Update Documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-08-07 02:13:32 +00:00
parent 84cb8c445d
commit ceaf86f709
13 changed files with 774 additions and 465 deletions

View File

@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2004-07-14</pubdate>
<pubdate>2004-08-01</pubdate>
<copyright>
<year>2001-2004</year>
@ -65,7 +65,7 @@
</section>
<section>
<title>Port Forwarding</title>
<title>Port Forwarding (Port Redirection)</title>
<section id="faq1">
<title>(FAQ 1) I want to forward UDP port 7777 to my my personal PC with
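Review bot: the context line `(FAQ 1) I want to forward UDP port 7777 to my my personal PC` repeats "my"; since this file's section title and pubdate are being edited in the same change, fix the typo here as well ("to my personal PC").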

View File

@ -111,7 +111,7 @@ Device &#34;eth0:0&#34; does not exist.
case $1 in
eth0)
/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0
/sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0
;;
esac</programlisting>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-06-11</pubdate>
<pubdate>2004-07-31</pubdate>
<copyright>
<year>2004</year>
@ -159,12 +159,11 @@
<para>Unfortunately, Linux distributions don&#39;t have good bridge
configuration tools and the network configuration GUIs don&#39;t detect
the presence of bridge devices. You may refer to <ulink
url="http://shorewall.net/2.0/myfiles.htm">my configuration files</ulink>
for an example of configuring a three-port bridge at system boot under
<trademark>SuSE</trademark>. Here is an excerpt from a Debian
<filename>/etc/network/interfaces</filename> file for a two-port bridge
with a static IP address:</para>
the presence of bridge devices. You may refer to <ulink url="myfiles.htm">my
configuration files</ulink> for an example of configuring a three-port
bridge at system boot under <trademark>SuSE</trademark>. Here is an
excerpt from a Debian <filename>/etc/network/interfaces</filename> file
for a two-port bridge with a static IP address:</para>
<blockquote>
<programlisting>auto br0
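Review bot: the link target changes from the absolute http://shorewall.net/2.0/myfiles.htm to the relative myfiles.htm, which only resolves if this document and myfiles.htm are published in the same directory; confirm that holds everywhere the bridge document is served (the 2.0 tree as well as trunk), otherwise the link breaks silently.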
@ -294,6 +293,36 @@ exit 0</programlisting>
INTERFACES=&#34;eth0 eth1&#34; #The physical interfaces to be bridged</programlisting>
</blockquote>
<para>Andrzej Szelachowski contributed the following.</para>
<blockquote>
<programlisting>Here is how I configured bridge in Slackware:
1) I had to compile bridge-utils (It&#39;s not in the standard distribution)
2) I&#39;ve created rc.bridge in /etc/rc.d:
#########################
#! /bin/sh
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
#ifconfig lo 127.0.0.1 #this line should be uncommented if you don&#39;t use rc.inet1
brctl addbr most
brctl addif most eth0
brctl addif most eth1
ifconfig most 192.168.1.31 netmask 255.255.255.0 up
#route add default gw 192.168.1.1 metric 1 #this line should be uncommented if
#you don&#39;t use rc.inet1
#########################
3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local
/etc/rc.d/rc.bridge </programlisting>
</blockquote>
<para>Users who successfully configure bridges on other distributions,
with static or dynamic IP addresses, are encouraged to send <ulink
url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I
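Review bot: step 3 of the contributed Slackware text refers to `rc.brige` while the script created in step 2 is `rc.bridge`; correct the filename so readers who copy the `/etc/rc.d/rc.local` line get a file that exists. Also, the whole contribution (numbered steps plus the script) is wrapped in one `<programlisting>`, which renders the prose steps as monospaced code; an `<orderedlist>` with only the script in a `<programlisting>` would match the rest of the document and keep the shell script copy-pasteable on its own.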

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-07-29</pubdate>
<pubdate>2004-07-30</pubdate>
<copyright>
<year>2001-2004</year>
@ -87,6 +87,22 @@
<section>
<title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.3a through 2.0.7</title>
<itemizedlist>
<listitem>
<para>Entries in the USER/GROUP column of an action file (made from
action.template) may be ignored or cause odd errors. </para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.3a through 2.0.4</title>
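Review bot: the new errata entry says USER/GROUP entries in an action file "may be ignored" but not what that means for the resulting ruleset: if the column is ignored, the generated rule matches regardless of user or group, which is broader than the administrator intended. State that consequence so readers of the 2.0.3a through 2.0.7 section can judge urgency, and restate or link the "as described above" installation steps for the replacement firewall script, since the section can be reached directly by its anchor. The version range also overlaps the following "Shorewall 2.0.3a through 2.0.4" section; a sentence saying that users on 2.0.4 need both fixes would avoid confusion.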

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-13</pubdate>
<pubdate>2004-08-05</pubdate>
<copyright>
<year>2001-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -40,9 +41,9 @@
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of
which are relevant to a simple configuration with a single public IP
address. If you have just a single public IP address, most of what you
see here won&#39;t apply to your setup so beware of copying parts of
this configuration and expecting them to work for you. What you copy may
or may not work for you.</para>
see here won't apply to your setup so beware of copying parts of this
configuration and expecting them to work for you. What you copy may or
may not work for you.</para>
</caution>
<caution>
@ -75,19 +76,21 @@
</listitem>
<listitem>
<para>I use SNAT through 206.124.146.179 for&#x00A0; my SuSE 9.0 Linux
system <quote>Wookie</quote>, my Wife&#39;s Windows XP system
<quote>Tarry</quote>, and our&#x00A0; dual-booting (Windows
XP/Mandrake 10.0 Official) laptop <quote>Tipper</quote> which connects
through the Wireless Access Point (wap) via a Wireless Bridge (wet).<note><para>While
the distance between the WAP and where I usually use the laptop
isn&#39;t very far (25 feet or so), using a WAC11 (CardBus wireless
card) has proved very unsatisfactory (lots of lost connections). By
replacing the WAC11 with the WET11 wireless bridge, I have virtually
eliminated these problems (Being an old radio tinkerer (K7JPV), I was
also able to eliminate the disconnects by hanging a piece of aluminum
foil on the family room wall. Needless to say, my wife Tarry rejected
that as a permanent solution :-).</para></note></para>
<para>I use SNAT through 206.124.146.179 for&nbsp; my SuSE 9.0 Linux
system <quote>Wookie</quote>, my Wife's Windows XP system
<quote>Tarry</quote>, and our&nbsp; dual-booting (Windows XP/SuSE 9.1)
laptop <quote>Tipper</quote> which connects through the Wireless
Access Point (wap) via a Wireless Bridge (wet).<note>
<para>While the distance between the WAP and where I usually use
the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
wireless card) has proved very unsatisfactory (lots of lost
connections). By replacing the WAC11 with the WET11 wireless
bridge, I have virtually eliminated these problems (Being an old
radio tinkerer (K7JPV), I was also able to eliminate the
disconnects by hanging a piece of aluminum foil on the family room
wall. Needless to say, my wife Tarry rejected that as a permanent
solution :-).</para>
</note></para>
</listitem>
</itemizedlist>
@ -98,16 +101,17 @@
</listitem>
</itemizedlist>
<para>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</para>
<para>The firewall runs on a 256MB PII/233 with Debian Sarge
(Testing).</para>
<para>Wookie and Ursa run Samba and Wookie acts as a WINS server.</para>
<para>The wireless network connects to Wookie&#39;s eth2 via a LinkSys
WAP11.&#x00A0; In additional to using the rather weak WEP 40-bit
encryption (64-bit with the 24-bit preamble), I use <ulink
<para>The wireless network connects to Wookie's eth2 via a LinkSys
WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
(64-bit with the 24-bit preamble), I use <ulink
url="MAC_Validation.html">MAC verification</ulink>. This is still a weak
combination and if I lived near a wireless <quote>hot spot</quote>, I
would probably add IPSEC or something similar to my WiFi-&#62;local
would probably add IPSEC or something similar to my WiFi-&gt;local
connections.</para>
<para>The single system in the DMZ (address 206.124.146.177) runs postfix,
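Review bot: the rewrapped sentence keeps the typo "In additional to using the rather weak WEP 40-bit encryption"; since the paragraph is being rewritten anyway, change it to "In addition to".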
@ -132,13 +136,14 @@
in the DMZ.</para>
<para>The ethernet interface in the Server is configured with IP address
206.124.146.177, netmask 255.255.255.0. The server&#39;s default gateway
is 206.124.146.254 (Router at my ISP. This is the same default gateway
used by the firewall itself). On the firewall, an entry in my
206.124.146.177, netmask 255.255.255.0. The server's default gateway is
206.124.146.254 (Router at my ISP. This is the same default gateway used
by the firewall itself). On the firewall, an entry in my
/etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior
access.</para>
<para><graphic align="center" fileref="images/network.png" /></para>
</section>
@ -162,7 +167,7 @@ RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK= #I run Debian which doesn&#39;t use service locks
SUBSYSLOCK= #I run Debian which doesn't use service locks
STATEDIR=/var/state/shorewall
MODULESDIR=
FW=fw
@ -189,9 +194,9 @@ TCP_FLAGS_DISPOSITION=DROP
<title>Params File (Edited)</title>
<blockquote>
<para><programlisting>MIRRORS=&#60;list of shorewall mirror ip addresses&#62;
NTPSERVERS=&#60;list of the NTP servers I sync with&#62;
TEXAS=&#60;ip address of gateway in Plano&#62;
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt;
LOG=info</programlisting></para>
</blockquote>
</section>
@ -230,7 +235,7 @@ dmz eth1 -
<blockquote>
<programlisting>#ZONE HOST(S) OPTIONS
tx&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; texas:192.168.8.0/22
tx&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
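Review bot: the hosts-file listing pads `tx` from `texas:192.168.8.0/22` with non-breaking spaces (`&#x00A0;` before, `&nbsp;` after); inside a `<programlisting>` these render as U+00A0 characters, so a reader who copies the line into /etc/shorewall/hosts gets a field separator that the shell-based configuration reader does not treat as whitespace. Use ordinary spaces as the other listings in this file do. Separately, `&nbsp;` is only valid if the DocBook DTD in use declares that entity, whereas the numeric reference works with any XML parser.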
@ -284,14 +289,14 @@ eth2 -
<blockquote>
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT # For testing fw-&#62;fw rules
fw fw ACCEPT # For testing fw-&gt;fw rules
loc net ACCEPT # Allow all net traffic from local net
$FW loc ACCEPT # Allow local access from the firewall
$FW tx ACCEPT # Allow firewall access to texas
loc tx ACCEPT # Allow local net access to texas
loc fw REJECT $LOG # Reject loc-&#62;fw and log
loc fw REJECT $LOG # Reject loc-&gt;fw and log
net all DROP $LOG 10/sec:40 # Rate limit and
# DROP net-&#62;all
# DROP net-&gt;all
all all REJECT $LOG # Reject and log the rest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
@ -302,16 +307,15 @@ all all REJECT $LOG # Reje
<blockquote>
<para>Although most of our internal systems use one-to-one NAT, my
wife&#39;s system (192.168.1.4) uses IP Masquerading (actually SNAT)
as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
visitors with laptops.</para>
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors
with laptops.</para>
<para>The first entry allows access to the DSL modem and uses features
introduced in Shorewall 2.1.1. The leading plus sign (&#34;+_&#34;)
causes the rule to be placed before rules generated by the
/etc/shorewall/nat file below. The double colons (&#34;::&#34;) causes
the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf
file above.</para>
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
rule to be placed before rules generated by the /etc/shorewall/nat
file below. The double colons ("::") causes the entry to be exempt
from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
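Review bot: the prose says the leading plus sign is ("+_"), but the listing line is `+eth0::192.168.1.1`; the underscore is a stray character and should be dropped ("+"). The same paragraph is the only place noting that this masq entry requires features from Shorewall 2.1.1; since readers on earlier versions cannot use it, flagging the version requirement in the section title would keep them from copying an entry their version cannot parse.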
@ -344,7 +348,8 @@ eth0:2 eth2 206.124.146.179
</section>
<section>
<title>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</title>
<title>Tunnels File (Shell variable TEXAS set in
/etc/shorewall/params)</title>
<blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
@ -369,7 +374,8 @@ Mirrors #Accept traffic from the Shorewall Mirror sites
<blockquote>
<para>The $MIRRORS variable expands to a list of approximately 10 IP
addresses. So moving these checks into a separate chain reduces the
number of rules that most net-&#62;dmz traffic needs to traverse.</para>
number of rules that most net-&gt;dmz traffic needs to
traverse.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT
@ -416,14 +422,15 @@ RejectSMB
DropUPnP
dropNotSyn
DropDNSrep
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn&#39;t flood my log
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
#with NTP requests with a source address in 16.0.0.0/8 (address of
#its PPTP tunnel to HP).</programlisting>
</blockquote>
</section>
<section>
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title>
<title>Rules File (The shell variables are set in
/etc/shorewall/params)</title>
<blockquote>
<programlisting>###############################################################################################################################################################################
@ -477,7 +484,7 @@ Mirrors net dmz tcp rsync
#
# Net to Local
#
# When I&#39;m &#34;on the road&#34;, the following two rules allow me VPN access back home.
# When I'm "on the road", the following two rules allow me VPN access back home.
#
DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!4.3.113.178 loc:192.168.1.4 gre -
@ -510,12 +517,12 @@ ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn&#39;t understand. Either way,
# that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &#38; snmp, Silently reject Auth
# DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp 161,ssh
@ -568,7 +575,8 @@ ACCEPT tx loc:192.168.1.5 all
displayed in <emphasis role="bold">bold type</emphasis>) add a route
to my DSL modem when eth0 is brought up and a route to my DMZ server
when eth1 is brought up. It allows me to enter <quote>Yes</quote> in
the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP file</link>.</para>
the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP
file</link>.</para>
<programlisting>...
auto auto eth0
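Review bot: the trailing context line reads `auto auto eth0`; in /etc/network/interfaces the `auto` stanza takes interface names, so a doubled `auto` would declare an interface named "auto". If the source file really contains this, fix it to `auto eth0` while the paragraph above is being rewrapped.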
@ -594,13 +602,13 @@ iface eth1 inet static
<section>
<title>Bridge (Wookie) Configuration</title>
<para>As mentioned above, Wookie acts as a bridge. It&#39;s view of the
<para>As mentioned above, Wookie acts as a bridge. It's view of the
network is diagrammed in the following figure.</para>
<graphic fileref="images/network1.png" />
<para>I&#39;ve included the files that I used to configure that system --
some of them are SuSE-specific.</para>
<para>I've included the files that I used to configure that system -- some
of them are SuSE-specific.</para>
<para>The configuration on Wookie can be modified to test various bridging
features -- otherwise, it serves to isolate the Wireless network from the
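Review bot: the replacement line changes only the apostrophe entity and keeps the wrong word: "It's view of the network" should be "Its view of the network" (possessive, not "it is").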
@ -681,10 +689,9 @@ WiFi br0:eth2 maclist
my bridge/firewall. Squid listens on port 3128.</para>
<para>The remaining rules protect the local systems and bridge from
the WiFi network. Note that we don&#39;t restrict WiFi→net traffic
since the only directly-accessible system in the net zone is the
firewall (Wookie and the Firewall are connected by a cross-over
cable).</para>
the WiFi network. Note that we don't restrict WiFi→net traffic since
the only directly-accessible system in the net zone is the firewall
(Wookie and the Firewall are connected by a cross-over cable).</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST
@ -758,7 +765,7 @@ br0:eth2 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
do_stop() {
echo &#34;Stopping Bridge&#34;
echo "Stopping Bridge"
brctl delbr br0
ip link set eth0 down
ip link set eth1 down
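Review bot: in `do_stop()`, `brctl delbr br0` is issued while br0 is still up (no `ip link set br0 down` precedes it); brctl refuses to delete a bridge that is up, so the stop path leaves br0 in place and then only downs the member ports. Add `ip link set br0 down` before `brctl delbr br0`.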
@ -767,7 +774,7 @@ do_stop() {
do_start() {
echo &#34;Starting Bridge&#34;
echo "Starting Bridge"
ip link set eth0 up
ip link set eth1 up
ip link set eth2 up
@ -777,7 +784,7 @@ do_start() {
brctl addif br0 eth2
}
case &#34;$1&#34; in
case "$1" in
start)
do_start
;;
@ -790,7 +797,7 @@ case &#34;$1&#34; in
do_start
;;
*)
echo &#34;Usage: $0 {start|stop|restart}&#34;
echo "Usage: $0 {start|stop|restart}"
exit 1
esac
exit 0</programlisting>
@ -803,16 +810,16 @@ exit 0</programlisting>
<blockquote>
<para>This file is SuSE-specific</para>
<programlisting>BOOTPROTO=&#39;static&#39;
BROADCAST=&#39;192.168.1.255&#39;
IPADDR=&#39;192.168.1.3&#39;
NETWORK=&#39;192.168.1.0&#39;
NETMASK=&#39;255.255.255.0&#39;
REMOTE_IPADDR=&#39;&#39;
STARTMODE=&#39;onboot&#39;
UNIQUE=&#39;3hqH.MjuOqWfSZ+C&#39;
WIRELESS=&#39;no&#39;
MTU=&#39;&#39;</programlisting>
<programlisting>BOOTPROTO='static'
BROADCAST='192.168.1.255'
IPADDR='192.168.1.3'
NETWORK='192.168.1.0'
NETMASK='255.255.255.0'
REMOTE_IPADDR=''
STARTMODE='onboot'
UNIQUE='3hqH.MjuOqWfSZ+C'
WIRELESS='no'
MTU=''</programlisting>
</blockquote>
</section>

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-05-28</pubdate>
<pubdate>2004-07-31</pubdate>
<copyright>
<year>2001-2002</year>
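Review bot: the pubdate moves to 2004-07-31 but the `<copyright><year>` context below it still reads 2001-2002; update the year range (the other documents in this commit use 2001-2004) if the content was revised.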
@ -54,7 +54,7 @@
zone:</para>
<programlisting>#ACTION SOURCE DESTINATION
AllowDNS dmz net</programlisting>
AllowDNS dmz net</programlisting>
</note>
<note>
@ -107,7 +107,7 @@ ACCEPT dmz net tcp 53</programlisting>
<note>
<para>Recursive Resolution means that if the server itself can&#39;t
resolve the name presented to it, the server will attempt to resolve the
name with the help of other servers. </para>
name with the help of other servers.</para>
</note>
</section>
@ -303,6 +303,17 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 443 #Secure HTTP</programlisting>
</section>
<section>
<title>X/XDMCP</title>
<para>Assume that the Choser and/or X Server are running at &#60;<emphasis>chooser</emphasis>&#62;
and the Display Manager/X applications are running at &#60;<emphasis>apps</emphasis>&#62;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT &#60;<emphasis>chooser</emphasis>&#62; &#60;<emphasis>apps</emphasis>&#62; udp 177 #XDMCP
ACCEPT &#60;<emphasis>apps</emphasis>&#62; &#60;<emphasis>chooser</emphasis>&#62; tcp 6000:6009 #X Displays 0-9</programlisting>
</section>
<section>
<title>Other Source of Port Information</title>
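Review bot: "Choser" in the new X/XDMCP paragraph should be "Chooser". The rule pair itself reads correctly (XDMCP on udp 177 from the chooser toward the display manager host, and the X display connections on tcp 6000:6009 in the reverse direction); it would help readers to say explicitly that the second rule should stay restricted to the `<apps>` source shown, since the X displays are only meant to accept connections from that host.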

View File

@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2004-03-28</pubdate>
<pubdate>2004-07-31</pubdate>
<copyright>
<year>2003</year>
@ -36,6 +36,18 @@
<section>
<title>What Users are saying...</title>
<blockquote>
<attribution>AS, Poland</attribution>
<para><emphasis>I want to say that Shorewall documentation is the best
I&#39;ve ever found on the net. It&#39;s helped me a lot in
understanding how network is working. It is the best of breed. It
contains not only Shorewall specific topics with the assumption that all
the rest is well known, but also gives some very useful background
information. Thank you very much for this wonderful piece of work.
</emphasis></para>
</blockquote>
<blockquote>
<attribution>ES, Phoenix AZ, USA</attribution>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-22</pubdate>
<pubdate>2004-07-31</pubdate>
<copyright>
<year>2001-2004</year>
@ -232,7 +232,7 @@
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
# LEVEL
fw net ACCEPT
loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>
@ -2170,12 +2170,14 @@ localhost 86400 IN A 127.0.0.1
firewall 86400 IN A 192.0.2.176
www 86400 IN A 192.0.2.177
ns1 86400 IN A 192.0.2.177
www 86400 IN A 192.0.2.177
mail 86400 IN A 192.0.2.178
gateway 86400 IN A 192.168.201.1
winken 86400 IN A 192.168.201.2
blinken 86400 IN A 192.168.201.3
nod 86400 IN A 192.168.201.4</programlisting>
gateway 86400 IN A 192.168.201.1
winken 86400 IN A 192.168.201.2
blinken 86400 IN A 192.168.201.3
nod 86400 IN A 192.168.201.4
dmz 86400 IN A 192.168.202.1</programlisting>
<para><filename>ext/db.foobar </filename>- Forward zone for external
clients.</para>

File diff suppressed because it is too large

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-25</pubdate>
<pubdate>2004-07-29</pubdate>
<copyright>
<year>2001-2004</year>
@ -78,7 +78,7 @@
<title>Problem Reporting Guidelines</title>
<note>
<para>Shorewall versions earlier that 1.3.0 are no longer supported.</para>
<para>Shorewall versions earlier that 1.4.0 are no longer supported.</para>
</note>
<itemizedlist>
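Review bot: the replacement line only bumps the version and keeps the typo "earlier that 1.4.0"; it should read "earlier than 1.4.0".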

View File

@ -5,7 +5,7 @@
<!--$Id$-->
<articleinfo>
<title></title>
<title>Operating Shorewall</title>
<authorgroup>
<author>
@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-MM-DD</pubdate>
<pubdate>2004-07-31</pubdate>
<copyright>
<year>2004</year>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-14</pubdate>
<pubdate>2004-07-31</pubdate>
<copyright>
<year>2002-2004</year>
@ -169,12 +169,12 @@
and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even
if you do not modify those files.</para></warning></para>
<para>After you have installed Shorewall, download the three-interface
sample, un-tar it (<command>tar <option>-zxvf</option>
<filename>three-interfaces.tgz</filename></command>) and and copy the
files to <filename>/etc/shorewall</filename> (the files will replace files
with the same names that were placed in <filename>/etc/shorewall</filename>
when Shorewall was installed).</para>
<para>After you have installed Shorewall, download the <ulink
url="http://shorewall.net/pub/shorewall/Samples">three-interface sample</ulink>,
un-tar it (<command>tar <option>-zxvf</option> <filename>three-interfaces.tgz</filename></command>)
and and copy the files to <filename>/etc/shorewall</filename> (the files
will replace files with the same names that were placed in
<filename>/etc/shorewall</filename> when Shorewall was installed).</para>
<para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration
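Review bot: "and and copy the files" survives the rewrap; drop the duplicated "and". Adding the Samples link is useful, but http://shorewall.net/pub/shorewall/Samples appears to point at the Samples directory rather than at the three-interfaces.tgz file named in the next clause; pointing at the archive itself, or saying which file to pick from the listing, would make the instruction unambiguous.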
@ -372,13 +372,10 @@ fw net ACCEPT</programlisting>
</tip>
<tip>
<para>If you specify <emphasis>norfc1918</emphasis> for your external
<para>If you specify <emphasis>nobogons</emphasis> for your external
interface, you will want to check the <ulink url="errata.htm">Shorewall
Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/rfc1918
file</filename>. Alternatively, you can copy <filename>/usr/share/shorewall/rfc1918</filename>
to <filename>/etc/shorewall/rfc1918</filename> then <ulink
url="myfiles.htm#RFC1918">strip down your <filename>/etc/shorewall/rfc1918</filename>
file as I do</ulink>.</para>
Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/bogons
file</filename>.</para>
</tip>
</section>
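Review bot: the tip now refers to the `nobogons` option and the /usr/share/shorewall/bogons file, but it is one tip among several for the interfaces file; check that the interfaces listing and any earlier mention of `norfc1918` in the same document were renamed too, otherwise the tip advises an option the example never sets. Dropping the "copy and strip down /etc/shorewall/rfc1918" alternative is fine, but if the same local-override mechanism exists for bogons, a one-line note saying so would preserve the guidance readers relied on.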

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-14</pubdate>
<pubdate>2004-08-05</pubdate>
<copyright>
<year>2001-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -40,8 +41,8 @@
management itself but it does contain some facilities to intergrate with
traffic shaping/control solutions. In order to use traffic shaping with
Shorewall, it is essential that you get a copy of the <ulink
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink>,
version 0.3.0 or later or <ulink
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping
HOWTO</ulink>, version 0.3.0 or later or <ulink
url="http://www.tldp.org/HOWTO/Traffic-Control-HOWTO/">The Traffic Control
HOWTO</ulink>. It is also necessary to be running Linux Kernel 2.4.18 or
later. Shorewall traffic shaping support consists of the following:</para>
@ -63,14 +64,15 @@
<listitem>
<para><emphasis role="bold">/etc/shorewall/tcrules</emphasis> - A file
where you can specify firewall marking of packets. The firewall mark
value may be used to classify packets for traffic shaping/control.</para>
value may be used to classify packets for traffic
shaping/control.</para>
</listitem>
<listitem>
<para><emphasis role="bold">/etc/shorewall/tcstart </emphasis>- A
user-supplied file that is sourced by Shorewall during <quote>shorewall
start</quote> and which you can use to define your traffic shaping
disciplines and classes. I have provided a <ulink
user-supplied file that is sourced by Shorewall during
<quote>shorewall start</quote> and which you can use to define your
traffic shaping disciplines and classes. I have provided a <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</ulink> that
does table-driven CBQ shaping but if you read the traffic shaping
sections of the HOWTO mentioned above, you can probably code your own
@ -93,17 +95,18 @@
README). <emphasis role="bold">WARNING</emphasis>: If you use use
Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the
wshaper[.htb] script won&#39;t work. Traffic shaping occurs after SNAT
has already been applied so when traffic shaping happens, all outbound
wshaper[.htb] script won't work. Traffic shaping occurs after SNAT has
already been applied so when traffic shaping happens, all outbound
traffic will have as a source address the IP addresss of your
firewall&#39;s external interface.</para>
firewall's external interface.</para>
</listitem>
<listitem>
<para><emphasis role="bold">/etc/shorewall/tcclear</emphasis> - A
user-supplied file that is sourced by Shorewall when it is clearing
traffic shaping. This file is normally not required as Shorewall&#39;s
method of clearing qdisc and filter definitions is pretty general.</para>
traffic shaping. This file is normally not required as Shorewall's
method of clearing qdisc and filter definitions is pretty
general.</para>
</listitem>
</itemizedlist>
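Review bot: the rewrapped warning still contains "If you use use Masquerading" and "IP addresss"; fix both while the lines are being touched. The substantive point of the warning, that shaping sees post-SNAT source addresses so per-internal-host entries in the wshaper script cannot match, is correct and worth keeping as a WARNING.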
@ -161,7 +164,7 @@
<section>
<title>Kernel Configuration</title>
<para>This screen shot show how I&#39;ve configured QoS in my Kernel:<graphic
<para>This screen shot show how I've configured QoS in my Kernel:<graphic
align="center" fileref="images/QoS.png" /></para>
</section>
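Review bot: "This screen shot show how I've configured" should be "shows"; the replacement line only swapped the apostrophe entity.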
@ -233,7 +236,8 @@
generating the output is running under the effective user and/or
group. It may contain :</para>
<para>[&#60;user name or number&#62;]:[&#60;group name or number&#62;]</para>
<para>[&lt;user name or number&gt;]:[&lt;group name or
number&gt;]</para>
<para>The colon is optionnal when specifying only a user.</para>
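Review bot: the context line "The colon is optionnal when specifying only a user" has a typo ("optional"); since the preceding `<para>` is being rewrapped, fix it in the same change.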
@ -303,7 +307,8 @@ run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1
echo <quote> Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit</quote>
run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
echo <quote> Enabled PFIFO on Second Level Classes</quote>