewall script</a>
makes those additions unnecessary provided that you simply include
"dhcp" in the options for the interface in /etc/shorewall/interfaces.
Install the script into the location pointed to by the symbolic link
/etc/shorewall/firewall.</p>
<p align="left"> then up until now it has been necessary to include entries
for 0.0.0.0 and 255.255.255.255 for that interface in /etc/shorewall/hosts.
<a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.10/firewall">
This version of the firewall script</a> makes those additions unnecessary
provided that you simply include "dhcp" in the options for the interface
in /etc/shorewall/interfaces. Install the script into the location pointed
to by the symbolic link /etc/shorewall/firewall.</p>
<p align="Left">
This problem has also been corrected in version 1.1.11.</p>
<p align="left"> This problem has also been corrected in version 1.1.11.</p>
</blockquote>
<h3 align="Left"><font color="#660066">
Version 1.1.9</font></h3>
<h3 align="left"><font color="#660066"> Version 1.1.9</font></h3>
<ul>
<li>The shorewall "hits" command lists extraneous service names in the final
report. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall">
This version of the shorewall script</a>
corrects this problem.<br>
<li>The shorewall "hits" command lists extraneous service names in
the final report. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall"> This
version of the shorewall script</a> corrects this problem.<br>
</li>
</ul>
<h3 align="Left">Version 1.1.8</h3>
<h3 align="left">Version 1.1.8</h3>
<ul>
<li>Under some circumstances, the "dhcp" option on an interface triggers
a bug in the firewall script that results in a "chain already exists"
error. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall">
This version of the firewall script</a>
corrects this problem. Install it into the location pointed to by
the symbolic link /etc/shorewall/firewall.<br>
error. <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall"> This
version of the firewall script</a> corrects this problem. Install
it into the location pointed to by the symbolic link /etc/shorewall/firewall.<br>
<br>
This problem is also corrected in version 1.1.9.<br>
</li>
</ul>
<h3 align="Left">Version 1.1.7</h3>
<h3 align="left">Version 1.1.7</h3>
<ul>
<li>If the /etc/shorewall/rules template from version 1.1.7 is used, a warning
message appears during firewall startup:<br>
<li>If the /etc/shorewall/rules template from version 1.1.7 is used,
a warning message appears during firewall startup:<br>
<br>
    Warning: Invalid Target - rule "@ icmp-unreachable packet."
ignored<br>
<br>
This warning may be eliminated by replacing the "@" in column 1 of
line 17 with "#"</li>
</ul>
<blockquote>
<p align="Left">
This problem is also corrected in version 1.1.8</p>
<blockquote>
<p align="left"> This problem is also corrected in version 1.1.8</p>
</blockquote>
<p align="left"><font size="2">
Last updated 12/21/2001 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<p align="left"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p align="left"><font size="2"> Last updated 12/21/2001 - </font><font
size="2"> <a href="support.htm">Tom Eastep</a></font> </p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
</body>
</html>

544
Shorewall-docs/errata_2.htm
View File

@ -2,152 +2,143 @@
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.2 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" height="90" bgcolor="#400169">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" height="90" bgcolor="#3366ff">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall 1.2 Errata</font></h1>
<h1 align="center"><font color="#ffffff">Shorewall 1.2 Errata</font></h1>
</td>
</tr>
</table>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">
</tbody>
</table>
<p align="center"> <font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<p align="center">
<b><u>If you use a Windows system to download a corrected script, be sure to
run the script through <a href="http://www.megaloman.com/%7Ehany/software/hd2u/">
dos2unix</a>
<p align="center"> <b><u>If you use a Windows system to download a
corrected script, be sure to run the script through <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
after you have moved it to your Linux system.</u></b></p>
<p align="center">
<p align="center"> <u><b>When the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, use the 'cp' (or 'scp')
utility to overwrite the existing file. DO NOT REMOVE OR RENAME THE
OLD /etc/shorewall/firewall before you do that. /etc/shorewall/firewall
is a symbolic link that points to the 'shorewall' file used by your
system initialization scripts to start Shorewall during boot and it
is that file that must be overwritten with the corrected script. </b></u></p>
<u><b>When the instructions say to install a corrected firewall script in
/etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
before you do that. /etc/shorewall/firewall is a symbolic link that points
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot and it is that file that must be overwritten
with the corrected script. </b></u></p>
<ul>
<ul>
<li>
<h3 align="Left"><font color="#660066">
<a href="errata_1.htm">
Problems in Version 1.1</a></font></h3>
<h3 align="left"><font color="#660066"> <a href="errata_1.htm"> Problems
in Version 1.1</a></font></h3>
</li>
<li>
<h3 align="Left"><a href="#V1.2">Problems in Version 1.2</a></h3>
<h3 align="left"><a href="#V1.2">Problems in Version 1.2</a></h3>
</li>
<li>
<h3 align="Left"><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3</a></font></h3>
<h3 align="left"><font color="#660066"><a href="#iptables"> Problem
with iptables version 1.2.3</a></font></h3>
</li>
<li>
<h3 align="Left"><a href="#Debug">Problems with kernel 2.4.18 and
<h3 align="left"><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a></h3>
</li>
</ul>
<hr>
<h3 align="Left"><a name="V1.2"></a>Problems in Version 1.2</h3>
</ul>
<h3 align="Left">Version 1.2.13</h3>
<hr>
<h3 align="left"><a name="V1.2"></a>Problems in Version 1.2</h3>
<ul>
<h3 align="left">Version 1.2.13</h3>
<ul>
<li>
<p align="Left">Some users have reported problems installing the RPM
<p align="left">Some users have reported problems installing the RPM
on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even
though a 2.4 kernel RPM is installed. To get around this problem, use
the --nodeps option to rpm (e.g., &quot;rpm -ivh --nodeps
shorewall-1.2-13.noarch.rpm&quot;).<br>
though a 2.4 kernel RPM is installed. To get around this problem,
use the --nodeps option to rpm (e.g., "rpm -ivh --nodeps
shorewall-1.2-13.noarch.rpm").<br>
<br>
The problem stems from the fact that SuSE does not
include a package named &quot;kernel&quot; but rather has a number of packages
that provide the virtual package &quot;kernel&quot;. Since virtual packages have
The problem stems from the fact that SuSE does not include
a package named "kernel" but rather has a number of packages that
provide the virtual package "kernel". Since virtual packages have
no version associated with them, a conflict results. Since the
workaround is simple, I don't intend to change the Shorewall package.</p>
</li>
<li>
<p align="Left">Shorewall accepts invalid rules of the form:<br>
<p align="left">Shorewall accepts invalid rules of the form:<br>
<br>
<font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt; all &lt;port number&gt; -
&lt;original ip address&gt;<br>
<font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt;
all &lt;port number&gt; - &lt;original ip address&gt;<br>
<br>
</font>The &lt;port number&gt; is ignored with the result that <u>all</u>
connection requests from the &lt;src&gt; zone whose original destination IP
address matches the last column are forwarded to the &lt;dest&gt; zone, IP
address &lt;ip addr&gt;.&nbsp;
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
</font>The &lt;port number&gt; is ignored with the result that
<u>all</u> connection requests from the &lt;src&gt; zone whose
original destination IP address matches the last column are forwarded
to the &lt;dest&gt; zone, IP address &lt;ip addr&gt;. 
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
This corrected firewall script</a> correctly generates an error when
such a rule is encountered.</p>
</li>
</ul>
<h3 align="Left">Version 1.2.11</h3>
</ul>
<ul>
<h3 align="left">Version 1.2.11</h3>
<ul>
<li>
<p align="Left">The 'try' command is broken.</li>
<p align="left">The 'try' command is broken. </p>
</li>
<li>
<p align="left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command. </p>
</li>
</ul>
<p align="Left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command.</li>
</ul>
<p align="Left">Both problems are corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
<p align="left">Both problems are corrected by <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
this new version of /sbin/shorewall</a>.</p>
<h3 align="Left">Sample Configurations:</h3>
<h3 align="left">Sample Configurations:</h3>
<ul>
<ul>
<li>
<p align="Left">There have been several problems with SSH, DNS and
<p align="left">There have been several problems with SSH, DNS and
ping in the two- and three-interface examples. Before reporting
problems with these services, please verify that you have the latest
version of the appropriate sample 'rules' file.</li>
</ul>
version of the appropriate sample 'rules' file. </p>
</li>
</ul>
<h3 align="Left">All Versions through 1.2.10</h3>
<h3 align="left">All Versions through 1.2.10</h3>
<ul>
<ul>
<li>
<p align="Left">The <a href="PPTP.htm#ServerFW">documentation for
<p align="left">The <a href="PPTP.htm#ServerFW">documentation for
running PoPToP on the firewall system</a> contained an incorrect entry
in the /etc/shorewall/hosts file. The corrected entry (underlined) is
shown here:</li>
</ul>
<blockquote>
in the /etc/shorewall/hosts file. The corrected entry (underlined)
is shown here: </p>
</li>
</ul>
<blockquote>
<blockquote>
<table border="2">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
@ -161,279 +152,274 @@ dos2unix</a>
<tr>
<td>loc</td>
<td>ppp+:192.168.1.0/24</td>
<td>&nbsp;</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<h3 align="Left">All Versions through 1.2.8</h3>
<h3 align="left">All Versions through 1.2.8</h3>
<ul>
<ul>
<li>
<p align="Left">The shorewall.conf file and the documentation
<p align="left">The shorewall.conf file and the documentation
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a href="Documentation.htm#Conf">see
the corrected online documentation</a>). Users of the rpm should
change the name (and possibly the value) of this parameter so that
Shorewall interacts properly with the SysV init scripts. The
documentation on this web site has been corrected and
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a
href="Documentation.htm#Conf">see the corrected online documentation</a>).
Users of the rpm should change the name (and possibly the value)
of this parameter so that Shorewall interacts properly with the
SysV init scripts. The documentation on this web site has been
corrected and <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
here's a corrected version of shorewall.conf</a>.</p>
</li>
<li>
<p align="Left">The documentation indicates that a comma-separated
<p align="left">The documentation indicates that a comma-separated
list of IP/subnet addresses may appear in an entry in the hosts file.
This is not the case; if you want to specify multiple addresses for a
zone, you need to have a separate entry for each address.</p>
This is not the case; if you want to specify multiple addresses
for a zone, you need to have a separate entry for each address.</p>
</li>
</ul>
<h3 align="Left">Version 1.2.7</h3>
</ul>
<p align="Left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
<h3 align="left">Version 1.2.7</h3>
<p>If you have installed and started version 1.2.7 then before trying
<p align="left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
<p>If you have installed and started version 1.2.7 then before trying
to restart under 1.2.8:</p>
<ol>
<ol>
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory
named in the STATEDIR variable. If that variable is empty, assume
/var/state/shorewall.</li>
named in the STATEDIR variable. If that variable is empty, assume /var/state/shorewall.</li>
<li>Remove the file 'lock' in the directory determined in step 1.</li>
</ol>
<p>You may now restart using 1.2.8.</p>
<h3 align="Left">Version 1.2.6</h3>
</ol>
<ul>
<p>You may now restart using 1.2.8.</p>
<h3 align="left">Version 1.2.6</h3>
<ul>
<li>
<p align="Left">GRE and IPIP tunnels are broken.</li>
<p align="left">GRE and IPIP tunnels are broken. </p>
</li>
<li>
<p align="Left">The following rule results in a start error:<br>
<p align="left">The following rule results in a start error:<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
icmp</li>
</ul>
    ACCEPT    z1    z2    icmp </p>
</li>
</ul>
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
corrected firewall script</a> in&nbsp; /etc/shorewall/firewall..<h3 align="Left">Version 1.2.5</h3>
<p align="left">To correct the above problems, install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
corrected firewall script</a> in  /etc/shorewall/firewall..</p>
<h3 align="left">Version 1.2.5</h3>
<ul>
<ul>
<li>
<p align="Left">The new ADDRESS column in /etc/shorewall/masq cannot
contain a $-variable name.</li>
<p align="left">The new ADDRESS column in /etc/shorewall/masq cannot
contain a $-variable name. </p>
</li>
<li>
<p align="Left">Errors result if $FW appears in the
/etc/shorewall/policy file.</li>
<p align="left">Errors result if $FW appears in the /etc/shorewall/policy
file. </p>
</li>
<li>
<p align="left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
results in an error at start time. </p>
</li>
</ul>
<p align="Left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
results in an error at start time.</li>
</ul>
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.<p align="Left">&nbsp;<ul>
<p align="left">To correct the above problems, install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.</p>
<p align="left"> </p>
<ul>
<li>
<p align="left">The /sbin/shorewall script produces error messages
saying that 'mygrep' cannot be found. <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
Here is the correct version of /sbin/shorewall.</a> </p>
</li>
</ul>
<p align="Left">The /sbin/shorewall script produces error messages
saying that 'mygrep' cannot be found.
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
Here is the correct version of /sbin/shorewall.</a></li>
</ul>
<h3 align="left">Version 1.2.4</h3>
<h3 align="Left">Version 1.2.4</h3>
<ul>
<li><p align="Left">This version will not install &quot;out of the box&quot; without
modification. Before attempting to start the
firewall, please change the STATEDIR in /etc/shorewall/shorewall.conf to
refer to /var/lib/shorewall. This only applies to fresh installations -- if
you are upgrading from a previous version of Shorewall, version 1.2.4 will
work without modification.</li>
</ul>
<h3 align="Left">Version 1.2.3</h3>
<ul>
<ul>
<li>
<p align="Left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
hosts aren't logged. Install <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.</li>
</ul>
<blockquote>
<p align="left">This version will not install "out of the box" without
modification. Before attempting to start the firewall, please change
the STATEDIR in /etc/shorewall/shorewall.conf to refer to /var/lib/shorewall.
This only applies to fresh installations -- if you are upgrading from
a previous version of Shorewall, version 1.2.4 will work without modification.
</p>
</li>
</ul>
<h3 align="left">Version 1.2.3</h3>
<ul>
<li>
<p align="left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
hosts aren't logged. Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall. </p>
</li>
</ul>
<blockquote>
<p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
</blockquote>
<pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<blockquote>
<pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<blockquote>
<p>to</p>
</blockquote>
<pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<h3 align="Left">Version 1.2.2</h3>
<pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<ul>
<li>The &quot;shorewall status&quot; command hangs after
it displays the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
a corrected /sbin/shorewall.</a> if&nbsp; you want to simply modify your copy of
/sbin/shorewall, then at line 445 change this:</li>
</ul>
<h3 align="left">Version 1.2.2</h3>
<div align="left">
<ul>
<li>The "shorewall status" command hangs after it displays
the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
a corrected /sbin/shorewall.</a> if  you want to simply modify
your copy of /sbin/shorewall, then at line 445 change this:</li>
<pre align="Left"> status)
clear</pre>
</ul>
<div align="left">
<pre align="Left"> status)<br> clear</pre>
</div>
<blockquote>
<p align="Left">to this:</p>
<blockquote>
<p align="left">to this:</p>
</blockquote>
<div align="left">
<pre align="Left"> status)
get_config
clear</pre>
<div align="left">
<pre align="Left"> status)<br> get_config<br> clear</pre>
</div>
<ul>
<li>The &quot;shorewall monitor&quot; command
doesn't show the icmpdef chain - <a href="pub/shorewall/errata/1.2.2/shorewall">this
corrected /sbin/shorewall</a> fixes that problem as well as the status
problem described above.</li>
</ul>
<ul>
<li>In all 1.2.x versions, the 'CLIENT PORT(S)'
column in /etc/shorewall/tcrules is ignored. This is corrected in <a href="/pub/shorewall/errata/1.2.2/firewall">this
updated firewall script</a>.&nbsp; Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for
<ul>
<li>The "shorewall monitor" command doesn't show the icmpdef chain
- <a href="pub/shorewall/errata/1.2.2/shorewall">this corrected /sbin/shorewall</a>
fixes that problem as well as the status problem described above.</li>
</ul>
<ul>
<li>In all 1.2.x versions, the 'CLIENT PORT(S)' column in /etc/shorewall/tcrules
is ignored. This is corrected in <a
href="/pub/shorewall/errata/1.2.2/firewall">this updated firewall script</a>. 
Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for
spotting this bug.</li>
</ul>
<h3 align="Left">Version 1.2.1</h3>
</ul>
<ul>
<li>The new <i>logunclean </i>interface option is not
described in the help text in /etc/shorewall/interfaces. An <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
<h3 align="left">Version 1.2.1</h3>
<ul>
<li>The new <i>logunclean </i>interface option is not described
in the help text in /etc/shorewall/interfaces. An <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
interfaces file</a> is available.</li>
<li>When REJECT is specified in a TCP rule, Shorewall
correctly replies with a TCP RST packet. Previous versions of the
firewall script are broken in the case of a REJECT policy, however; in
REJECT policy chains, all requests are currently replied to with an
ICMP port-unreachable packet. <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
corrected firewall script</a> replies to TCP requests with TCP RST in
REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
</ul>
<li>When REJECT is specified in a TCP rule, Shorewall correctly
replies with a TCP RST packet. Previous versions of the firewall
script are broken in the case of a REJECT policy, however; in REJECT
policy chains, all requests are currently replied to with an ICMP
port-unreachable packet. <a
href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
corrected firewall script</a> replies to TCP requests with TCP
RST in REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
<h3 align="Left">Version 1.2.0</h3>
</ul>
<blockquote>
<h3 align="left">Version 1.2.0</h3>
<p align="Left"><b>Note: </b>If you are upgrading from one of the Beta
RPMs to 1.2.0, you must use the &quot;--oldpackage&quot; option to rpm
<blockquote>
<p align="left"><b>Note: </b>If you are upgrading from one of the Beta
RPMs to 1.2.0, you must use the "--oldpackage" option to rpm
(e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
<p align="Left">The tunnel script released in version 1.2.0 contained
errors -- a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
<p align="left">The tunnel script released in version 1.2.0 contained
errors -- a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
script</a> is available.</p>
</blockquote>
<hr>
<hr>
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
iptables version 1.2.3</font></h3>
<h3 align="Left"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat released
this buggy iptables in RedHat 7.2. </p>
<blockquote>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also built
an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"><font face="Century Gothic, Arial, Helvetica"
color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat has released
an iptables-1.2.4 RPM of their own which you can download from<font
face="Century Gothic, Arial, Helvetica" color="#ff6633"> <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM on my firewall and it works fine.</p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
<p align="left">To install one of the above patches:</p>
<p align="Left">If you
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification while
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernel 2.4.18
<h3><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18
may experience the following:</p>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may
experience the following:</p>
<blockquote>
<pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter 'mangle' table. You can correct the problem by installing
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
"iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2">
Last updated 5/24/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</font></p>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2"> Last updated
5/24/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>
</html>

227
Shorewall-docs/errata_3.html
View File

@ -2,36 +2,28 @@
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall 1.3 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
@ -39,8 +31,6 @@
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u>
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
@ -48,31 +38,26 @@
it to your Linux system.</b></p>
</li>
<li>
<p align="left"> <b>If you are installing Shorewall for the
first time and plan to use the .tgz and install.sh script, you can
untar the archive, replace the 'firewall' script in the untarred directory
<p align="left"> <b>If you are installing Shorewall for the first
time and plan to use the .tgz and install.sh script, you can untar
the archive, replace the 'firewall' script in the untarred directory
with the one you downloaded below, and then run install.sh.</b></p>
</li>
<li>
<p align="left"> <b>If you are running a Shorewall version earlier
than 1.3.11, when the instructions say to install a corrected
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
than 1.3.11, when the instructions say to install a corrected firewall
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
are symbolic links that point to the 'shorewall' file used by
your system initialization scripts to start Shorewall during
boot. It is that file that must be overwritten with the corrected
are symbolic links that point to the 'shorewall' file used by your
system initialization scripts to start Shorewall during boot.
It is that file that must be overwritten with the corrected
script. Beginning with Shorewall 1.3.11, you may rename the existing file
before copying in the new file.</b></p>
</li>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW.
For example, do NOT install the 1.3.9a firewall script if you are running
@ -94,8 +79,7 @@ before copying in the new file.</b></p>
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
on RH7.2</a></font></b></li>
<li> <b><a
href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
href="#Debug">Problems with kernels &gt;= 2.4.18 and RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading
RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables
@ -109,7 +93,6 @@ RedHat iptables</a></b></li>
<hr>
<h2 align="left"><small></small><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3>Version 1.3.14</h3>
<ul>
@ -122,9 +105,10 @@ RedHat iptables</a></b></li>
<ul>
<li>The documentation for the routestopped file claimed that a comma-separated
list could appear in the second column while the code only supported a single
host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not rate-limited.</li>
list could appear in the second column while the code only supported a
single host or network address.</li>
<li>Log messages produced by 'logunclean' and 'dropunclean' were not
rate-limited.</li>
<li>802.11b devices with names of the form <i>wlan</i>&lt;n&gt; don't
support the 'maclist' interface option.</li>
<li>Log messages generated by RFC 1918 filtering are not rate limited.</li>
@ -144,8 +128,8 @@ in /etc/shorewall/masq and the default route is through eth1.<br>
<li>The 'shorewall add' command produces an error message referring
to 'find_interfaces_by_maclist'.</li>
<li>The 'shorewall delete' command can leave behind undeleted rules.</li>
<li>The 'shorewall add' command can fail with "iptables: Index of insertion
too big".<br>
<li>The 'shorewall add' command can fail with "iptables: Index of
insertion too big".<br>
</li>
</ul>
@ -182,8 +166,8 @@ support, post on the users list and I can provide you with a patched version.<
<ul>
<li>The .lrp was missing the /etc/shorewall/routestopped file
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects
this problem.<br>
-- a new lrp (shorwall-1.3.12a.lrp) has been released which corrects this
problem.<br>
</li>
</ul>
@ -234,11 +218,11 @@ a fix.<br>
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
version of the firewall script</a> may help. Please report any cases
where installing this script in /usr/lib/shorewall/firewall solved
your connection problems. Beginning with version 1.3.10, it is safe
to save the old version of /usr/lib/shorewall/firewall before copying
in the new one since /usr/lib/shorewall/firewall is the real script
now and not just a symbolic link to the real script.<br>
where installing this script in /usr/lib/shorewall/firewall solved your
connection problems. Beginning with version 1.3.10, it is safe to save
the old version of /usr/lib/shorewall/firewall before copying in the
new one since /usr/lib/shorewall/firewall is the real script now and
not just a symbolic link to the real script.<br>
</li>
</ul>
@ -301,73 +285,58 @@ loc dmz:10.1.1.1:24 tcp 25 - 10.1.1.1")<br>
problems.
<h3>Version 1.3.7b</h3>
<p>DNAT rules where the source zone is 'fw' ($FW)
result in an error message. Installing
<a
<p>DNAT rules where the source zone is 'fw' ($FW) result in an error
message. Installing <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version 1.3.7a</h3>
<p>"shorewall refresh" is not creating the proper
rule for FORWARDPING=Yes. Consequently, after
"shorewall refresh", the firewall will not forward
icmp echo-request (ping) packets. Installing
<p>"shorewall refresh" is not creating the proper rule for FORWARDPING=Yes.
Consequently, after "shorewall refresh", the firewall will not
forward icmp echo-request (ping) packets. Installing
<a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
this corrected firewall script</a> in /var/lib/shorewall/firewall
as described above corrects this
problem.</p>
<h3>Version &lt;= 1.3.7a</h3>
<p>If "norfc1918" and "dhcp" are both specified as
options on a given interface then RFC 1918
checking is occurring before DHCP checking. This
means that if a DHCP client broadcasts using an
RFC 1918 source address, then the firewall will
<p>If "norfc1918" and "dhcp" are both specified as options on a
given interface then RFC 1918 checking is occurring before DHCP
checking. This means that if a DHCP client broadcasts using
an RFC 1918 source address, then the firewall will
reject the broadcast (usually logging it). This
has two problems:</p>
<ol>
<li>If the firewall
is running a DHCP server, the
client won't be able to obtain an IP address
lease from that server.</li>
is running a DHCP server, the client
won't be able to obtain an IP address lease from
that server.</li>
<li>With this order
of checking, the "dhcp" option
cannot be used as a noise-reduction
measure where there are both dynamic and static
clients on a LAN segment.</li>
cannot be used as a noise-reduction measure where there are both
dynamic and static clients on a LAN segment.</li>
</ol>
<p> <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
This version of the 1.3.7a firewall script </a>
corrects the problem. It must be
installed in /var/lib/shorewall as
described above.</p>
corrects the problem. It must be installed
in /var/lib/shorewall as described
above.</p>
<h3>Version 1.3.7</h3>
<p>Version 1.3.7 dead on arrival -- please use
version 1.3.7a and check your version against
these md5sums -- if there's a difference, please
<p>Version 1.3.7 dead on arrival -- please use version 1.3.7a and check
your version against these md5sums -- if there's a difference, please
download again.</p>
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
<p>In other words, type "md5sum &lt;<i>whatever package you downloaded</i>&gt;
@ -380,15 +349,11 @@ described above.</p>
<ul>
<li>
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
an error occurs when the firewall script attempts to
add an SNAT alias. </p>
</li>
<li>
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables
1.2.7. </p>
@ -398,9 +363,8 @@ described above.</p>
<p align="left">These problems are fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
this correct firewall script</a> which must be installed in /var/lib/shorewall/
as described above. These problems are also corrected in version 1.3.7.</p>
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
@ -419,7 +383,7 @@ described above.</p>
This is fixed in <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
/var/lib/shorewall/ as described above.</p>
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
@ -445,8 +409,7 @@ described above.</p>
<h3 align="left">Version 1.3.5</h3>
<p align="left">REDIRECT rules are broken in this version. Install
<a
<p align="left">REDIRECT rules are broken in this version. Install <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version
@ -455,29 +418,29 @@ described above.</p>
<h3 align="left">Version 1.3.n, n &lt; 4</h3>
<p align="left">The "shorewall start" and "shorewall restart" commands
to not verify that the zones named in the /etc/shorewall/policy
file have been previously defined in the /etc/shorewall/zones
file. The "shorewall check" command does perform this verification
so it's a good idea to run that command after you have made configuration
to not verify that the zones named in the /etc/shorewall/policy file
have been previously defined in the /etc/shorewall/zones file.
The "shorewall check" command does perform this verification so
it's a good idea to run that command after you have made configuration
changes.</p>
<h3 align="left">Version 1.3.n, n &lt; 3</h3>
<p align="left">If you have upgraded from Shorewall 1.2 and after
"Activating rules..." you see the message: "iptables: No chains/target/match
<p align="left">If you have upgraded from Shorewall 1.2 and after "Activating
rules..." you see the message: "iptables: No chains/target/match
by that name" then you probably have an entry in /etc/shorewall/hosts
that specifies an interface that you didn't include
in /etc/shorewall/interfaces. To correct this problem, you
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3
and later versions produce a clearer error message in
this case.</p>
and later versions produce a clearer error message in this
case.</p>
<h3 align="left">Version 1.3.2</h3>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct
version has a size of 38126 bytes.</p>
<p align="left">Until approximately 2130 GMT on 17 June 2002, the download
sites contained an incorrect version of the .lrp file. That file
can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<ul>
<li>The code to detect a duplicate interface
@ -495,8 +458,6 @@ it behaved just like "NAT_BEFORE_RULES=Yes".</li>
<ul>
<li>
<p align="left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This <a
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
@ -513,10 +474,10 @@ it behaved just like "NAT_BEFORE_RULES=Yes".</li>
(i.e., each packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy
chain is sometimes generated for a CONTINUE policy.</li>
<li>When an option is given for more than
one interface in /etc/shorewall/interfaces then depending
on the option, Shorewall may ignore all but the first
appearence of the option. For example:<br>
<li>When an option is given for more
than one interface in /etc/shorewall/interfaces then
depending on the option, Shorewall may ignore all but
the first appearence of the option. For example:<br>
<br>
net    eth0    dhcp<br>
loc    eth1    dhcp<br>
@ -567,21 +528,18 @@ The "shorewall version" command will tell you which version
iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p>
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2. </p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have
also built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm"> iptables-1.2.4
rpm which you can download here</a>. If you are currently running
RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can
@ -590,7 +548,6 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
</font>I have installed this RPM on my firewall and it works
fine.</p>
<p align="left">If you would like to patch iptables 1.2.3 yourself,
the patches are available for download. This <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
@ -599,71 +556,54 @@ iptables-1.2.4 rpm which you can download here</a>. If you are currently
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
may experience the following:</p>
<blockquote>
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.<br>Aborted (core dumped)<br></pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem
by installing <a
the Netfilter 'mangle' table. You can correct the problem by
installing <a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version
of iptables, you will need to specify the --oldpackage option
to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
</blockquote>
<h3><a name="SuSE"></a>Problems installing/upgrading
RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
installed, simply use the "--nodeps" option to
rpm.</p>
<p>If you find that rpm complains about a conflict with kernel &lt;=
2.2 yet you have a 2.4 kernel installed, simply use the "--nodeps"
option to rpm.</p>
<p>Installing: rpm -ivh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<p>Upgrading: rpm -Uvh --nodeps <i>&lt;shorewall rpm&gt;</i></p>
<h3><a name="Multiport"></a><b>Problems with iptables version 1.2.7 and
MULTIPORT=Yes</b></h3>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must be running
Shorewall 1.3.7a or later or:</p>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as
a consequence, if you install iptables 1.2.7 you must
be running Shorewall 1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No
@ -679,8 +619,8 @@ to rpm (e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm")
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
</h3>
/etc/shorewall/nat entries of the following form will result
in Shorewall being unable to start:<br>
/etc/shorewall/nat entries of the following form will
result in Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
@ -692,8 +632,8 @@ support for LOCAL=yes has never worked properly and 2.4.18-10 has
disabled it. The 2.4.19 kernel contains corrected support under a new
kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<p><font size="2"> Last updated 3/8/2003 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font size="2"> Last updated 3/8/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
@ -711,5 +651,6 @@ kernel configuraiton option; see <a href="Documentation.htm#NAT">http://www.s
<br>
<br>
<br>
<br>
</body>
</html>

89
Shorewall-docs/fallback.htm
View File

@ -1,74 +1,77 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Fallback and Uninstall</font></h1>
<h1 align="center"><font color="#ffffff">Fallback and Uninstall</font></h1>
</td>
</tr>
</tbody>
</table>
<p><strong>Shorewall includes
a </strong><a href="#fallback"><strong>fallback script</strong></a><strong>
and an </strong><a href="#uninstall"><strong>uninstall script</strong></a><strong>.</strong></p>
<p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
script</strong></a><strong>.</strong></p>
<h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall
using the Fallback Script</h2>
<p>If you install Shorewall and discover that
it doesn't work for you, you can fall back to your previously
installed version. To do that:</p>
<p>If you install Shorewall and discover that it doesn't work for you, you
can fall back to your previously installed version. To do that:</p>
<ul>
<li>cd to the distribution directory for the version
of Seattle Firewall <u>that you are
currently running </u>(NOT the version
<li>cd to the distribution directory for the version of Seattle
Firewall <u>that you are currently running </u>(NOT the version
that you want to fall back to).</li>
<li>Type &quot;./fallback.sh&quot;</li>
<li>Type "./fallback.sh"</li>
</ul>
<h3><strong><u>Warning:</u> The fallback script
will replace /etc/shorewall/policy, /etc/shorewall/rules, /etc/shorewall/interfaces,
/etc/shorewall/nat, /etc/shorewall/proxyarp and /etc/shorewall/masq with the version of
these files from before the current version was installed. Any
changes to any of these files will be lost.</strong></h3>
<h3><strong><u>Warning:</u> The fallback script will replace /etc/shorewall/policy,
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat, /etc/shorewall/proxyarp
and /etc/shorewall/masq with the version of these files from before the current
version was installed. Any changes to any of these files will be lost.</strong></h3>
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using
rpm</h2>
<p>If your previous version of Shorewall was
installed using RPM, you may fall back to that version by typing
&quot;rpm -Uvh --force &lt;old rpm&gt;&quot; at a root shell
prompt (Example: &quot;rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm&quot; would fall back to the 3.1-0
version of Shorewall).</p>
<p>If your previous version of Shorewall was installed using RPM, you may
fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;" at
a root shell prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm"
would fall back to the 3.1-0 version of Shorewall).</p>
<h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
<p>If you no longer wish to use Shorewall, you
may remove it by:</p>
<p>If you no longer wish to use Shorewall, you may remove it by:</p>
<ul>
<li>cd to the distribution directory for the version
of Shorewall that you have installed.</li>
<li>type &quot;./uninstall.sh&quot;</li>
<li>cd to the distribution directory for the version of Shorewall
that you have installed.</li>
<li>type "./uninstall.sh"</li>
</ul>
<p>If you installed using an rpm, at a root shell prompt
type &quot;rpm -e shorewall&quot;.</p>
<p>If you installed using an rpm, at a root shell prompt type "rpm -e shorewall".</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
</body>
</html>

3
Shorewall-docs/gnu_mailman.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -75,5 +75,6 @@ included with Mailman-2.1.
<br>
<br>
<br>
<br>
</body>
</html>

BIN
Shorewall-docs/images/CorpNetwork.gif Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 48 KiB

89
Shorewall-docs/kernel.htm
View File

@ -1,32 +1,46 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Kernel Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Kernel Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Kernel Configuration</font></h1>
<h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
</td>
</tr>
</tbody>
</table>
<p>For information regarding configuring and building GNU/Linux kernels, see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>For information regarding configuring and building GNU/Linux kernels,
see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>Here's a screen shot of my Network Options Configuration:</p>
<blockquote>
<p>&nbsp;<img border="0" src="images/netopts.jpg" width="609" height="842"></p>
</blockquote>
<p>While not all of the options that I've selected are required, they should be
sufficient for most applications. Here's an excerpt from the corresponding .config
file (Note: If you are running a kernel older than 2.4.17, be sure to select
CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote>
<font SIZE="2">
<p> <img border="0" src="images/netopts.jpg" width="609" height="842">
</p>
</blockquote>
<p>While not all of the options that I've selected are required, they should
be sufficient for most applications. Here's an excerpt from the corresponding
.config file (Note: If you are running a kernel older than 2.4.17, be sure
to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote> <font size="2">
<p>#<br>
# Networking options<br>
#<br>
@ -55,16 +69,18 @@ CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
# CONFIG_ARPD is not set<br>
CONFIG_INET_ECN=y<br>
CONFIG_SYN_COOKIES=y</p>
</font>
</blockquote>
</font> </blockquote>
<p>Here's a screen shot of my Netfilter configuration:</p>
<blockquote>
<p><img border="0" src="images/menuconfig.jpg" width="609" height="842"></p>
</blockquote>
<blockquote>
<p><img border="0" src="images/menuconfig.jpg" width="609"
height="842">
</p>
</blockquote>
<p>Here's an excerpt from the corresponding .config file.</p>
<blockquote>
<p><font size="2">#<br>
# IP: Netfilter Configuration<br>
@ -97,13 +113,16 @@ CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
CONFIG_IP_NF_TARGET_TCPMSS=y<br>
# CONFIG_IPV6 is not set</font><font face="Courier"><br>
</font></p>
</blockquote>
<p>Note that I have built everything I need into the kernel except for the FTP
connection tracking and NAT modules. I have also run successfully with all of
the options selected above built as modules:</p>
</blockquote>
<p>Note that I have built everything I need into the kernel except for the
FTP connection tracking and NAT modules. I have also run successfully with
all of the options selected above built as modules:</p>
<blockquote>
<p><img border="0" src="images/menuconfig1.jpg" width="609" height="842"></p>
<p><img border="0" src="images/menuconfig1.jpg" width="609"
height="842">
</p>
<p><font size="2">#<br>
# IP: Netfilter Configuration<br>
@ -136,11 +155,11 @@ the options selected above built as modules:</p>
CONFIG_IP_NF_TARGET_TCPMSS=m<br>
# CONFIG_IPV6 is not set<br>
</font></p>
</blockquote>
</blockquote>
<p><font size="2">Last updated 3/10/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>
<p><font size="2">Last updated 3/10/2002 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
</body>
</html>

79
Shorewall-docs/mailing_list.htm
View File

@ -16,7 +16,7 @@
</head>
<body>
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
<table height="90" bgcolor="#3366ff" id="AutoNumber1" width="100%"
style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
border="0">
<tbody>
@ -50,12 +50,14 @@
height="84" alt="(Postfix Logo)">
</a><br>
<div align="left"><a href="http://www.spamassassin.org"><img
src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
border="0">
</a> </div>
<br>
<div align="right"><b><font color="#ffffff"><br>
</font></b><br>
</div>
@ -75,14 +77,14 @@
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tmeastep
at hotmail dot com.</p>
<p align="left">You can report such problems by sending mail to tmeastep at
hotmail dot com.</p>
<h2>A Word about the SPAM Filters at Shorewall.net <a
href="http://osirusoft.com/"> </a></h2>
<p>Please note that the mail server at shorewall.net
checks incoming mail:<br>
<p>Please note that the mail server at shorewall.net checks
incoming mail:<br>
</p>
<ol>
@ -92,8 +94,8 @@ checks incoming mail:<br>
</li>
<li>to ensure that the sender address is fully
qualified.</li>
<li>to verify that the sender's domain has an
A or MX record in DNS.</li>
<li>to verify that the sender's domain has
an A or MX record in DNS.</li>
<li>to ensure that the host name in the HELO/EHLO
command is a valid fully-qualified DNS name that resolves.</li>
@ -101,19 +103,19 @@ checks incoming mail:<br>
<h2>Please post in plain text</h2>
A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as
to blacklist shorewall.net "for continuous abuse" because it has been
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all HTML is a Draconian way to
control spam and that the ultimate losers here are not the spammers
but the list subscribers whose MTAs are bouncing all shorewall.net
mail. As one list subscriber wrote to me privately "These e-mail admin's
need to get a <i>(explitive deleted)</i> life instead of trying to rid
the planet of HTML based e-mail". Nevertheless, to allow subscribers to
receive list posts as must as possible, I have now configured the list
server at shorewall.net to strip all HTML from outgoing posts. This
means that HTML-only posts will be bounced by the list server.<br>
control spam and that the ultimate losers here are not the spammers
but the list subscribers whose MTAs are bouncing all shorewall.net
mail. As one list subscriber wrote to me privately "These e-mail admin's
need to get a <i>(explitive deleted)</i> life instead of trying to rid
the planet of HTML based e-mail". Nevertheless, to allow subscribers
to receive list posts as must as possible, I have now configured the
list server at shorewall.net to strip all HTML from outgoing posts.
This means that HTML-only posts will be bounced by the list server.<br>
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
</p>
@ -157,30 +159,30 @@ means that HTML-only posts will be bounced by the list server.<br>
name="words" value=""> <input type="submit" value="Search"> </p>
</form>
<h2 align="left"><font color="#ff0000">Please do not try to download the
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
won't stand the traffic. If I catch you, you will be blacklisted.<br>
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
stand the traffic. If I catch you, you will be blacklisted.<br>
</font></h2>
<h2 align="left">Shorewall CA Certificate</h2>
If you want to trust X.509 certificates issued
by Shoreline Firewall (such as the one used on my web site), you
may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
by Shoreline Firewall (such as the one used on my web site),
you may <a href="Shorewall_CA_html.html">download and install my CA certificate</a>
in your browser. If you don't wish to trust my certificates
then you can either use unencrypted access when subscribing to Shorewall
mailing lists or you can use secure access (SSL) and accept the
server's certificate when prompted by your browser.<br>
then you can either use unencrypted access when subscribing to
Shorewall mailing lists or you can use secure access (SSL) and
accept the server's certificate when prompted by your browser.<br>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users
to get answers to questions and to report problems. Information
of general interest to the Shorewall user community is also posted
to this list.</p>
of general interest to the Shorewall user community is also
posted to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see
the <a href="http://www.shorewall.net/support.htm">problem
reporting guidelines</a>.</b></p>
reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list:<br>
</p>
@ -200,9 +202,9 @@ reporting guidelines</a>.</b></p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
may be found at <a
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
list may be found at <a
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left">Shorewall Announce Mailing List</h2>
@ -267,17 +269,17 @@ may be found at <a
<p align="left">Down at the bottom of that page is the following text:
" To <b>unsubscribe</b> from <i>&lt;list name&gt;</i>, get
a password reminder, or change your subscription options enter
your subscription email address:". Enter your email address
in the box and click on the "<b>Unsubscribe</b> or edit options"
button.</p>
a password reminder, or change your subscription options
enter your subscription email address:". Enter your email
address in the box and click on the "<b>Unsubscribe</b> or edit
options" button.</p>
</li>
<li>
<p align="left">There will now be a box where you can enter your password
and click on "Unsubscribe"; if you have forgotten your password,
there is another button that will cause your password to be
emailed to you.</p>
emailed to you.</p>
</li>
</ul>
@ -290,9 +292,10 @@ emailed to you.</p>
<p align="left"><font size="2">Last updated 7/7/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</body>
</html>

57
Shorewall-docs/myfiles.htm
View File

@ -6,6 +6,7 @@
content="text/html; charset=windows-1252">
<title>My Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
@ -16,7 +17,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -36,8 +37,8 @@
<p><big><font color="#ff0000"><b>Warning 1: </b></font><b><small>I</small></b></big><big><b><small>
use a combination of Static NAT and Proxy ARP, neither of which are
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see
here won't apply to your setup so beware of copying parts of this configuration
If you have just a single public IP address, most of what you see here
won't apply to your setup so beware of copying parts of this configuration
and expecting them to work for you. What you copy may or may not work
in your configuration.<br>
</small></b></big></p>
@ -73,21 +74,21 @@ and a Wireless network connected to eth3 (192.168.3.0/24).</p>
use the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost connections).
By replacing the WAC11 with the WET11 wireless bridge, I have virtually
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
also able to eliminate the disconnects by hanging a piece of aluminum foil
on the family room wall. Needless to say, my wife Tarry rejected that as
a permanent solution :-).</li>
eliminated these problems (Being an old radio tinkerer (K7JPV), I was also
able to eliminate the disconnects by hanging a piece of aluminum foil on
the family room wall. Needless to say, my wife Tarry rejected that as a
permanent solution :-).</li>
</ul>
<p> The firewall runs on a 256MB PII/233 with RH9.0.</p>
<p> Wookie and the Firewall both run Samba and the Firewall acts as a
WINS server.<br>
<p> Wookie and the Firewall both run Samba and the Firewall acts as a WINS
server.<br>
</p>
<p>Wookie is in its own 'whitelist' zone called 'me' which is
embedded in the local zone.</p>
<p>Wookie is in its own 'whitelist' zone called 'me' which is embedded
in the local zone.</p>
<p>The wireless network connects to eth3 via a LinkSys WAP11.  In additional
to using the rather weak WEP 40-bit encryption (64-bit with the 24-bit
@ -97,23 +98,23 @@ would probably add IPSEC or something similar to my WiFi-&gt;local connections
</p>
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and
an FTP server (Pure-ftpd). The system also runs fetchmail to fetch
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an
FTP server (Pure-ftpd). The system also runs fetchmail to fetch
our email from our old and current ISPs. That server is managed through
Proxy ARP.</p>
<p> The firewall system itself runs a DHCP server that serves the local
network. It also runs Postfix which is configured as a Virus
and Spam filter with all incoming mail then being forwarded to the MTA
in the DMZ.</p>
network. It also runs Postfix which is configured as a Virus and
Spam filter with all incoming mail then being forwarded to the MTA in
the DMZ.</p>
<p> All administration and publishing is done using ssh/scp. I have X installed
on the firewall but no X server or desktop is installed. X applications
tunnel through SSH to XWin.exe running on Ursa. The server does have a desktop
environment installed and that desktop environment is available via XDMCP
from the local zone. For the most part though, X tunneled through SSH is
used for server administration and the server runs at run level 3 (multi-user
console mode on RedHat).</p>
tunnel through SSH to XWin.exe running on Ursa. The server does have a
desktop environment installed and that desktop environment is available
via XDMCP from the local zone. For the most part though, X tunneled through
SSH is used for server administration and the server runs at run level 3
(multi-user console mode on RedHat).</p>
<p> I run an SNMP server on my firewall to serve <a
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
@ -128,11 +129,12 @@ console mode on RedHat).</p>
<p>The ethernet interface in the Server is configured with IP address
206.124.146.177, netmask 255.255.255.0. The server's default gateway
is 206.124.146.254 (Router at my ISP. This is the same default
gateway used by the firewall itself). On the firewall,
is 206.124.146.254 (Router at my ISP. This is the same
default gateway used by the firewall itself). On the firewall,
Shorewall automatically adds a host route to
206.124.146.177 through eth1 (192.168.2.1) because of
the entry in /etc/shorewall/proxyarp (see below).</p>
206.124.146.177 through eth1 (192.168.2.1) because
of the entry in /etc/shorewall/proxyarp (see
below).</p>
<p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
access.<br>
@ -164,8 +166,8 @@ TEXAS=<i>&lt;ip address of gateway in Dallas&gt;</i><br>LOG=info<br></pre>
<h3>Interfaces File: </h3>
<blockquote>
<p> This is set up so that I can start the firewall before bringing up my
Ethernet interfaces. </p>
<p> This is set up so that I can start the firewall before bringing up
my Ethernet interfaces. </p>
</blockquote>
<blockquote>
@ -240,5 +242,6 @@ Ethernet interfaces. </p>
<br>
<br>
<br>
<br>
</body>
</html>

29
Shorewall-docs/ping.html
View File

@ -12,7 +12,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -23,15 +23,15 @@
</tbody>
</table>
<br>
Shorewall 'Ping' management has evolved over time with the latest change
coming in Shorewall version 1.4.0. To find out which version of Shorewall
you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
version</b></font>". If that command gives you an error, it's time to upgrade
since you have a very old version of Shorewall installed (1.2.4 or earlier).<br>
<h2>Shorewall Versions &gt;= 1.4.0</h2>
In Shoreall 1.4.0 and later version, ICMP echo-request's are treated just
like any other connection request.<br>
like any other connection request.<br>
<br>
In order to accept ping requests from zone z1 to zone z2 where the policy
for z1 to z2 is not ACCEPT, you need a rule in /etc/shoreall/rules of the
@ -70,11 +70,11 @@ then you need a rule of the form:<br>
</blockquote>
<h2>Shorewall Versions &gt;= 1.3.14 &nbsp;and &lt; 1.4.0 with OLD_PING_HANDLING=No
in /etc/shorewall/shorewall.conf</h2>
in /etc/shorewall/shorewall.conf</h2>
In 1.3.14, Ping handling was put under control of the rules and policies
just like any other connection request. In order to accept ping requests
from zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you
need a rule in /etc/shoreall/rules of the form:<br>
need a rule in /etc/shoreall/rules of the form:<br>
<blockquote>ACCEPT&nbsp;&nbsp;&nbsp; <i>z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
</i>icmp&nbsp;&nbsp;&nbsp; 8<br>
@ -140,7 +140,7 @@ and simple routing.</li>
for the interface that receives the ping request then the request will
be responded to with an ICMP echo-reply.</li>
<li>If <b>noping</b> is specified for the interface that receives
the ping request then the request is ignored.</li>
the ping request then the request is ignored.</li>
<li>If <b>filterping </b>is specified for the interface then the
request is passed to the rules/policy evaluation.</li>
@ -158,8 +158,8 @@ request is passed to the rules/policy evaluation.</li>
Example 1. Accept pings from the net to the dmz (pings are responded
to with an ICMP echo-reply):<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
icmp&nbsp;&nbsp;&nbsp; 8<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
dmz&nbsp;&nbsp;&nbsp; icmp&nbsp;&nbsp;&nbsp; 8<br>
<br>
Example 2. Drop pings from the net to the firewall<br>
<br>
@ -167,8 +167,8 @@ request is passed to the rules/policy evaluation.</li>
icmp&nbsp;&nbsp;&nbsp; 8<br>
<h3>Policy Evaluation</h3>
If no applicable rule is found, then the policy for the source to the
destination is applied.<br>
If no applicable rule is found, then the policy for the source to
the destination is applied.<br>
<ol>
<li>If the relevant policy is ACCEPT then the request is responded
@ -176,7 +176,7 @@ request is passed to the rules/policy evaluation.</li>
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
then the request is responded to with an ICMP echo-reply.</li>
<li>Otherwise, the relevant REJECT or DROP policy is used and the
request is either rejected or simply ignored.</li>
request is either rejected or simply ignored.</li>
</ol>
@ -185,6 +185,7 @@ request is either rejected or simply ignored.</li>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
</p>
<br>
</body>
</html>

46
Shorewall-docs/ports.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -54,8 +54,8 @@
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably want
to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if you will
return long replies to queries or if you need to enable ZONE transfers. In
If you are configuring a server, only open TCP Port 53 if you
will return long replies to queries or if you need to enable ZONE transfers. In
the latter case, be sure that your server is properly configured.</p>
</blockquote>
@ -81,23 +81,30 @@ to open TCP Port 53 as well.<br>
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote>
<p>SMTP</p>
<p>SMTP (Email)</p>
<blockquote>
<p> TCP Port 25.</p>
</blockquote>
<p>RealPlayer<br>
</p>
</p>
<blockquote>
<p>UDP Port 6790 inbound<br>
</p>
</blockquote>
</blockquote>
<p>POP3</p>
<blockquote>
<p>TCP Port 110.</p>
</blockquote>
<p>TCP Port 110 (Secure = TCP Port 995)<br>
</p>
</blockquote>
<p>IMAP<br>
</p>
<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
</blockquote>
<p>TELNET</p>
@ -130,15 +137,15 @@ to open TCP Port 53 as well.<br>
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
<p>For a client, you must open outbound TCP port 21 and be sure that your
kernel is compiled to support FTP connection tracking. If you build this
support as a module, Shorewall will automatically load the module from
/var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
kernel is compiled to support FTP connection tracking. If you build
this support as a module, Shorewall will automatically load the module
from /var/lib/&lt;<i>kernel version</i>&gt;/kernel/net/ipv4/netfilter. <br>
</p>
<p>If you run an FTP server on a nonstandard port or you need to access
such a server, then you must specify that port in /etc/shorewall/modules.
For example, if you run an FTP server that listens on port 49 then you would
have:<br>
For example, if you run an FTP server that listens on port 49 then you
would have:<br>
</p>
<blockquote>
@ -192,7 +199,9 @@ starts, then you should include the port list in /etc/modules.conf:<br>
<p>Traceroute</p>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1<br>
ICMP type 8 ('ping')<br>
</p>
</blockquote>
<p>NFS<br>
@ -225,16 +234,9 @@ starts, then you should include the port list in /etc/modules.conf:<br>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 5/5/2003 - </font><font size="2"> <a
<p><font size="2">Last updated 7/16/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

54
Shorewall-docs/quotes.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -26,16 +26,17 @@
</tbody>
</table>
<font size="3">"I have fought with IPtables for untold hours. First I tried
the SuSE firewall, which worked for 80% of what I needed. Then gShield, which
also worked for 80%. Then I set out to write my own IPtables parser in shell
and awk, which was a lot of fun but never got me past the "hey, cool" stage.
Then I discovered Shorewall. After about an hour, everything just worked.
I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
<font size="3">"I have fought with IPtables for untold hours. First I
tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
which also worked for 80%. Then I set out to write my own IPtables parser
in shell and awk, which was a lot of fun but never got me past the "hey,
cool" stage. Then I discovered Shorewall. After about an hour, everything
just worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
<p>"The configuration is intuitive and flexible, and much easier than any
of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA</p>
of the other iptables-based firewall programs out there. After sifting through
many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA</p>
<p>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
@ -46,16 +47,16 @@ was 'months' for me, and I think I needed two minutes more:<br>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>Other to see that this was the default configuration, and it was
enough to uncomment a line in /etc/shorewall/policy.<br>
enough to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
Minutes instead of months! Congratulations and thanks for such a simple
and well documented thing for something as huge as iptables." -- JV, Spain.
and well documented thing for something as huge as iptables." -- JV, Spain.
<p>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1 without
any problems. Your documentation is great and I really appreciate your
network configuration info. That really helped me out alot. THANKS!!!"
network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </p>
<p>"[Shorewall is a] great, great project. I've used/tested may firewall
@ -63,37 +64,37 @@ network configuration info. That really helped me out alot. THANKS!!!"
</p>
<p>"Never in my +12 year career as a sys admin have I witnessed someone
so relentless in developing a secure, state of the art, safe and useful
product as the Shorewall firewall package for no cost or obligation involved."
-- Mario Kerecki, Toronto </p>
so relentless in developing a secure, state of the art, safe and
useful product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </p>
<p>"one time more to report, that your great shorewall in the latest release
1.2.9 is working fine for me with SuSE Linux 7.3! I now have 7 machines
up and running with shorewall on several versions - starting with 1.2.2
up to the new 1.2.9 and I never have encountered any problems!" --
SM, Germany</p>
up to the new 1.2.9 and I never have encountered any problems!" -- SM,
Germany</p>
<p>"You have the best support of any other package I've ever used."
-- SE, US </p>
<p>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make
use of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</p>
by request, Europe</p>
<p>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</p>
out against a lot of commercial stuff i´ve been working with in terms
of flexibillity, quality &amp; support" -- RM, Austria</p>
<p>"I have never seen such a complete firewall package that is so easy to
configure. I searched the Debian package system for firewall scripts and
Shorewall won hands down." -- RG, Toronto</p>
<p>"My respects... I've just found and installed Shorewall 1.3.3-1 and it
is a wonderful piece of software. I've just sent out an email to about 30
people recommending it. :-)<br>
is a wonderful piece of software. I've just sent out an email to about
30 people recommending it. :-)<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
@ -112,5 +113,6 @@ by request, Europe</p>
<br>
<br>
<br>
<br>
</body>
</html>

78
Shorewall-docs/samba.htm
View File

@ -1,41 +1,51 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Samba</title>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Samba</title>
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Samba</font></h1>
<h1 align="center"><font color="#ffffff">Samba</font></h1>
</td>
</tr>
</tbody>
</table>
<p>If you wish to run Samba on your firewall and access shares between the
firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td>ACCEPT</td>
@ -43,8 +53,8 @@ firewall and local hosts, you need the following rules:</p>
<td>loc</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
@ -52,8 +62,8 @@ firewall and local hosts, you need the following rules:</p>
<td>loc</td>
<td>tcp</td>
<td>137,139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
@ -62,7 +72,7 @@ firewall and local hosts, you need the following rules:</p>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
@ -70,8 +80,8 @@ firewall and local hosts, you need the following rules:</p>
<td>fw</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
@ -79,8 +89,8 @@ firewall and local hosts, you need the following rules:</p>
<td>fw</td>
<td>tcp</td>
<td>137,139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>ACCEPT</td>
@ -89,10 +99,16 @@ firewall and local hosts, you need the following rules:</p>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
<td> </td>
</tr>
</table>
</blockquote>
<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font></body></html>
</tbody>
</table>
</blockquote>
<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<br>
</body>
</html>

292
Shorewall-docs/seattlefirewall_index.htm
View File

@ -9,37 +9,46 @@
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
<base
target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
<table cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
bgcolor="#3366ff">
<tbody>
<tr>
<td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img
<td width="33%" height="90"
valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center">
<td valign="middle" width="34%" align="center"
bgcolor="#ffffff">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
<div align="center">
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="341" height="80">
</div>
</td>
<td valign="middle">
<td valign="middle" width="33%">
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<br>
</td>
@ -52,7 +61,11 @@
<div align="center">
<div align="center"> </div>
<center>
<div align="center"> </div>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
@ -61,9 +74,12 @@
<tr>
<td width="90%">
<div align="center">
<br>
</div>
<h2 align="left">What is it?</h2>
@ -71,6 +87,7 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
@ -80,6 +97,7 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
@ -89,10 +107,10 @@ General Public License</a> as published by the Free Software
<br>
This program is distributed in
the hope that it will be useful, but
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY
the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
@ -102,7 +120,8 @@ the implied warranty of MERCHANTABILITY
of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
@ -118,19 +137,33 @@ Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the
<a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that
most closely match your environment and follow the step by
step instructions.<br>
New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely match your environment and follow the step
by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will not
apply directly to your setup. If you want to use the documentation
If so, the documentation<b> </b>on this site will
not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
@ -142,44 +175,56 @@ most closely match your environment and follow the step by
<p><b></b></p>
<ol>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.<br>
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<blockquote>
<p><b><a href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a><br>
<a href="ftp://shorewall.net/pub/shorewall/testing"
target="_top">ftp://shorewall.net/pub/shorewall/testing</a><br>
</b></p>
</blockquote>
<blockquote><b><a
href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
ftp://shorewall.net/pub/shorewall/testing</a><br>
</b></blockquote>
<blockquote> </blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column of a
DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat
table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br>
<li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in
the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
were mis-handled when they appeared in the DEST column of a rule.<br>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected. Corrections
involve the handling of "z1!z2" in the SOURCE column as well as lists in
the ORIGINAL DESTINATION column.<br>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
</li>
</ol>
@ -189,19 +234,19 @@ the ORIGINAL DESTINATION column.<br>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have
been removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).<br>
</li>
</ol>
@ -210,22 +255,22 @@ removed from /etc/shorewall/shorewall.conf. These capabilities are now automatic
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option may
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
for packets arriving on the associated interface.<br>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br>
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br>
<li>Shorewall can now add IP addresses to subnets other than
the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
@ -234,9 +279,10 @@ over a set of servers. Servers may be specified in a range of addresses
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the
start, restart and check commands have been enhanced to report the outcome:<br>
options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -245,12 +291,12 @@ start, restart and check commands have been enhanced to report the outcome:<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection tracking
table. Shorewall automatically detects the availability of this extension
and reports its availability in the output of the start, restart and check
commands.<br>
<li>Support for the Connection Tracking Match Extension has
been added. This extension is available in recent kernel/iptables releases
and allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -259,18 +305,18 @@ allows for rules which match against elements in netfilter's connection trackin
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall is
changed in the following ways:</li>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br>
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
@ -282,7 +328,7 @@ defaulted to) in the DNAT rule.<br>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
]<br>
<br>
Examples:<br>
<br>
@ -302,22 +348,23 @@ defaulted to) in the DNAT rule.<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash), then
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
and for /1 networks. Bash should produce correct information for all valid
IP addresses.<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall. <br>
<li>An 'iprange' command has been added to /sbin/shorewall.
<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br>
and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
then the range may not span 128.0.0.0.<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
@ -336,7 +383,8 @@ then the range may not span 128.0.0.0.<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
@ -347,40 +395,49 @@ then the range may not span 128.0.0.0.<br>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now
correctly traces the attempt.</li>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones
file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br>
file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No problems
have been encountered with this set of software. The Shorewall version
is 1.4.4b plus the accumulated changes for 1.4.5.<br>
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
@ -390,6 +447,7 @@ in the connection request does not match any of the addresses listed.</li>
<p><b></b></p>
<ol>
@ -408,26 +466,26 @@ in the connection request does not match any of the addresses listed.</li>
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway
</a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.4.2 and Kernel-2.4.20. You
can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
called <i>Bering</i> that
features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the
recent release of Bering 1.2!!! </b><br>
<b>Congratulations to Jacques and Eric on
the recent release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#4b017c"
<td width="88" bgcolor="#3366ff"
valign="top" align="center">
@ -443,17 +501,19 @@ recent release of Bering 1.2!!! </b><br>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font
face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font>
</p>
<font
face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form>
@ -478,7 +538,7 @@ recent release of Bering 1.2!!! </b><br>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
bgcolor="#3366ff">
<tbody>
@ -500,9 +560,10 @@ recent release of Bering 1.2!!! </b><br>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you try
it and find it useful, please consider making a donation
<font size="+2"> Shorewall is free but if you
try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
@ -517,9 +578,8 @@ it and find it useful, please consider making a donation
</table>
<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<p><font size="2">Updated 7/16/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>
</html>

29
Shorewall-docs/shoreline.htm
View File

@ -17,7 +17,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -46,8 +46,8 @@
href="http://www.washington.edu">University of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers,
Incorporated</a> (now part of the <a
<li><a href="http://www.tandem.com">Tandem
Computers, Incorporated</a> (now part of the <a
href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
@ -58,21 +58,21 @@
<p>I became interested in Internet Security when I established a home office
in 1999 and had DSL service installed in our home. I investigated
ipchains and developed the scripts which are now collectively known
as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
ipchains and developed the scripts which are now collectively
known as <a href="http://seawall.sourceforge.net"> Seattle Firewall</a>.
Expanding on what I learned from Seattle Firewall, I then
designed and wrote Shorewall. </p>
<p>I telework from our <a
href="http://lists.shorewall.net/SeattleInTheSpring.html">home</a> in <a
href="http://www.cityofshoreline.com">Shoreline, Washington</a>
where I live with my wife Tarry.  </p>
href="http://www.cityofshoreline.com">Shoreline, Washington</a> where
I live with my wife Tarry.  </p>
<p>Our current home network consists of: </p>
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM,
40GB &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal
40GB &amp; 20GB IDE HDs and LNE100TX (Tulip) NIC - My personal
Windows system. Serves as a PPTP server for Road Warrior access. Dual
boots <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD,
@ -83,16 +83,16 @@ Samba. This system also has <a href="http://www.vmware.com/">VMware</a>
machines.</li>
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD,
EEPRO100 NIC  - Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache),
FTP (Pure_ftpd), DNS server (Bind 9).</li>
FTP (Pure_ftpd), DNS server (Bind 9).</li>
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI
HD - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
HD - 3 LNE100TX  (Tulip) and 1 TLAN NICs  - Firewall running Shorewall
1.4.6Beta1, a DHCP server and Samba configured as a WINS server..</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139
NIC - My wife's personal system.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD,
RTL8139 NIC - My wife's personal system.</li>
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB
HD, built-in EEPRO100, EEPRO100 in expansion base - My work system.</li>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC and
LinkSys WET11 - Our Laptop.<br>
<li>XP 2200 Laptop, WinXP SP1, 512MB RAM, 40GB HD, built-in NIC
and LinkSys WET11 - Our Laptop.<br>
</li>
</ul>
@ -133,5 +133,6 @@ HD - 3 LNE100TX
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
<br>
<br>
<br>
</body>
</html>

46
Shorewall-docs/shorewall_extension_scripts.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -31,19 +31,22 @@
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism.<br>
</p>
</p>
<p><font color="#ff0000"><b>Caution: <br>
</b></font></p>
<ol>
<li><font color="#ff0000"><b>Be sure that you actually need to use an extension
script to do what you want. Shorewall has a wide range of features that cover
most requirements.</b></font></li>
<li><font color="#ff0000"><b>Be sure that you actually need to use an
extension script to do what you want. Shorewall has a wide range of features
that cover most requirements.</b></font></li>
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE DOING
WITH RESPECT TO iptables/Netfilter</b></font></li>
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
DOING WITH RESPECT TO iptables/Netfilter</b></font></li>
</ol>
<p>The following scripts can be supplied:</p>
<ul>
@ -53,8 +56,8 @@ WITH RESPECT TO iptables/Netfilter</b></font></li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before
the common and/or blacklst chains have been rebuilt.</li>
<li>refresh -- invoked while the firewall is being refreshed but
before the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
@ -70,18 +73,18 @@ WITH RESPECT TO iptables/Netfilter</b></font></li>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in
the file /etc/shorewall/common.def which may be used as a starting
point for making your own customized file.</p>
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly, you
should use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during processing
of the command.</p>
function run_iptables. Similarly, rather than running "ip" directly, you
should use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during
processing of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to use
the following technique</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p> /etc/shorewall/common:</p>
@ -90,9 +93,9 @@ the following technique</p>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique
allows you to add new rules while still getting the benefit of the latest
common.def file.</p>
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
@ -110,5 +113,6 @@ common.def file.</p>
<br>
<br>
<br>
<br>
</body>
</html>

11
Shorewall-docs/shorewall_features.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -63,14 +63,14 @@ use all types in the same firewall):
</ul>
</li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.</li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of
individual IP addresses and subnetworks is supported.</li>
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
<ul>
<li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring with an audible alarm
when an "interesting" packet is detected.</li>
<li>Supports status monitoring with an audible
alarm when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li>
</ul>
@ -114,5 +114,6 @@ Address <b>Verification</b><br>
</p>
<br>
<br>
<br>
</body>
</html>

167
Shorewall-docs/shorewall_firewall_structure.htm
View File

@ -16,11 +16,12 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Firewall Structure</font></h1>
<h1 align="center"><font color="#ffffff">Firewall Structure (Under
Construction)</font></h1>
</td>
</tr>
@ -28,25 +29,25 @@
</table>
<p> Shorewall views the network in which it is running as a set of
<i> zones. </i>Shorewall itself defines exactly one zone called "fw" which
refers to the firewall system itself . The /etc/shorewall/zones file is
used to define additional zones and the example file provided with Shorewall
defines the zones:</p>
<i> zones. </i>Shorewall itself defines exactly one zone called "fw" which
refers to the firewall system itself . The /etc/shorewall/zones file
is used to define additional zones and the example file provided with
Shorewall defines the zones:</p>
<ol>
<li> net -- the (untrusted) internet.</li>
<li> dmz - systems that must be accessible from the internet
and from the local network.  These systems cannot be trusted completely since
their servers may have been compromised through a security exploit.</li>
and from the local network.  These systems cannot be trusted completely
since their servers may have been compromised through a security exploit.</li>
<li> loc - systems in your local network(s). These systems
must be protected from the internet and from the DMZ and in some cases,
from each other.</li>
must be protected from the internet and from the DMZ and in some
cases, from each other.</li>
</ol>
<p><b>Note: </b><a href="#Conf">You can specify the name of the firewall zone</a>.
For ease of description in this documentation, it is assumed that the firewall
zone is named "fw".</p>
<p><b>Note: </b><a href="#Conf">You can specify the name of the firewall
zone</a>. For ease of description in this documentation, it is assumed
that the firewall zone is named "fw".</p>
<p>It can't be stressed enough that with the exception of the firewall zone,
Shorewall itself attaches no meaning to zone names. Zone names are simply
@ -55,12 +56,12 @@ zone is named "fw".</p>
<p>While zones are normally disjoint (no two zones have a host in common),
there are cases where nested or overlapping zone definitions are appropriate.</p>
<p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the
purpose of this document, we will consider Netfilter to have three tables:</p>
<p>Netfilter has the concept of <i>tables</i> and <i>chains. </i>For the purpose
of this document, we will consider Netfilter to have three tables:</p>
<ol>
<li>Filter table -- this is the main table for packet filtering and can
be displayed with the command "shorewall show".</li>
<li>Filter table -- this is the main table for packet filtering and
can be displayed with the command "shorewall show".</li>
<li>Nat table -- used for all forms of Network Address Translation (NAT);
SNAT, DNAT and MASQUERADE.</li>
<li>Mangle table -- used to modify fields in the packet header.<br>
@ -166,8 +167,8 @@ purpose of this document, we will consider Netfilter to have three tables:</p>
<p><br>
<br>
In the text that follows, the paragraph numbers correspond to the box number
in the diagram above.<br>
In the text that follows, the paragraph numbers correspond to the box
number in the diagram above.<br>
</p>
<ol>
@ -177,31 +178,32 @@ purpose of this document, we will consider Netfilter to have three tables:</p>
option and if iptables/netfilter doesn't support the connection tracking
match extension, then the packet is sent down the <b>man1918</b> chain which
will drop the packet if its destination IP address is reserved (as specified
in the /etc/shorewall/rfc1918 file). Next the packet passes through the<b>
pretos</b> chain to set its TOS field as specified in the /etc/shorewall/tos
file. Finally, if traffic control/shaping is being used, the packet is sent
through the<b> tcpre</b> chain to be marked for later use in policy routing
or traffic control.<br>
in the /etc/shorewall/rfc1918 file). Next the packet passes through the<b>
pretos</b> chain to set its TOS field as specified in the /etc/shorewall/tos
file. Finally, if traffic control/shaping is being used, the packet is
sent through the<b> tcpre</b> chain to be marked for later use in policy
routing or traffic control.<br>
<br>
Next, if the packet isn't part of an established connection, it passes
through the<i> nat</i> table's PREROUTING chain (you can see the nat table
by typing "shorewall show nat"). If you are doing both static nat and port
forwarding, the order in which chains are traversed is dependent on the
setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is on
then packets will ender a chain called<b> <i>interface_</i>in</b> where
by typing "shorewall show nat"). If you are doing both static nat and
port forwarding, the order in which chains are traversed is dependent on
the setting of NAT_BEFORE_RULES in shorewall.conf. If NAT_BEFORE_RULES is
on then packets will ender a chain called<b> <i>interface_</i>in</b> where
<i>interface</i> is the name of the interface on which the packet entered.
Here it's destination IP is compared to each of the <i>EXTERNAL</i> IP addresses
from /etc/shorewall/nat that correspond to this interface; if there is
a match, DNAT is applied and the packet header is modified to the IP in
the <i>INTERNAL</i> column of the nat file record. If the destination address
doesn't match any of the rules in the <b><i>interface_</i>in</b> chain then
the packet enters a chain called <b><i>sourcezone</i>_dnat</b> where <i>sourcezone</i>
is the source zone of the packet. There it is compared for a match against
each of the DNAT records in the rules file that specify <i> sourcezone
</i>as the source zone. If a match is found, the destination IP address
(and possibly the destination port) is modified based on the rule matched.
If NAT_BEFORE_RULES is off, then the order of traversal of the <b><i> interface_</i>in</b>
and <b><i>sourcezone</i>_dnat</b> is reversed.<br>
Here it's destination IP is compared to each of the <i>EXTERNAL</i> IP
addresses from /etc/shorewall/nat that correspond to this interface; if
there is a match, DNAT is applied and the packet header is modified to
the IP in the <i>INTERNAL</i> column of the nat file record. If the destination
address doesn't match any of the rules in the <b><i>interface_</i>in</b>
chain then the packet enters a chain called <b><i>sourcezone</i>_dnat</b>
where <i>sourcezone</i> is the source zone of the packet. There it is compared
for a match against each of the DNAT records in the rules file that specify
<i> sourcezone </i>as the source zone. If a match is found, the
destination IP address (and possibly the destination port) is modified based
on the rule matched. If NAT_BEFORE_RULES is off, then the order of traversal
of the <b><i> interface_</i>in</b> and <b><i>sourcezone</i>_dnat</b> is
reversed.<br>
<br>
</li>
<li>Depending on whether the packet is destined for the firewall itself
@ -216,30 +218,32 @@ all rules in /etc/shorewall/tcrules that do not specify Prerouting (:P) are
processed in a chain called <br>
<br>
</li>
<ol>
</ol>
<li>Traffic is next sent to an<i> interface </i>chain in the main Netfilter
table (called 'filter'). If the traffic is destined for the firewall itself,
the name of the interface chain is formed by appending "_in" to the interface
name. So traffic on eth0 destined for the firewall will enter a chain called
<i>eth0_in</i>. The interface chain for traffic that will be routed
to another system is formed by appending "_fwd" to the interface name.
So traffic from eth1 that is going to be forwarded enters a chain called<i>
eth1_fwd</i>. Interfaces described with the wild-card character ("+")
in /etc/shorewall/interfaces, share input chains. if <i>ppp+ </i>appears
in /etc/shorewall/interfaces then all PPP interfaces (ppp0, ppp1, ...) will
share the interface chains <i>ppp_in</i> and <i>ppp_fwd</i>. In other words,
"+" is deleted from the name before forming the input chain names.<br>
table (called 'filter'). If the traffic is destined for the firewall
itself, the name of the interface chain is formed by appending "_in" to
the interface name. So traffic on eth0 destined for the firewall will
enter a chain called <i>eth0_in</i>. The interface chain for traffic
that will be routed to another system is formed by appending "_fwd" to
the interface name. So traffic from eth1 that is going to be forwarded
enters a chain called<i> eth1_fwd</i>. Interfaces described with the wild-card
character ("+") in /etc/shorewall/interfaces, share input chains. if <i>ppp+
</i>appears in /etc/shorewall/interfaces then all PPP interfaces (ppp0,
ppp1, ...) will share the interface chains <i>ppp_in</i> and <i>ppp_fwd</i>.
In other words, "+" is deleted from the name before forming the input chain
names.<br>
<br>
While the use of interfacechains may seem wasteful in simple environments,
While the use of interfacechains may seem wasteful in simple environments,
in complex setups it substantially reduces the number of rules that each
packet must traverse.  </li>
</ol>
<p> Traffic directed from a zone to the firewall itself is sent through a
chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from
<p> Traffic directed from a zone to the firewall itself is sent through
a chain named &lt;<i>zone name&gt;</i>2fw. For example, traffic inbound from
the internet and addressed to the firewall is sent through a chain named
net2fw. Similarly, traffic originating in the firewall and being sent
to a host in a given zone is sent through a chain named fw2<i>&lt;zone
@ -247,8 +251,8 @@ name&gt;. </i>For example, traffic originating in the firewall and
destined for a host in the local network is sent through a chain named
<i>fw2loc.</i> <font face="Century Gothic, Arial, Helvetica">  </font></p>
<p> Traffic being forwarded between two zones (or from one interface to a
zone to another interface to that zone) is sent through a chain named <i>
<p> Traffic being forwarded between two zones (or from one interface to
a zone to another interface to that zone) is sent through a chain named <i>
&lt;source zone&gt;</i>2<i> &lt;destination zone&gt;</i>. So for example,
traffic originating in a local system and destined for a remote web server
is sent through chain <i>loc2net. </i>This chain is referred to
@ -262,53 +266,53 @@ be expressed in terms of the destination system's real IP address as opposed
<p> For each record in the /etc/shorewall/policy file, a chain is created.
Policies in that file are expressed in terms of a source zone and destination
zone where these zones may be a zone defined in /etc/shorewall/zones, "fw"
or "all". Policies specifying the pseudo-zone "all" matches all defined
zone where these zones may be a zone defined in /etc/shorewall/zones,
"fw" or "all". Policies specifying the pseudo-zone "all" matches all defined
zones and "fw". These chains are referred to as <i>Policy Chains.</i> Notice
that for an ordered pair of zones (za,zb), the canonical chain (za2zb)
may also be the policy chain for the pair or the policy chain may be a
different chain (za2all, for example). Packets from one zone to another
will traverse chains as follows:</p>
may also be the policy chain for the pair or the policy chain may be
a different chain (za2all, for example). Packets from one zone to another
will traverse chains as follows:</p>
<ol>
<li> If the canonical chain exists, packets first traverse that
chain.</li>
<li> If the canonical chain and policy chain are different and
the packet does not match a rule in the canonical chain, it then is sent
to the policy chain.</li>
<li> If the canonical chain exists, packets first traverse
that chain.</li>
<li> If the canonical chain and policy chain are different
and the packet does not match a rule in the canonical chain, it then
is sent to the policy chain.</li>
<li> If the canonical chain does not exist, packets are sent
immediately to the policy chain.</li>
immediately to the policy chain.</li>
</ol>
<p> The canonical chain from zone za to zone zb will be created only if there
are exception rules defined in /etc/shorewall/rules for packets going from
za to zb.</p>
<p> The canonical chain from zone za to zone zb will be created only if
there are exception rules defined in /etc/shorewall/rules for packets going
from za to zb.</p>
<p> Shorewall is built on top of the Netfilter kernel facility. Netfilter
implements connection tracking function that allow what is often referred
to as "statefull inspection" of packets. This statefull property allows
firewall rules to be defined in terms of "connections" rather than
in terms of "packets". With Shorewall, you:</p>
firewall rules to be defined in terms of "connections" rather than in
terms of "packets". With Shorewall, you:</p>
<ol>
<li> Identify the client's zone.</li>
<li> Identify the server's zone.</li>
<li> If the POLICY from the client's zone to the server's zone
is what you want for this client/server pair, you need do nothing further.</li>
<li> If the POLICY is not what you want, then you must add a
rule. That rule is expressed in terms of the client's zone and the
server's zone.</li>
<li> If the POLICY is not what you want, then you must add
a rule. That rule is expressed in terms of the client's zone and
the server's zone.</li>
</ol>
<p> Just because connections of a particular type are allowed between zone
A and the firewall and are also allowed between the firewall and zone B
<font color="#ff6633"><b><u> DOES NOT mean that these connections are
allowed between zone A and zone B</u></b></font>. It rather means that
you can have a proxy running on the firewall that accepts a connection
from zone A and then establishes its own separate connection from the firewall
to zone B.</p>
A and the firewall and are also allowed between the firewall and zone
B <font color="#ff6633"><b><u> DOES NOT mean that these connections
are allowed between zone A and zone B</u></b></font>. It rather means
that you can have a proxy running on the firewall that accepts a connection
from zone A and then establishes its own separate connection from the
firewall to zone B.</p>
<p> If you adopt the default policy of ACCEPT from the local zone to the
internet zone and you are having problems connecting from a local client
@ -323,5 +327,6 @@ from zone A and then establishes its own separate connection from the firewall
<br>
<br>
<br>
<br>
</body>
</html>

38
Shorewall-docs/shorewall_logging.html
View File

@ -12,12 +12,10 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
@ -88,19 +86,19 @@ file, you must restart syslogd before the changes can take effect.<br>
Beginning with Shorewall version 1.3.12, if your kernel has ULOG
target support (and most vendor-supplied kernels do), you may also specify
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
direct netfilter to log the related messages via the ULOG target which will
send them to a process called 'ulogd'. The ulogd program is available from
http://www.gnumonks.org/projects/ulogd and can be configured to log all
Shorewall message to their own log file.<br>
direct netfilter to log the related messages via the ULOG target which
will send them to a process called 'ulogd'. The ulogd program is available
from http://www.gnumonks.org/projects/ulogd and can be configured to log
all Shorewall message to their own log file.<br>
<br>
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from
syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely
no effect on your Shorewall logging (except for Shorewall status messages
which still go to syslog).<br>
<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
You will need to have the kernel source available to compile ulogd.<br>
<br>
Download the ulod tar file and:<br>
<ol>
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
@ -115,9 +113,9 @@ Download the ulod tar file and:<br>
</li>
</ol>
If you are like me and don't have a development environment on your firewall,
you can do the first six steps on another system then either NFS mount
your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
If you are like me and don't have a development environment on your
firewall, you can do the first six steps on another system then either
NFS mount your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
directory and move it to your firewall system.<br>
<br>
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
@ -129,9 +127,9 @@ your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
</ol>
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system
may need something else done to activate the script.<br>
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
something else done to activate the script.<br>
<br>
You will need to change all instances of log levels (usually 'info') in
your configuration files to 'ULOG' - this includes entries in the policy,
@ -140,17 +138,15 @@ rules and shorewall.conf files. Here's what I have:<br>
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc&nbsp; fw&nbsp;&nbsp; REJECT&nbsp; ULOG<br> policy:net&nbsp; all&nbsp; DROP&nbsp;&nbsp;&nbsp; ULOG&nbsp;&nbsp;&nbsp;10/sec:40<br> policy:all&nbsp; all&nbsp; REJECT&nbsp; ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i>&lt;file
that you wish to log to&gt;</i>. This tells the /sbin/shorewall program
where to look for the log when processing its "show log", "logwatch" and
"monitor" commands.<br>
where to look for the log when processing its "show log", "logwatch" and "monitor"
commands.<br>
<p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
</p>
<br>
</body>
</html>

23
Shorewall-docs/shorewall_mirrors.htm
View File

@ -16,10 +16,11 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td>
</tr>
@ -37,12 +38,12 @@
and is located in California, USA. It is mirrored at:</p>
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net"> http://slovakia.shorewall.net</a>
(Slovak Republic).</li>
<li><a target="_top" href="http://slovakia.shorewall.net">
http://slovakia.shorewall.net</a> (Slovak Republic).</li>
<li> <a href="http://www.infohiiway.com/shorewall"
target="_top"> http://shorewall.infohiiway.com</a> (Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net"> http://germany.shorewall.net</a>
(Hamburg, Germany)</li>
<li><a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a> (Hamburg, Germany)</li>
<li><a target="_top"
href="http://france.shorewall.net">http://france.shorewall.net</a>
(Paris, France)</li>
@ -51,7 +52,9 @@
<li><a href="http://shorewall.greshko.com" target="_top">http://shorewall.greshko.com</a>
(Taipei, Taiwan)</li>
<li><a href="http://argentina.shorewall.net" target="_top">http://argentina.shorewall.net</a>
(Argentina)<br>
(Argentina)</li>
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">http://shorewall.securityopensource.org.br</a> (Brazil)<br>
</li>
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
(Washington State, USA)<br>
@ -76,15 +79,15 @@
(Paris, France)</li>
<li><a href="ftp://shorewall.greshko.com/pub/shorewall"
target="_top">ftp://shorewall.greshko.com</a> (Taipei, Taiwan)</li>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall" target="_blank">ftp://ftp.shorewall.net
</a>(Washington State, USA)<br>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall"
target="_blank">ftp://ftp.shorewall.net </a>(Washington State, USA)<br>
</li>
</ul>
Search results and the mailing list archives are always fetched from
the site in Washington State.<br>
<p align="left"><font size="2">Last Updated 6/19/2003 - <a
<p align="left"><font size="2">Last Updated 7/15/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
@ -98,5 +101,7 @@
<br>
<br>
<br>
<br>
<br>
</body>
</html>

11
Shorewall-docs/shorewall_prerequisites.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -32,10 +32,10 @@
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 -
2.4.20. With current releases of Shorewall, Traffic Shaping/Control requires
at least 2.4.18.  <a href="kernel.htm"> Check here for kernel
configuration information.</a> If you are looking for a firewall
for use with 2.2 kernels, <a href="http://seawall.sf.net"> see
the Seattle Firewall site</a> .</li>
at least 2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle
Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the
<a href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING:
</b></font>The buggy iptables version 1.2.3 is included in RedHat
@ -81,5 +81,6 @@ have awk (gawk) installed.</li>
<br>
<br>
<br>
<br>
</body>
</html>

51
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -18,7 +18,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -61,9 +61,9 @@ we must all first walk before we can run.<br>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
Index Below) outlines the steps necessary to set up a firewall
where <b>there are multiple public IP addresses involved or
if you want to learn more about Shorewall than is explained in
the single-address guides above.</b></p>
where <b>there are multiple public IP addresses involved
or if you want to learn more about Shorewall than is explained
in the single-address guides above.</b></p>
<ul>
@ -72,9 +72,9 @@ we must all first walk before we can run.<br>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
described above</b>. Please review the appropriate guide before
trying to use this documentation directly.</p>
the <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a> described above</b>. Please review the appropriate
guide before trying to use this documentation directly.</p>
<ul>
<li><a
@ -162,10 +162,13 @@ a test configuration)</a></li>
href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="CorpNetwork.htm">Corporate
Network Example</a> (Contributed by a Graeme Boyle)<br>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by
host or subnet</a></li>
host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li>
<li><font color="#000099"><a
@ -187,7 +190,8 @@ host or subnet</a></li>
href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC Verification</a></li>
<li><a href="MAC_Validation.html">MAC
Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall
@ -229,6 +233,7 @@ host or subnet</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
@ -243,23 +248,27 @@ host or subnet</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
NAT</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds
and Ends</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
</ul>
</li>
@ -285,7 +294,7 @@ host or subnet</a></li>
<li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it doesn't
work)</a><br>
work)</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
@ -299,8 +308,8 @@ work)</a><br>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br>
</li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from
a system behind your firewall to a remote network.</li>
<li><a href="VPN.htm">IPSEC/PPTP</a>
from a system behind your firewall to a remote network.</li>
</ul>
</li>
@ -312,10 +321,12 @@ work)</a><br>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 7/6/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 7/16/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
</p>
<br>
<br>
</body>
</html>

565
Shorewall-docs/shorewall_setup_guide.htm
View File

File diff suppressed because it is too large Load Diff

248
Shorewall-docs/sourceforge_index.htm
View File

@ -9,38 +9,31 @@
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base target="_self">
<base
target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#4b017c">
bgcolor="#3366ff">
<tbody>
<tr>
<td width="33%" height="90" valign="middle"
align="left"><a href="http://www.cityofshoreline.com"><img
<td width="33%" height="90"
valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center">
<h1><font color="#ffffff">Shorewall 1.4</font><i><font
color="#ffffff"> <small><small><small>"iptables made easy"</small></small></small></font></i></h1>
<td valign="middle"
bgcolor="#ffffff" width="34%" align="center">
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="341" height="80">
</td>
<td valign="middle">
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><br>
</a></h1>
<br>
<td valign="top" width="33"><br>
</td>
</tr>
@ -64,6 +57,7 @@
<h2 align="left">What is it?</h2>
@ -84,18 +78,18 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed in
the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the
implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU
General Public License for more details.<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
<br>
@ -116,6 +110,19 @@ GNU General Public License</a> as published by the Free Software
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the
<a
@ -129,7 +136,7 @@ GNU General Public License</a> as published by the Free Software
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will
not apply directly to your setup. If you want to use the documentation
not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
@ -138,39 +145,48 @@ not apply directly to your setup. If you want to use the documentation
<h2><b>News</b></h2>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b> </p>
<blockquote><b><a
href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
ftp://shorewall.net/pub/shorewall/testing</a></b></blockquote>
ftp://shorewall.net/pub/shorewall/testing</a></b></blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column of a
DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the nat
table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br>
<li>Where a list of IP addresses appears in the DEST column of
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the
nat table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing a "-"
were mis-handled when they appeared in the DEST column of a rule.<br>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li value="4">A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<li value="4">A number of problems with rule parsing have been
corrected. Corrections involve the handling of "z1!z2" in the SOURCE column
as well as lists in the ORIGINAL DESTINATION column.<br>
</li>
</ol>
@ -180,19 +196,19 @@ as lists in the ORIGINAL DESTINATION column.<br>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
This capability was never documented and has been removed in 1.4.6 to
allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from /etc/shorewall/shorewall.conf. These capabilities are now automatically
detected by Shorewall (see below).<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have
been removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).<br>
</li>
</ol>
@ -201,22 +217,22 @@ removed from /etc/shorewall/shorewall.conf. These capabilities are now automatic
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option may
be specified in /etc/shorewall/interfaces and overrides the setting NEWNOTSYN=No
for packets arriving on the associated interface.<br>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for address
ranges.<br>
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than the
first one on an interface.<br>
<li>Shorewall can now add IP addresses to subnets other than
the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
@ -225,8 +241,8 @@ over a set of servers. Servers may be specified in a range of addresses
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the
start, restart and check commands have been enhanced to report the outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
@ -237,11 +253,11 @@ start, restart and check commands have been enhanced to report the outcome:<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases and
allows for rules which match against elements in netfilter's connection tracking
table. Shorewall automatically detects the availability of this extension
and reports its availability in the output of the start, restart and check
commands.<br>
added. This extension is available in recent kernel/iptables releases
and allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -250,18 +266,18 @@ allows for rules which match against elements in netfilter's connection trackin
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall is
changed in the following ways:</li>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering in
the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter rules;
one in the nat table and one in the filter table. If the Connection Tracking
Match Extension is available, the rule in the filter table is extended to
check that the original destination address was the same as specified (or
defaulted to) in the DNAT rule.<br>
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is extended
to check that the original destination address was the same as specified
(or defaulted to) in the DNAT rule.<br>
<br>
</li>
@ -273,7 +289,7 @@ defaulted to) in the DNAT rule.<br>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
]<br>
<br>
Examples:<br>
<br>
@ -293,10 +309,10 @@ defaulted to) in the DNAT rule.<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash), then
the ipcalc command produces incorrect information for IP addresses 128.0.0.0-1
and for /1 networks. Bash should produce correct information for all valid
IP addresses.<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall. <br>
@ -304,11 +320,12 @@ defaulted to) in the DNAT rule.<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br>
and host addresses. The command can be useful if you need to construct
an efficient set of rules that accept connections from a range of network
addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
then the range may not span 128.0.0.0.<br>
then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
@ -327,7 +344,8 @@ then the range may not span 128.0.0.0.<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry in /etc/shorewall/hosts.<br>
<li>A list of host/net addresses is now allowed in an entry in
/etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
@ -341,37 +359,44 @@ then the range may not span 128.0.0.0.<br>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;" now
correctly traces the attempt.</li>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones
file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty second
column are no longer ignored.<br>
file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!'
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p>
The firewall at shorewall.net has been upgraded to the 2.4.21
kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.
kernel and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
@ -385,14 +410,17 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
<ol>
</ol>
<p><b></b></p>
<p><b></b></p>
@ -400,12 +428,14 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
<blockquote>
<ol>
</ol>
</blockquote>
@ -419,33 +449,36 @@ version is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
<h2><b> </b></h2>
<b> </b>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric Wolzak
have a LEAF (router/firewall/gateway
</a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that features
Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
called <i>Bering</i> that
features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques
and Eric on the recent release of Bering 1.2!!!
</b><br>
and Eric on the recent release of Bering
1.2!!! </b><br>
@ -459,12 +492,14 @@ You can find their work at: <a
<h4><b> </b></h4>
<b> </b>
<h2><b>This site is hosted by the generous folks at <a
href="http://www.sf.net">SourceForge.net</a> </b></h2>
<b> </b>
@ -472,18 +507,22 @@ You can find their work at: <a
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td width="88" bgcolor="#4b017c"
<h2><b><a name="Donations"></a>Donations</b></h2>
<b>
</b></td>
<td width="88" bgcolor="#3366ff"
valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily
@ -508,6 +547,7 @@ You can find their work at: <a
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
@ -531,7 +571,7 @@ You can find their work at: <a
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#4b017c">
bgcolor="#3366ff">
<tbody>
@ -553,12 +593,13 @@ You can find their work at: <a
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you try it
and find it useful, please consider making a donation
to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Foundation.</font></a> Thanks!</font></font></p>
<font size="+2">Shorewall is free but if you try
it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
</td>
@ -572,6 +613,7 @@ You can find their work at: <a
<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</p>
<br>
</body>
</html>

62
Shorewall-docs/standalone.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90">
id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -45,16 +45,16 @@
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
if this package is installed by the presence of an <b>ip</b> program
on your firewall system. As root, you can use the 'which' command to
check for this program:</p>
if this package is installed by the presence of an <b>ip</b> program on
your firewall system. As root, you can use the 'which' command to check
for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you read through the guide first to familiarize yourself
with what's involved then go back through it again making your configuration
changes.  Points at which configuration changes are recommended are
flagged with <img border="0" src="images/BD21298_.gif" width="13"
changes.  Points at which configuration changes are recommended are flagged
with <img border="0" src="images/BD21298_.gif" width="13"
height="13">
.</p>
@ -68,8 +68,9 @@ disk, you must run dos2unix against the copy before using it with Shorewall.</p
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows
Version of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
</ul>
@ -118,11 +119,11 @@ one zone is defined:</p>
in terms of zones.</p>
<ul>
<li>You express your default policy for connections from one zone
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
<li>You express your default policy for connections from one
zone to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>file.</li>
<li>You define exceptions to those default policies in the <a
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
@ -133,8 +134,8 @@ one zone is defined:</p>
the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample
has the following policies:</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -179,9 +180,9 @@ has the following policies:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
<li>drop (ignore) all connection requests from the internet to
your firewall</li>
<li>reject all other connection requests (Shorewall requires this
catchall policy).</li>
your firewall</li>
<li>reject all other connection requests (Shorewall requires
this catchall policy).</li>
</ol>
@ -235,8 +236,8 @@ option list. </p>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose
destination address is reserved by RFC 1918. In some cases though,
ISPs are assigning these addresses then using <i>Network Address Translation
destination address is reserved by RFC 1918. In some cases though, ISPs
are assigning these addresses then using <i>Network Address Translation
</i>to rewrite packet headers when forwarding to/from the internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
@ -285,8 +286,8 @@ ISPs are assigning these addresses then using <i>Network Address Translat
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server and a POP3 Server
on your firewall system:</p>
<p align="left">Example - You want to run a Web Server and a POP3 Server on
your firewall system:</p>
</div>
<div align="left">
@ -329,13 +330,13 @@ on your firewall system:</p>
<div align="left">
<p align="left">If you don't know what port and protocol a particular application
uses, see <a href="ports.htm">here</a>.</p>
uses, see <a href="ports.htm">here</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If you
want shell access to your firewall from the internet, use SSH:</p>
the internet because it uses clear text (even for login!). If you want
shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -386,7 +387,7 @@ want shell access to your firewall from the internet, use SSH:</p>
version 1.3.9 startup is disabled so that your system won't try to start
Shorewall before configuration is complete. Once you have completed configuration
of your firewall, you can enable Shorewall startup by removing the file
/etc/shorewall/startup_disabled.<br>
/etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
@ -396,8 +397,8 @@ want shell access to your firewall from the internet, use SSH:</p>
<div align="left">
<p align="left">The firewall is started using the "shorewall start" command
and stopped using "shorewall stop". When the firewall is stopped,
routing is enabled on those hosts that have an entry in <a
and stopped using "shorewall stop". When the firewall is stopped, routing
is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart" command.
If you want to totally remove any trace of Shorewall from your Netfilter
@ -407,9 +408,9 @@ routing is enabled on those hosts that have an entry in <a
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless you have
added an entry for the IP address that you are connected from to
<a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
added an entry for the IP address that you are connected from to <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to create
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
@ -429,5 +430,6 @@ routing is enabled on those hosts that have an entry in <a
<br>
<br>
<br>
<br>
</body>
</html>

176
Shorewall-docs/standalone_fr.html
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#400169" height="90">
id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -32,58 +32,58 @@
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française
intelligible par tous (et par moi). Les termes techniques sont la plupart
du temps conservés sous leur forme originale et mis entre parenthèses car
vous pouvez les retrouver dans le reste des documentations ainsi que dans
les fichiers de configuration. N?hésitez pas à me contacter afin d?améliorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci à JMM pour sa relecture et ses commentaires pertinents, ainsi qu'à
Tom EASTEP pour son formidable outil et sa disponibilité)</i><i>.</i></small></p>
traduction exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p>
pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
focalise sur ce qui est nécessaire pour configurer Shorewall, dans son utilisation
la plus courante :</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
utilisation la plus courante :</p>
<ul>
<li>Un système Linux</li>
<li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
rtc...</li>
rtc...</li>
</ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
le changements dans votre configuration. Les points, où les changements dans
la configuration sont recommandées, sont signalés par une <img
vous familiariser avec ce qu'il va se passer, et de revenir au début en
effectuant le changements dans votre configuration. Les points, où les changements
dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette
option sinon vous devez les faire passer par dos2unix avant d'essayer de
les utiliser. De la même manière, si vous copiez un fichier de configuration
depuis votre disque dur Windows vers une disquette, vous devez lancer dos2unix
sur la copie avant de l'utiliser avec Shorewall.</p>
option sinon vous devez les faire passer par dos2unix avant d'essayer de les
utiliser. De la même manière, si vous copiez un fichier de configuration depuis
votre disque dur Windows vers une disquette, vous devez lancer dos2unix sur
la copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
@ -93,7 +93,7 @@ of dos2unix</a></li>
alt="">
Les fichiers de configuration pour Shorewall sont situés dans le répertoire
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall
@ -101,12 +101,12 @@ un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shor
installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient des
instructions de configuration détaillées et des entrées par défaut.</p>
physiquement présents sur votre système -- chacun des fichiers contient
des instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique interface,
une seule zone est définie :</p>
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
@ -126,30 +126,31 @@ une seule zone est d
<p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première politique
dans /etc/shorewall/policy qui y correspond est appliquée. Si cette politique
est REJECT ou DROP la requête est alors comparée par rapport aux règles contenues
dans /etc/shorewall/common (l'archive d'exemple vous fournit ce fichier).</p>
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
a les politiques suivantes :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -200,33 +201,33 @@ a les politiques suivantes :</p>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
de cette politique).</li>
de cette politique).</li>
</ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désirez.</p>
que vous désirez.</p>
<h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque la
connexion Internet passe par un modem câble ou par un routeur ADSL (pas un
simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
connexion Internet passe par un modem câble ou par un routeur ADSL (pas
un simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour une interface suppose que
votre interface externe est <b>eth0</b>. Si votre configuration est différente,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
spécifiées pour l'interface. Quelques astuces :</p>
spécifiées pour l'interface. Quelques astuces :</p>
<ul>
<li>
@ -237,7 +238,7 @@ sp
<li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
de la liste d'option. </p>
de la liste d'option. </p>
</li>
</ul>
@ -247,8 +248,8 @@ de la liste d'option. </p>
</div>
<div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée (<i>Private</i>IP)
pour l'utilisation dans des réseaux privés :</p>
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -256,16 +257,16 @@ pour l'utilisation dans des r
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les paquets
dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -274,7 +275,7 @@ enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
<div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
vers votre firewall, le format général est :</p>
vers votre firewall, le format général est :</p>
</div>
<div align="left">
@ -309,8 +310,8 @@ vers votre firewall, le format g
</div>
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un serveur
POP3 sur votre système de firewall :</p>
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
serveur POP3 sur votre système de firewall :</p>
</div>
<div align="left">
@ -357,14 +358,14 @@ POP3 sur votre syst
<div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
telnet depuis ou vers l'Internet car il utilise du texte en clair (même pour
le login et le mot de passe !). Si vous voulez avoir un accès au shell de
votre firewall depuis Internet, utilisez SSH :</p>
telnet depuis ou vers l'Internet car il utilise du texte en clair (même
pour le login et le mot de passe !). Si vous voulez avoir un accès au shell
de votre firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
@ -406,7 +407,7 @@ votre firewall depuis Internet, utilisez SSH :</p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
désirées.</p>
</div>
<div align="left">
@ -419,33 +420,33 @@ d
La <a href="Install.htm">procédure d'installation </a> configure votre
système pour lancer Shorewall au boot du système, mais au début avec la version
1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
routage est autorisé sur les hôtes qui possèdent une entrée dans <a
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
de Netfilter, utilisez "shorewall clear".</p>
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre
configuration de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall depuis
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
@ -455,7 +456,8 @@ il est plus int
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>

104
Shorewall-docs/starting_and_stopping_shorewall.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -30,21 +30,21 @@
<p> If you have a permanent internet connection such as DSL or Cable,
I recommend that you start the firewall automatically at boot.
Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want to
configure your firewall differently from this default, you can use
the "--level" option in chkconfig (see "man chkconfig") or using your
favorite graphical run-level editor.</p>
Once you have installed "firewall" in your init.d directory, simply
type "chkconfig --add firewall". This will start the firewall
in run levels 2-5 and stop it in run levels 1 and 6. If you want
to configure your firewall differently from this default, you can
use the "--level" option in chkconfig (see "man chkconfig") or using
your favorite graphical run-level editor.</p>
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
</p>
<ol>
<li>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the file
/etc/shorewall/startup_disabled. Note: Users of the .deb package must
edit /etc/default/shorewall and set 'startup=1'.<br>
configured your firewall, you can enable startup by removing the file
/etc/shorewall/startup_disabled. Note: Users of the .deb package must
edit /etc/default/shorewall and set 'startup=1'.<br>
</li>
<li>If you use dialup, you may want to start the firewall
in your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
@ -64,8 +64,8 @@ edit /etc/default/shorewall and set 'startup=1'.<br>
running) and then starts it again</li>
<li>shorewall reset - reset the packet and byte counters
in the firewall</li>
<li>shorewall clear - remove all rules and chains installed
by Shoreline Firewall</li>
<li>shorewall clear - remove all rules and chains
installed by Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the
broadcast addresses of firewall interfaces, <a
href="blacklisting_support.htm">the black list</a>, <a
@ -73,13 +73,13 @@ broadcast addresses of firewall interfaces, <a
href="ECN.html">ECN control rules</a>.</li>
</ul>
If you include the keyword <i>debug</i> as the first argument, then
a shell trace of the command is produced as in:<br>
If you include the keyword <i>debug</i> as the first argument,
then a shell trace of the command is produced as in:<br>
<pre> <font color="#009900"><b>shorewall debug start 2&gt; /tmp/trace</b></font><br></pre>
<p>The above command would trace the 'start' command and place the trace information
in the file /tmp/trace<br>
<p>The above command would trace the 'start' command and place the trace
information in the file /tmp/trace<br>
</p>
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
@ -90,7 +90,7 @@ in the file /tmp/trace<br>
<ul>
<li>shorewall status - produce a verbose report about the
firewall (iptables -L -n -v)</li>
firewall (iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report
about <i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about
@ -101,44 +101,46 @@ the mangle table (iptables -t mangle -L -n -v)</li>
entries.</li>
<li>shorewall show connections - displays the IP connections
currently being tracked by the firewall.</li>
<li>shorewall show
tc - displays
<li>shorewall
show tc - displays
information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the
firewall status, last 20 log entries and nat. When the log
entry display changes, an audible alarm is sounded.</li>
<li>shorewall monitor [ delay ] - Continuously display
the firewall status, last 20 log entries and nat. When the
log entry display changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the
Shorewall packet log messages in the current /var/log/messages
file.</li>
<li>shorewall version - Displays the installed version
number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation of the
zones, interfaces, hosts, rules and policy files.<br>
<li>shorewall check - Performs a <u>cursory</u> validation of
the zones, interfaces, hosts, rules and policy files.<br>
<br>
<font size="4" color="#ff6666"><b>The "check" command is totally unsuppored
and does not parse and validate the generated iptables commands.
and does not parse and validate the generated iptables commands.
Even though the "check" command completes successfully, the configuration
may fail to start. Problem reports that complain about errors that the 'check'
command does not detect will not be accepted.<br>
may fail to start. Problem reports that complain about errors that the 'check'
command does not detect will not be accepted.<br>
<br>
See the recommended way to make configuration changes described below.</b></font><br>
See the recommended way to make configuration changes described
below.</b></font><br>
<br>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
] - Restart shorewall using the specified configuration and if
an error occurs or if the<i> timeout </i> option is given and the
new configuration has been up for that many seconds then shorewall
is restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and
shorewall save implement <a href="blacklisting_support.htm">dynamic
blacklisting</a>.</li>
an error occurs or if the<i> timeout </i> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept
and shorewall save implement <a
href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors
the <a href="#Conf">LOGFILE </a>and produces an audible alarm when
new Shorewall messages are logged.</li>
the <a href="#Conf">LOGFILE </a>and produces an audible alarm
when new Shorewall messages are logged.</li>
</ul>
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of commands
Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of commands
for dealing with IP addresses and IP address ranges:<br>
<ul>
<li>shorewall ipcalc [ <i>address mask </i>| <i>address/vlsm</i> ] - displays
the network address, broadcast address, network in CIDR notation and netmask
@ -147,13 +149,15 @@ corresponding to the input[s].</li>
range of IP addresses into the equivalent list of network/host addresses.
<br>
</li>
</ul>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
Finally, the "shorewall" program may be used to dynamically alter the
contents of a zone.<br>
<ul>
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>-
Adds the specified interface (and host if included) to the specified zone.</li>
Adds the specified interface (and host if included) to the specified
zone.</li>
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone
</i>- Deletes the specified interface (and host if included) from
the specified zone.</li>
@ -165,8 +169,8 @@ the specified zone.</li>
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
from zone vpn1<br>
vpn1</b></font> -- deletes the address 192.0.2.24 from interface ipsec0
from zone vpn1<br>
</blockquote>
</blockquote>
@ -182,9 +186,9 @@ from zone vpn1<br>
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
is going to use a file in /etc/shorewall it will first look in the
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will be
used.</p>
<i>configuration-directory</i> . If the file is present in the <i>configuration-directory</i>,
that file will be used; otherwise, the file in /etc/shorewall will
be used.</p>
<p> When changing the configuration of a production firewall, I recommend
the following:</p>
@ -202,8 +206,9 @@ from /etc/shorewall to . and change them here&gt;</li>
</ul>
<p> If the configuration starts but doesn't work, just "shorewall restart"
to restore the old configuration. If the new configuration fails to
start, the "try" command will automatically start the old one for you.</p>
to restore the old configuration. If the new configuration fails
to start, the "try" command will automatically start the old one for
you.</p>
<p> When the new configuration works then just </p>
@ -225,8 +230,8 @@ from /etc/shorewall to . and change them here&gt;</li>
<p>  <br>
</p>
You will note that the commands that result in state transitions
use the word "firewall" rather than "shorewall". That is because the actual
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
use the word "firewall" rather than "shorewall". That is because the
actual transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
on Debian); /sbin/shorewall runs 'firewall" according to the following
table:<br>
<br>
@ -290,5 +295,6 @@ table:<br>
</p>
<br>
<br>
<br>
</body>
</html>

104
Shorewall-docs/support.htm
View File

@ -12,15 +12,17 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td
width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
@ -30,11 +32,11 @@
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number of sources of Shorewall information. Please
There are a number of sources of Shorewall information. Please
try these before you post.
<ul>
<li>Shorewall versions
earlier that 1.3.0 are no longer supported.<br>
earlier that 1.3.0 are no longer supported.<br>
</li>
<li>More than half of the questions posted on the support
list have answers directly accessible from the <a
@ -48,13 +50,13 @@ earlier that 1.3.0 are no longer supported.<br>
<li>
The <a href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
Information contains a number of tips to
help you solve common problems. </li>
help you solve common problems. </li>
<li>
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
The <a href="http://www.shorewall.net/errata.htm"> Errata</a>
has links to download updated components. </li>
<li>
The Site and Mailing List Archives search facility can
locate documents and posts about similar problems:
locate documents and posts about similar problems:
</li>
</ul>
@ -105,28 +107,28 @@ locate documents and posts about similar problems:
</h2>
<ul>
<li>Please remember we only know
what is posted in your message. Do not leave out any information
that appears to be correct, or was mentioned in a previous
post. There have been countless posts by people who were sure
that some part of their configuration was correct when it actually
contained a small error. We tend to be skeptics where detail
is lacking.<br>
<li>Please remember we only
know what is posted in your message. Do not leave out any
information that appears to be correct, or was mentioned
in a previous post. There have been countless posts by people
who were sure that some part of their configuration was correct
when it actually contained a small error. We tend to be skeptics
where detail is lacking.<br>
<br>
</li>
<li>Please keep in mind that
you're asking for <strong>free</strong> technical
support. Any help we offer is an act of generosity, not an obligation.
support. Any help we offer is an act of generosity, not an obligation.
Try to make it easy for us to help you. Follow good, courteous
practices in writing and formatting your e-mail. Provide details that
we need if you expect good answers. <em>Exact quoting </em> of
error messages, log entries, command output, and other output is better
than a paraphrase or summary.<br>
practices in writing and formatting your e-mail. Provide details
that we need if you expect good answers. <em>Exact quoting </em>
of error messages, log entries, command output, and other output is
better than a paraphrase or summary.<br>
<br>
</li>
<li>
Please don't describe your environment and then
ask us to send you custom configuration files.
ask us to send you custom configuration files.
We're here to answer your questions but we can't
do your job for you.<br>
<br>
@ -142,8 +144,8 @@ ask us to send you custom configuration files.
<li>the exact version of Shorewall
you are running.<br>
<br>
<b><font color="#009900">shorewall
version</font><br>
<b><font
color="#009900">shorewall version</font><br>
</b> <br>
</li>
@ -186,8 +188,8 @@ ask us to send you custom configuration files.
<ul>
<li><big><font color="#ff0000"><u><i><big><b>THIS IS
IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem
is that some type of connection to/from or through your firewall isn't working
IMPORTANT!</b></big></i></u></font><big><big><big> </big>If your problem is
that some type of connection to/from or through your firewall isn't working
then please perform the following four steps:</big></big></big><br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
@ -216,12 +218,12 @@ then please perform the following four steps:</big></big></big><br>
</ul>
<li>As a general matter, please <strong>do not edit the diagnostic
information</strong> in an attempt to conceal your IP address,
netmask, nameserver addresses, domain name, etc. These aren't
secrets, and concealing them often misleads us (and 80% of the time,
a hacker could derive them anyway from information contained
in the SMTP headers of your post).<br>
<li>As a general matter, please <strong>do not edit the
diagnostic information</strong> in an attempt to conceal
your IP address, netmask, nameserver addresses, domain name,
etc. These aren't secrets, and concealing them often misleads us
(and 80% of the time, a hacker could derive them anyway from
information contained in the SMTP headers of your post).<br>
<br>
<strong></strong></li>
<li>Do you see any "Shorewall" messages
@ -239,16 +241,17 @@ your /etc/shorewall/interfaces file.<br>
one also knows the policies).<br>
<br>
</li>
<li>If an error occurs when you try to
"<font color="#009900"><b>shorewall start</b></font>", include
<li>If an error occurs when you try
to "<font color="#009900"><b>shorewall start</b></font>", include
a trace (See the <a
href="http://www.shorewall.net/troubleshoot.htm">Troubleshooting</a>
section for instructions).<br>
<br>
</li>
<li><b>The list server limits posts to 120kb so
don't post GIFs of your network layout,
etc. to the Mailing List -- your post will be rejected.</b></li>
<li><b>The list server limits posts to 120kb
so don't post GIFs of your network
layout, etc. to the Mailing List -- your post will be
rejected.</b></li>
</ul>
@ -260,25 +263,25 @@ your /etc/shorewall/interfaces file.<br>
<h2>When using the mailing list, please post in plain text</h2>
<blockquote> A growing number of MTAs serving list subscribers are rejecting
all HTML traffic. At least one MTA has gone so far as to blacklist
shorewall.net "for continuous abuse" because it has been my policy
to allow HTML in list posts!!<br>
<blockquote> A growing number of MTAs serving list subscribers are
rejecting all HTML traffic. At least one MTA has gone so far as to
blacklist shorewall.net "for continuous abuse" because it has been
my policy to allow HTML in list posts!!<br>
<br>
I think that blocking all
HTML is a Draconian way to control spam and that the
ultimate losers here are not the spammers but the list subscribers
HTML is a Draconian way to control spam and that the ultimate
losers here are not the spammers but the list subscribers
whose MTAs are bouncing all shorewall.net mail. As one list
subscriber wrote to me privately "These e-mail admin's need
to get a <i>(expletive deleted)</i> life instead of trying to rid
the planet of HTML based e-mail". Nevertheless, to allow subscribers
to receive list posts as must as possible, I have now configured
the list server at shorewall.net to strip all HTML from outgoing
posts.<br>
to get a <i>(expletive deleted)</i> life instead of trying to
rid the planet of HTML based e-mail". Nevertheless, to allow
subscribers to receive list posts as must as possible, I have now
configured the list server at shorewall.net to strip all HTML from
outgoing posts.<br>
<br>
<big><font color="#cc0000"><b>If you run your own outgoing mail server
and it doesn't have a valid DNS PTR record, your email won't reach the lists
unless/until the postmaster notices that your posts are being rejected.
and it doesn't have a valid DNS PTR record, your email won't reach the
lists unless/until the postmaster notices that your posts are being rejected.
To avoid this problem, you should configure your MTA to forward posts to
shorewall.net through an MTA that <u>does</u> have a valid PTR record (such
as the one at your ISP). </b></font></big><br>
@ -317,6 +320,7 @@ as the one at your ISP). </b></font></big><br>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
</body>
</html>

237
Shorewall-docs/three-interface.htm
View File

@ -16,10 +16,11 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber5" bgcolor="#400169" height="90">
id="AutoNumber5" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td>
</tr>
@ -43,7 +44,7 @@
<li>Single public IP address.</li>
<li>DMZ connected to a separate ethernet interface.</li>
<li>Connection through DSL, Cable Modem, ISDN, Frame
Relay, dial-up, ...</li>
Relay, dial-up, ...</li>
</ul>
@ -56,16 +57,16 @@ Relay, dial-up, ...</li>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
program on your firewall system. As root, you can use the 'which' command
to check for this program:</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>I recommend that you first read through the guide to familiarize yourself
with what's involved then go back through it again making your
configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0"
src="images/BD21298_.gif" width="13" height="13">
with what's involved then go back through it again making your configuration
changes. Points at which configuration changes are recommended
are flagged with <img border="0" src="images/BD21298_.gif"
width="13" height="13">
. Configuration notes that are unique to LEAF/Bering are marked with <img
src="images/leaflogo.gif" alt="(LEAF Logo)" width="49" height="36">
</p>
@ -75,16 +76,16 @@ configuration changes. Points at which configuration changes are
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying to
use them. Similarly, if you copy a configuration file from your Windows
hard drive to a floppy disk, you must run dos2unix against the copy
before using it with Shorewall.</p>
hard drive to a floppy disk, you must run dos2unix against the copy before
using it with Shorewall.</p>
<ul>
<li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
@ -94,8 +95,8 @@ of dos2unix</a></li>
alt="">
    The configuration files for Shorewall are contained in the
directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have
<a href="Install.htm">installed Shorewall</a>, <b>download the <a
deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tar it (tar -zxvf three-interfaces.tgz) and and copy
the files to /etc/shorewall (the files will replace files with the
@ -152,8 +153,8 @@ in the <a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<
<p>For each connection request entering the firewall, the request is first
checked against the /etc/shorewall/rules file. If no rule in that
file matches the connection request then the first policy in /etc/shorewall/policy
that matches the request is applied. If that policy is REJECT
or DROP  the request is first checked against the rules in /etc/shorewall/common
that matches the request is applied. If that policy is REJECT or
DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the three-interface sample
@ -228,10 +229,11 @@ or DROP
<ol>
<li>allow all connection requests from your local network
to the internet</li>
<li>drop (ignore) all connection requests from the internet
to your firewall or local network</li>
<li>optionally accept all connection requests from the
firewall to the internet (if you uncomment the additional policy)</li>
<li>drop (ignore) all connection requests from the
internet to your firewall or local network</li>
<li>optionally accept all connection requests from
the firewall to the internet (if you uncomment the additional
policy)</li>
<li>reject all other connection requests.</li>
</ol>
@ -248,8 +250,8 @@ or DROP
<p align="left">The firewall has three network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External
Interface</i> will be the ethernet adapter that is connected to
that "Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
Interface</i> will be the ethernet adapter that is connected to that
"Modem" (e.g., <b>eth0</b>)  <u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint
<u>P</u>rotocol over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
Interface will be a ppp interface (e.g., <b>ppp0</b>). If you connect
@ -265,13 +267,13 @@ that "Modem" (e.g., <b>eth0</b>)
<p align="left">Your <i>Local Interface</i> will be an ethernet adapter (eth0,
eth1 or eth2) and will be connected to a hub or switch. Your local
computers will be connected to the same switch (note: If you have
only a single local system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
only a single local system, you can connect the firewall directly to
the computer using a <i>cross-over </i> cable).</p>
<p align="left">Your <i>DMZ Interface</i> will also be an ethernet adapter
(eth0, eth1 or eth2) and will be connected to a hub or switch.
Your DMZ computers will be connected to the same switch (note: If
you have only a single DMZ system, you can connect the firewall directly
(eth0, eth1 or eth2) and will be connected to a hub or switch. Your
DMZ computers will be connected to the same switch (note: If you
have only a single DMZ system, you can connect the firewall directly
to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
@ -307,18 +309,18 @@ list of options that are specified for the interfaces. Some hints:</p>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign
you a single <i> Public</i> IP address. This address may be assigned
via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
of establishing your connection when you dial in (standard modem) or
establish your PPP connection. In rare cases, your ISP may assign you
a<i> static</i> IP address; that means that you configure your firewall's
external interface to use that address permanently.<i> </i>Regardless
of how the address is assigned, it will be shared by all of your systems
when you access the Internet. You will have to assign your own addresses
for your internal network (the local and DMZ Interfaces on your firewall
plus your other computers). RFC 1918 reserves several <i>Private </i>IP
address ranges for this purpose:</p>
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you
a single <i> Public</i> IP address. This address may be assigned via
the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part of
establishing your connection when you dial in (standard modem) or establish
your PPP connection. In rare cases, your ISP may assign you a<i> static</i>
IP address; that means that you configure your firewall's external interface
to use that address permanently.<i> </i>Regardless of how the address
is assigned, it will be shared by all of your systems when you access
the Internet. You will have to assign your own addresses for your internal
network (the local and DMZ Interfaces on your firewall plus your other
computers). RFC 1918 reserves several <i>Private </i>IP address ranges
for this purpose:</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -328,16 +330,16 @@ address ranges for this purpose:</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    Before starting Shorewall, you should look at the
IP address of your external interface and if it is one of the
above ranges, you should remove the 'norfc1918' option from the
external interface's entry in /etc/shorewall/interfaces.</p>
IP address of your external interface and if it is one of the above
ranges, you should remove the 'norfc1918' option from the external
interface's entry in /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<p align="left">You will want to assign your local addresses from one <i>
sub-network </i>or <i>subnet</i> and your DMZ addresses from another
subnet. For our purposes, we can consider a subnet to consists
of a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have
subnet. For our purposes, we can consider a subnet to consists of
a range of addresses x.y.z.0 - x.y.z.255. Such a subnet will have
a <i>Subnet Mask </i>of 255.255.255.0. The address x.y.z.0 is reserved
as the <i>Subnet Address</i> and x.y.z.255 is reserved as the <i>Subnet
Broadcast</i> <i>Address</i>. In Shorewall, a subnet is described using <a
@ -394,19 +396,19 @@ from the left of the subnet mask. </p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
    Your local computers (Local Computers 1 &amp; 2)
should be configured with their<i> default gateway</i> set to
the IP address of the firewall's internal interface and your DMZ
computers ( DMZ Computers 1 &amp; 2) should be configured with their
default gateway set to the IP address of the firewall's DMZ interface.  
</p>
    Your local computers (Local Computers 1 &amp;
2) should be configured with their<i> default gateway</i> set
to the IP address of the firewall's internal interface and your
DMZ computers ( DMZ Computers 1 &amp; 2) should be configured with
their default gateway set to the IP address of the firewall's DMZ
interface.   </p>
</div>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning
more about IP addressing and routing, I highly recommend <i>"IP
Fundamentals: What Everyone Needs to Know about Addressing &amp;
Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
more about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i>
Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
@ -422,33 +424,33 @@ Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13" alt="">
    <font color="#ff0000"><b>WARNING: </b></font><b>Your ISP  might
assign your external interface an RFC 1918 address. If that address is
in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
1918 subnet for your local network and if it is in the 10.10.11.0/24 subnet
then you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
assign your external interface an RFC 1918 address. If that address is
in the 10.10.10.0/24 subnet then you will need to select a DIFFERENT RFC
1918 subnet for your local network and if it is in the 10.10.11.0/24 subnet
then you will need to select a different RFC 1918 subnet for your DMZ.</b><br>
</p>
<p align="left">IP Masquerading (SNAT)</p>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred
to as <i>non-routable</i> because the Internet backbone routers
don't forward packets which have an RFC-1918 destination address.
When one of your local systems (let's assume local computer 1) sends
a connection request to an internet host, the firewall must perform
<i>Network Address Translation </i>(NAT). The firewall rewrites the
source address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it look as if the firewall
itself is initiating the connection.  This is necessary so that the
destination host will be able to route return packets back to the firewall
(remember that packets whose destination address is reserved by RFC
1918 can't be routed accross the internet). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to local computer 1. </p>
to as <i>non-routable</i> because the Internet backbone routers don't
forward packets which have an RFC-1918 destination address. When
one of your local systems (let's assume local computer 1) sends a
connection request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed accross the internet). When the firewall receives a return
packet, it rewrites the destination address back to 10.10.10.1 and forwards
the packet on to local computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> and you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> and you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<ul>
<li>
@ -470,14 +472,14 @@ with Netfilter:</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>,
your local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
your local interface <b>eth1 </b>and your DMZ interface is <b>eth2</b>
then you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change it to match your configuration.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    If your external IP is static, you can enter it in
the third column in the /etc/shorewall/masq entry if you like although
the third column in the /etc/shorewall/masq entry if you like although
your firewall will work fine if you leave that column empty. Entering
your static IP in column 3 makes <br>
processing outgoing packets a little more efficient.<br>
@ -500,13 +502,13 @@ the third column in the /etc/shorewall/masq entry if you like although
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals will be to run one or more servers on your
DMZ computers. Because these computers have RFC-1918 addresses,
it is not possible for clients on the internet to connect directly
to them. It is rather necessary for those clients to address their
connection requests to your firewall who rewrites the destination
address to the address of your server and forwards the packet to that
server. When your server responds, the firewall automatically performs
SNAT to rewrite the source address in the response.</p>
DMZ computers. Because these computers have RFC-1918 addresses, it
is not possible for clients on the internet to connect directly to
them. It is rather necessary for those clients to address their connection
requests to your firewall who rewrites the destination address to
the address of your server and forwards the packet to that server.
When your server responds, the firewall automatically performs SNAT
to rewrite the source address in the response.</p>
<p align="left">The above process is called<i> Port Forwarding</i> or <i>
Destination Network Address Translation</i> (DNAT). You configure
@ -543,8 +545,8 @@ SNAT to rewrite the source address in the response.</p>
</table>
</blockquote>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to
be the same as <i>&lt;port&gt;</i>.</p>
<p>If you don't specify the <i>&lt;server port&gt;</i>, it is assumed to be
the same as <i>&lt;port&gt;</i>.</p>
<p>Example - you run a Web Server on DMZ 2 and you want to forward incoming
TCP port 80 to that system:</p>
@ -589,12 +591,12 @@ be the same as <i>&lt;port&gt;</i>.</p>
<ul>
<li>When you are connecting to your server from your
local systems, you must use the server's internal IP address (10.10.11.2).</li>
local systems, you must use the server's internal IP address (10.10.11.2).</li>
<li>Many ISPs block incoming connection requests to
port 80. If you have problems connecting to your web server, try
the following rule and try connecting to port 5000 (e.g., connect
to <a href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> where w.x.y.z
is your external IP).</li>
is your external IP).</li>
</ul>
@ -698,38 +700,38 @@ is your external IP).</li>
</blockquote>
<p>If you want to access your server from the DMZ using your external IP
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
address, see <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
    At this point, add the DNAT and ACCEPT rules for your
servers. </p>
    At this point, add the DNAT and ACCEPT rules for
your servers. </p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS)
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you
the IP address of a pair of DNS <i> name servers</i> for you to manually
configure as your primary and secondary name servers. It is <u>your</u>
responsibility to configure the resolver in your internal systems.
You can take one of two approaches:</p>
an IP address your firewall's <i>Domain Name Service </i>(DNS) resolver
will be automatically configured (e.g., the /etc/resolv.conf file
will be written). Alternatively, your ISP may have given you the IP
address of a pair of DNS <i> name servers</i> for you to manually configure
as your primary and secondary name servers. It is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take
one of two approaches:</p>
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's
name servers. If you ISP gave you the addresses of their servers
or if those addresses are available on their web site, you can
configure your internal systems to use those addresses. If that
information isn't available, look in /etc/resolv.conf on your firewall
system -- the name servers are given in "nameserver" records in that
file. </p>
or if those addresses are available on their web site, you can configure
your internal systems to use those addresses. If that information
isn't available, look in /etc/resolv.conf on your firewall system
-- the name servers are given in "nameserver" records in that file.
</p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
    You can configure a<i> Caching Name Server </i>on your
firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
    You can configure a<i> Caching Name Server </i>on
your firewall or in your DMZ.<i> </i>Red Hat has an RPM for a caching
name server (which also requires the 'bind' RPM) and for Bering
users, there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the caching name server as their primary
@ -1136,7 +1138,7 @@ you want shell access to your firewall from the internet, use SSH:</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    Now modify /etc/shorewall/rules to add or remove
other connections as required.</p>
other connections as required.</p>
</div>
<div align="left">
@ -1149,8 +1151,8 @@ other connections as required.</p>
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once you
have completed configuration of your firewall, you can enable Shorewall
won't try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
@ -1166,25 +1168,25 @@ other connections as required.</p>
routing is enabled on those hosts that have an entry in <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
running firewall may be restarted using the "shorewall restart"
command. If you want to totally remove any trace of Shorewall
from your Netfilter configuration, use "shorewall clear".</p>
command. If you want to totally remove any trace of Shorewall from
your Netfilter configuration, use "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
    The three-interface sample assumes that you want to
enable routing to/from <b>eth1 (</b>your local network) and<b> eth2
</b>(DMZ) when Shorewall is stopped. If these two interfaces don't
connect to your local network and DMZ or if you want to enable a
different set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
enable routing to/from <b>eth1 (</b>your local network) and<b>
eth2 </b>(DMZ) when Shorewall is stopped. If these two interfaces
don't connect to your local network and DMZ or if you want to enable
a different set of hosts, modify /etc/shorewall/routestopped accordingly.</p>
</div>
<div align="left">
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
the internet, do not issue a "shorewall stop" command unless
you have added an entry for the IP address that you are connected
from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
the internet, do not issue a "shorewall stop" command unless you
have added an entry for the IP address that you are connected from
to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
@ -1196,6 +1198,7 @@ create an <i><a href="configuration_file_basics.htm#Configs">alternate
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a><br>
</p>
</p>
<br>
</body>
</html>

319
Shorewall-docs/three-interface_fr.html
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber5" bgcolor="#400169" height="90">
id="AutoNumber5" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -42,21 +42,21 @@ ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
Tom EASTEP pour son formidable outil et sa disponibilité).</i></small></p>
<p align="left"><br>
Mettre en place un système linux en tant que firewall pour un petit réseau
contenant une DMZ est une chose assez simple à réaliser si vous comprenez
les bases et suivez cette documentation.</p>
Mettre en place un système linux en tant que firewall pour un petit
réseau contenant une DMZ est une chose assez simple à réaliser si vous
comprenez les bases et suivez cette documentation.</p>
<p>Ce guide ne prétend pas vous mettre au courant de toutes les possibilités
de Shorewall. Il se focalise sur les besoins pour configurer Shorewall dans
une de ses utilisations les plus populaire :</p>
de Shorewall. Il se focalise sur les besoins pour configurer Shorewall
dans une de ses utilisations les plus populaire :</p>
<ul>
<li>Un système Linux utilisé en tant que firewall/routeur pour un petit
réseau local.</li>
<li>Un système Linux utilisé en tant que firewall/routeur pour un
petit réseau local.</li>
<li>Une seule adresse IP publique.</li>
<li>Une DMZ connectée sur une interface Ethernet séparée.</li>
<li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame Relay,
RTC, ...</li>
<li>Une connexion passant par l'ADSL, un Modem Câble, ISDN, Frame
Relay, RTC, ...</li>
</ul>
@ -66,17 +66,17 @@ Tom EASTEP pour son formidable outil et sa disponibilit
height="635">
</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé. Vous
pouvez voir si le paquet est installé en vérifiant la présence du programme
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en effectuant
le changements dans votre configuration. Les points où, les changements dans
la configuration sont recommandées, sont signalés par une <img
vous familiariser avec ce qu'il va se passer, et de revenir au début en
effectuant le changements dans votre configuration. Les points où, les changements
dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13">
</p>
@ -92,7 +92,7 @@ sur la copie avant de l'utiliser avec Shorewall.</p>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
Version of dos2unix</a></li>
</ul>
@ -107,8 +107,8 @@ Version of dos2unix</a></li>
d'exemple <a href="http://www1.shorewall.net/pub/shorewall/Samples/">three-interface
sample</a>, un-tarez la (tar -zxvf three-interfaces.tgz) </b><b>et copiez
les fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même
nom déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
nom déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>En même temps que chacun des fichiers est présenté, je vous suggère de
jeter un oeil à ceux qui se trouvent réellement sur votre système -- chacun
@ -144,8 +144,8 @@ Shorewall)</b>.</p>
<p>Les noms de zone sont définis dans <a href="Documentation.htm#Zones">/etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone -
par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
@ -154,18 +154,18 @@ par d
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
ce fichier).</p>
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
cette politique est REJECT ou DROP la requête est alors comparée par rapport
aux règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
fournit ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive three-interface
sample a les politiques suivantes :</p>
@ -265,13 +265,13 @@ l'Internet</li>
<p align="left">Le firewall a trois interfaces de réseau. Lorsque la connexion
Internet passe par le câble ou par un ROUTEUR (pas un simple modem) ADSL
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
(non USB), l'interface vers l'extérieur (External Interface) sera l'adaptateur
sur lequel est connecté le routeur (e.g., eth0) à moins que vous ne vous
connectiez par Point-to-PointProtocol overEthernet (PPPoE) ou par Point-to-PointTunneling
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface de
type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
votre interface extérieure sera aussi ppp0. Si votre connexion passe par Numéris
(ISDN), votre interface extérieure sera ippp0<b>.</b></p>
Protocol (PPTP), dans ce cas l'interface extérieure sera une interface
de type ppp (e.g., ppp0). Si vous vous connectez par un simple modem (RTC),
votre interface extérieure sera aussi ppp0. Si votre connexion passe par
Numéris (ISDN), votre interface extérieure sera ippp0<b>.</b></p>
<p align="left"><img border="0" src="images/BD21298_1.gif" width="13"
height="13">
@ -279,31 +279,31 @@ votre interface ext
CLAMPMSS=yes dans <a href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Votre <i>Interface locale</i> sera un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
locaux seront connectés à ce même switch (note : si vous n'avez qu'un seul
ordinateur en local, vous pouvez le connecter directement au firewall par
un <i>câble croisé</i>).</p>
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos
ordinateurs locaux seront connectés à ce même switch (note : si vous n'avez
qu'un seul ordinateur en local, vous pouvez le connecter directement au
firewall par un <i>câble croisé</i>).</p>
<p align="left">Votre <i>interface DMZ</i> sera aussi un adaptateur Ethernet
(eth0, eth1 ou eth2) et sera connecté à un hub ou un switch. Vos ordinateurs
appartenant à la DMZ seront connectés à ce même switch (note : si vous n'avez
qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement au
firewall par un <i>câble croisé</i>).</p>
appartenant à la DMZ seront connectés à ce même switch (note : si vous
n'avez qu'un seul ordinateur dans la DMZ, vous pouvez le connecter directement
au firewall par un <i>câble croisé</i>).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u> Ne connectez pas l'interface interne et externe sur le même hub
ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez pas que
ce soit shorewall qui ne marche pas.</p>
</b></u> Ne connectez pas l'interface interne et externe sur le même
hub ou switch (même pour tester). Cela ne fonctionnera pas et ne croyez
pas que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour trois interfaces suppose
que l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1 </b>
et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diffère,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Tant que vous y êtes, vous pourriez parcourir la liste des options qui sont
spécifiées pour les interfaces. Quelques trucs :</p>
que l'interface externe est <b>eth0, </b>l'interface locale est <b>eth1
</b> et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration
diffère, vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces
en conséquence. Tant que vous y êtes, vous pourriez parcourir la liste des
options qui sont spécifiées pour les interfaces. Quelques trucs :</p>
<ul>
<li>
@ -311,9 +311,9 @@ et que la DMZ est sur l'interface <b>eth2</b>. Si votre configuration diff
remplacer le "detect" dans la seconde colonne par un "-". </p>
</li>
<li>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien si
vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la liste
d'option. </p>
<p align="left">Si votre interface externe est ppp0 ou ippp0 ou bien
si vous avez une adresse IP statique, vous pouvez enlever le "dhcp" de la
liste d'option. </p>
</li>
</ul>
@ -324,15 +324,16 @@ d'option. </p>
sujet du Protocole d'adresse Internet (IP). Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single Public IP address).
Cette adresse peut être assignée par le Dynamic Host Configuration Protocol
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous connectez
(modem standard) ou établissez votre connexion PPP. Dans de rares cas , votre
provider peu vous assigner une adresse statique (staticIP address); cela
signifie que vous configurez votre interface externe sur votre firewall afin
d'utiliser cette adresse de manière permanente. Une fois votre adresse externe
assignée, elle va être partagée par tout vos systèmes lors de l'accès à Internet.
Vous devrez assigner vos propres adresses à votre réseau local (votre interface
interne sur le firewall ainsi que les autres ordinateurs). La RFC 1918
réserve plusieurs plages d'IP (Private IP address ranges) à cette fin :</p>
(DHCP) ou lors de l'établissement de votre connexion lorsque vous vous
connectez (modem standard) ou établissez votre connexion PPP. Dans de rares
cas , votre provider peu vous assigner une adresse statique (staticIP address);
cela signifie que vous configurez votre interface externe sur votre firewall
afin d'utiliser cette adresse de manière permanente. Une fois votre adresse
externe assignée, elle va être partagée par tout vos systèmes lors de l'accès
à Internet. Vous devrez assigner vos propres adresses à votre réseau local
(votre interface interne sur le firewall ainsi que les autres ordinateurs).
La RFC 1918 réserve plusieurs plages d'IP (Private IP address ranges) à
cette fin :</p>
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
@ -341,9 +342,9 @@ r
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre
interface externe et si elle est comprise dans une des plages précédentes,
vous devriez enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
@ -351,14 +352,15 @@ r
(<i>sub-network </i>ou <i>subnet)</i> et les adresse pour la DMZ à un autre
sous-réseau. Pour ce faire, nous pouvons considérer qu'un sous-réseau consiste
en une plage d'adresse x.y.z.0 à x.y.z.255. Chacun des sous-réseaux possèdera
une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0 est
réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i> et x.y.z.255
est réservée en tant qu'adresse de broadcast du sous-réseau (<i>Subnet Broadcast</i>
<i>Address)</i>. Sous Shorewall, un sous-réseau est décrit/désigné en utilisant
la notation <a href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain
Routing</i>(CIDR)</a> qui consiste en l'adresse du sous-réseau suivie par
"/24". Le "24" se réfère au nombre de bits "1" consécutifs dans la partie
gauche du masque de sous-réseau. </p>
une masque (<i>Subnet Mask)</i> de 255.255.255.0. L'adresse x.y.z.0
est réservée comme l'adresse du sous-réseau (<i>Subnet Address)</i>
et x.y.z.255 est réservée en tant qu'adresse de broadcast du sous-réseau
(<i>Subnet Broadcast</i> <i>Address)</i>. Sous Shorewall, un sous-réseau
est décrit/désigné en utilisant la notation <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing</i>(CIDR)</a>
qui consiste en l'adresse du sous-réseau suivie par "/24". Le "24" se réfère
au nombre de bits "1" consécutifs dans la partie gauche du masque de sous-réseau.
</p>
</div>
<div align="left">
@ -393,17 +395,17 @@ r
</div>
<div align="left">
<p align="left">Il est de convention d'assigner à l'interface interne la première
adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple précédent)
ou la dernière utilisable (10.10.10.254).</p>
<p align="left">Il est de convention d'assigner à l'interface interne la
première adresse utilisable dans le sous-réseau (10.10.10.1 dans l'exemple
précédent) ou la dernière utilisable (10.10.10.254).</p>
</div>
<div align="left">
<p align="left">L'un des buts d'un sous-réseau est de permettre à tous les
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs ils
peuvent communiquer directement. Pour communiquer avec des systèmes en dehors
du sous-réseau, les ordinateurs envoient des paquets à travers le gateway
(routeur).</p>
ordinateurs dans le sous-réseau de savoir avec quels autres ordinateurs
ils peuvent communiquer directement. Pour communiquer avec des systèmes
en dehors du sous-réseau, les ordinateurs envoient des paquets à travers
le gateway (routeur).</p>
</div>
<div align="left">
@ -413,13 +415,13 @@ adresse utilisable dans le sous-r
avec leur passerelle par défaut (<i>default gateway)</i>pointant sur l'adresse
IP de l'interface interne du firewall, et les ordinateurs de la DMZ devraient
être configurés avec leur passerelle par défaut (<i>default gateway)</i>
pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
pointant sur l'adresse IP de l'interface DMZ du firewall. </p>
</div>
<p align="left">Cette courte description ne fait que survoler les concepts
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur l'adressage
IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
de routage et de sous-réseau. Si vous vous voulez en apprendre plus sur
l'adressage IP et le routage, je vous recommande chaudement <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">Pour rappel, ce guide supposera que vous avez configuré votre
@ -430,8 +432,8 @@ What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
</p>
<p align="left">La passerelle par défaut (default gateway) pour les ordinateurs
de la DMZ sera 10.10.11.254 et le passerelle par défaut pour les ordinateurs
en local sera 10.10.10.254.</p>
de la DMZ sera 10.10.11.254 et le passerelle par défaut pour les
ordinateurs en local sera 10.10.10.254.</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
@ -439,21 +441,22 @@ What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas
comme non-routables car les routeurs Internet (backbone) ne font pas circuler
les paquets qui ont une adresse de destination appartenant à la RFC-1918.
Lorsqu'un de vos systèmes en local (supposons l'ordinateur1) demande une
connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network
Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
mots, le firewall fait croire que c'est lui même qui initie la connexion.
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
de destination, une adresse réservée par la RFC 1918 ne pourront pas être
routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
connexion à un serveur par Internet, le firewall doit appliquer un NAT (Network
Address Translation). Le firewall ré écrit l'adresse source dans le paquet,
et l'a remplace par l'adresse de l'interface externe du firewall; en d'autres
mots, le firewall fait croire que c'est lui même qui initie la connexion.
Ceci est nécessaire afin que l'hôte de destination soit capable de renvoyer
les paquets au firewall (souvenez vous que les paquets qui ont pour adresse
de destination, une adresse réservée par la RFC 1918 ne pourront pas être
routés à travers Internet, donc l'hôte Internet ne pourra adresser sa réponse
à l'ordinateur 1). Lorsque le firewall reçoit le paquet de réponse, il remet
l'adresse de destination à 10.10.10.1 et fait passer le paquet vers l'ordinateur
1. </p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de l'IP
Masquerading mais vous verrez aussi le terme de Source Network Address Translation
(SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter :</p>
<p align="left">Sur les systèmes Linux, ce procédé est souvent appelé de
l'IP Masquerading mais vous verrez aussi le terme de Source Network Address
Translation (SNAT) utilisé. Shorewall suit la convention utilisée avec Netfilter
:</p>
<ul>
<li>
@ -481,9 +484,9 @@ Masquerading mais vous verrez aussi le terme de Source Network Address Translati
height="13">
Si votre IP externe est statique, vous pouvez la mettre dans la troisième
colonne dans /etc/shorewall/masq si vous le désirez, de toutes façons votre
firewall fonctionnera bien si vous laissez cette colonne vide. Le fait de
mettre votre IP statique dans la troisième colonne permet un traitement des
paquets sortant un peu plus efficace.<br>
firewall fonctionnera bien si vous laissez cette colonne vide. Le fait
de mettre votre IP statique dans la troisième colonne permet un traitement
des paquets sortant un peu plus efficace.<br>
</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
@ -506,10 +509,10 @@ Masquerading mais vous verrez aussi le terme de Source Network Address Translati
serveurs sur nos ordinateurs dans la DMZ. que ces ordinateurs on une adresse
RFC-1918, il n'est pas possible pour les clients sur Internet de se connecter
directement à eux. Il est nécessaire à ces clients d'adresser leurs demandes
de connexion au firewall qui ré écrit l'adresse de destination de votre serveur,
et fait passer le paquet à celui-ci. Lorsque votre serveur répond, le firewall
applique automatiquement un SNAT pour ré écrire l'adresse source dans la
réponse.</p>
de connexion au firewall qui ré écrit l'adresse de destination de votre
serveur, et fait passer le paquet à celui-ci. Lorsque votre serveur répond,
le firewall applique automatiquement un SNAT pour ré écrire l'adresse source
dans la réponse.</p>
<p align="left">Ce procédé est appelé Port Forwarding ou Destination Network
Address Translation(DNAT). Vous configurez le port forwarding en utilisant
@ -535,7 +538,7 @@ r
<td>DNAT</td>
<td>net</td>
<td>dmz:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server
port&gt;</i>]</td>
port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> <br>
@ -594,14 +597,14 @@ port&gt;</i>]</td>
<p>Deux points importants à garder en mémoire :</p>
<ul>
<li>Lorsque vous vous connectez à votre serveur à partir de votre réseau
local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
<li>Lorsque vous vous connectez à votre serveur à partir de votre
réseau local, vous devez utiliser l'adresse IP interne du serveur (10.10.11.2).</li>
<li>Quelques fournisseurs Internet (Provider/ISP) bloquent les requêtes
de connexion entrantes sur le port 80. Si vous avez des problèmes pour vous
connecter à votre serveur web, essayez la règle suivante et connectez vous
sur le port 5000 (c.a.d., connectez vous à <a
de connexion entrantes sur le port 80. Si vous avez des problèmes pour
vous connecter à votre serveur web, essayez la règle suivante et connectez
vous sur le port 5000 (c.a.d., connectez vous à <a
href="http://w.x.y.z:5000"> http://w.x.y.z:5000</a> où w.x.y.z est votre
IP externe).</li>
IP externe).</li>
</ul>
@ -634,10 +637,10 @@ IP externe).</li>
</table>
</blockquote>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur depuis
le réseau local en utilisant votre adresse externe, et si vous avez une adresse
IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz précédente
par :</p>
<p>Si vous voulez avoir la possibilité de vous connecter à votre serveur
depuis le réseau local en utilisant votre adresse externe, et si vous avez
une adresse IP externe statique (fixe), vous pouvez remplacer la règle loc-&gt;dmz
précédente par :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -667,9 +670,9 @@ par :</p>
</blockquote>
<p>Si vous avez une IP dynamique, alors vous devez vous assurer que votre
interface externe est en route avant de lancer Shorewall et vous devez suivre
les étapes suivantes (en supposant que votre interface externe est <b>eth0</b>)
:</p>
interface externe est en route avant de lancer Shorewall et vous devez
suivre les étapes suivantes (en supposant que votre interface externe est
<b>eth0</b>) :</p>
<ol>
<li>Insérez ce qui suit dans /etc/shorewall/params :<br>
@ -708,8 +711,8 @@ par :</p>
</table>
</blockquote>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre adresse
IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p>Si vous voulez accéder à votre serveur dans la DMZ en utilisant votre
adresse IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p><img border="0" src="images/BD21298_2.gif" width="13" height="13">
A ce point, ajoutez les règles DNAT et ACCEPT pour vos serveurs..</p>
@ -718,38 +721,38 @@ IP externe, regardez <a href="FAQ.htm#faq2a">FAQ 2a</a>.</p>
<p align="left">Normalement, quand vous vous connectez à votre fournisseur
(ISP), une partie consiste à obtenir votre adresse IP, votre DNS pour le
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le fichier
/etc/resolv.conf a été écrit). Il arrive que votre provider vous donne une
paire d'adresse IP pour les DNS (name servers) afin que vous configuriez manuellement
votre serveur de nom primaire et secondaire. La manière dont le DNS est configuré
sur votre firewall est de votre responsabilité. Vous pouvez procéder d'une
de ses deux façons :</p>
firewall (Domain Name Service) est configuré automatiquement (c.a.d., le
fichier /etc/resolv.conf a été écrit). Il arrive que votre provider vous
donne une paire d'adresse IP pour les DNS (name servers) afin que vous configuriez
manuellement votre serveur de nom primaire et secondaire. La manière dont
le DNS est configuré sur votre firewall est de votre responsabilité. Vous
pouvez procéder d'une de ses deux façons :</p>
<ul>
<li>
<p align="left">Vous pouvez configurer votre système interne pour utiliser
les noms de serveurs de votre provider. Si votre fournisseur vous donne les
adresses de leurs serveurs ou si ces adresses sont disponibles sur leur site
web, vous pouvez configurer votre système interne afin de les utiliser. Si
cette information n'est pas disponible, regardez dans /etc/resolv.conf sur
votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
les noms de serveurs de votre provider. Si votre fournisseur vous donne
les adresses de leurs serveurs ou si ces adresses sont disponibles sur leur
site web, vous pouvez configurer votre système interne afin de les utiliser.
Si cette information n'est pas disponible, regardez dans /etc/resolv.conf
sur votre firewall -- les noms des serveurs sont donnés dans l'enregistrement
"nameserver" dans ce fichier. </p>
</li>
<li>
<p align="left"><img border="0" src="images/BD21298_2.gif"
width="13" height="13">
Vous pouvez installer/configurer un cache dns (Caching Name Server) sur
votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre en cache
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez
votre système interne pour utiliser le firewall lui même comme étant le seul
serveur de nom primaire. Vous pouvez utiliser l'adresse IP interne du firewall
(10.10.10.254 dans l'exemple) pour l'adresse de serveur de nom si vous décidez
de faire tourner le serveur de nom sur votre firewall. Pour permettre à
vos systèmes locaux de discuter avec votre serveur cache de nom, vous devez
ouvrir le port 53 (UDP ET  TCP) sur le firewall vers le réseau local; vous
ferez ceci en ajoutant les règles suivantes dans /etc/shorewall/rules.
</p>
Vous pouvez installer/configurer un cache dns (Caching Name Server)
sur votre firewall ou dans la DMZ.<i> </i>Red Hat a un RPM pour mettre
en cache un serveur de nom (le RPM requis aussi le RPM 'bind') et pour
les utilisateurs de Bering, il y a dnscache.lrp. Si vous adoptez cette
approche, vous configurez votre système interne pour utiliser le firewall
lui même comme étant le seul serveur de nom primaire. Vous pouvez utiliser
l'adresse IP interne du firewall (10.10.10.254 dans l'exemple) pour l'adresse
de serveur de nom si vous décidez de faire tourner le serveur de nom sur
votre firewall. Pour permettre à vos systèmes locaux de discuter avec votre
serveur cache de nom, vous devez ouvrir le port 53 (UDP ET  TCP) sur le
firewall vers le réseau local; vous ferez ceci en ajoutant les règles suivantes
dans /etc/shorewall/rules. </p>
</li>
</ul>
@ -1088,8 +1091,8 @@ ferez ceci en ajoutant les r
<div align="left">
<p align="left">Important: Je ne vous recommande pas d'autoriser le telnet
depuis ou vers l'Internet car il utilise du texte en clair (même pour le
login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
firewall depuis Internet, utilisez SSH :</p>
login et le mot de passe !). Si vous voulez avoir un accès au shell de votre
firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
@ -1126,8 +1129,8 @@ firewall depuis Internet, utilisez SSH :</p>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_2.gif" width="13"
height="13">
Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
Et maintenant, éditez /etc/shorewall/rules pour rajouter les autres
connexions désirées.</p>
</div>
<div align="left">
@ -1138,11 +1141,11 @@ firewall depuis Internet, utilisez SSH :</p>
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation</a> configure votre
système pour lancer Shorewall au boot du système, mais au début avec la version
1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en avez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
système pour lancer Shorewall au boot du système, mais au début avec la
version 1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de
lancer Shorewall avec que la configuration soit finie. Une fois que vous
en avez fini avec la configuration du firewall, vous pouvez permettre le
lancement de Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left">IMPORTANT: Les utilisateurs des paquets .deb doivent éditer
@ -1152,8 +1155,8 @@ syst
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé, le
routage est autorisé sur les hôtes qui possèdent une entrée dans <a
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre configuration
@ -1167,15 +1170,14 @@ syst
routage depuis/vers <b>eth1 </b>(votre réseau local) et<b> eth2</b>(DMZ)
lorsque Shorewall est arrêté. Si ces deux interfaces ne sont pas
connectées à votre réseau local et votre DMZ, ou si vous voulez permettre
un ensemble d'hôtes différents, modifiez /etc/shorewall/routestopped en
conséquence.</p>
un ensemble d'hôtes différents, modifiez /etc/shorewall/routestopped en conséquence.</p>
</div>
<div align="left">
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis Internet,
n'essayez pas une commande "shorewall stop" tant que vous n'avez pas ajouté
une entrée pour votre adresse IP (celle à partir de laquelle vous êtes connectée)
dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
<p align="left">ATTENTION: Si vous êtes connecté à votre firewall depuis
Internet, n'essayez pas une commande "shorewall stop" tant que vous n'avez
pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle vous
êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration </a></i><i><a
@ -1189,6 +1191,7 @@ dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a><br>
</p>
</p>
<br>
</body>
</html>

80
Shorewall-docs/traffic_shaping.htm
View File

@ -16,12 +16,10 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
@ -45,9 +43,9 @@ to be running Linux Kernel 2.4.18 or later.</p>
the setting of this variable determines whether Shorewall clears the traffic
shaping configuration during Shorewall [re]start and Shorewall stop. <br>
</li>
<li><b>/etc/shorewall/tcrules</b> - A file where you can
specify firewall marking of packets. The firewall mark value may
be used to classify packets for traffic shaping/control.<br>
<li><b>/etc/shorewall/tcrules</b> - A file where you
can specify firewall marking of packets. The firewall mark value
may be used to classify packets for traffic shaping/control.<br>
</li>
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file
that is sourced by Shorewall during "shorewall start" and which
@ -55,28 +53,28 @@ to be running Linux Kernel 2.4.18 or later.</p>
I have provided a <a
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
table-driven CBQ shaping but if you read the traffic shaping sections
of the HOWTO mentioned above, you can probably code your own
faster than you can learn how to use my sample. I personally use
of the HOWTO mentioned above, you can probably code your own faster
than you can learn how to use my sample. I personally use
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
HTB support may eventually become an integral part of Shorewall
since HTB is a lot simpler and better-documented than CBQ. As of
2.4.20, HTB is a standard part of the kernel but iproute2 must be patched
in order to use it.<br>
since HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
HTB is a standard part of the kernel but iproute2 must be patched in
order to use it.<br>
<br>
In tcstart, when you want to run the 'tc' utility, use
the run_tc function supplied by shorewall if you want tc errors
In tcstart, when you want to run the 'tc' utility,
use the run_tc function supplied by shorewall if you want tc errors
to stop the firewall.<br>
<br>
You can generally use off-the-shelf traffic shaping scripts by
simply copying them to /etc/shorewall/tcstart. I use <a
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
modified it according to the Wonder Shaper README). <b>WARNING: </b>If
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart
and modified it according to the Wonder Shaper README). <b>WARNING: </b>If
you use use Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
script won't work. Traffic shaping occurs after SNAT has already been applied
so when traffic shaping happens, all outbound traffic will have as a source
address the IP addresss of your firewall's external interface.<br>
script won't work. Traffic shaping occurs after SNAT has already been
applied so when traffic shaping happens, all outbound traffic will have
as a source address the IP addresss of your firewall's external interface.<br>
</li>
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file
that is sourced by Shorewall when it is clearing traffic shaping.
@ -85,8 +83,8 @@ simply copying them to /etc/shorewall/tcstart. I use <a
</ul>
Shorewall allows you to start traffic shaping when Shorewall itself
starts or it allows you to bring up traffic shaping when you bring up
your interfaces.<br>
starts or it allows you to bring up traffic shaping when you bring up your
interfaces.<br>
<br>
To start traffic shaping when Shorewall starts:<br>
@ -94,8 +92,8 @@ your interfaces.<br>
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
<li>Supply an /etc/shorewall/tcstart script to configure your traffic
shaping rules.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
shaping. That is usually unnecessary.</li>
<li>Optionally supply an /etc/shorewall/tcclear script to stop
traffic shaping. That is usually unnecessary.</li>
<li>If your tcstart script uses the 'fwmark' classifier, you can
mark packets using entries in /etc/shorewall/tcrules.</li>
@ -131,10 +129,10 @@ not be covered here. You then should:<br>
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
any address rewriting takes place. This makes it impossible to mark inbound
packets based on their destination address when SNAT or Masquerading are
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option
in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
packets based on their destination address when SNAT or Masquerading
are being used. Beginning with Shorewall 1.3.12, you can cause packet
marking to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN
option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
</p>
<p align="left">Columns in the file are as follows:</p>
@ -142,18 +140,19 @@ not be covered here. You then should:<br>
<ul>
<li>MARK - Specifies the mark value is to be assigned
in case of a match. This is an integer in the range 1-255. Beginning
with Shorewall version 1.3.14, this value may be optionally followed by ":"
and either 'F' or 'P' to designate that the marking will occur in the FORWARD
or PREROUTING chains respectively. If this additional specification is omitted,
the chain used to mark packets will be determined by the setting of the
MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
with Shorewall version 1.3.14, this value may be optionally followed by
":" and either 'F' or 'P' to designate that the marking will occur in the
FORWARD or PREROUTING chains respectively. If this additional specification
is omitted, the chain used to mark packets will be determined by the setting
of the MARK_IN_FORWARD_CHAIN option in <a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
<br>
Example - 5<br>
</li>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place "fw" in this column. Otherwise, this is
a comma-separated list of interface names, IP addresses, MAC addresses
in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
<li>SOURCE - The source of the packet. If the packet
originates on the firewall, place "fw" in this column. Otherwise,
this is a comma-separated list of interface names, IP addresses, MAC
addresses in <a href="Documentation.htm#MAC">Shorewall Format</a> and/or
Subnets.<br>
<br>
Examples<br>
    eth0<br>
@ -166,9 +165,9 @@ list of IP addresses and/or subnets.<br>
from /etc/protocol, a number or "all"<br>
</li>
<li>PORT(S) - Destination Ports. A comma-separated list
of Port names (from /etc/services), port numbers or port ranges
(e.g., 21:22); if the protocol is "icmp", this column is interpreted
as the destination icmp type(s).<br>
of Port names (from /etc/services), port numbers or port ranges (e.g.,
21:22); if the protocol is "icmp", this column is interpreted as
the destination icmp type(s).<br>
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client.
If omitted, any source port is acceptable. Specified as a comma-separate
@ -178,8 +177,8 @@ as the destination icmp type(s).<br>
<p align="left">Example 1 - All packets arriving on eth1 should be marked
with 1. All packets arriving on eth2 and eth3 should be marked with
2. All packets originating on the firewall itself should be marked
with 3.</p>
2. All packets originating on the firewall itself should be marked with
3.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
@ -337,5 +336,6 @@ local systems or from my laptop or firewall).</li>
<br>
<br>
<br>
<br>
</body>
</html>

72
Shorewall-docs/troubleshoot.htm
View File

@ -14,7 +14,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -60,14 +60,14 @@
<blockquote>
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
</blockquote>
A search through the trace for "No chain/target/match by that name" turned
up the following: 
A search through the trace for "No chain/target/match by that name"
turned up the following: 
<blockquote>
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
</blockquote>
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
tcp-reset". In this case, the user had compiled his own kernel and had
forgotten to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
<h3>Your network environment</h3>
@ -78,8 +78,8 @@ an ill-conceived network setup. Here are several popular snafus: </p>
<li>Port Forwarding where client and server are
in the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
<li>Changing the IP address of a local system to be in the
external subnet, thinking that Shorewall will suddenly believe that
the system is in the 'net' zone.</li>
external subnet, thinking that Shorewall will suddenly believe
that the system is in the 'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch.
Given the way that the Linux kernel respond to ARP "who-has" requests,
this type of setup does NOT work the way that you expect it to.</li>
@ -89,10 +89,10 @@ the system is in the 'net' zone.</li>
<h3 align="left">If you are having connection problems:</h3>
<p align="left">If the appropriate policy for the connection that you are
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
TO MAKE IT WORK. Such additional rules will NEVER make it work, they
add clutter to your rule set and they represent a big security hole in
the event that you forget to remove them later.</p>
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES
TRYING TO MAKE IT WORK. Such additional rules will NEVER make it work,
they add clutter to your rule set and they represent a big security hole
in the event that you forget to remove them later.</p>
<p align="left">I also recommend against setting all of your policies to
ACCEPT in an effort to make something work. That robs you of one of
@ -102,8 +102,8 @@ the event that you forget to remove them later.</p>
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
see Shorewall messages, then your problem is probably NOT a Shorewall
problem. If you DO see packet messages, it may be an indication that you
are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
problem. If you DO see packet messages, it may be an indication that
you are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
<p align="left">While you are troubleshooting, it is a good idea to clear
two variables in /etc/shorewall/shorewall.conf:</p>
@ -123,9 +123,9 @@ the event that you forget to remove them later.</p>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the all2all
chain -- the packet was rejected under the "all"-&gt;"all" REJECT
policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>all2all:REJECT - This packet was REJECTed out of the
all2all chain -- the packet was rejected under the "all"-&gt;"all"
REJECT policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
@ -154,15 +154,15 @@ ping when you think that you shouldn't be allowed? Shorewall's 'Ping' Managemen
<ul>
<li>Seeing rejected/dropped packets logged out of the INPUT
or FORWARD chains? This means that:
or FORWARD chains? This means that:
<ol>
<li>your zone definitions are screwed up and the host that
is sending the packets or the destination host isn't in any zone
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
file are you?); or</li>
<li>the source and destination hosts are both connected
to the same interface and you don't have a policy or rule for
the source zone to or from the destination zone.</li>
to the same interface and you don't have a policy or rule for the
source zone to or from the destination zone.</li>
</ol>
</li>
@ -179,19 +179,19 @@ you have the following in /etc/shorewall/nat:<br>
    10.1.1.2    eth0    130.252.100.18<br>
<br>
and you ping 130.252.100.18, unless you have allowed icmp
type 8 between the zone containing the system you are pinging from
and the zone containing 10.1.1.2, the ping requests will be dropped. </li>
type 8 between the zone containing the system you are pinging from
and the zone containing 10.1.1.2, the ping requests will be dropped. </li>
<li>If you specify "routefilter" for an interface, that
interface must be up prior to starting the firewall.</li>
interface must be up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems
usually need to be configured with their default gateway set to the
IP address of their nearest firewall interface. One often overlooked
aspect of routing is that in order for two hosts to communicate, the
routing between them must be set up <u>in both directions.</u> So when
setting up routing between <b>A</b> and<b> B</b>, be sure to verify
that the route from <b>B</b> back to <b>A</b> is defined.</li>
usually need to be configured with their default gateway set to
the IP address of their nearest firewall interface. One often overlooked
aspect of routing is that in order for two hosts to communicate,
the routing between them must be set up <u>in both directions.</u>
So when setting up routing between <b>A</b> and<b> B</b>, be sure
to verify that the route from <b>B</b> back to <b>A</b> is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have
a shell with broken variable expansion. <a
a shell with broken variable expansion. <a
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
shell from the Shorewall Errata download site.</a> </li>
<li>Do you have your kernel properly configured? <a
@ -199,12 +199,13 @@ a shell with broken variable expansion. <a
<li>Shorewall requires the "ip" program. That program
is generally included in the "iproute" package which should be included
with your distribution (though many distributions don't install iproute
by default). You may also download the latest source tarball from <a
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
by default). You may also download the latest source tarball from
<a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
.</li>
<li>Problems with NAT? Be sure that you let Shorewall
add all external addresses to be use with NAT unless you have set <a
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
<li>Problems with NAT? Be sure that you let
Shorewall add all external addresses to be use with NAT unless you
have set <a href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No
in /etc/shorewall/shorewall.conf.</li>
</ul>
@ -219,6 +220,7 @@ add all external addresses to be use with NAT unless you have set <a
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
</p>
<br>
</body>
</html>

183
Shorewall-docs/two-interface.htm
View File

@ -18,10 +18,11 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber5"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface Firewall</font></h1>
</td>
</tr>
@ -34,12 +35,12 @@
and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure
Shorewall in its most common configuration:</p>
Shorewall. It rather focuses on what is required to configure Shorewall
in its most common configuration:</p>
<ul>
<li>Linux system used as a firewall/router for a small
local network.</li>
<li>Linux system used as a firewall/router for a
small local network.</li>
<li>Single public IP address.</li>
<li>Internet connection through cable modem, DSL,
ISDN, Frame Relay, dial-up ...</li>
@ -53,9 +54,9 @@ ISDN, Frame Relay, dial-up ...</li>
</p>
<p><b>If you are running Shorewall under Mandrake 9.0 or later, you can easily
configure the above setup using the Mandrake "Internet Connection
Sharing" applet. From the Mandrake Control Center, select "Network
&amp; Internet" then "Connection Sharing".<br>
configure the above setup using the Mandrake "Internet Connection Sharing"
applet. From the Mandrake Control Center, select "Network &amp; Internet"
then "Connection Sharing".<br>
</b></p>
<p><b>Note however, that the Shorewall configuration produced by Mandrake
@ -69,8 +70,8 @@ use the rest of this documentation (it has two local zones; "loc" and "masq"
</p>
<p>Shorewall requires that you have the iproute/iproute2 package installed
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You
can tell if this package is installed by the presence of an <b>ip</b>
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can
tell if this package is installed by the presence of an <b>ip</b>
program on your firewall system. As root, you can use the 'which'
command to check for this program:</p>
@ -89,18 +90,18 @@ are marked with
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
    If you edit your configuration files on a Windows
system, you must save them as Unix files if your editor supports
that option or you must run them through dos2unix before trying
to use them. Similarly, if you copy a configuration file from your
Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
that option or you must run them through dos2unix before trying to
use them. Similarly, if you copy a configuration file from your Windows
hard drive to a floppy disk, you must run dos2unix against the copy
before using it with Shorewall.</p>
<ul>
<li><a
href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a></li>
href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
@ -108,14 +109,13 @@ of dos2unix</a></li>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
    The configuration files for Shorewall are contained in the
directory /etc/shorewall -- for simple setups, you will only need to
deal with a few of these as described in this guide. After you have <a
href="Install.htm">installed Shorewall</a>, <b>download the <a
    The configuration files for Shorewall are contained in
the directory /etc/shorewall -- for simple setups, you will only need
to deal with a few of these as described in this guide. After you have
<a href="Install.htm">installed Shorewall</a>, <b>download the <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files
to /etc/shorewall (these files will replace files with the same
name).</b></p>
un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to
/etc/shorewall (these files will replace files with the same name).</b></p>
<p>As each file is introduced, I suggest that you look through the actual
file on your system -- each file contains detailed configuration
@ -169,8 +169,8 @@ name).</b></p>
or DROP  the request is first checked against the rules in /etc/shorewall/common
(the samples provide that file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample
has the following policies:</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has
the following policies:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
@ -242,9 +242,10 @@ has the following policies:</p>
<li>allow all connection requests from your local
network to the internet</li>
<li>drop (ignore) all connection requests from the
internet to your firewall or local network</li>
internet to your firewall or local network</li>
<li>optionally accept all connection requests from
the firewall to the internet (if you uncomment the additional policy)</li>
the firewall to the internet (if you uncomment the additional
policy)</li>
<li>reject all other connection requests.</li>
</ol>
@ -259,9 +260,9 @@ the firewall to the internet (if you uncomment the additional policy)<
height="635">
</p>
<p align="left">The firewall has two network interfaces. Where Internet connectivity
is through a cable or DSL "Modem", the <i>External Interface</i> will be
the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
will be the ethernet adapter that is connected to that "Modem" (e.g., <b>eth0</b>) 
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint
<u>T</u>unneling <u>P</u>rotocol </i>(PPTP) in which case the External
@ -276,17 +277,17 @@ ippp0</b>
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf.</a></p>
<p align="left">Your <i>Internal Interface</i> will be an ethernet adapter
(eth1 or eth0) and will be connected to a hub or switch. Your
other computers will be connected to the same hub/switch (note:
If you have only a single internal system, you can connect the firewall
(eth1 or eth0) and will be connected to a hub or switch. Your other
computers will be connected to the same hub/switch (note: If you
have only a single internal system, you can connect the firewall
directly to the computer using a <i>cross-over </i> cable).</p>
<p align="left"><u><b> <img border="0" src="images/j0213519.gif"
width="60" height="60">
</b></u>Do not connect the internal and external interface
to the same hub or switch (even for testing). It won't work the
way that you think that it will and you will end up confused and
believing that Shorewall doesn't work at all.</p>
to the same hub or switch (even for testing). It won't work the way
that you think that it will and you will end up confused and believing
that Shorewall doesn't work at all.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
@ -296,7 +297,7 @@ interface is <b>eth1</b>. If your configuration is different, you
will have to modify the sample <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
accordingly. While you are there, you may wish to review the list
of options that are specified for the interfaces. Some hints:</p>
of options that are specified for the interfaces. Some hints:</p>
<ul>
<li>
@ -321,8 +322,8 @@ via the<i> Dynamic Host Configuration Protocol</i> (DHCP) or as part
of establishing your connection when you dial in (standard modem) or
establish your PPP connection. In rare cases, your ISP may assign you
a<i> static</i> IP address; that means that you configure your firewall's
external interface to use that address permanently.<i> </i>However
your external address is assigned, it will be shared by all of your systems
external interface to use that address permanently.<i> </i>However your
external address is assigned, it will be shared by all of your systems
when you access the Internet. You will have to assign your own addresses
in your internal network (the Internal Interface on your firewall plus
your other computers). RFC 1918 reserves several <i>Private </i>IP address
@ -343,10 +344,10 @@ the external interface's entry in /etc/shorewall/interfaces.</p>
<div align="left">
<p align="left">You will want to assign your addresses from the same <i>
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
sub-network </i>(<i>subnet)</i>.  For our purposes, we can consider a subnet
to consists of a range of addresses x.y.z.0 - x.y.z.255. Such
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The
address x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
a subnet will have a <i>Subnet Mask </i>of 255.255.255.0. The address
x.y.z.0 is reserved as the <i>Subnet Address</i> and x.y.z.255
is reserved as the <i>Subnet Broadcast</i> <i>Address</i>. In Shorewall,
a subnet is described using <a
href="shorewall_setup_guide.htm#Subnets"><i>Classless InterDomain Routing
@ -439,48 +440,48 @@ Routing",</i> Thomas A. Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.
don't forward packets which have an RFC-1918 destination address.
When one of your local systems (let's assume computer 1) sends a connection
request to an internet host, the firewall must perform <i>Network
Address Translation </i>(NAT). The firewall rewrites the source
address in the packet to be the address of the firewall's external
interface; in other words, the firewall makes it look as if the firewall
itself is initiating the connection.  This is necessary so that the
destination host will be able to route return packets back to the
firewall (remember that packets whose destination address is reserved
by RFC 1918 can't be routed across the internet so the remote host
can't address its response to computer 1). When the firewall receives
a return packet, it rewrites the destination address back to 10.10.10.1
and forwards the packet on to computer 1. </p>
Address Translation </i>(NAT). The firewall rewrites the source address
in the packet to be the address of the firewall's external interface;
in other words, the firewall makes it look as if the firewall itself
is initiating the connection.  This is necessary so that the destination
host will be able to route return packets back to the firewall (remember
that packets whose destination address is reserved by RFC 1918 can't
be routed across the internet so the remote host can't address its
response to computer 1). When the firewall receives a return packet,
it rewrites the destination address back to 10.10.10.1 and forwards
the packet on to computer 1. </p>
<p align="left">On Linux systems, the above process is often referred to
as<i> IP Masquerading</i> but you will also see the term <i>Source Network
Address Translation </i>(SNAT) used. Shorewall follows the convention used
with Netfilter:</p>
<p align="left">On Linux systems, the above process is often referred to as<i>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface
address. </p>
firewall system automatically detect the external interface address.
</p>
</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify
the source address that you want outbound packets from your
local network to use. </p>
the source address that you want outbound packets from your local
network to use. </p>
</li>
</ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use
Masquerading if your external IP is dynamic and SNAT if the IP
is static.</p>
Masquerading if your external IP is dynamic and SNAT if the IP is
static.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    If your external firewall interface is <b>eth0</b>,
you do not need to modify the file provided with the sample. Otherwise,
edit /etc/shorewall/masq and change the first column to the name
of your external interface and the second column to the name of your
internal interface.</p>
of your external interface and the second column to the name of
your internal interface.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
@ -588,8 +589,8 @@ to rewrite the source address in the response.</p>
on computers 1 or 2 or on the firewall). If you want to be able
to access your web server using the IP address of your external interface,
see <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>.</li>
<li>Many ISPs block incoming connection requests to
port 80. If you have problems connecting to your web server,
<li>Many ISPs block incoming connection requests
to port 80. If you have problems connecting to your web server,
try the following rule and try connecting to port 5000.</li>
</ul>
@ -630,8 +631,8 @@ try the following rule and try connecting to port 5000.</li>
<p align="left">Normally, when you connect to your ISP, as part of getting
an IP address your firewall's <i>Domain Name Service </i>(DNS)
resolver will be automatically configured (e.g., the /etc/resolv.conf
file will be written). Alternatively, your ISP may have given you
the IP address of a pair of DNS <i> name servers</i> for you to manually
file will be written). Alternatively, your ISP may have given you the
IP address of a pair of DNS <i> name servers</i> for you to manually
configure as your primary and secondary name servers. Regardless of
how DNS gets configured on your firewall, it is <u>your</u> responsibility
to configure the resolver in your internal systems. You can take one
@ -651,15 +652,16 @@ file. </p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    You can configure a<i> Caching Name Server </i>on
your firewall.<i> </i>Red Hat has an RPM for a caching name
server (the RPM also requires the 'bind' RPM) and for Bering users,
there is dnscache.lrp. If you take this approach, you configure your
internal systems to use the firewall itself as their primary (and only)
name server. You use the internal IP address of the firewall (10.10.10.254
in the example above) for the name server address. To allow your
local systems to talk to your caching name server, you must open port
53 (both UDP and TCP) from the local network to the firewall; you do
that by adding the following rules in /etc/shorewall/rules. </p>
your firewall.<i> </i>Red Hat has an RPM for a caching name
server (the RPM also requires the 'bind' RPM) and for Bering users,
there is dnscache.lrp. If you take this approach, you configure
your internal systems to use the firewall itself as their primary
(and only) name server. You use the internal IP address of the firewall
(10.10.10.254 in the example above) for the name server address.
To allow your local systems to talk to your caching name server,
you must open port 53 (both UDP and TCP) from the local network to the
firewall; you do that by adding the following rules in /etc/shorewall/rules.
</p>
</li>
</ul>
@ -825,7 +827,8 @@ allowing all connections from the firewall to the internet.</p>
</div>
<div align="left">
<p align="left">Example - You want to run a Web Server on your firewall system:</p>
<p align="left">Example - You want to run a Web Server on your firewall
system:</p>
</div>
<div align="left">
@ -868,8 +871,8 @@ allowing all connections from the firewall to the internet.</p>
<div align="left">
<p align="left">Those two rules would of course be in addition to the rules
listed above under "You can configure a Caching Name Server
on your firewall"</p>
listed above under "You can configure a Caching Name Server on
your firewall"</p>
</div>
<div align="left">
@ -880,8 +883,7 @@ on your firewall"</p>
<div align="left">
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
the internet because it uses clear text (even for login!). If
you want shell access to your firewall from the internet, use
SSH:</p>
you want shell access to your firewall from the internet, use SSH:</p>
</div>
<div align="left">
@ -965,7 +967,7 @@ SSH:</p>
<p align="left"><br>
<img border="0" src="images/BD21298_.gif" width="13" height="13">
    Now edit your /etc/shorewall/rules file to add
or delete other connections as required.</p>
or delete other connections as required.</p>
</div>
<div align="left">
@ -975,12 +977,12 @@ or delete other connections as required.</p>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif"
width="13" height="13" alt="Arrow">
    The <a href="Install.htm">installation procedure </a>
configures your system to start Shorewall at system boot  but beginning
with Shorewall version 1.3.9 startup is disabled so that your system
won't try to start Shorewall before configuration is complete. Once
you have completed configuration of your firewall, you can enable Shorewall
startup by removing the file /etc/shorewall/startup_disabled.<br>
    The <a href="Install.htm">installation procedure
</a> configures your system to start Shorewall at system boot 
but beginning with Shorewall version 1.3.9 startup is disabled so
that your system won't try to start Shorewall before configuration
is complete. Once you have completed configuration of your firewall,
you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: </font><font
@ -1003,7 +1005,7 @@ from your Netfilter configuration, use "shorewall clear".</p>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13"
height="13">
    The two-interface sample assumes that you want to
enable routing to/from <b>eth1 </b>(the local network) when Shorewall
enable routing to/from <b>eth1 </b>(the local network) when Shorewall
is stopped. If your local network isn't connected to <b>eth1</b> or
if you wish to enable access to/from other hosts, change /etc/shorewall/routestopped
accordingly.</p>
@ -1027,5 +1029,6 @@ from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestoppe
Thomas M. Eastep</font></a><br>
</p>
<br>
<br>
</body>
</html>

503
Shorewall-docs/two-interface_fr.html
View File

@ -20,11 +20,8 @@
</head>
<body lang="fr-FR">
<p style="margin-bottom: 0cm;"><a name="AutoNumber5"></a><br>
</p>
<table width="100%" border="0" cellpadding="0" cellspacing="0"
bgcolor="#400169">
bgcolor="#3366ff">
<tbody>
<tr>
<td width="100%" height="90">
@ -41,25 +38,25 @@
<small><i><u>Notes du traducteur</u> :<br>
Je ne pr&eacute;tends pas &ecirc;tre un vrai traducteur dans le sens ou
mon travail n&#8217;est pas des plus pr&eacute;cis (loin de l&agrave;...). Je ne
me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais
plut&ocirc;t &agrave; en faire une version fran&ccedil;aise intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez
les retrouver dans le reste des documentations ainsi que dans les fichiers
de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
me suis pas attach&eacute; &agrave; une traduction exacte du texte, mais plut&ocirc;t
&agrave; en faire une version fran&ccedil;aise intelligible par tous (et
par moi). Les termes techniques sont la plupart du temps conserv&eacute;s
sous leur forme originale et mis entre parenth&egrave;ses car vous pouvez
les retrouver dans le reste des documentations ainsi que dans les fichiers
de configuration. N&#8217;h&eacute;sitez pas &agrave; me contacter afin d&#8217;am&eacute;liorer
ce document <a href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a>
(merci &agrave; JMM pour sa relecture et ses commentaires pertinents, ainsi
qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i></small><i>.<br>
qu'&agrave; Tom EASTEP pour son formidable outil et sa disponibilit&eacute;)</i></small><i>.<br>
<br>
</i></p>
<p align="left">Mettre en place un syst&egrave;me Linux en tant que firewall
pour un petit r&eacute;seau est une chose assez simple, si vous comprenez
les bases et suivez la documentation.</p>
pour un petit r&eacute;seau est une chose assez simple, si vous comprenez
les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il se
focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
son utilisation la plus courante :</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est n&eacute;cessaire pour configurer Shorewall, dans
son utilisation la plus courante :</p>
<ul>
<li>
@ -71,7 +68,7 @@ son utilisation la plus courante :</p>
</li>
<li>
<p>Une connexion Internet par le biais d'un modem c&acirc;ble, ADSL,
ISDN, "Frame Relay", RTC ... </p>
ISDN, "Frame Relay", RTC ... </p>
</li>
</ul>
@ -83,36 +80,36 @@ ISDN, "Frame Relay", RTC ... </p>
</p>
<p><b>Si vous faites tourner Shorewall sous Mandrake 9.0 ou plus r&eacute;cent,
vous pouvez facilement r&eacute;aliser la configuration ci-dessus en utilisant
l'applet Mandrake "Internet Connection Sharing". Depuis le "Mandrake Control
Center", s&eacute;lectionnez "Network &amp; Internet" et "Connection Sharing".
Vous ne devriez pas avoir besoin de vous r&eacute;f&eacute;rer &agrave; ce
guide.</b></p>
vous pouvez facilement r&eacute;aliser la configuration ci-dessus en utilisant
l'applet Mandrake "Internet Connection Sharing". Depuis le "Mandrake Control
Center", s&eacute;lectionnez "Network &amp; Internet" et "Connection Sharing".
Vous ne devriez pas avoir besoin de vous r&eacute;f&eacute;rer &agrave;
ce guide.</b></p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'install&eacute;.<i>
</i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant
la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall. Sous
root, utilisez la commande 'which' pour rechercher le programme :</p>
</i>Vous pouvez voir si le paquet est install&eacute; en v&eacute;rifiant
la pr&eacute;sence du programme ip sur votre syst&egrave;me de firewall.
Sous root, utilisez la commande 'which' pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qui va se passer, et de revenir au d&eacute;but
en effectuant le changements dans votre configuration. Les points o&ugrave;,
les changements dans la configuration sont recommand&eacute;es, sont signal&eacute;s
par une <img src="images/BD21298_.gif" name="Image2" align="bottom"
vous familiariser avec ce qui va se passer, et de revenir au d&eacute;but
en effectuant le changements dans votre configuration. Les points o&ugrave;,
les changements dans la configuration sont recommand&eacute;es, sont signal&eacute;s
par une <img src="images/BD21298_.gif" name="Image2" align="bottom"
width="13" height="13" border="0">
.</p>
<p><img src="images/j0213519.gif" name="Image3" align="bottom"
width="60" height="60" border="0">
&nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration sur
un syst&egrave;me Windows, vous devez les sauver comme des fichiers Unix si
votre &eacute;diteur offre cette option sinon vous devez les faire passer
par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re,
si vous copiez un fichier de configuration depuis votre disque dur Windows
vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser
avec Shorewall.</p>
&nbsp;&nbsp;&nbsp; Si vous &eacute;ditez vos fichiers de configuration
sur un syst&egrave;me Windows, vous devez les sauver comme des fichiers
Unix si votre &eacute;diteur offre cette option sinon vous devez les faire
passer par dos2unix avant d'essayer de les utiliser. De la m&ecirc;me mani&egrave;re,
si vous copiez un fichier de configuration depuis votre disque dur Windows
vers une disquette, vous devez lancer dos2unix sur la copie avant de l'utiliser
avec Shorewall.</p>
<ul>
<li>
@ -122,7 +119,7 @@ avec Shorewall.</p>
</li>
<li>
<p><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux Version
of dos2unix</a> </p>
of dos2unix</a> </p>
</li>
</ul>
@ -132,22 +129,22 @@ of dos2unix</a> </p>
<p><img src="images/BD21298_.gif" name="Image4" align="bottom"
width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Les fichiers de configuration pour Shorewall sont dans
le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous
n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit
dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute;
Shorewall</a>, t&eacute;l&eacute; chargez<b> le <a
le r&eacute;pertoire /etc/shorewall -- pour de simples configurations, vous
n'aurez seulement &agrave; faire qu'avec quelques fichiers comme d&eacute;crit
dans ce guide. Apr&egrave;s avoir <a href="Install.htm">install&eacute; Shorewall</a>,
t&eacute;l&eacute; chargez<b> le <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">two-interface sample</a>,
un-tarez le (tar -zxvf two-interfaces.tgz) et copiez les fichiers vers /etc/shorewall
(ces fichiers remplaceront les fichiers de m&ecirc;me nom).</b></p>
<p>Parall&egrave;lement &agrave; la pr&eacute;sentation de chacun des fichiers,
je vous sugg&egrave;re de regarder le fichier qui se trouve r&eacute;ellement
sur votre syst&egrave;me -- tous les fichiers contiennent des instructions
de configuration d&eacute;taill&eacute;es et des valeurs par d&eacute;faut.</p>
je vous sugg&egrave;re de regarder le fichier qui se trouve r&eacute;ellement
sur votre syst&egrave;me -- tous les fichiers contiennent des instructions
de configuration d&eacute;taill&eacute;es et des valeurs par d&eacute;faut.</p>
<p>Shorewall voit le r&eacute;seau o&ugrave; il tourne, comme un ensemble
de <i>zones.</i> Dans une configuration avec deux interfaces, les noms des
zones suivantes sont utilis&eacute;s:</p>
de <i>zones.</i> Dans une configuration avec deux interfaces, les noms des
zones suivantes sont utilis&eacute;s:</p>
<a name="AutoNumber2"></a>
<table border="0" cellpadding="3" cellspacing="0">
<tbody>
@ -183,35 +180,35 @@ zones suivantes sont utilis&eacute;s:</p>
href="Documentation.htm#Zones">/etc/shorewall/zones</a> .</p>
<p>Shorewall reconna&icirc;t aussi le syst&egrave;me de firewall comme sa
propre zone - par d&eacute;faut, le firewall est connu comme<b> fw.</b></p>
propre zone - par d&eacute;faut, le firewall est connu comme<b> fw.</b></p>
<p>Les r&egrave;gles &agrave; propos de quel trafic autoriser, et de quel
trafic interdire sont exprim&eacute;es en terme de zones.</p>
trafic interdire sont exprim&eacute;es en terme de zones.</p>
<ul>
<li>
<p style="margin-bottom: 0cm;">Vous exprimez votre politique par d&eacute;faut
pour les connexions d'une zone vers une autre zone dans le fichier<a
pour les connexions d'une zone vers une autre zone dans le fichier<a
href="Documentation.htm#Policy"> /etc/shorewall/policy </a>. </p>
</li>
<li>
<p>Vous d&eacute;finissez les exceptions &agrave; ces politiques pas
d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules
d&eacute;faut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules
</a>. </p>
</li>
</ul>
<p>Pour chaque connexion demandant &agrave; entrer dans le firewall, la requ&ecirc;te
est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules.
Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande de
connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou DROP&nbsp;
la requ&ecirc;te est dans un premier temps compar&eacute;e par rapport aux
r&egrave;gles contenues dans /etc/shorewall/common.</p>
est en premier lieu compar&eacute;e par rapport au fichier /etc/shorewall/rules.
Si aucune r&egrave;gle dans ce fichier ne correspond &agrave; la demande
de connexion alors la premi&egrave;re politique dans le fichier /etc/shorewall/policy
qui y correspond sera appliqu&eacute;e. Si cette politique est REJECT ou
DROP&nbsp; la requ&ecirc;te est dans un premier temps compar&eacute;e par
rapport aux r&egrave;gles contenues dans /etc/shorewall/common.</p>
<p>Le fichier /etc/shorewall/policy inclue dans l'archive d'exemple (two-interface)
a les politiques suivantes:</p>
a les politiques suivantes:</p>
<a name="AutoNumber3"></a>
<dl>
<dd>
@ -291,10 +288,10 @@ a les politiques suivantes:</p>
</dd>
</dl>
<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante est
inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall puisse
avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
la ligne.</blockquote>
<blockquote>Dans le fichier d'exemple (two-interface), la ligne suivante
est inclue mais elle est comment&eacute;e. Si vous voulez que votre firewall
puisse avoir un acc&egrave;s complet aux serveurs sur Internet, d&eacute;commentez
la ligne.</blockquote>
<a name="AutoNumber31"></a>
<dl>
<dd>
@ -345,17 +342,17 @@ la ligne.</blockquote>
<ol>
<li>
<p style="margin-bottom: 0cm;">permettre toutes les demandes de connexion
depuis votre r&eacute;seau local vers l'Internet </p>
depuis votre r&eacute;seau local vers l'Internet </p>
</li>
<li>
<p style="margin-bottom: 0cm;">drop (ou ignorer) toutes les demandes
de connexion depuis l'Internet vers votre firewall ou votre r&eacute;seau
local. </p>
de connexion depuis l'Internet vers votre firewall ou votre r&eacute;seau
local. </p>
</li>
<li>
<p style="margin-bottom: 0cm;">Facultativement&nbsp;accepter toutes les
demandes de connexion de votre firewall vers l'Internet (si vous avez d&eacute;
comment&eacute; la politique additionnelle) </p>
demandes de connexion de votre firewall vers l'Internet (si vous avez
d&eacute; comment&eacute; la politique additionnelle) </p>
</li>
<li>
<p>reject (rejeter) toutes les autres demandes de connexion. </p>
@ -366,7 +363,7 @@ comment&eacute; la politique additionnelle) </p>
<p><img src="images/BD21298_.gif" name="Image5" align="bottom"
width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; A ce point, &eacute;ditez votre fichier /etc/shorewall/policy
et faite les changements que vous d&eacute;sirez.</p>
et faite les changements que vous d&eacute;sirez.</p>
<h2 align="left">Network Interfaces</h2>
@ -375,52 +372,54 @@ et faite les changements que vous d&eacute;sirez.</p>
</p>
<p align="left">Le firewall a deux interfaces de r&eacute;seau. Lorsque la
connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas un simple
modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External Interface)</i>
sera l'adaptateur sur lequel est connect&eacute; le routeur (e.g., <b>eth0</b>)&nbsp;
<u>&agrave; moins que</u> vous ne vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol
over<u>E</u>thernet</i> (PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP),
connexion Internet passe par le c&acirc;ble ou par un ROUTEUR (pas un simple
modem) ADSL (non USB), l'interface vers l'ext&eacute;rieur (<i>External
Interface)</i> sera l'adaptateur sur lequel est connect&eacute; le routeur
(e.g., <b>eth0</b>)&nbsp; <u>&agrave; moins que</u> vous ne vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint<u>P</u>rotocol over<u>E</u>thernet</i>
(PPPoE) ou par <i><u>P</u>oint-to-<u>P</u>oint<u>T</u>unneling<u>P</u>rotocol</i>(PPTP),
dans ce cas l'interface ext&eacute;rieure sera une interface de type ppp
(e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem (RTC), votre
interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si votre connexion passe
par Num&eacute;ris (ISDN), votre interface ext&eacute;rieure sera<b>ippp0.</b></p>
(e.g., <b>ppp0</b>). Si vous vous connectez par un simple modem (RTC), votre
interface ext&eacute;rieure sera aussi <b>ppp0</b>. Si votre connexion passe
par Num&eacute;ris (ISDN), votre interface ext&eacute;rieure sera<b>ippp0.</b></p>
<p align="left"><img src="images/BD21298_1.gif" name="Image7"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre interface vers l'ext&eacute;rieur est<b>ppp0</b>
ou <b>ippp0</b>&nbsp; alors vous mettrez CLAMPMSS=yes dans <a
ou <b>ippp0</b>&nbsp; alors vous mettrez CLAMPMSS=yes dans <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></p>
<p align="left">Votre <i>Internal Interface</i> (interface vers votre r&eacute;seau
local -&gt; LAN) sera un adaptateur Ethernet (eth1 ou eth0) et sera connect&eacute;e
&agrave; un hub ou switch (ou un PC avec un c&acirc;ble crois&eacute;). Vos
autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me hub/switch</p>
local -&gt; LAN) sera un adaptateur Ethernet (eth1 ou eth0) et sera connect&eacute;e
&agrave; un hub ou switch (ou un PC avec un c&acirc;ble crois&eacute;).
Vos autres ordinateurs seront connect&eacute;s &agrave; ce m&ecirc;me hub/switch</p>
<p align="left"><b><u><img src="images/j0213519.gif" name="Image8"
align="bottom" width="60" height="60" border="0">
</u></b>Ne connectez pas l'interface interne et externe sur le m&ecirc;me
hub ou switch (m&ecirc;me pour tester). Cela ne fonctionnera pas et ne croyez
pas que ce soit shorewall qui ne marche pas.</p>
hub ou switch (m&ecirc;me pour tester). Cela ne fonctionnera pas et ne croyez
pas que ce soit shorewall qui ne marche pas.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image9"
align="left" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Le fichier de configuration d'exemple pour deux interfaces
suppose que votre interface externe est <b>eth0</b>et que l'interne est <b>eth1</b>.
Si votre configuration est diff&eacute;rente, vous devrez modifier le fichier
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> en cons&eacute;quence.
Tant que vous y &ecirc;tes, vous pourriez parcourir la liste des options qui
sont sp&eacute;cifi&eacute;es pour les interfaces. Quelques trucs:</p>
suppose que votre interface externe est <b>eth0</b>et que l'interne est
<b>eth1</b>. Si votre configuration est diff&eacute;rente, vous devrez modifier
le fichier <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
en cons&eacute;quence. Tant que vous y &ecirc;tes, vous pourriez parcourir
la liste des options qui sont sp&eacute;cifi&eacute;es pour les interfaces.
Quelques trucs:</p>
<ul>
<li>
<p align="left">Si votre interface vers l'ext&eacute;rieur est <b>ppp0</b>
ou <b>ippp0</b>, vous pouvez remplacer le "detect" dans la seconde colonne
par un "-". </p>
par un "-". </p>
</li>
<li>
<p align="left">Si votre interface vers l'ext&eacute;rieur est&nbsp;<b>ppp0</b>
ou <b>ippp0</b> ou si vous avez une adresse IP statique, vous pouvez enlever
"dhcp" dans la liste des options. </p>
ou <b>ippp0</b> ou si vous avez une adresse IP statique, vous pouvez enlever
"dhcp" dans la liste des options. </p>
</li>
</ul>
@ -428,42 +427,42 @@ ou <b>ippp0</b> ou si vous avez une adresse IP statique, vous pouvez enlever
<h2 align="left">Adresses IP</h2>
<p align="left">Avant d'aller plus loin, nous devons dire quelques mots au
sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP
sujet de Internet Protocol (IP) <i>addresses</i>. Normalement, votre fournisseur
Internet (ISP) vous assignera une seule adresse IP (single <i>Public</i>IP
address). Cette adresse peut &ecirc;tre assign&eacute;e par le Dynamic<i>
Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement
de votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
votre connexion PPP. Dans de rares cas , votre provider peut vous assigner
une adresse statique<i> (static</i>IP address); cela signifie que vous devez
configurer l'interface externe de votre firewall afin d'utiliser cette adresse
de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle
va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s
&agrave; Internet. Vous devrez assigner vos propres adresses dans votre
r&eacute;seau local (votre interface interne sur le firewall &nbsp;ainsi
que les autres ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages
d'IP (<i>Private</i>IP address ranges) &agrave; cette fin :</p>
Host Configuration Protocol</i>(DHCP) ou lors de l'&eacute;tablissement de
votre connexion lorsque vous vous connectez (modem standard) ou &eacute;tablissez
votre connexion PPP. Dans de rares cas , votre provider peut vous assigner
une adresse statique<i> (static</i>IP address); cela signifie que vous devez
configurer l'interface externe de votre firewall afin d'utiliser cette adresse
de mani&egrave;re permanente. Votre adresse externe assign&eacute;e, elle
va &ecirc;tre partag&eacute;e par tous vos syst&egrave;mes lors de l'acc&egrave;s
&agrave; Internet. Vous devrez assigner vos propres adresses dans votre r&eacute;seau
local (votre interface interne sur le firewall &nbsp;ainsi que les autres
ordinateurs). La RFC 1918 r&eacute;serve plusieurs plages d'IP (<i>Private</i>IP
address ranges) &agrave; cette fin :</p>
<pre style="text-align: left;"> 10.0.0.0 - 10.255.255.255an<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
<p align="left"><img src="images/BD21298_.gif" name="Image10"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Avant de lancer Shorewall, vous devriez regarder l'adresse
IP de votre interface externe, et si elle est dans les plages pr&eacute;c&eacute;dentes,
vous devriez enlever l'option 'norfc1918' dans la ligne concernant l'interface
externe dans le fichier /etc/shorewall/interfaces.</p>
IP de votre interface externe, et si elle est dans les plages pr&eacute;c&eacute;dentes,
vous devriez enlever l'option 'norfc1918' dans la ligne concernant l'interface
externe dans le fichier /etc/shorewall/interfaces.</p>
<p align="left">Vous devrez assigner vos adresses depuis le m&ecirc;me sous-r&eacute;seau
(<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer
un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque
sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0. L'adresse
x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau (<i>Subnet
Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse de
broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un sous-r&eacute;seau
est d&eacute;crit en utilisant <a
(<i>sub-network/subnet)</i>. Pour ce faire, nous pouvons consid&eacute;rer
un sous-r&eacute;seau dans une plage d'adresses x.y.z.0 - x.y.z.255. Chaque
sous-r&eacute;seau aura un masque (<i>Subnet Mask) </i>de 255.255.255.0.
L'adresse x.y.z.0 est r&eacute;serv&eacute;e comme l'adresse de sous-r&eacute;seau
(<i>Subnet Address) </i>et x.y.z.255 est r&eacute;serv&eacute;e en tant qu'adresse
de broadcast (<i>Subnet Broadcast</i> <i>Address)</i>. Dans Shorewall, un
sous-r&eacute;seau est d&eacute;crit en utilisant <a
href="shorewall_setup_guide.htm#Subnets"><i>la notation Classless InterDomain
Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie
par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de
bits marquant "1" dans la partie gauche du masque de sous-r&eacute;seau.</p>
Routing </i>(CIDR)</a> qui consiste en l'adresse du sous-r&eacute;seau suivie
par "/24". Le "24" se r&eacute;f&egrave;re au nombre cons&eacute;cutif de
bits marquant "1" dans la partie gauche du masque de sous-r&eacute;seau.</p>
<p align="left">Un exemple de sous-r&eacute;seau (sub-network) :</p>
<a name="AutoNumber1"></a>
@ -510,98 +509,98 @@ bits marquant "1" dans la partie gauche du masque de sous-r&eacute;seau.</p>
</dl>
<p align="left">Il est de mise d'assigner l'interface interne (LAN) &agrave;
la premi&egrave;re adresse utilisable du sous-r&eacute;seau (10.10.10.1 dans
l'exemple pr&eacute;c&eacute;dent) ou la derni&egrave;re adresse utilisable
(10.10.10.254).</p>
la premi&egrave;re adresse utilisable du sous-r&eacute;seau (10.10.10.1
dans l'exemple pr&eacute;c&eacute;dent) ou la derni&egrave;re adresse utilisable
(10.10.10.254).</p>
<p align="left">L'un des buts d'un sous-r&eacute;seau est de permettre &agrave;
tous les ordinateurs dans le sous-r&eacute;seau de savoir avec quels autres
ordinateurs ils peuvent communiquer directement. Pour communiquer avec des
syst&egrave;mes en dehors du sous-r&eacute;seau, les ordinateurs envoient
des paquets &agrave; travers le gateway (routeur).</p>
tous les ordinateurs dans le sous-r&eacute;seau de savoir avec quels autres
ordinateurs ils peuvent communiquer directement. Pour communiquer avec des
syst&egrave;mes en dehors du sous-r&eacute;seau, les ordinateurs envoient
des paquets &agrave; travers le gateway (routeur).</p>
<p align="left"><img src="images/BD21298_1.gif" name="Image11"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Vos ordinateurs en local (ordinateur 1 et ordinateur
2 dans le diagramme) devraient &ecirc;tre configur&eacute;s avec leur passerelle
par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de
l'interface interne du firewall.</p>
par d&eacute;faut<i> (default gateway</i>) pointant sur l'adresse IP de l'interface
interne du firewall.</p>
<p align="left">The foregoing short discussion barely scratches the surface
regarding subnetting and routing. If you are interested in learning more about
IP addressing and routing, I highly recommend <i>"IP Fundamentals: What Everyone
Needs to Know about Addressing &amp; Routing",</i> Thomas A. Maufer, Prentice-Hall,
1999, ISBN 0-13-975483-0.</p>
regarding subnetting and routing. If you are interested in learning more
about IP addressing and routing, I highly recommend <i>"IP Fundamentals:
What Everyone Needs to Know about Addressing &amp; Routing",</i> Thomas A.
Maufer, Prentice-Hall, 1999, ISBN 0-13-975483-0.</p>
<p align="left">Le reste de ce guide assumera que vous avez configur&eacute;
votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
votre r&eacute;seau comme montr&eacute; ci-dessous :</p>
<p align="center"><img src="images/basics1.png" name="Image12"
align="bottom" width="444" height="635" border="0">
</p>
<p align="left">La passerelle par d&eacute;faut pour les ordinateurs 1 et
2 devrait &ecirc;tre 10.10.10.254.</p>
2 devrait &ecirc;tre 10.10.10.254.</p>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">Les adresses r&eacute;serv&eacute;es par la RFC 1918 sont
parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs
Internet (backbone) ne font pas circuler les paquets qui ont une adresse de
destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur
par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>.
Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a
remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion.
parfois d&eacute;sign&eacute;es comme <i>non-routables</i> car les routeurs
Internet (backbone) ne font pas circuler les paquets qui ont une adresse
de destination appartenant &agrave; la RFC-1918. Lorsqu'un de vos syst&egrave;mes
en local (supposons l'ordinateur1) demande une connexion &agrave; un serveur
par Internet, le firewall doit appliquer un NAT<i> (Network Address Translation)</i>.
Le firewall r&eacute; &eacute;crit l'adresse source dans le paquet, et l'a
remplace par l'adresse de l'interface externe du firewall; en d'autres mots,
le firewall fait croire que c'est lui m&ecirc;me qui initie la connexion.
Ceci est n&eacute;cessaire afin que l'h&ocirc;te de destination soit capable
de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont
pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC
1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet, donc
l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave; l'ordinateur
1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse, il remet
l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet vers
l'ordinateur 1. </p>
de renvoyer les paquets au firewall (souvenez vous que les paquets qui ont
pour adresse de destination, une adresse r&eacute;serv&eacute;e par la RFC
1918 ne pourront pas &ecirc;tre rout&eacute;s &agrave; travers Internet,
donc l'h&ocirc;te Internet ne pourra adresser sa r&eacute;ponse &agrave;
l'ordinateur 1). Lorsque le firewall re&ccedil;oit le paquet de r&eacute;ponse,
il remet l'adresse de destination &agrave; 10.10.10.1 et fait passer le paquet
vers l'ordinateur 1. </p>
<p align="left">Sur les syst&egrave;mes Linux, ce proc&eacute;d&eacute; est
souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi le
terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
Shorewall suit la convention utilis&eacute;e avec Netfilter:</p>
souvent appel&eacute; de l'<i>IP Masquerading</i> mais vous verrez aussi
le terme de <i>Source Network Address Translation </i>(SNAT) utilis&eacute;.
Shorewall suit la convention utilis&eacute;e avec Netfilter:</p>
<ul>
<li>
<p align="left"><i>Masquerade</i> d&eacute;signe le cas ou vous laissez
votre firewall d&eacute;tecter automatiquement l'adresse de l'interface externe.
</p>
votre firewall d&eacute;tecter automatiquement l'adresse de l'interface
externe. </p>
</li>
<li>
<p align="left"><i>SNAT</i> d&eacute;signe le cas o&ugrave; vous sp&eacute;cifiez
explicitement l'adresse source des paquets sortant de votre r&eacute;seau
local. </p>
explicitement l'adresse source des paquets sortant de votre r&eacute;seau
local. </p>
</li>
</ul>
<p align="left">Sous Shorewall, autant le Masquerading que le SNAT sont configur&eacute;
avec des entr&eacute;s dans le fichier /etc/shorewall/masq. Vous utiliserez
normalement le Masquerading si votre adresse IP externe est dynamique, et
SNAT si elle est statique.</p>
avec des entr&eacute;s dans le fichier /etc/shorewall/masq. Vous utiliserez
normalement le Masquerading si votre adresse IP externe est dynamique, et
SNAT si elle est statique.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image13"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre interface externe du firewall est <b>eth0</b>,
vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans
le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re
colonne par le nom de votre interface externe, et la seconde colonne par le
nom de votre interface interne.</p>
vous n'avez pas besoin de modifier le fichier fourni avec l'exemple. Dans
le cas contraire, &eacute;ditez /etc/shorewall/masq et changez la premi&egrave;re
colonne par le nom de votre interface externe, et la seconde colonne par
le nom de votre interface interne.</p>
<p align="left"><img src="images/BD21298_.gif" name="Image14"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Si votre IP externe est statique, vous pouvez la mettre
dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez,
de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez cette
colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
colonne permet un traitement des paquets sortant un peu plus efficace.<br>
dans la troisi&egrave;me colonne dans /etc/shorewall/masq si vous le d&eacute;sirez,
de toutes fa&ccedil;ons votre firewall fonctionnera bien si vous laissez
cette colonne vide. Le fait de mettre votre IP statique dans la troisi&egrave;me
colonne permet un traitement des paquets sortant un peu plus efficace.<br>
<br>
<img src="images/BD21298_.gif" name="Image15" align="bottom"
width="13" height="13" border="0">
@ -622,21 +621,21 @@ suivantes, si elles n'y sont pas faite les changements n&eacute;cessaires:</p>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">Un de nos buts est de , peut &ecirc;tre, faire tourner un
ou plusieurs serveurs sur nos ordinateurs locaux. Parce que ces ordinateurs
on une adresse RFC-1918, il n' est pas possible pour les clients sur Internet
de se connecter directement &agrave; eux. Il est n&eacute;cessaire &agrave;
ces clients d'adresser leurs demandes de connexion au firewall qui r&eacute;
&eacute;crit l'adresse de destination de votre serveur, et fait passer le
paquet &agrave; celui-ci. Lorsque votre serveur r&eacute;pond, le firewall
applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse source
dans la r&eacute;ponse.</p>
ou plusieurs serveurs sur nos ordinateurs locaux. Parce que ces ordinateurs
on une adresse RFC-1918, il n' est pas possible pour les clients sur Internet
de se connecter directement &agrave; eux. Il est n&eacute;cessaire &agrave;
ces clients d'adresser leurs demandes de connexion au firewall qui r&eacute;
&eacute;crit l'adresse de destination de votre serveur, et fait passer le
paquet &agrave; celui-ci. Lorsque votre serveur r&eacute;pond, le firewall
applique automatiquement un SNAT pour r&eacute; &eacute;crire l'adresse
source dans la r&eacute;ponse.</p>
<p align="left">Ce proc&eacute;d&eacute; est appel&eacute;<i> Port Forwarding</i>
ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez le
port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
ou <i>Destination Network Address Translation</i>(DNAT). Vous configurez
le port forwarding en utilisant les r&egrave;gles DNAT dans le fichier /etc/shorewall/rules.</p>
<p>La forme g&eacute;n&eacute;rale d'une simple r&egrave;gle de port forwarding
dans /etc/shorewall/rules est:</p>
dans /etc/shorewall/rules est:</p>
<a name="AutoNumber4"></a>
<dl>
<dd>
@ -695,8 +694,8 @@ dans /etc/shorewall/rules est:</p>
</dl>
<p>Exemple - vous faites tourner un serveur Web sur l'ordinateur 2 et vous
voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrave;me
:</p>
voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrave;me
:</p>
<a name="AutoNumber41"></a>
<dl>
<dd>
@ -759,17 +758,17 @@ voulez faire passer les requ&ecirc;tes TCP sur le port 80 &agrave; ce syst&egrav
<ul>
<li>
<p style="margin-bottom: 0cm;">Vous devez tester la r&egrave;gle pr&eacute;c&eacute;dente
depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local
(c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1 ou
2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der
&agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall,
regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p>
depuis un client &agrave; l'ext&eacute;rieur de votre r&eacute;seau local
(c.a.d., ne pas tester depuis un navigateur tournant sur l'ordinateur 1
ou 2 ou sur le firewall). Si vous voulez avoir la possibilit&eacute; d'acc&eacute;der
&agrave; votre serveur web en utilisant l'adresse IP externe de votre firewall,
regardez <a href="FAQ.htm#faq2">Shorewall FAQ #2</a>. </p>
</li>
<li>
<p>Quelques fournisseurs Internet (Provider/ISP) bloquent les requ&ecirc;tes
entrantes de connexion sur le port 80. Si vous avez des probl&egrave;mes
&agrave; vous connecter &agrave; votre serveur web, essayez la r&egrave;gle
suivante et connectez vous sur le port 5000. </p>
entrantes de connexion sur le port 80. Si vous avez des probl&egrave;mes
&agrave; vous connecter &agrave; votre serveur web, essayez la r&egrave;gle
suivante et connectez vous sur le port 5000. </p>
</li>
</ul>
@ -833,44 +832,45 @@ suivante et connectez vous sur le port 5000. </p>
<p><img src="images/BD21298_.gif" name="Image16" align="bottom"
width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; A ce point, modifiez /etc/shorewall/rules pour ajouter
les r&egrave;gles DNAT dont vous avez besoin.</p>
les r&egrave;gles DNAT dont vous avez besoin.</p>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normalement, quand vous vous connectez &agrave; votre fournisseur
(ISP), une partie consiste &agrave; obtenir votre adresse IP, votre DNS pour
le firewall (<i>Domain Name Service) </i>est configur&eacute; automatiquement
(c.a.d.,le fichier /etc/resolv.conf a &eacute;t&eacute; &eacute;crit). Il
arrive que votre provider vous donne une paire d'adresse IP pour les DNS<i>
(name servers)</i> afin que vous configuriez manuellement votre serveur de
nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute;
sur votre firewall est de <u>votre</u> responsabilit&eacute;. Vous pouvez
(ISP), une partie consiste &agrave; obtenir votre adresse IP, votre DNS
pour le firewall (<i>Domain Name Service) </i>est configur&eacute; automatiquement
(c.a.d.,le fichier /etc/resolv.conf a &eacute;t&eacute; &eacute;crit). Il
arrive que votre provider vous donne une paire d'adresse IP pour les DNS<i>
(name servers)</i> afin que vous configuriez manuellement votre serveur
de nom primaire et secondaire. La mani&egrave;re dont le DNS est configur&eacute;
sur votre firewall est de <u>votre</u> responsabilit&eacute;. Vous pouvez
proc&eacute;der d'une de ses deux fa&ccedil;ons :</p>
<ul>
<li>
<p align="left">Vous pouvez configurer votre syst&egrave;me interne pour
utiliser les noms de serveurs de votre provider. Si votre fournisseur vous
donne les adresses de leurs serveurs ou si ces adresses sont disponibles
sur leur site web, vous pouvez configurer votre syst&egrave;me interne afin
de les utiliser. Si cette information n' est pas disponible, regardez dans
/etc/resolv.conf sur votre firewall -- les noms des serveurs sont donn&eacute;s
dans l'enregistrement "nameserver" dans ce fichier. </p>
<p align="left">Vous pouvez configurer votre syst&egrave;me interne
pour utiliser les noms de serveurs de votre provider. Si votre fournisseur
vous donne les adresses de leurs serveurs ou si ces adresses sont disponibles
sur leur site web, vous pouvez configurer votre syst&egrave;me interne
afin de les utiliser. Si cette information n' est pas disponible, regardez
dans /etc/resolv.conf sur votre firewall -- les noms des serveurs sont
donn&eacute;s dans l'enregistrement "nameserver" dans ce fichier. </p>
</li>
<li>
<p align="left"><img src="images/BD21298_.gif" name="Image17"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Vous pouvez configurer un cache dns<i> (Caching Name
Server) </i>sur votre firewall.<i> </i>Red Hat a un RPM pour mettre en cache
un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les utilisateurs
de Bering, il y a dnscache.lrp. Si vous adoptez cette approche, vous configurez
votre syst&egrave;me interne pour utiliser le firewall lui m&ecirc;me comme
&eacute;tant le seul serveur de nom primaire. Vous pouvez utiliser l'adresse
IP interne du firewall (10.10.10.254 dans l'exemple) pour l'adresse de serveur
de nom. Pour permettre &agrave; vos syst&egrave;mes locaux de discuter avec
votre serveur cache de nom, vous devez ouvrir le port 53 (UDP ET&nbsp; TCP)
sur le firewall vers le r&eacute;seau local; vous ferez ceci en ajoutant
les r&egrave;gles suivantes dans /etc/shorewall/rules. </p>
Server) </i>sur votre firewall.<i> </i>Red Hat a un RPM pour mettre en
cache un serveur de nom (le RPM requis aussi le RPM 'bind') et pour les
utilisateurs de Bering, il y a dnscache.lrp. Si vous adoptez cette approche,
vous configurez votre syst&egrave;me interne pour utiliser le firewall
lui m&ecirc;me comme &eacute;tant le seul serveur de nom primaire. Vous
pouvez utiliser l'adresse IP interne du firewall (10.10.10.254 dans l'exemple)
pour l'adresse de serveur de nom. Pour permettre &agrave; vos syst&egrave;mes
locaux de discuter avec votre serveur cache de nom, vous devez ouvrir le
port 53 (UDP ET&nbsp; TCP) sur le firewall vers le r&eacute;seau local;
vous ferez ceci en ajoutant les r&egrave;gles suivantes dans /etc/shorewall/rules.
</p>
</li>
</ul>
@ -957,7 +957,7 @@ les r&egrave;gles suivantes dans /etc/shorewall/rules. </p>
<h2 align="left">Autres Connexions</h2>
<p align="left">Les fichiers exemples inclus dans l'archive (two-interface)
contiennent les r&egrave;gles suivantes :</p>
contiennent les r&egrave;gles suivantes :</p>
<a name="AutoNumber44"></a>
<dl>
<dd>
@ -1038,10 +1038,10 @@ contiennent les r&egrave;gles suivantes :</p>
</dd>
</dl>
<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave; partir
de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez d&eacute;
comment&eacute; la ligne dans /etc/shorewall/policy autorisant toutes les
connexions depuis le firewall vers Internet.</p>
<p align="left">Ces r&egrave;gles autorisent l'acc&egrave;s DNS &agrave;
partir de votre firewall et peuvent &ecirc;tre enlev&eacute;es si vous avez
d&eacute; comment&eacute; la ligne dans /etc/shorewall/policy autorisant
toutes les connexions depuis le firewall vers Internet.</p>
<p align="left">Les exemples contiennent aussi :</p>
<a name="AutoNumber45"></a>
@ -1102,11 +1102,12 @@ connexions depuis le firewall vers Internet.</p>
</dl>
<p align="left">Cette r&egrave;gle vous autorise &agrave; faire tourner un
serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre r&eacute;seau
local.</p>
serveur SSH sur votre firewall et &agrave; vous y connecter depuis votre
r&eacute;seau local.</p>
<p align="left">Si vous voulez permettre d'autres connexions entre votre firewall
et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est :</p>
<p align="left">Si vous voulez permettre d'autres connexions entre votre
firewall et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est
:</p>
<a name="AutoNumber46"></a>
<dl>
<dd>
@ -1165,7 +1166,7 @@ et d'autres syst&egrave;mes, la forme g&eacute;n&eacute;rale est :</p>
</dl>
<p align="left">Exemple - Vous voulez faire tourner un serveur Web sur votre
firewall :</p>
firewall :</p>
<a name="AutoNumber47"></a>
<dl>
<dd>
@ -1247,17 +1248,17 @@ firewall :</p>
</dd>
</dl>
<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter aux
r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p>
<p align="left">Ces deux r&egrave;gles bien s&ucirc;r viennent s'ajouter
aux r&egrave;gles d&eacute;crites pr&eacute;c&eacute;demment dans "Vous pouvez
configurer un cache dns<i> (Caching Name Server) </i>sur votre firewall"</p>
<p align="left">Si vous ne savez pas quel port et quel protocole une application
particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
particuli&egrave;re utilise, regardez <a href="ports.htm">ici</a>.</p>
<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre le
telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell
sur votre firewall depuis Internet, utilisez SSH :</p>
<p align="left"><b>Important: </b>Je ne vous recommande pas de permettre
le telnet depuis ou vers Internet car il utilise du texte en clair (m&ecirc;me
pour le login et le mot de passe!). Si vous voulez un acc&egrave;s au shell
sur votre firewall depuis Internet, utilisez SSH :</p>
<a name="AutoNumber48"></a>
<dl>
<dd>
@ -1318,7 +1319,7 @@ sur votre firewall depuis Internet, utilisez SSH :</p>
<p align="left"><img src="images/BD21298_.gif" name="Image18"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Maintenant &eacute;ditez votre fichier /etc/shorewall/rules
pour ajouter ou supprimer les connexions voulues.</p>
pour ajouter ou supprimer les connexions voulues.</p>
<h2 align="left">Lancer et Arr&ecirc;ter votre Firewall</h2>
@ -1326,37 +1327,38 @@ pour ajouter ou supprimer les connexions voulues.</p>
alt="Arrow" align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; La&nbsp; <a href="Install.htm">proc&eacute;dure d'installation</a>
configure votre syst&egrave;me pour lancer Shorewall au boot du syst&egrave;me,
mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement
est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie. Une
fois la configuration de votre firewall achev&eacute;e, vous pouvez permettre
le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
mais pour les d&eacute;butants sous Shorewall version 1.3.9, le lancement
est d&eacute;sactiv&eacute; tant que la configuration n' est pas finie.
Une fois la configuration de votre firewall achev&eacute;e, vous pouvez
permettre le lancement de Shorewall en enlevant le fichier /etc/shorewall/startup_disabled.</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs des
paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent &eacute;diter /etc/default/shorewall et mettre 'startup=1'.</font></p>
<p align="left">Le firewall est lanc&eacute; en utilisant la commande "shorewall
start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;,
le routage est permis sur les h&ocirc;tes qui sont dans le fichier<a
start" et stopp&eacute; avec "shorewall stop". Lorsque le firewall est stopp&eacute;,
le routage est permis sur les h&ocirc;tes qui sont dans le fichier<a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall fonctionnant peut &ecirc;tre relanc&eacute; en utilisant la commande
"shorewall restart". Si vous voulez enlever toutes les traces de Shorewall
dans votre configuration de Netfilter, utilisez "shorewall clear".</p>
firewall fonctionnant peut &ecirc;tre relanc&eacute; en utilisant la commande
"shorewall restart". Si vous voulez enlever toutes les traces de Shorewall
dans votre configuration de Netfilter, utilisez "shorewall clear".</p>
<p align="left"><img src="images/BD21298_.gif" name="Image20"
align="bottom" width="13" height="13" border="0">
&nbsp;&nbsp;&nbsp; Les exemples (two-interface) supposent que vous voulez
permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local) lorsque
Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est pas connect&eacute;
&agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s depuis ou
vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped en cons&eacute;quence.</p>
permettre le routage depuis ou vers <b>eth1 </b>(le r&eacute;seau local)
lorsque Shorewall est stopp&eacute;. Si votre r&eacute;seau local n' est
pas connect&eacute; &agrave; <b>eth1</b> ou si vous voulez permettre l'acc&egrave;s
depuis ou vers d'autres h&ocirc;tes, changez /etc/shorewall/routestopped
en cons&eacute;quence.</p>
<p align="left"><b>ATTENTION: </b>Si vous &ecirc;tes connect&eacute; &agrave;
votre firewall depuis Internet, n'essayez pas la commande "shorewall stop"
tant que vous n'avez pas ajout&eacute; une entr&eacute;e pour votre adresse
IP depuis laquelle vous &ecirc;tes connect&eacute; dans<a
votre firewall depuis Internet, n'essayez pas la commande "shorewall stop"
tant que vous n'avez pas ajout&eacute; une entr&eacute;e pour votre adresse
IP depuis laquelle vous &ecirc;tes connect&eacute; dans<a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. De
plus, je ne vous recommande pas d'utiliser "shorewall restart"; il est mieux
de cr&eacute;er une <a href="configuration_file_basics.htm#Configs"><i>configuration
plus, je ne vous recommande pas d'utiliser "shorewall restart"; il est mieux
de cr&eacute;er une <a href="configuration_file_basics.htm#Configs"><i>configuration
alternative</i></a> et de l'essayer en utilisant la commande<a
href="starting_and_stopping_shorewall.htm">"shorewall try".</a></p>
@ -1364,7 +1366,8 @@ de cr&eacute;er une <a href="configuration_file_basics.htm#Configs"><i>configura
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>

137
Shorewall-docs/upgrade_issues.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -56,6 +56,7 @@
<h3> </h3>
<h3>Version &gt;= 1.4.6</h3>
<ul>
<li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed
from shorewall.conf. These capabilities are now automatically detected by
@ -65,25 +66,26 @@ file as follows:<br>
<br>
<i>zone</i>    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
<i>zone</i>   eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ul>
<h3>Version &gt;= 1.4.4</h3>
If you are upgrading from 1.4.3 and have set the LOGMARKER variable in
<a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
If you are upgrading from 1.4.3 and have set the LOGMARKER variable
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
you must set the new LOGFORMAT variable appropriately and remove your setting
of LOGMARKER<br>
<br>
<h3>Version 1.4.4<br>
</h3>
If you have zone names that are 5 characters long, you may experience problems
starting Shorewall because the --log-prefix in a logging rule is too long.
Upgrade to Version 1.4.4a to fix this problem..<br>
If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule
is too long. Upgrade to Version 1.4.4a to fix this problem..<br>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
@ -102,29 +104,30 @@ transparent proxy in your local zone.</a></li>
<h3>Version &gt;= 1.4.1</h3>
<ul>
<li>Beginning with Version 1.4.1, traffic between groups in the
same zone is accepted by default. Previously, traffic from a zone to itself
was treated just like any other traffic; any matching rules were applied
followed by enforcement of the appropriate policy. With 1.4.1 and later
versions, unless you have explicit rules for traffic from Z to Z or you
have an explicit Z to Z policy (where "Z" is some zone) then traffic between
the groups in zone Z will be accepted. If you do have one or more explicit
rules for Z to Z or if you have an explicit Z to Z policy then the behavior
is as it was in prior versions.</li>
<li>Beginning with Version 1.4.1, traffic between groups in
the same zone is accepted by default. Previously, traffic from a zone
to itself was treated just like any other traffic; any matching rules
were applied followed by enforcement of the appropriate policy. With 1.4.1
and later versions, unless you have explicit rules for traffic from Z
to Z or you have an explicit Z to Z policy (where "Z" is some zone) then
traffic between the groups in zone Z will be accepted. If you do have one
or more explicit rules for Z to Z or if you have an explicit Z to Z policy
then the behavior is as it was in prior versions.</li>
</ul>
<blockquote>
<ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed and
traffic between the interfaces will traverse fewer rules than previously.</li>
between two interfaces to the same zone, that policy can be removed
and traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have
Z-&gt;Z rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one that
has "all" in either the SOURCE or DESTINATION column) to prevent traffic
between two interfaces to a zone Z and you have no rules for Z-&gt;Z
then you should add an explicit DROP or REJECT policy for Z to Z.<br>
Z-&gt;Z rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one
that has "all" in either the SOURCE or DESTINATION column) to prevent
traffic between two interfaces to a zone Z and you have no rules for
Z-&gt;Z then you should add an explicit DROP or REJECT policy for Z to
Z.<br>
</li>
</ol>
@ -143,15 +146,15 @@ then you should add an explicit DROP or REJECT policy for Z to Z.<br>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going
to be involved in any traffic between these two zones. Beginning with Shorewall
1.4.1, you can prevent Shorewall from setting up any infrastructure to
handle traffic between z1 and z2 by using the new NONE policy:<br>
to be involved in any traffic between these two zones. Beginning with
Shorewall 1.4.1, you can prevent Shorewall from setting up any infrastructure
to handle traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there
is asymetric routing where only the traffic on one direction flows through
is asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other direction. </blockquote>
<h3>Version 1.4.1<br>
@ -159,7 +162,7 @@ is asymetric routing where only the traffic on one direction flows through
<ul>
<li>In Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given group back to itself. The <i>multi</i>
deal with traffic from a given group back to itself. The <i>multi</i>
interface option is no longer available so if you want to route traffic
between two subnetworks on the same interface then I recommend that you
upgrade to Version 1.4.2 and use the 'routeback' interface or host option. </li>
@ -171,31 +174,32 @@ upgrade to Version 1.4.2 and use the 'routeback' interface or host option.
iproute package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
iproute2 which will cause the upgrade of Shorewall to fail with the
diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface
options are no longer supported nor is the <b>FORWARDPING </b>option
in shorewall.conf. ICMP echo-request (ping) packets are treated just
like any other connection request and are subject to rules and policies.</li>
options are no longer supported nor is the <b>FORWARDPING </b>option
in shorewall.conf. ICMP echo-request (ping) packets are treated just
like any other connection request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when
there are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces and
hosts file has been eliminated; use entries in the routestopped file
instead.</li>
there are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces
and hosts file has been eliminated; use entries in the routestopped
file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf
@ -255,22 +259,23 @@ the SOURCE and DESTINATION columns.</li>
height="13">
     Beginning in version 1.3.14, Shorewall treats entries
in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
The change involves entries with an <b>interface name</b> in the
<b>SUBNET</b> (second) <b>column</b>:<br>
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST
subnet on the interface (as shown by "ip addr show <i>interface</i>")
and would masquerade traffic from that subnet. Any other subnets that
routed through eth1 needed their own entry in /etc/shorewall/masq
to be masqueraded or to have SNAT applied.</li>
routed through eth1 needed their own entry in /etc/shorewall/masq to
be masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses
the firewall's routing table to determine ALL subnets routed through
the named interface. Traffic originating in ANY of those subnets
is masqueraded or has SNAT applied.</li>
the named interface. Traffic originating in ANY of those subnets is
masqueraded or has SNAT applied.</li>
</ul>
You will need to make a change to your configuration if:<br>
You will need to make a change to your configuration
if:<br>
<ol>
<li>You have one or more entries in /etc/shorewall/masq
@ -311,8 +316,9 @@ the old handling indefinitely so I urge current users to migrate to using
handling documentation</a> for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are now
upgrading to version 1.3.10, you will need to use the '--force' option:<br>
If you have installed the 1.3.10 Beta 1 RPM and are
now upgrading to version 1.3.10, you will need to use the '--force'
option:<br>
<br>
<blockquote>
@ -321,9 +327,8 @@ the old handling indefinitely so I urge current users to migrate to using
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file,
your application will need to be changed to reflect this change of
location.<br>
If you have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
@ -353,14 +358,14 @@ location.<br>
<ol>
<li>Be sure you
have a backup -- you will need
to transcribe any Shorewall configuration
to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the
shorwall.lrp package provided on
the Bering floppy with the later one. If you did
not obtain the later version from Jacques's
site, see additional instructions below.</li>
not obtain the later version from Jacques's site,
see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not
@ -382,8 +387,8 @@ forget to backup root.lrp !</li>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions 1.3.6
and 1.3.7</p>
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
<ol>
<li>
@ -391,20 +396,21 @@ forget to backup root.lrp !</li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn
-j RETURN # So that the connection tracking table can
be rebuilt<br>
                                    #
from non-SYN packets after takeover.<br>
<font face="Courier">run_iptables -A
newnotsyn -j RETURN # So that the connection tracking
table can be rebuilt<br>
                                   
# from non-SYN packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common
-p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT #Accept
Acks to rebuild connection<br>
<font face="Courier">run_iptables -A
common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
#Accept Acks to rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
@ -450,15 +456,16 @@ from non-SYN packets after takeover.<br>
<p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those
applications should be modified accordingly.</p>
applications should be modified accordingly.</p>
<p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom Eastep</a></font>
</p>
<p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
</body>
</html>

3
Shorewall-docs/useful_links.html
View File

@ -12,7 +12,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#400169" height="90">
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -61,5 +61,6 @@
<br>
<br>
<br>
<br>
</body>
</html>

59
Shorewall-docs/whitelisting_under_shorewall.htm
View File

@ -16,7 +16,7 @@
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#400169" height="90">
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
@ -27,9 +27,9 @@
</tbody>
</table>
<p align="left">For a brief time, the 1.2 version of Shorewall supported an
/etc/shorewall/whitelist file. This file was intended to contain a list of
IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
<p align="left">For a brief time, the 1.2 version of Shorewall supported
an /etc/shorewall/whitelist file. This file was intended to contain a list
of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
file was implemented as a stop-gap measure until the facilities necessary
for implementing white lists using zones was in place. As of Version 1.3
RC1, those facilities were available.</p>
@ -39,18 +39,19 @@ to a set
following environment:</p>
<ul>
<li>A firewall with three interfaces -- one to the internet, one to
a local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised of
the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918
local network, the technique described here in no way depends on that or
on SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li>
<li>A firewall with three interfaces -- one to the internet, one
to a local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised
of the class B network 10.10.0.0/16 (Note: While this example uses an RFC
1918 local network, the technique described here in no way depends on
that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
NAT, etc.).</li>
<li>The network operations staff have workstations with IP addresses
in the class C network 10.10.10.0/24</li>
<li>We want the network operations staff to have full access to all
other hosts.</li>
<li>We want the network operations staff to bypass the transparent
HTTP proxy running on our firewall.</li>
HTTP proxy running on our firewall.</li>
</ul>
@ -127,7 +128,6 @@ since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -139,7 +139,6 @@ we don't specify a zone for it here.</p>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<table border="2">
<tbody>
<tr>
@ -159,23 +158,21 @@ we don't specify a zone for it here.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is
stopped, only the hosts in the <b>ops</b> zone will be allowed to access the
firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather
than 10.10.0.0/16 so that the limited broadcast address (255.255.255.255)
falls into that zone. If I used 10.10.0.0/16 then I would have to have a
separate entry for that special address.</p>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is stopped,
only the hosts in the <b>ops</b> zone will be allowed to access the firewall
and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than 10.10.0.0/16
so that the limited broadcast address (255.255.255.255) falls into that
zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
that special address.</p>
<h2>Policy File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<table border="2">
<tbody>
<tr>
@ -189,18 +186,14 @@ separate entry for that special address.</p>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ACCEPT</font></td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">CONTINUE</font></td>
<td> </td>
<td> </td>
</tr>
<tr>
@ -208,7 +201,6 @@ separate entry for that special address.</p>
<td>net</td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
</tr>
<tr>
@ -226,7 +218,6 @@ separate entry for that special address.</p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -271,8 +262,6 @@ file.<font color="#ff0000"><b></b></font></p>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
@ -280,6 +269,7 @@ file.<font color="#ff0000"><b></b></font></p>
<p>This is the rule that transparently redirects web traffic to the transparent
proxy running on the firewall. The SOURCE column explicitly excludes the
<b>ops</b> zone from the rule.</p>
<h2>Routestopped File</h2>
<blockquote>
@ -302,24 +292,17 @@ file.<font color="#ff0000"><b></b></font></p>
<td>10.10.10.0/24</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
</blockquote>
<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>