Update Documentation

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1523 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-08-07 02:13:32 +00:00
parent 84cb8c445d
commit ceaf86f709
13 changed files with 774 additions and 465 deletions

View File

@ -17,7 +17,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-14</pubdate> <pubdate>2004-08-01</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -65,7 +65,7 @@
</section> </section>
<section> <section>
<title>Port Forwarding</title> <title>Port Forwarding (Port Redirection)</title>
<section id="faq1"> <section id="faq1">
<title>(FAQ 1) I want to forward UDP port 7777 to my my personal PC with <title>(FAQ 1) I want to forward UDP port 7777 to my my personal PC with
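Review bot: the FAQ 1 title on the last line of this hunk still reads "to my my personal PC" in both the old and the new text; since the section title just above it is being changed anyway, drop the duplicated "my" in the same edit.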

View File

@ -111,7 +111,7 @@ Device &#34;eth0:0&#34; does not exist.
case $1 in case $1 in
eth0) eth0)
/sbin/ip addr add 206.124.146.177 dev eth0 label eth0:0 /sbin/ip addr add 206.124.146.178 dev eth0 label eth0:0
;; ;;
esac</programlisting> esac</programlisting>
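Review bot: the alias address in the "/sbin/ip addr add" line moves from 206.124.146.177 to 206.124.146.178. 206.124.146.177 is the address of the DMZ server in the myfiles document touched by this same commit, so the change avoids that clash, but the prose around this listing (including the "Device eth0:0 does not exist" discussion named in the hunk header) should be checked so that the text and the script name the same address.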

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-06-11</pubdate> <pubdate>2004-07-31</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -159,12 +159,11 @@
<para>Unfortunately, Linux distributions don&#39;t have good bridge <para>Unfortunately, Linux distributions don&#39;t have good bridge
configuration tools and the network configuration GUIs don&#39;t detect configuration tools and the network configuration GUIs don&#39;t detect
the presence of bridge devices. You may refer to <ulink the presence of bridge devices. You may refer to <ulink url="myfiles.htm">my
url="http://shorewall.net/2.0/myfiles.htm">my configuration files</ulink> configuration files</ulink> for an example of configuring a three-port
for an example of configuring a three-port bridge at system boot under bridge at system boot under <trademark>SuSE</trademark>. Here is an
<trademark>SuSE</trademark>. Here is an excerpt from a Debian excerpt from a Debian <filename>/etc/network/interfaces</filename> file
<filename>/etc/network/interfaces</filename> file for a two-port bridge for a two-port bridge with a static IP address:</para>
with a static IP address:</para>
<blockquote> <blockquote>
<programlisting>auto br0 <programlisting>auto br0
@ -294,6 +293,36 @@ exit 0</programlisting>
INTERFACES=&#34;eth0 eth1&#34; #The physical interfaces to be bridged</programlisting> INTERFACES=&#34;eth0 eth1&#34; #The physical interfaces to be bridged</programlisting>
</blockquote> </blockquote>
<para>Andrzej Szelachowski contributed the following.</para>
<blockquote>
<programlisting>Here is how I configured bridge in Slackware:
1) I had to compile bridge-utils (It&#39;s not in the standard distribution)
2) I&#39;ve created rc.bridge in /etc/rc.d:
#########################
#! /bin/sh
ifconfig eth0 0.0.0.0
ifconfig eth1 0.0.0.0
#ifconfig lo 127.0.0.1 #this line should be uncommented if you don&#39;t use rc.inet1
brctl addbr most
brctl addif most eth0
brctl addif most eth1
ifconfig most 192.168.1.31 netmask 255.255.255.0 up
#route add default gw 192.168.1.1 metric 1 #this line should be uncommented if
#you don&#39;t use rc.inet1
#########################
3) I made rc.brige executable and added the following line to /etc/rc.d/rc.local
/etc/rc.d/rc.bridge </programlisting>
</blockquote>
<para>Users who successfully configure bridges on other distributions, <para>Users who successfully configure bridges on other distributions,
with static or dynamic IP addresses, are encouraged to send <ulink with static or dynamic IP addresses, are encouraged to send <ulink
url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I url="mailto:webmaster@shorewall.net">me</ulink> their configuration so I
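Review bot: step 3 of the contributed Slackware text reads "I made rc.brige executable", which should be "rc.bridge" to match the file created in step 2 and the path added to rc.local. While it is being touched, the three numbered prose steps sit inside the same <programlisting> as the shell script, so they render in monospace and will be pasted along with it; an <orderedlist> with only the script in a <programlisting> would match the Debian example just above. The script itself is internally consistent (both ports zeroed with ifconfig before brctl addif, the bridge address assigned last).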

View File

@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-29</pubdate> <pubdate>2004-07-30</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -87,6 +87,22 @@
<section> <section>
<title>Problems in Version 2.0</title> <title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.3a through 2.0.7</title>
<itemizedlist>
<listitem>
<para>Entries in the USER/GROUP column of an action file (made from
action.template) may be ignored or cause odd errors. </para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section> <section>
<title>Shorewall 2.0.3a through 2.0.4</title> <title>Shorewall 2.0.3a through 2.0.4</title>
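Review bot: the new "Shorewall 2.0.3a through 2.0.7" entry overlaps the existing "Shorewall 2.0.3a through 2.0.4" section that follows it, and each points at its own corrected firewall script; a user running 2.0.4 cannot tell from this text whether the script linked under the 2.0.7 errata path also contains the earlier fixes or may only be installed over 2.0.7. State which versions the linked script is valid for and, if 2.0.4 users need a different script, say so explicitly. Also drop the stray space before </para> after "odd errors."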

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-13</pubdate> <pubdate>2004-08-05</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -40,9 +41,9 @@
<para>I use a combination of One-to-one NAT and Proxy ARP, neither of <para>I use a combination of One-to-one NAT and Proxy ARP, neither of
which are relevant to a simple configuration with a single public IP which are relevant to a simple configuration with a single public IP
address. If you have just a single public IP address, most of what you address. If you have just a single public IP address, most of what you
see here won&#39;t apply to your setup so beware of copying parts of see here won't apply to your setup so beware of copying parts of this
this configuration and expecting them to work for you. What you copy may configuration and expecting them to work for you. What you copy may or
or may not work for you.</para> may not work for you.</para>
</caution> </caution>
<caution> <caution>
@ -75,19 +76,21 @@
</listitem> </listitem>
<listitem> <listitem>
<para>I use SNAT through 206.124.146.179 for&#x00A0; my SuSE 9.0 Linux <para>I use SNAT through 206.124.146.179 for&nbsp; my SuSE 9.0 Linux
system <quote>Wookie</quote>, my Wife&#39;s Windows XP system system <quote>Wookie</quote>, my Wife's Windows XP system
<quote>Tarry</quote>, and our&#x00A0; dual-booting (Windows <quote>Tarry</quote>, and our&nbsp; dual-booting (Windows XP/SuSE 9.1)
XP/Mandrake 10.0 Official) laptop <quote>Tipper</quote> which connects laptop <quote>Tipper</quote> which connects through the Wireless
through the Wireless Access Point (wap) via a Wireless Bridge (wet).<note><para>While Access Point (wap) via a Wireless Bridge (wet).<note>
the distance between the WAP and where I usually use the laptop <para>While the distance between the WAP and where I usually use
isn&#39;t very far (25 feet or so), using a WAC11 (CardBus wireless the laptop isn't very far (25 feet or so), using a WAC11 (CardBus
card) has proved very unsatisfactory (lots of lost connections). By wireless card) has proved very unsatisfactory (lots of lost
replacing the WAC11 with the WET11 wireless bridge, I have virtually connections). By replacing the WAC11 with the WET11 wireless
eliminated these problems (Being an old radio tinkerer (K7JPV), I was bridge, I have virtually eliminated these problems (Being an old
also able to eliminate the disconnects by hanging a piece of aluminum radio tinkerer (K7JPV), I was also able to eliminate the
foil on the family room wall. Needless to say, my wife Tarry rejected disconnects by hanging a piece of aluminum foil on the family room
that as a permanent solution :-).</para></note></para> wall. Needless to say, my wife Tarry rejected that as a permanent
solution :-).</para>
</note></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
@ -98,16 +101,17 @@
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>The firewall runs on a 256MB PII/233 with Debian Sarge (Testing).</para> <para>The firewall runs on a 256MB PII/233 with Debian Sarge
(Testing).</para>
<para>Wookie and Ursa run Samba and Wookie acts as a WINS server.</para> <para>Wookie and Ursa run Samba and Wookie acts as a WINS server.</para>
<para>The wireless network connects to Wookie&#39;s eth2 via a LinkSys <para>The wireless network connects to Wookie's eth2 via a LinkSys
WAP11.&#x00A0; In additional to using the rather weak WEP 40-bit WAP11.&nbsp; In additional to using the rather weak WEP 40-bit encryption
encryption (64-bit with the 24-bit preamble), I use <ulink (64-bit with the 24-bit preamble), I use <ulink
url="MAC_Validation.html">MAC verification</ulink>. This is still a weak url="MAC_Validation.html">MAC verification</ulink>. This is still a weak
combination and if I lived near a wireless <quote>hot spot</quote>, I combination and if I lived near a wireless <quote>hot spot</quote>, I
would probably add IPSEC or something similar to my WiFi-&#62;local would probably add IPSEC or something similar to my WiFi-&gt;local
connections.</para> connections.</para>
<para>The single system in the DMZ (address 206.124.146.177) runs postfix, <para>The single system in the DMZ (address 206.124.146.177) runs postfix,
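Review bot: "In additional to using the rather weak WEP 40-bit encryption" (carried over unchanged apart from the &nbsp; entity) should read "In addition to"; since the line is already being rewritten, fix the wording in the same change.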
@ -132,13 +136,14 @@
in the DMZ.</para> in the DMZ.</para>
<para>The ethernet interface in the Server is configured with IP address <para>The ethernet interface in the Server is configured with IP address
206.124.146.177, netmask 255.255.255.0. The server&#39;s default gateway 206.124.146.177, netmask 255.255.255.0. The server's default gateway is
is 206.124.146.254 (Router at my ISP. This is the same default gateway 206.124.146.254 (Router at my ISP. This is the same default gateway used
used by the firewall itself). On the firewall, an entry in my by the firewall itself). On the firewall, an entry in my
/etc/network/interfaces file (see below) adds a host route to /etc/network/interfaces file (see below) adds a host route to
206.124.146.177 through eth1 when that interface is brought up.</para> 206.124.146.177 through eth1 when that interface is brought up.</para>
<para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior access.</para> <para>Tarry (192.168.1.4) runs a PPTP server for Road Warrior
access.</para>
<para><graphic align="center" fileref="images/network.png" /></para> <para><graphic align="center" fileref="images/network.png" /></para>
</section> </section>
@ -162,7 +167,7 @@ RFC1918_LOG_LEVEL=$LOG
SMURF_LOG_LEVEL= SMURF_LOG_LEVEL=
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
SHOREWALL_SHELL=/bin/ash SHOREWALL_SHELL=/bin/ash
SUBSYSLOCK= #I run Debian which doesn&#39;t use service locks SUBSYSLOCK= #I run Debian which doesn't use service locks
STATEDIR=/var/state/shorewall STATEDIR=/var/state/shorewall
MODULESDIR= MODULESDIR=
FW=fw FW=fw
@ -189,9 +194,9 @@ TCP_FLAGS_DISPOSITION=DROP
<title>Params File (Edited)</title> <title>Params File (Edited)</title>
<blockquote> <blockquote>
<para><programlisting>MIRRORS=&#60;list of shorewall mirror ip addresses&#62; <para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&#60;list of the NTP servers I sync with&#62; NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&#60;ip address of gateway in Plano&#62; TEXAS=&lt;ip address of gateway in Plano&gt;
LOG=info</programlisting></para> LOG=info</programlisting></para>
</blockquote> </blockquote>
</section> </section>
@ -230,7 +235,7 @@ dmz eth1 -
<blockquote> <blockquote>
<programlisting>#ZONE HOST(S) OPTIONS <programlisting>#ZONE HOST(S) OPTIONS
tx&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0;&#x00A0; texas:192.168.8.0/22 tx&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; texas:192.168.8.0/22
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
</section> </section>
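Review bot: the hosts-file entry in this hunk pads the ZONE column with thirteen non-breaking spaces (&#x00A0;, now &nbsp;) instead of ordinary spaces or tabs. In the rendered HTML that looks like column alignment, but anyone copying the listing into /etc/shorewall/hosts gets U+00A0 characters between "tx" and "texas:192.168.8.0/22", which the shell-based file parser does not treat as field separators, so the entry either fails to parse or is read as a single garbled zone name. Use plain spaces here, as the other listings in this file do.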
@ -284,14 +289,14 @@ eth2 -
<blockquote> <blockquote>
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT <programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
fw fw ACCEPT # For testing fw-&#62;fw rules fw fw ACCEPT # For testing fw-&gt;fw rules
loc net ACCEPT # Allow all net traffic from local net loc net ACCEPT # Allow all net traffic from local net
$FW loc ACCEPT # Allow local access from the firewall $FW loc ACCEPT # Allow local access from the firewall
$FW tx ACCEPT # Allow firewall access to texas $FW tx ACCEPT # Allow firewall access to texas
loc tx ACCEPT # Allow local net access to texas loc tx ACCEPT # Allow local net access to texas
loc fw REJECT $LOG # Reject loc-&#62;fw and log loc fw REJECT $LOG # Reject loc-&gt;fw and log
net all DROP $LOG 10/sec:40 # Rate limit and net all DROP $LOG 10/sec:40 # Rate limit and
# DROP net-&#62;all # DROP net-&gt;all
all all REJECT $LOG # Reject and log the rest all all REJECT $LOG # Reject and log the rest
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote> </blockquote>
@ -302,16 +307,15 @@ all all REJECT $LOG # Reje
<blockquote> <blockquote>
<para>Although most of our internal systems use one-to-one NAT, my <para>Although most of our internal systems use one-to-one NAT, my
wife&#39;s system (192.168.1.4) uses IP Masquerading (actually SNAT) wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and my SuSE system (192.168.1.3), our laptop (192.168.3.8) and visitors
visitors with laptops.</para> with laptops.</para>
<para>The first entry allows access to the DSL modem and uses features <para>The first entry allows access to the DSL modem and uses features
introduced in Shorewall 2.1.1. The leading plus sign (&#34;+_&#34;) introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
causes the rule to be placed before rules generated by the rule to be placed before rules generated by the /etc/shorewall/nat
/etc/shorewall/nat file below. The double colons (&#34;::&#34;) causes file below. The double colons ("::") causes the entry to be exempt
the entry to be exempt from ADD_SNAT_ALIASES=Yes in my shorewall.conf from ADD_SNAT_ALIASES=Yes in my shorewall.conf file above.</para>
file above.</para>
<programlisting>#INTERFACE SUBNET ADDRESS <programlisting>#INTERFACE SUBNET ADDRESS
+eth0::192.168.1.1 0.0.0.0/0 192.168.1.254 +eth0::192.168.1.1 0.0.0.0/0 192.168.1.254
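Review bot: the paragraph explaining the masq entry says the leading plus sign is ("+_"), but the listing below shows the entry as "+eth0::192.168.1.1" with no underscore; the "_" is a typo present in both the old and new wording and should be removed so the text matches the example.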
@ -344,7 +348,8 @@ eth0:2 eth2 206.124.146.179
</section> </section>
<section> <section>
<title>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params)</title> <title>Tunnels File (Shell variable TEXAS set in
/etc/shorewall/params)</title>
<blockquote> <blockquote>
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT <programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
@ -369,7 +374,8 @@ Mirrors #Accept traffic from the Shorewall Mirror sites
<blockquote> <blockquote>
<para>The $MIRRORS variable expands to a list of approximately 10 IP <para>The $MIRRORS variable expands to a list of approximately 10 IP
addresses. So moving these checks into a separate chain reduces the addresses. So moving these checks into a separate chain reduces the
number of rules that most net-&#62;dmz traffic needs to traverse.</para> number of rules that most net-&gt;dmz traffic needs to
traverse.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE <programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
# PORT PORT(S) DEST LIMIT # PORT PORT(S) DEST LIMIT
@ -416,14 +422,15 @@ RejectSMB
DropUPnP DropUPnP
dropNotSyn dropNotSyn
DropDNSrep DropDNSrep
DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn&#39;t flood my log DROP loc:eth2:!192.168.1.0/24 #So that my braindead Windows[tm] XP system doesn't flood my log
#with NTP requests with a source address in 16.0.0.0/8 (address of #with NTP requests with a source address in 16.0.0.0/8 (address of
#its PPTP tunnel to HP).</programlisting> #its PPTP tunnel to HP).</programlisting>
</blockquote> </blockquote>
</section> </section>
<section> <section>
<title>Rules File (The shell variables are set in /etc/shorewall/params)</title> <title>Rules File (The shell variables are set in
/etc/shorewall/params)</title>
<blockquote> <blockquote>
<programlisting>############################################################################################################################################################################### <programlisting>###############################################################################################################################################################################
@ -477,7 +484,7 @@ Mirrors net dmz tcp rsync
# #
# Net to Local # Net to Local
# #
# When I&#39;m &#34;on the road&#34;, the following two rules allow me VPN access back home. # When I'm "on the road", the following two rules allow me VPN access back home.
# #
DNAT net loc:192.168.1.4 tcp 1723 - DNAT net loc:192.168.1.4 tcp 1723 -
DNAT net:!4.3.113.178 loc:192.168.1.4 gre - DNAT net:!4.3.113.178 loc:192.168.1.4 gre -
@ -510,12 +517,12 @@ ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3 #ACCEPT dmz net:66.216.26.115 tcp pop3
# #
# Something is wrong with the FTP connection tracking code or there is some client out there # Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn&#39;t understand. Either way, # that is sending a PORT command which that code doesn't understand. Either way,
# the following works around the problem. # the following works around the problem.
# #
ACCEPT:$LOG dmz net tcp 1024: 20 ACCEPT:$LOG dmz net tcp 1024: 20
############################################################################################################################################################################### ###############################################################################################################################################################################
# DMZ to Firewall -- ntp &#38; snmp, Silently reject Auth # DMZ to Firewall -- ntp &amp; snmp, Silently reject Auth
# #
ACCEPT dmz fw udp ntp ntp ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp 161,ssh ACCEPT dmz fw tcp 161,ssh
@ -568,7 +575,8 @@ ACCEPT tx loc:192.168.1.5 all
displayed in <emphasis role="bold">bold type</emphasis>) add a route displayed in <emphasis role="bold">bold type</emphasis>) add a route
to my DSL modem when eth0 is brought up and a route to my DMZ server to my DSL modem when eth0 is brought up and a route to my DMZ server
when eth1 is brought up. It allows me to enter <quote>Yes</quote> in when eth1 is brought up. It allows me to enter <quote>Yes</quote> in
the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP file</link>.</para> the HAVEROUTE column of <link linkend="ProxyARP">my Proxy ARP
file</link>.</para>
<programlisting>... <programlisting>...
auto auto eth0 auto auto eth0
@ -594,13 +602,13 @@ iface eth1 inet static
<section> <section>
<title>Bridge (Wookie) Configuration</title> <title>Bridge (Wookie) Configuration</title>
<para>As mentioned above, Wookie acts as a bridge. It&#39;s view of the <para>As mentioned above, Wookie acts as a bridge. It's view of the
network is diagrammed in the following figure.</para> network is diagrammed in the following figure.</para>
<graphic fileref="images/network1.png" /> <graphic fileref="images/network1.png" />
<para>I&#39;ve included the files that I used to configure that system -- <para>I've included the files that I used to configure that system -- some
some of them are SuSE-specific.</para> of them are SuSE-specific.</para>
<para>The configuration on Wookie can be modified to test various bridging <para>The configuration on Wookie can be modified to test various bridging
features -- otherwise, it serves to isolate the Wireless network from the features -- otherwise, it serves to isolate the Wireless network from the
@ -681,10 +689,9 @@ WiFi br0:eth2 maclist
my bridge/firewall. Squid listens on port 3128.</para> my bridge/firewall. Squid listens on port 3128.</para>
<para>The remaining rules protect the local systems and bridge from <para>The remaining rules protect the local systems and bridge from
the WiFi network. Note that we don&#39;t restrict WiFi→net traffic the WiFi network. Note that we don't restrict WiFi→net traffic since
since the only directly-accessible system in the net zone is the the only directly-accessible system in the net zone is the firewall
firewall (Wookie and the Firewall are connected by a cross-over (Wookie and the Firewall are connected by a cross-over cable).</para>
cable).</para>
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL <programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT PORT(S) DEST # PORT PORT(S) DEST
@ -758,7 +765,7 @@ br0:eth2 00:0b:c1:53:cc:97 192.168.1.8 #TIPPER
PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin PATH=$PATH:/sbin:/usr/sbin:/usr/local/sbin
do_stop() { do_stop() {
echo &#34;Stopping Bridge&#34; echo "Stopping Bridge"
brctl delbr br0 brctl delbr br0
ip link set eth0 down ip link set eth0 down
ip link set eth1 down ip link set eth1 down
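Review bot: do_stop() in this hunk runs "brctl delbr br0" and then takes eth0 and eth1 down, but never takes br0 itself down first; brctl refuses to delete a bridge that is still up ("bridge br0 is still up; can't delete it"), so the stop and restart paths leave the bridge in place. Add "ip link set br0 down" before the delbr so the teardown mirrors the bring-up order used in do_start().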
@ -767,7 +774,7 @@ do_stop() {
do_start() { do_start() {
echo &#34;Starting Bridge&#34; echo "Starting Bridge"
ip link set eth0 up ip link set eth0 up
ip link set eth1 up ip link set eth1 up
ip link set eth2 up ip link set eth2 up
@ -777,7 +784,7 @@ do_start() {
brctl addif br0 eth2 brctl addif br0 eth2
} }
case &#34;$1&#34; in case "$1" in
start) start)
do_start do_start
;; ;;
@ -790,7 +797,7 @@ case &#34;$1&#34; in
do_start do_start
;; ;;
*) *)
echo &#34;Usage: $0 {start|stop|restart}&#34; echo "Usage: $0 {start|stop|restart}"
exit 1 exit 1
esac esac
exit 0</programlisting> exit 0</programlisting>
@ -803,16 +810,16 @@ exit 0</programlisting>
<blockquote> <blockquote>
<para>This file is SuSE-specific</para> <para>This file is SuSE-specific</para>
<programlisting>BOOTPROTO=&#39;static&#39; <programlisting>BOOTPROTO='static'
BROADCAST=&#39;192.168.1.255&#39; BROADCAST='192.168.1.255'
IPADDR=&#39;192.168.1.3&#39; IPADDR='192.168.1.3'
NETWORK=&#39;192.168.1.0&#39; NETWORK='192.168.1.0'
NETMASK=&#39;255.255.255.0&#39; NETMASK='255.255.255.0'
REMOTE_IPADDR=&#39;&#39; REMOTE_IPADDR=''
STARTMODE=&#39;onboot&#39; STARTMODE='onboot'
UNIQUE=&#39;3hqH.MjuOqWfSZ+C&#39; UNIQUE='3hqH.MjuOqWfSZ+C'
WIRELESS=&#39;no&#39; WIRELESS='no'
MTU=&#39;&#39;</programlisting> MTU=''</programlisting>
</blockquote> </blockquote>
</section> </section>

View File

@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-05-28</pubdate> <pubdate>2004-07-31</pubdate>
<copyright> <copyright>
<year>2001-2002</year> <year>2001-2002</year>
@ -303,6 +303,17 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 443 #Secure HTTP</programlisting> ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 443 #Secure HTTP</programlisting>
</section> </section>
<section>
<title>X/XDMCP</title>
<para>Assume that the Choser and/or X Server are running at &#60;<emphasis>chooser</emphasis>&#62;
and the Display Manager/X applications are running at &#60;<emphasis>apps</emphasis>&#62;.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT &#60;<emphasis>chooser</emphasis>&#62; &#60;<emphasis>apps</emphasis>&#62; udp 177 #XDMCP
ACCEPT &#60;<emphasis>apps</emphasis>&#62; &#60;<emphasis>chooser</emphasis>&#62; tcp 6000:6009 #X Displays 0-9</programlisting>
</section>
<section> <section>
<title>Other Source of Port Information</title> <title>Other Source of Port Information</title>
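Review bot: the new X/XDMCP section spells "Choser" in its first sentence; it should be "Chooser", matching the <chooser> placeholder used in the two rules. The rules themselves agree with the placeholders (XDMCP udp 177 from chooser to apps, X displays tcp 6000:6009 back from apps to chooser); a short remark that the tcp 6000:6009 rule opens the X display ports themselves and should stay limited to the two hosts named, rather than a whole zone, would help readers who copy it.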

View File

@ -13,7 +13,7 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2004-03-28</pubdate> <pubdate>2004-07-31</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003</year>
@ -36,6 +36,18 @@
<section> <section>
<title>What Users are saying...</title> <title>What Users are saying...</title>
<blockquote>
<attribution>AS, Poland</attribution>
<para><emphasis>I want to say that Shorewall documentation is the best
I&#39;ve ever found on the net. It&#39;s helped me a lot in
understanding how network is working. It is the best of breed. It
contains not only Shorewall specific topics with the assumption that all
the rest is well known, but also gives some very useful background
information. Thank you very much for this wonderful piece of work.
</emphasis></para>
</blockquote>
<blockquote> <blockquote>
<attribution>ES, Phoenix AZ, USA</attribution> <attribution>ES, Phoenix AZ, USA</attribution>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-22</pubdate> <pubdate>2004-07-31</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -232,7 +232,7 @@
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST <programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
# LEVEL # LEVEL
fw net ACCEPT loc net ACCEPT
net all DROP info net all DROP info
all all REJECT info</programlisting> all all REJECT info</programlisting>
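Review bot: replacing "fw net ACCEPT" with "loc net ACCEPT" changes what the example policy permits: with the new three lines, traffic originating on the firewall itself toward net is no longer accepted by policy and falls through to "all all REJECT info" unless the rules file opens it (DNS, NTP and package updates from the firewall). If this corrects a typo so the example matches the local-network layout described in the text, confirm the surrounding paragraphs and any rules-file listing describe fw->net that way; otherwise the example needs an explicit fw->net line.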
@ -2170,12 +2170,14 @@ localhost 86400 IN A 127.0.0.1
firewall 86400 IN A 192.0.2.176 firewall 86400 IN A 192.0.2.176
www 86400 IN A 192.0.2.177 www 86400 IN A 192.0.2.177
ns1 86400 IN A 192.0.2.177 ns1 86400 IN A 192.0.2.177
www 86400 IN A 192.0.2.177 mail 86400 IN A 192.0.2.178
gateway 86400 IN A 192.168.201.1 gateway 86400 IN A 192.168.201.1
winken 86400 IN A 192.168.201.2 winken 86400 IN A 192.168.201.2
blinken 86400 IN A 192.168.201.3 blinken 86400 IN A 192.168.201.3
nod 86400 IN A 192.168.201.4</programlisting> nod 86400 IN A 192.168.201.4
dmz 86400 IN A 192.168.202.1</programlisting>
<para><filename>ext/db.foobar </filename>- Forward zone for external <para><filename>ext/db.foobar </filename>- Forward zone for external
clients.</para> clients.</para>
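Review bot: the duplicate "www 86400 IN A 192.0.2.177" record is replaced with "mail 86400 IN A 192.0.2.178" and a "dmz 86400 IN A 192.168.202.1" record is added; if the guide also shows reverse zone files for 192.0.2.0/24 and the 192.168.x networks, matching PTR records for mail and dmz should be added there in the same change so forward and reverse data agree (a mail host in particular is routinely checked for a matching PTR).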

View File

@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title>Starting/Stopping and Monitoring the Firewall</title> <title>Operating Shorewall</title>
<authorgroup> <authorgroup>
<author> <author>
@ -15,10 +15,10 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-06-15</pubdate> <pubdate>2004-08-01</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2004</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
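Review bot: the copyright <year> is narrowed from 2001-2004 to 2004 in this hunk while the document still carries material from the earlier versions of the article (the section rewritten below documents behaviour going back to 1.4.7), so the earlier years should probably remain; if the narrowing is deliberate because the article was rewritten from scratch, the pubdate and title changes alone do not make that clear.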
@ -34,312 +34,225 @@
</articleinfo> </articleinfo>
<section> <section>
<title>Operating Shorewall</title> <title>Operational Components</title>
<para>If you have a permanent internet connection such as DSL or Cable, I <para>There are a number of files that comprise the operational components
recommend that you start the firewall automatically at boot. The <ulink of Shorewall.</para>
url="Install.htm">installation procedure</ulink> attempts to set up the
init scripts to start the firewall in run levels 2-5 and stop it in run
levels 1 and 6. If you want to configure your firewall differently from
this default, you can use your distribution&#39;s run-level editor.</para>
<caution>
<itemizedlist>
<listitem>
<para>Shorewall startup is disabled by default. Once you have
configured your firewall, you can enable startup by removing the
file <filename>/etc/shorewall/startup_disabled</filename>. Note:
Users of the .deb package must edit <filename>/etc/default/shorewall</filename>
and set <quote>startup=1</quote>.</para>
</listitem>
<listitem>
<para>If you use dialup or some flavor of PPP where your IP address
can change arbitrarily, you may want to start the firewall in your
<command>/etc/ppp/ip-up.local</command> script. I recommend just
placing <quote><command>/sbin/shorewall restart</command></quote> in
that script.</para>
</listitem>
</itemizedlist>
</caution>
<para>You can manually start and stop Shoreline Firewall using the
<quote><command>/sbin/shorewall</command></quote> shell program.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><command>shorewall [ -q ] [ -f ] start </command>- starts the <para><filename>/sbin/shorewall</filename> ̶ The program that you use
firewall. It important to understand that when the firewall is in the to interact with Shorewall. Normally the root user&#39;s PATH includes
<emphasis role="bold">Started</emphasis> state there is <filename>/sbin</filename> and the program can be run from a shell
<emphasis>no Shorewall Program</emphasis> <emphasis>running</emphasis>. prompt by simply typing <command>shorewall</command> followed by a
It rather means that Netfilter has been configured to handle traffic command. To see a list of supported commands, use the
as described in your Shorewall configuration files. Please refer to <command>help</command> command:</para>
the <link linkend="State">Shorewall State Diagram</link> as shown at
the bottom of this page for more information. The -q option was added <programlisting><command>shorewall help</command></programlisting>
in Shorewall 2.0.2 Beta 1 and reduces the amout of output produced.
Also beginning with Shorewall version 2.0.2 Beta 1, the -f option may <para>To get further information about a particular command, follow
be specified. See the <link linkend="Saved">Saved Configurations</link> <command>help</command> by the command:</para>
section below for details.</para>
<programlisting><command>shorewall help start</command></programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para><command>shorewall stop</command> - stops the firewall; the only <para><filename>/etc/shorewall</filename> ̶ The default directory
traffic permitted through the firewall is from systems listed in where Shorewall looks for configuration files. See the section
<filename>/etc/shorewall/routestopped</filename> (Beginning with entitled <link linkend="AltConfig">Alternate Configuration Directories</link>
version 1.4.7, if ADMINISABSENTMINDED=Yes in <filename>/etc/shorewall/shorewall.conf</filename> for information about how you can direct Shorewall to look in other
then in addition, all existing connections are permitted and any new directories.</para>
connections originating from the firewall itself are allowed).</para>
</listitem> </listitem>
<listitem> <listitem>
<para><command>shorewall [ -q ] restart </command>- stops the firewall <para><filename>/etc/init.d/shorewall</filename> (<filename>/etc/rc.d/firewall.rc</filename>
(if it is in the <emphasis role="bold">Started</emphasis> state) and on Slackware) ̶ The script run by <command>init</command> (the program
then starts it again. The -q option was added in Shorewall 2.0.2 Beta responsible for startup and shutdown of your system) to start
1 and reduces the amout of output produced.</para> Shorewall at boot time and to stop Shorewall at shutdown.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><command>shorewall reset</command> - reset the packet and byte <para><filename>/usr/share/shorewall/firewall</filename> ̶ The program
counters in the firewall</para> responsible for configuring Netfilter based on your configuration
files.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><command>shorewall clear</command> - remove all rules and chains <para><filename>/usr/share/shorewall/functions</filename> ̶ A library
installed by Shoreline Firewall. The firewall is <quote>wide open</quote></para> of Bourne Shell functions used by both<filename> /sbin/shorewall</filename>
</listitem> and <filename>/usr/share/shorewall/firewall</filename>.</para>
<listitem>
<para><command>shorewall refresh</command> - refresh the rules
involving the broadcast addresses of firewall interfaces, the black
list, traffic control rules and ECN control rules.</para>
</listitem>
<listitem>
<para><command>shorewall save</command> - Beginning with Shorewall
2.0.2 Beta1, this command creates a script which when run will restore
the state of the firewall to its current state. See the <link
linkend="Saved">Saved Configurations</link> section below for details.</para>
</listitem>
<listitem>
<para><command>shorewall restore [ &#60;file name&#62; ]</command> -
Runs a script created by the <command>shorewall save</command>
command. See the <link linkend="Saved">Saved Configurations</link>
section below for details.</para>
</listitem>
<listitem>
<para>shorewall forget - Added in Shorewall 2.0.2 Beta 1. Removes the
<filename>/var/lib/shorewall restore</filename> script created by the
<command>shorewall save </command>command.</para>
</listitem>
</itemizedlist>
<para>If you include the keyword debug as the first argument, then a shell
trace of the command is produced as in:</para>
<para><programlisting> <command>shorewall debug start 2&#62; /tmp/trace</command></programlisting>The
above command would trace the <quote>start</quote> command and place the
trace information in the file /tmp/trace</para>
<para>Beginning with version 1.4.7, shorewall can give detailed help about
each of its commands: <programlisting> <command>shorewall help [ command | host | address ]</command></programlisting>The
<quote>shorewall</quote> program may also be used to monitor the firewall.</para>
<itemizedlist>
<listitem>
<para><command>shorewall status</command> - produce a verbose report
about the firewall (iptables -L -n -v)</para>
</listitem>
<listitem>
<para><command>shorewall show &#60;chain1&#62; [ &#60;chain2&#62; ...
]</command> - produce a verbose report about the listed chains (<command>iptables
-L chain -n -v</command>) Note: You may only list one chain in the
show command when running Shorewall version 1.4.6 and earlier. Version
1.4.7 and later allow you to list multiple chains in one command.</para>
</listitem>
<listitem>
<para><command>shorewall show nat</command> - produce a verbose report
about the nat table (<command>iptables -t nat -L -n -v</command>)</para>
</listitem>
<listitem>
<para><command>shorewall show tos</command> - produce a verbose report
about the mangle table (<command>iptables -t mangle -L -n -v</command>)</para>
</listitem>
<listitem>
<para><command>shorewall show log</command> - display the last 20
packet log entries.</para>
</listitem>
<listitem>
<para><command>shorewall show connections</command> - displays the IP
connections currently being tracked by the firewall.</para>
</listitem>
<listitem>
<para><command>shorewall show tc</command> - displays information
about the traffic control/shaping configuration.</para>
</listitem>
<listitem>
<para><command>shorewall monitor [ &#60;delay&#62; ]</command> -
Continuously display the firewall status, last 20 log entries and nat.
When the log entry display changes, an audible alarm is sounded. The
<emphasis>&#60;delay&#62;</emphasis> indicates the number of seconds
between updates with the default being 10 seconds.</para>
</listitem>
<listitem>
<para><command>shorewall hits</command> - Produces several reports
about the Shorewall packet log messages in the current log file named
in the LOGFILE variable in <filename>/etc/shorewall/shorewall.conf</filename>.</para>
</listitem>
<listitem>
<para><command>shorewall version</command> - Displays the installed
version number.</para>
</listitem>
<listitem>
<para><command>shorewall check</command> - Performs a cursory
validation of the zones, interfaces, hosts, rules and policy files.<caution><para>The
<quote><command>check</command></quote> command is totally unsuppored
and does not parse and validate the generated iptables commands. Even
though the <quote>check</quote> command completes successfully, the
configuration may fail to start. Problem reports that complain about
errors that the <quote>check</quote> command does not detect will not
be accepted.</para><para>See the recommended way to make configuration
changes described below.</para></caution></para>
</listitem>
<listitem>
<para><command>shorewall try &#60;<errortype>configuration-directory</errortype>&#62;
[ &#60;timeout&#62; ]</command> - Restart shorewall using the
specified configuration and if an error occurs or if the
<emphasis>&#60;timeout&#62;</emphasis> option is given and the new
configuration has been up for that many seconds then shorewall is
restarted using the standard configuration.</para>
</listitem>
<listitem>
<para><command>shorewall logwatch</command> (added in version 1.3.2) -
Monitors the LOGFILE and produces an audible alarm when new Shorewall
messages are logged.</para>
</listitem>
</itemizedlist>
<para>Beginning with Shorewall 1.4.6, /sbin/shorewall supports a couple of
commands for dealing with IP addresses and IP address ranges:</para>
<itemizedlist>
<listitem>
<para><command>shorewall ipcalc [ &#60;address&#62; &#60;mask&#62; |
&#60;address&#62;/&#60;vlsm&#62; ] </command>- displays the network
address, broadcast address, network in CIDR notation and netmask
corresponding to the input[s].</para>
</listitem>
<listitem>
<para><command>shorewall iprange &#60;address1&#62;-&#60;address2&#62;</command>
- Decomposes the specified range of IP addresses into the equivalent
list of network/host addresses</para>
</listitem>
</itemizedlist>
<para>There is a set of commands dealing with <ulink
url="blacklisting_support.htm">dynamic blacklisting</ulink>:</para>
<itemizedlist>
<listitem>
<para><command>shorewall drop &#60;ip address list&#62;</command> -
causes packets from the listed IP addresses to be silently dropped by
the firewall.</para>
</listitem>
<listitem>
<para><command>shorewall reject &#60;ip address list&#62;</command> -
causes packets from the listed IP addresses to be rejected by the
firewall.</para>
</listitem>
<listitem>
<para><command>shorewall allow &#60;ip address list&#62;</command> -
re-enables receipt of packets from hosts previously blacklisted by a
drop or reject command.</para>
</listitem>
<listitem>
<para><command>shorewall save [ &#60;file name&#62; ]</command> - save
the dynamic blacklisting configuration so that it will be
automatically restored the next time that the firewall is restarted.
Beginning with Shorewall version 2.0.2 Beta1, this command also
creates a script that can be used to restore the state of the
firewall. See the <link linkend="Saved">Saved Configurations</link>
section below for details.</para>
</listitem>
<listitem>
<para><command>show dynamic</command> - displays the dynamic
blacklisting chain.</para>
</listitem>
</itemizedlist>
<para>Finally, the <quote><quote>shorewall</quote></quote> program may be
used to dynamically alter the contents of a zone.</para>
<itemizedlist>
<listitem>
<para><command>shorewall add &#60;interface&#62;[:&#60;host&#62;]
&#60;zone&#62;</command> - Adds the specified interface (and host if
included) to the specified zone.</para>
</listitem>
<listitem>
<para><command>shorewall delete &#60;interface&#62;[:&#60;host&#62;]
&#60;zone&#62;</command> - Deletes the specified interface (and host
if included) from the specified zone.</para>
<para>Examples:<programlisting> <command>shorewall add ipsec0:192.0.2.24 vpn1</command> -- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1
<command>shorewall delete ipsec0:192.0.2.24 vpn1</command> -- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1</programlisting></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section> <section>
<title>Error Handling</title> <title>Starting, Stopping and Clearing</title>
<para>When <command>shorewall start</command>, <command>shorewall restart</command> <para>As explained in the <ulink url="Introduction.html">Introduction</ulink>,
or <command>shorewall refresh</command> encounter an error, the behavior Shorewall is not something that runs all of the time in your system.
depends on which version of Shorewall you are running and whether there is Nevertheless, for integrating Shorewall into your initialization scripts
a <filename>/var/lib/shorewall/restore</filename> script available (see it is useful to speak of <firstterm>starting</firstterm> Shorewall and
<command>shorewall save</command> above).</para> <emphasis>stopping</emphasis> Shorewall.</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para>If you are running a version of Shorewall earlier than 2.0.2 <para>Shorewall is started using the <command>shorewall start</command>
Beta 1 then the effect is as if a <command>shorewall stop</command> command. Once the start command completes successfully, Netfilter is
command had been run.</para> configured as described in your Shorewall configuration files. If
there is an error during <command>shorewall start</command>, then if
you have a <firstterm>saved configuration</firstterm> then that
configuration is restored. Otherwise, an implicit <command>shorewall
stop</command> is executed.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>If you have executed a <command>shorewall save</command> command <para>Shorewall is stopped using the <command>shorewall stop</command>
without a subsequent <command>shorewall forget</command>, then the command.</para>
firewall is restored to the state when <command>shorewall save</command>
was executed.</para> <important>
<para>The <command>shorewall stop</command> command does not remove
all netfilter rules and open your firewall for all traffic to pass.
It rather places your firewall in a safe state defined by the
contents of your <ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink>
file and the setting of ADMINISABSENTMINDED in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
</important>
</listitem>
<listitem>
<para>If you want to remove all Netfilter rules and open your firewall
for all traffic to pass, use the <command>shorewall clear</command>
command.</para>
</listitem>
<listitem>
<para>If you change your configuration and want to install the
changes, use the <command>shorewall restart </command>command.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>For additional information, see the<link linkend="State"> Shorewall
State Diagram</link> section.</para>
</section> </section>
<section> <section>
<title>Alternate Configurations</title> <title>Tracing Command Execution</title>
<para>The <command>shorewall start</command>, <command>shorewall restart</command>, <para>If you include the word <emphasis role="bold">trace</emphasis> as
the first parameter to <filename>an /sbin/shorewall</filename> command
that transfers control to <filename>/usr/share/shorewall/firewall</filename>,
execution of the latter program will be traced to STDERR.</para>
<example>
<title>Tracing <command>shorewall start</command></title>
<para>To trace the execution of <command>shorewall start</command> and
write the trace to the file <filename>/tmp/trace</filename>, you would
enter:<programlisting><command>shorewall trace start 2&#62; /tmp/trace</command></programlisting></para>
</example>
</section>
<section>
<title>Having Shorewall Start Automatically at Boot Time</title>
<para>The .rpm, .deb and .tgz all try to configure your startup scripts so
that Shorewall will start automatically at boot time. If you are using the
<command>install.sh </command>script from the .tgz and it cannot determine
how to configure automatic startup, a message to that effect will be
displayed. You will need to consult your distribution&#39;s documentation
to see how to integrate the <filename>/etc/init.d/shorewall</filename>
script into the distribution&#39;s startup mechanism.<caution><itemizedlist><listitem><para>Shorewall
startup is disabled by default. Once you have configured your firewall,
you can enable startup by removing the file <filename>/etc/shorewall/startup_disabled</filename>.
Note: Users of the .deb package must edit <filename>/etc/default/shorewall</filename>
and set <quote>startup=1</quote>.</para></listitem><listitem><para>If you
use dialup or some flavor of PPP where your IP address can change
arbitrarily, you may want to start the firewall in your
<command>/etc/ppp/ip-up.local</command> script. I recommend just placing
<quote><command>/sbin/shorewall restart</command></quote> in that script.</para></listitem></itemizedlist></caution></para>
</section>
<section>
<title>Saving a Working Configuration for Error Recovery and Fast Startup</title>
<para>Once you have Shorewall working the way that you want it to, you can
use <command>shorewall save</command> to <firstterm>save</firstterm> the
commands necessary to recreate that configuration in a
<firstterm>restore script</firstterm>.</para>
<para>In its simplest form, the save command is just:</para>
<programlisting><command>shorewall save</command></programlisting>
<para>That command creates the default restore script,
<filename>/var/lib/shorewall/restore</filename>. The default may be
changed using the RESTOREFILE option in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>. A
different file name may also be specified in the specified in the
<command>save</command> command:</para>
<programlisting><command>shorewall save &#60;filename&#62;</command></programlisting>
<para>Where &#60;<emphasis>filename</emphasis>&#62; is a simple file name
(no slashes).</para>
<para>Once created, the default restore script serves several useful
purposes:</para>
<itemizedlist>
<listitem>
<para>If you change your configuration and there is an error when you
try to restart Shorewall, the restore script will be run to restore
your firewall to working order.</para>
</listitem>
<listitem>
<para>Bootup is faster. The -f option of the start command (e.g.,
<command>shorewall -f start</command>) causes Shorewall to look for
the default restore script and if it exists, the script is run. This
is much faster than starting Shorewall using the normal mechanism of
reading the configuration files and running <command>iptables</command>
dozens or even hundreds of times. <filename>/etc/init.d/shorewall</filename>
(<filename>/etc/rc.d/firewall.rc</filename>) uses the -f option when
it is processing a request to start Shorewall.</para>
</listitem>
<listitem>
<para>The <command>shorewall restore</command> command can be used at
any time to quickly configure the firewall.</para>
<programlisting><command>shorewall restore [ &#60;filename&#62; ]</command></programlisting>
<para>If no &#60;<emphasis>filename</emphasis>&#62; is given, the
default restore script is used. Otherwise, the script
<filename>/var/lib/shorewall/&#60;filename&#62;</filename> is used.</para>
</listitem>
</itemizedlist>
<para>The ability to have multiple restore scripts means that you can save
different Shorewall firewall configurations and switch between them
quickly using the <command>restore</command> command.</para>
<para>Restore scripts may be removed using the <command>shorewall forget</command>
command:</para>
<programlisting><command>shorewall forget [ &#60;filename&#62; ]</command></programlisting>
<para>If no &#60;<emphasis>filename</emphasis>&#62; is given, the default
restore script is removed. Otherwise, <filename>/var/lib/shorewall/&#60;filename&#62;</filename>
is removed (of course, you can also use the Linux <command>rm</command>
command from the shell prompt to remove these files).</para>
</section>
<section>
<title id="AltConfig">Alternate Configuration Directories</title>
<para>As explained above, Shorewall normally looks for configuration files
in the directory <filename class="directory">/etc/shorewall</filename>.
The <command>shorewall start</command>, <command>shorewall restart</command>,
<command>shorewall check</command>, and <command>shorewall try </command>commands <command>shorewall check</command>, and <command>shorewall try </command>commands
allow you to specify which Shorewall configuration to use:</para> allow you to specify a different directory for Shorewall to check before
looking in <filename class="directory">/etc/shorewall</filename>:</para>
<programlisting> <command>shorewall [ -c &#60;configuration-directory&#62; ] {start|restart|check}</command> <programlisting> <command>shorewall [ -c &#60;configuration-directory&#62; ] {start|restart|check}</command>
<command>shorewall try &#60;configuration-directory&#62; [ &#60;timeout&#62; ]</command></programlisting> <command>shorewall try &#60;configuration-directory&#62; [ &#60;timeout&#62; ]</command></programlisting>
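Review bot: the new "Saving a Working Configuration for Error Recovery and Fast Startup" text tells the reader that /etc/init.d/shorewall starts with -f and runs the default restore script whenever it exists, but nothing in this hunk says that the restore script is a snapshot: after editing /etc/shorewall and doing a successful shorewall restart, the next boot will bring up the previously saved rules rather than the edited ones until shorewall save is run again (the later hunk does add shorewall save as the last step of the test procedure, but the saving section itself should state it). Suggest a sentence after "uses the -f option when it is processing a request to start Shorewall" along the lines of "Re-run shorewall save after each successful restart; otherwise the next boot restores the older saved rules." Two wording slips in the same hunk: "A different file name may also be specified in the specified in the save command" doubles "in the specified", and the Tracing section has "as the first parameter to <filename>an /sbin/shorewall</filename> command" with "an" inside the filename element. Since the removed text documented the same trace under the debug keyword (shorewall debug start 2> /tmp/trace), say whether debug is still accepted alongside trace.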
@ -354,6 +267,11 @@
recommend the following:</para> recommend the following:</para>
<itemizedlist> <itemizedlist>
<listitem>
<para>If you haven&#39;t saved the current working configuration, do
so using <command>shorewall save</command>.</para>
</listitem>
<listitem> <listitem>
<para><command>mkdir /etc/test</command></para> <para><command>mkdir /etc/test</command></para>
</listitem> </listitem>
@ -376,20 +294,20 @@
</listitem> </listitem>
<listitem> <listitem>
<para><command>/sbin/shorewall try ./</command></para> <para><command>shorewall try ./</command></para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>If the configuration starts but doesn&#39;t work, just <para>If the configuration starts but doesn&#39;t work, just
<quote>shorewall restart</quote> to restore the old configuration. If the <quote>shorewall restart</quote> to restore the old configuration. If the
new configuration fails to start, the <quote>try</quote> command will new configuration fails to start, the <quote>try</quote> command will
automatically start the old one for you.</para> automatically restore your configuration.</para>
<para>When the new configuration works then just:</para> <para>When the new configuration works then just:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
<para><command>cp * /etc/shorewall</command></para> <para><command>cp -f * /etc/shorewall</command></para>
</listitem> </listitem>
<listitem> <listitem>
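Review bot: cp -f * /etc/shorewall copies every file in the test directory into the live configuration directory, including editor backup files such as shorewall.conf~ or any other stray file left there while testing, and -f will silently overwrite whatever is in /etc/shorewall. Suggest either listing the files to copy or adding a sentence that the test directory must contain only the edited configuration files before this step. The change from /sbin/shorewall try ./ to shorewall try ./ is fine since the rest of the page uses the bare command name.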
@ -399,66 +317,390 @@
<listitem> <listitem>
<para><command>rm -rf /etc/test</command></para> <para><command>rm -rf /etc/test</command></para>
</listitem> </listitem>
<listitem>
<para><command>shorewall save</command></para>
</listitem>
</itemizedlist> </itemizedlist>
</section> </section>
<section id="Saved"> <section>
<title>Saved Configurations</title> <title>Command Reference</title>
<para>Beginning with Shorewall 2.0.2 Beta 1, Shorewall is integrated with <variablelist>
the iptables-save/iptables-restore programs through <varlistentry>
<firstterm>saved configurations</firstterm>. A saved configuration is a <term>add</term>
shell script that when executed will restore the firewall state to match
what it was when the script was created. Because of the way in which saved
configurations are used, they are also referred to using the term
<firstterm>restore script</firstterm>.</para>
<itemizedlist>
<listitem>
<para>The <command>shorewall save</command> command creates a restore
script.</para>
</listitem>
<listitem> <listitem>
<para>The <command>shorewall restore</command> command executes a <para><command>shorewall add &#60;interface&#62;[:&#60;host&#62;]
restore script.</para> &#60;zone&#62;</command></para>
<para>Adds a host or subnet to a dynamic zone usually used with
VPN&#39;s.</para>
<para>Example: <command>shorewall add ipsec0:192.0.2.24 vpn1</command></para>
<para>adds the address 192.0.2.24 from interface ipsec0 to the zone
vpn1.</para>
</listitem> </listitem>
</varlistentry>
<varlistentry>
<term>allow</term>
<listitem> <listitem>
<para>The <command>shorewall forget</command> command deleted a <para><command>shorewall allow &#60;address&#62; ...</command></para>
restore script.</para>
<para>Re-enables receipt of packets from hosts previously
blacklisted by a drop or reject command.</para>
<para>Shorewall allow, drop, rejct and save implement dynamic
blacklisting.</para>
</listitem> </listitem>
</varlistentry>
<varlistentry>
<term>check</term>
<listitem> <listitem>
<para>The <firstterm>-f </firstterm>option of the <command>shorewall <para><command>shorewall [ -c &#60;configuration-directory&#62; ]
start</command> command causes a restore script to be executed if it check</command></para>
exists.</para>
</listitem>
</itemizedlist>
<para>In Shorewall 2.0.2, the name of the restore script is fixed: <para>Performs a cursory validation of the zones, interfaces, hosts,
<filename>/var/lib/shorewall/restore</filename>. Beginning with Shorewall rules and policy files. Use this if you are unsure of any edits you
2.0.3 Beta 1, multiple restore scripts are permitted in <filename have made to the shorewall configuration. See <link
class="directory">/var/lib/shorewall</filename>.</para> linkend="AltConfig">above</link> for a recommended way to make
changes.</para>
<itemizedlist>
<listitem>
<para>The <command>shorewall save</command>, <command>shorewall
restore</command> and <command>shorewall forget</command> commands are
extended to allow you to specify a simple file name (one not
containing embedded slashes). The fiile name specifies the name of a
restore script in <filename class="directory">/var/lib/shorewall</filename>.</para>
</listitem> </listitem>
</varlistentry>
<varlistentry>
<term>clear</term>
<listitem> <listitem>
<para>A RESTOREFILE option has been added to <filename>shorewall.conf</filename>. <para><command>shorewall clear</command></para>
This variable may contain a simple file name that designates the
default restore script when the command doesn&#39;t specify one. To <para>Clear will remove all rules and chains installed by Shorewall.
maintain backward compatibility with Shorewall 2.0.2, if RESTOREFILE The firewall is then wide open and unprotected. Existing connections
is not set or is set to the empty value (RESTOREFILE=&#34;&#34;), then are untouched. Clear is often used to see if the firewall is causing
the default value is <filename>restore</filename>.</para> connection problems.</para>
</listitem> </listitem>
</itemizedlist> </varlistentry>
<varlistentry>
<term>delete</term>
<listitem>
<para><command>shorewall delete &#60;interface&#62;[:&#60;host&#62;]
&#60;zone&#62;</command></para>
<para>Deletes the specified interface (and host if included) from
the specified zone.</para>
<para>Example:</para>
<para><command>shorewall delete ipsec0:192.0.2.24 vpn1</command></para>
<para>deletes the address 192.0.2.24 from interface ipsec0 from zone
vpn1</para>
</listitem>
</varlistentry>
<varlistentry>
<term>drop</term>
<listitem>
<para><command>shorewall drop &#60;address&#62; ...</command></para>
<para>Causes packets from the specified &#60;<emphasis>address</emphasis>&#62;
to be ignored</para>
</listitem>
</varlistentry>
<varlistentry>
<term>forget</term>
<listitem>
<para><command>shorewall forget [ &#60;filename&#62; ]</command></para>
<para>Deletes<filename> /var/lib/shorewall/&#60;filename&#62;</filename>.
If no &#60;<emphasis>filename</emphasis>&#62; is given then the file
specified by RESTOREFILE in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
is removed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>help</term>
<listitem>
<para><command>shorewall help [&#60;command&#62; | host | address ]</command></para>
<para>Display helpful information about the shorewall commands.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>hits</term>
<listitem>
<para><command>hits</command></para>
<para>Produces several reports about the Shorewall packet log
messages in the current log file specified by the LOGFILE option in
<ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>ipcalc</term>
<listitem>
<para><command>shorewall ipcalc [ &#60;address&#62; &#60;mask&#62; |
&#60;address&#62;/&#60;vlsm&#62; ]</command></para>
<para>Ipcalc displays the network address, broadcast address,
network in CIDR notation and netmask corresponding to the input[s].</para>
<para>Example:</para>
<para><command>ipcalc 192.168.1.0/24</command></para>
</listitem>
</varlistentry>
<varlistentry>
<term>iprange</term>
<listitem>
<para><command>shorewall iprange
&#60;address1&#62;-&#60;address2&#62;</command></para>
<para>Iprange decomposes the specified range of IP addresses into
the equivalent list of network/host addresses.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>logwatch</term>
<listitem>
<para><command>shorewall logwatch [&#60;refresh interval&#62;]</command></para>
<para>Monitors the log file specified by theLOGFILE option in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
and produces an audible alarm when new Shorewall messages are
logged.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>monitor</term>
<listitem>
<para><command>shorewall [-x] monitor [&#60;refresh_interval&#62;]</command></para>
<para>Continuously display the firewall status, last 20 log entries
and nat. When the log entry display changes, an audible alarm is
sounded.</para>
<para>When -x is given, that option is also passed to iptables to
display actual packet and byte counts.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>refresh</term>
<listitem>
<para><command>shorewall refresh: [ -q ] refresh</command></para>
<para>The rules involving the broadcast addresses of firewall
interfaces, the black list, traffic control rules and ECN control
rules are recreated to reflect any changes made to your
configuration files. Existing connections are untouched If -q is
specified, less detain is displayed making it easier to spot
warnings.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>reject</term>
<listitem>
<para><command>shorewall reject &#60;address&#62; ...</command></para>
<para>Causes packets from the specified &#60;<emphasis>address</emphasis>&#62;s
to be rejected</para>
</listitem>
</varlistentry>
<varlistentry>
<term>reset</term>
<listitem>
<para><command>shorewall reset</command></para>
<para>All the packet and byte counters in the firewall are reset.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>restart</term>
<listitem>
<para><command>shorewall [ -q ] [ -c
&#60;configuration-directory&#62; ] restart</command></para>
<para>Restart is similar to <command>shorewall stop</command>
followed by <command>shorewall start</command>. Existing connections
are maintained. If -q is specified, less detail is displayed making
it easier to spot warnings</para>
</listitem>
</varlistentry>
<varlistentry>
<term>restore</term>
<listitem>
<para><command>shorewall [ -q ] restore [ &#60;filename&#62; ]</command></para>
<para>Restore Shorewall to a state saved using the
<command>shorewall save</command> command Existing connections are
maintained. The &#60;<emphasis>filename</emphasis>&#62; names a
restore file in <filename class="directory">/var/lib/shorewall</filename>
created using <command>shorewall save</command>; if no &#60;<emphasis>filename</emphasis>&#62;
is given then Shorewall will be restored from the file specified by
the RESTOREFILE option in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>save</term>
<listitem>
<para><command>shorewall save [ &#60;filename&#62; ]</command></para>
<para>The dynamic data is stored in /var/lib/shorewall/save. The
state of the firewall is stored in <filename>/var/lib/shorewall/&#60;filename&#62;</filename>
for use by the <command>shorewall restore</command> and
<command>shorewall -f start</command> commands. If &#60;<emphasis>filename</emphasis>&#62;
is not given then the state is saved in the file specified by the
RESTOREFILE option in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>show</term>
<listitem>
<para><command>shorewall [ -x ] show [ &#60;chain&#62; [
&#60;chain&#62; ...] |classifiers|connections|log|nat|tc|tos]</command></para>
<para><command>shorewall [ -x ] show &#60;chain&#62; [
&#60;chain&#62; ... ] </command> - produce a verbose report about
the Netfilter chain(s). (<command>iptables -L chain -n -v</command>)</para>
<para><command>shorewall [ -x ] show nat</command> - produce a
verbose report about the nat table. (<command>iptables -t nat -L -n
-v</command>)</para>
<para><command>shorewall [ -x ] show tos</command> - produce a
verbose report about the mangle table. (<command>iptables -t mangle
-L -n -v</command>)</para>
<para><command>shorewall show log</command> - display the last 20
packet log entries.</para>
<para><command>shorewall show connections</command> - displays the
IP connections currently being tracked by the firewall.</para>
<para><command>shorewall show classifiers</command> - displays
information about the traffic control/shaping classifiers.</para>
<para><command>shorewall show tc</command> - displays information
about the traffic control/shaping configuration.</para>
<para>When -x is given, that option is also passed to iptables to
display actual packet and byte counts.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>start</term>
<listitem>
<para><command>shorewall [ -q ] [ -f ] [ -c
&#60;configuration-directory&#62; ] start</command></para>
<para>Start shorewall. Existing connections through shorewall
managed interfaces are untouched. New connections will be allowed
only if they are allowed by the firewall rules or policies. If -q is
specified, less detail is displayed making it easier to spot
warnings If -f is specified, the saved configuration specified by
the RESTOREFILE option in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>
will be restored if that saved configuration exists</para>
</listitem>
</varlistentry>
<varlistentry>
<term>stop</term>
<listitem>
<para><command>shorewall stop</command></para>
<para>Stops the firewall. All existing connections, except those
listed in <filename><ulink url="Documentation.htm#Routestopped">/etc/shorewall/routestopped</ulink></filename>
or permitted by the ADMINISABSENTMINDED option in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>,
are taken down. The only new traffic permitted through the firewall
is from systems listed in <filename>/etc/shorewall/routestopped</filename>
or by ADMINISABSENTMINDED.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>status</term>
<listitem>
<para><command>shorewall [ -x ] status</command></para>
<para>Produce a verbose report about the firewall.</para>
<para>When -x is given, that option is also passed to iptables to
display actual packet and byte counts.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>try</term>
<listitem>
<para><command>shorewall try &#60;configuration-directory&#62; [
&#60;timeout&#62; ]</command></para>
<para>Restart shorewall using the specified configuration. If an
error occurs during the restart, then another shorewall restart is
performed using the default configuration. If a timeout is specified
then the restart is always performed after the timeout occurs and
uses the default configuration.</para>
<para>When restarting using the default configuration, if the
default restore script (as specified by the RESTOREFILE setting in
<ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>)
exists. then that script is used.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>version</term>
<listitem>
<para><command>shorewall version</command></para>
<para>Show the current shorewall version</para>
</listitem>
</varlistentry>
</variablelist>
</section> </section>
<section id="State"> <section id="State">
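Review bot: the synopsis line for refresh reads "shorewall refresh: [ -q ] refresh" and should be "shorewall [ -q ] refresh" to match the other entries; likewise the hits synopsis shows a bare "hits" and the ipcalc example shows "ipcalc 192.168.1.0/24" without the shorewall prefix. Typos in the same hunk: "rejct" in the allow entry, "theLOGFILE" in logwatch, "less detain is displayed" in refresh, the missing period in "Existing connections are untouched If -q is specified", and "exists. then that script is used" in try. In the save entry, "The dynamic data is stored in /var/lib/shorewall/save." is unexplained and reads as contradicting the next sentence, which puts the state in /var/lib/shorewall/<filename>; say what "dynamic data" is (presumably the dynamic blacklist that allow, drop and reject maintain) or drop the sentence. The stop entry says existing connections "are taken down"; stop does not terminate connections, it stops passing their packets, and that distinction matters because the next sentence says ADMINISABSENTMINDED lets existing connections continue. Finally, the start entry describes -f only for the case where the saved configuration exists; state what happens otherwise (the saving section implies a normal start is performed).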
@ -573,16 +815,4 @@
</tgroup> </tgroup>
</informaltable> </informaltable>
</section> </section>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.10</revnumber><date>2004-05-14</date><authorinitials>TE</authorinitials><revremark>Update
&#34;try&#34; syntax in the alternate configuration section to include [
&#60;timeout&#62; ]</revremark></revision><revision><revnumber>1.9</revnumber><date>2004-05-03</date><authorinitials>TE</authorinitials><revremark>Shorewall
2.0.2</revremark></revision><revision><revnumber>1.3-1.8</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Docbook
standards</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-12-31</date><authorinitials>TE</authorinitials><revremark>Added
clarification about &#34;Started State&#34;</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-29</date><authorinitials>TE</authorinitials><revremark>Initial
Docbook conversion</revremark></revision></revhistory></para>
</appendix>
</article> </article>
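Review bot: the Revision History appendix is removed outright. That is reasonable if history now lives in SVN, but its 1.10 entry (2004-05-14) was the only place recording when the try [ &lt;timeout&gt; ] syntax appeared, which matters to readers running older 2.0.x releases; consider keeping a one-line version note in the try entry itself, and confirm that this file's &lt;pubdate&gt; was bumped in the same commit, since the appendix no longer dates the document.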

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-25</pubdate> <pubdate>2004-07-29</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -78,7 +78,7 @@
<title>Problem Reporting Guidelines</title> <title>Problem Reporting Guidelines</title>
<note> <note>
<para>Shorewall versions earlier that 1.3.0 are no longer supported.</para> <para>Shorewall versions earlier that 1.4.0 are no longer supported.</para>
</note> </note>
<itemizedlist> <itemizedlist>

View File

@ -5,7 +5,7 @@
<!--$Id$--> <!--$Id$-->
<articleinfo> <articleinfo>
<title></title> <title>Operating Shorewall</title>
<authorgroup> <authorgroup>
<author> <author>
@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-MM-DD</pubdate> <pubdate>2004-07-31</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-14</pubdate> <pubdate>2004-07-31</pubdate>
<copyright> <copyright>
<year>2002-2004</year> <year>2002-2004</year>
@ -169,12 +169,12 @@
and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even and /usr/share/doc/shorewall/default-config/modules to /etc/shorewall even
if you do not modify those files.</para></warning></para> if you do not modify those files.</para></warning></para>
<para>After you have installed Shorewall, download the three-interface <para>After you have installed Shorewall, download the <ulink
sample, un-tar it (<command>tar <option>-zxvf</option> url="http://shorewall.net/pub/shorewall/Samples">three-interface sample</ulink>,
<filename>three-interfaces.tgz</filename></command>) and and copy the un-tar it (<command>tar <option>-zxvf</option> <filename>three-interfaces.tgz</filename></command>)
files to <filename>/etc/shorewall</filename> (the files will replace files and and copy the files to <filename>/etc/shorewall</filename> (the files
with the same names that were placed in <filename>/etc/shorewall</filename> will replace files with the same names that were placed in
when Shorewall was installed).</para> <filename>/etc/shorewall</filename> when Shorewall was installed).</para>
<para>As each file is introduced, I suggest that you look through the <para>As each file is introduced, I suggest that you look through the
actual file on your system -- each file contains detailed configuration actual file on your system -- each file contains detailed configuration
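Review bot: the rewritten sentence still contains the duplicated "and and copy the files"; drop one "and". The more important point is that the reader is now told to fetch three-interfaces.tgz from http://shorewall.net/pub/shorewall/Samples over plain HTTP and overwrite the files in /etc/shorewall with its contents. Those files are the firewall policy, so the procedure should tell the reader to verify the archive first (a checksum or signature, if the project publishes one for the samples) and to list it with tar -tzvf before extracting, so that an unexpected path or file is noticed before it replaces a live configuration file.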
@ -372,13 +372,10 @@ fw net ACCEPT</programlisting>
</tip> </tip>
<tip> <tip>
<para>If you specify <emphasis>norfc1918</emphasis> for your external <para>If you specify <emphasis>nobogons</emphasis> for your external
interface, you will want to check the <ulink url="errata.htm">Shorewall interface, you will want to check the <ulink url="errata.htm">Shorewall
Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/rfc1918 Errata</ulink> periodically for updates to the <filename>/usr/share/shorewall/bogons
file</filename>. Alternatively, you can copy <filename>/usr/share/shorewall/rfc1918</filename> file</filename>.</para>
to <filename>/etc/shorewall/rfc1918</filename> then <ulink
url="myfiles.htm#RFC1918">strip down your <filename>/etc/shorewall/rfc1918</filename>
file as I do</ulink>.</para>
</tip> </tip>
</section> </section>
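Review bot: the rewritten tip drops the old alternative of copying the file to /etc/shorewall and stripping it down. If a local /etc/shorewall/bogons override is still honoured the way /etc/shorewall/rfc1918 was, say so; readers who overrode rfc1918 will otherwise not realise their override no longer applies. It would also help to state why the periodic errata check matters: a bogons list goes stale as formerly unallocated address space is assigned, and an outdated file silently drops legitimate traffic from those new ranges, which is a hard failure mode to diagnose from the firewall side.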

View File

@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-07-14</pubdate> <pubdate>2004-08-05</pubdate>
<copyright> <copyright>
<year>2001-2004</year> <year>2001-2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para> <quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
@ -40,8 +41,8 @@
management itself but it does contain some facilities to intergrate with management itself but it does contain some facilities to intergrate with
traffic shaping/control solutions. In order to use traffic shaping with traffic shaping/control solutions. In order to use traffic shaping with
Shorewall, it is essential that you get a copy of the <ulink Shorewall, it is essential that you get a copy of the <ulink
url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</ulink>, url="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping
version 0.3.0 or later or <ulink HOWTO</ulink>, version 0.3.0 or later or <ulink
url="http://www.tldp.org/HOWTO/Traffic-Control-HOWTO/">The Traffic Control url="http://www.tldp.org/HOWTO/Traffic-Control-HOWTO/">The Traffic Control
HOWTO</ulink>. It is also necessary to be running Linux Kernel 2.4.18 or HOWTO</ulink>. It is also necessary to be running Linux Kernel 2.4.18 or
later. Shorewall traffic shaping support consists of the following:</para> later. Shorewall traffic shaping support consists of the following:</para>
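Review bot: this hunk only rewraps the paragraph, but "intergrate" at the top of it is a typo ("integrate"); fix it while the lines are being touched.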
@ -63,14 +64,15 @@
<listitem> <listitem>
<para><emphasis role="bold">/etc/shorewall/tcrules</emphasis> - A file <para><emphasis role="bold">/etc/shorewall/tcrules</emphasis> - A file
where you can specify firewall marking of packets. The firewall mark where you can specify firewall marking of packets. The firewall mark
value may be used to classify packets for traffic shaping/control.</para> value may be used to classify packets for traffic
shaping/control.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">/etc/shorewall/tcstart </emphasis>- A <para><emphasis role="bold">/etc/shorewall/tcstart </emphasis>- A
user-supplied file that is sourced by Shorewall during <quote>shorewall user-supplied file that is sourced by Shorewall during
start</quote> and which you can use to define your traffic shaping <quote>shorewall start</quote> and which you can use to define your
disciplines and classes. I have provided a <ulink traffic shaping disciplines and classes. I have provided a <ulink
url="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</ulink> that url="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</ulink> that
does table-driven CBQ shaping but if you read the traffic shaping does table-driven CBQ shaping but if you read the traffic shaping
sections of the HOWTO mentioned above, you can probably code your own sections of the HOWTO mentioned above, you can probably code your own
@ -93,17 +95,18 @@
README). <emphasis role="bold">WARNING</emphasis>: If you use use README). <emphasis role="bold">WARNING</emphasis>: If you use use
Masquerading or SNAT (i.e., you only have one external IP address) Masquerading or SNAT (i.e., you only have one external IP address)
then listing internal hosts in the NOPRIOHOSTSRC variable in the then listing internal hosts in the NOPRIOHOSTSRC variable in the
wshaper[.htb] script won&#39;t work. Traffic shaping occurs after SNAT wshaper[.htb] script won't work. Traffic shaping occurs after SNAT has
has already been applied so when traffic shaping happens, all outbound already been applied so when traffic shaping happens, all outbound
traffic will have as a source address the IP addresss of your traffic will have as a source address the IP addresss of your
firewall&#39;s external interface.</para> firewall's external interface.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis role="bold">/etc/shorewall/tcclear</emphasis> - A <para><emphasis role="bold">/etc/shorewall/tcclear</emphasis> - A
user-supplied file that is sourced by Shorewall when it is clearing user-supplied file that is sourced by Shorewall when it is clearing
traffic shaping. This file is normally not required as Shorewall&#39;s traffic shaping. This file is normally not required as Shorewall's
method of clearing qdisc and filter definitions is pretty general.</para> method of clearing qdisc and filter definitions is pretty
general.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
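Review bot: the reflow keeps two typos in the wshaper warning: "If you use use Masquerading" and "the IP addresss of your firewall's external interface". The warning itself is the most useful sentence in this list and is correct as stated: shaping on the external interface sees packets after SNAT, so matching internal hosts by source address in NOPRIOHOSTSRC cannot work there. Since the /etc/shorewall/tcrules item above says the firewall mark may be used to classify packets for shaping, point readers there as the way to identify internal hosts by mark instead of by post-SNAT source address.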
@ -161,7 +164,7 @@
<section> <section>
<title>Kernel Configuration</title> <title>Kernel Configuration</title>
<para>This screen shot show how I&#39;ve configured QoS in my Kernel:<graphic <para>This screen shot show how I've configured QoS in my Kernel:<graphic
align="center" fileref="images/QoS.png" /></para> align="center" fileref="images/QoS.png" /></para>
</section> </section>
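Review bot: "This screen shot show how" should be "shows". A screenshot is also neither searchable nor accessible; listing the kernel option names in text next to the image (at least the HTB and CBQ scheduler options this page depends on) would let readers grep their kernel config instead of comparing pictures.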
@ -233,7 +236,8 @@
generating the output is running under the effective user and/or generating the output is running under the effective user and/or
group. It may contain :</para> group. It may contain :</para>
<para>[&#60;user name or number&#62;]:[&#60;group name or number&#62;]</para> <para>[&lt;user name or number&gt;]:[&lt;group name or
number&gt;]</para>
<para>The colon is optionnal when specifying only a user.</para> <para>The colon is optionnal when specifying only a user.</para>
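Review bot: "optionnal" should be "optional". The change from &amp;#60;/&amp;#62; to &amp;lt;/&amp;gt; is an equivalent entity spelling and is fine. Since the column is defined in terms of "the process generating the output", it would be worth one sentence stating that this match applies only to traffic generated on the firewall itself and cannot classify forwarded traffic from internal hosts, to head off the same confusion the NOPRIOHOSTSRC warning addresses.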
@ -303,7 +307,8 @@ run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit
run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1 run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1
echo <quote> Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit</quote> echo <quote> Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit</quote>
run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10 run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5
run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10
run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5 run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5
echo <quote> Enabled PFIFO on Second Level Classes</quote> echo <quote> Enabled PFIFO on Second Level Classes</quote>
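Review bot: good catch on the &lt;programlisting&gt;: the old text had "pfifo limit 5run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10" on one line, so anyone pasting it would have issued a single tc command with the limit "5run_tc", which tc rejects, and class 1:20 would never have received its pfifo. Whitespace is significant inside &lt;programlisting&gt;, so the rest of this listing is worth checking for other joined lines. The echo &lt;quote&gt;...&lt;/quote&gt; lines are a related hazard: &lt;quote&gt; renders as typographic quotation marks, which a shell does not treat as string delimiters, so a reader copying the listing verbatim gets different behaviour from the author's script; literal &amp;quot; characters in the listing would be safer.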