From cf710d08ead9322325f521c5eee5061c0e2cb63b Mon Sep 17 00:00:00 2001
From: judas_iscariote
Date: Fri, 2 Sep 2005 09:01:13 +0000
Subject: [PATCH] some changes, (somewhat incomplete,though.. )
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2622 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
---
 Shorewall-docs2/Documentation.xml | 6 +-
 Shorewall-docs2/ReleaseModel.xml | 4 +-
 Shorewall-docs2/Shorewall_Doesnt.xml | 24 +-
 Shorewall-docs2/errata.xml | 451 +---------------
 Shorewall-docs2/ports.xml | 83 +--
 Shorewall-docs2/standalone.xml | 35 +-
 .../whitelisting_under_shorewall.xml | 480 ++++++++++--------
 7 files changed, 350 insertions(+), 733 deletions(-)
diff --git a/Shorewall-docs2/Documentation.xml b/Shorewall-docs2/Documentation.xml
index 85a7b7434..51f29a249 100644
--- a/Shorewall-docs2/Documentation.xml
+++ b/Shorewall-docs2/Documentation.xml
@@ -614,8 +614,10 @@ NET_OPTIONS=blacklist,norfc1918 If no <number> is given then the value 1 is assumed - WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE - INVOLVED IN PROXY ARP. + + DO NOT SPECIFY arp_ignore FOR + ANY INTERFACE INVOLVED IN PROXY ARP. +
diff --git a/Shorewall-docs2/ReleaseModel.xml b/Shorewall-docs2/ReleaseModel.xml
index 0ee46046f..433a624df 100644
--- a/Shorewall-docs2/ReleaseModel.xml
+++ b/Shorewall-docs2/ReleaseModel.xml
@@ -15,7 +15,7 @@ - 2005-07-08 + 2005-09-02 2004
@@ -123,7 +123,7 @@ - The currently-supported major releases are 2.0 and 2.2. + The currently-supported major releases are 2.4.x and 3.x.
diff --git a/Shorewall-docs2/Shorewall_Doesnt.xml b/Shorewall-docs2/Shorewall_Doesnt.xml
index 59cb6b593..6c2b5376c 100644
--- a/Shorewall-docs2/Shorewall_Doesnt.xml
+++ b/Shorewall-docs2/Shorewall_Doesnt.xml
@@ -13,12 +13,10 @@ Eastep - 2005-08-03 + 2005-09-02 - 2003 - - 2004 + 2003- 2005
@@ -36,6 +34,12 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that release + +
Shorewall Does not:
@@ -77,18 +81,6 @@ - - Set up Routing (except to support Proxy ARP) — Shorewall 2.4.0 and later CAN - set up routing for multiple internet connections. - - - - Do Traffic Shaping/Bandwidth Management (although it provides - hooks to interface to Traffic - Control/Bandwidth Management solutions) - - Configure/manage Network Devices (your Distribution includes tools for that).
diff --git a/Shorewall-docs2/errata.xml b/Shorewall-docs2/errata.xml
index 65aeb5c37..52969baad 100644
--- a/Shorewall-docs2/errata.xml
+++ b/Shorewall-docs2/errata.xml
@@ -13,7 +13,7 @@ - 2005-07-17 + 2005-09-02 2001-2005
@@ -64,37 +64,11 @@
- RFC1918 File + Problems in Shorewall. - Here - is the most up to date version of the rfc1918 file. This file only applies to Shorewall versions 1.4.* and 2.0.0 - and its bugfix updates. In Shorewall 2.0.1 and later releases, - the bogons file lists IP ranges that are reserved by - the IANA and the rfc1918 file only lists those three - ranges that are reserved by RFC 1918. -
- -
- Bogons File - - Here - is the most up to date version of the bogons file. This file only applies to Shorewall versions 2.0.1 and - later. -
- -
- Problems in Version 2.2 and Later - - Beginning with Shorewall version 2.2.0, errata will not be published - on this page. Rather, the download directory for each version will - contain: + Beginning with Shorewall version 2.2.0, errata will not be published on this page. Rather, the + download directory for each version will contain:
@@ -111,423 +85,10 @@
-
- Problems in Version 2.0 - -
- Shorewall 2.0.17 - - - Users specifying TCP_FLAGS_LOG_LEVEL=ULOG will find that - "shorewall [re]start" fails with the following error: - - iptables v1.3.2: Unknown arg `--log-ip-options' -Try `iptables -h' or 'iptables --help' for more information. -ERROR: Command "/usr/sbin/iptables -A logflags -j ULOG --log-ip-options --ulog-prefix "Shorewall:logflags:DROP:"" Failed - - Install the 'firewall' - script in the errata directory into - /usr/share/shorewall/firewall replacing the file by that - name. - - - - Setting MACLIST_DISPOSITION=ACCEPT opens a serious security - vulnerability. Install the 'firewall' - script in the errata directoryinto - /usr/share/shorewall/firewall replacing the file by that - name. - - -
- -
- Shorewall 2.0.15-2.0.16 - - - - If the "rejNotSyn" action is invoked, an error occurs at - startup. - - - - Corrected in this - firewall script which may be installed in - /usr/share/shorewall/firewall as described above. -
- -
- Shorewall 2.0.12 - - - - The "shorewall add" command produces the error message: - - /usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found - - You can correct the problem yourself by editing - /usr/share/shorewall/firewall and on line 5805, replace match_destination_hosts with match_dest_hosts. - - - - Corrected in this - firewall script which may be installed in - /usr/share/shorewall/firewall as described above. -
- -
- Shorewall 2.0.10 - - The initial packages uploaded to the FTP and HTTP servers were - incorrect. Here are the MD5 sums of the incorrect packages. - - 14e8f2bfa08cc5ca2715c8b1179d5eb2  shorewall-2.0.10-1.noarch.rpm -54bcbb2216ad3db9870507cd9716fd99  shorewall-2.0.10.tgz -c2fe0acc7f056acb56d089cf8dafa39a  shorwall-2.0.10.lrp - - These incorrect packages have been replaced with correct ones - having the following MD5 sums: - - d5af452d38538b4b994c3c4abab8e012  shorewall-2.0.10-1.noarch.rpm -985ce9215ea9cc0299f0b5450fdbe05e  shorewall-2.0.10.tgz -0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf  shorwall-2.0.10.lrp - - If you have installed an incorrect package, please replace - /sbin/shorewall with this - file. -
- -
- Shorewall 2.0.3 through 2.0.8 - - - - An empty PROTO column in /etc/shorewall/tcrules produced - iptables errors during shorewall start. A value - of all in that column produced a similar - error. - - - - Corrected in this - firewall script which may be installed in - /usr/share/shorewall/firewall as described above. -
- -
- Shorewall 2.0.3a through 2.0.7 - - - - Entries in the USER/GROUP column of an action file (made from - action.template) may be ignored or cause odd errors. - - - - Corrected in this - firewall script which may be installed in - /usr/share/shorewall/firewall as described above. -
- -
- Shorewall 2.0.3a through 2.0.4 - - - - Error messages regarding $RESTOREBASE occur during shorewall stop if DISABLE_IPV6=Yes in - shorewall.conf. - - - - Corrected in this - firewall script which may be installed in - /usr/share/shorewall/firewall as described above. Also fixed in - Shorewall Version 2.0.5. -
- -
- Shorewall 2.0.2 and all Shorewall 2.0.3 Releases. - - - - DNAT rules with fw as the - source zone and that specify logging cause shorewall - start to fail with an iptables error. The problem is - corrected for Shorewall 2.0.3 users in this - firewall script which may be installed in - /usr/share/shorewall/firewall as described above. - - -
- -
- Shorewall 2.0.3a and 2.0.3b - - - - Error messages regarding $RESTOREBASE occur during shorewall stop. - - - - If CLEAR_TC=Yes in shorewall.conf, - shorewall stop fails without - removing the lock file. - - - - The above problems are corrected in Shorewall version - 2.0.3c. -
- -
- Shorewall 2.0.3a - - - - Slackware users find that version 2.0.3a fails to start - because their mktemp utility does not support the - -d option. This may be corrected by installing this - corrected functions file in /var/lib/shorewall/functions. - - - - Shorewall fails to start if there is no - mktemp utility. - - - - These problems are corrected in Shorewall version 2.0.3b. -
- -
- Shorewall 2.0.3 - - - - A non-empty entry in the DEST column of /etc/shorewall/tcrules - will result in an error message and Shorewall fails to start. This - problem is fixed in Shorewall version 2.0.3a. - - - - A potentially exploitable vulnerability in the way that - Shorewall handles temporary files and directories has been found by - Javier Fernández-Sanguino Peña. This vulnerability is corrected in - Shorewall 2.0.3a. All Shorewall 2.0.x users are urged to upgrade to - 2.0.3a. - - -
- -
- Shorewall 2.0.2 - - - - Temporary restore files with names of the form - restore-nnnnn are left in - /var/lib/shorewall. - - - - "shorewall restore" and "shorewall -f start" do not load - kernel modules. - - The above two problems are corrected in - Shorewall 2.0.2a - - - - Specifying a null common action in /etc/shorewall/actions - (e.g., :REJECT) results in a startup error. - - - - If /var/lib/shorewall does not exist, - shorewall start fails. - - The above four problems are corrected in - Shorewall 2.0.2b - - - - DNAT rules work incorrectly with dynamic zones in that the - source interface is not included in the nat table DNAT rule. - - The above five problems are corrected in - Shorewall 2.0.2c - - - - During start and restart, Shorewall is detecting capabilities - before loading kernel modules. Consequently, if kernel module - autoloading is disabled, capabilities can be mis-detected during - boot. - - - - The newnotsyn option in - /etc/shorewall/hosts has no effect. - - The above seven problems are corrected - in Shorewall 2.0.2d - - - - Use of the LOG target in an action results in two LOG or ULOG - rules. - - The above eight problems are corrected - in Shorewall 2.0.2e - - - - Kernel modules fail to load when MODULE_SUFFIX isn't set in - shorewall.conf - - All of the above problems are corrected - in Shorewall 2.0.2f - - - - These problems are all corrected by the - firewall and functions files - in this - directory. Both files must be installed in - /usr/share/shorewall/ as described above. -
- -
- Shorewall 2.0.1 - - - - Confusing message mentioning IPV6 occur at startup. - - - - Modules listed in /etc/shorewall/modules don't load or produce - errors on Mandrake 10.0 Final. - - - - The shorewall delete command does not - remove all dynamic rules pertaining to the host(s) being - deleted. - - - - These problems are corrected in this - firewall script which may be installed in - /usr/share/shorewall/firewall as described - above. - - - - When run on a SuSE system, the install.sh script fails to - configure Shorewall to start at boot time. That problem is corrected - in this - version of the script. - - -
- -
- Shorewall 2.0.1/2.0.0 - - - - On Debian systems, an install using the tarball results in an - inability to start Shorewall at system boot. If you already have - this problem, install this - file as /etc/init.d/shorewall (replacing the existing file - with that name). If you are just installing or upgrading to - Shorewall 2.0.0 or 2.0.1, then replace the - init.debian.sh file in the Shorewall - distribution directory (shorewall-2.0.x) with the updated file - before running install.sh from that - directory. - - -
- -
- Shorewall 2.0.0 - - - - When using an Action in the ACTIONS column of a rule, you may - receive a warning message about the rule being a policy. While this - warning may be safely ignored, it can be eliminated by installing - the script from the link below. - - - - Thanks to Sean Mathews, a long-standing problem with Proxy ARP - and IPSEC has been corrected. - - - - The first problem has been corrected in Shorewall update - 2.0.0a. - - All of these problems may be corrected by installing this - firewall script in /usr/share/shorewall as described - above. -
-
-
Upgrade Issues The upgrade issues have moved to a separate page.
- -
- Problem with iptables 1.2.9 - - If you want to use the new features in Shorewall 2.0.2 (Betas, RCs, - Final) or later then you need to patch your iptables 1.2.9 with this - patch or you need to use the CVS version of - iptables. -
- -
- Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to - 2.4.21-RC1) - - Beginning with errata kernel 2.4.20-13.9, REJECT - --reject-with tcp-reset is broken. The symptom most commonly seen - is that REJECT rules act just like DROP rules when dealing with TCP. A - kernel patch and precompiled modules to fix this problem are available at - ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel - - - RedHat have corrected this problem in their 2.4.20-27.x - kernels. - -
- +
\ No newline at end of file
diff --git a/Shorewall-docs2/ports.xml b/Shorewall-docs2/ports.xml
index e0da9baa5..35fd778a0 100644
--- a/Shorewall-docs2/ports.xml
+++ b/Shorewall-docs2/ports.xml
@@ -13,12 +13,10 @@ - 2004-10-01 + 2005-09-02 - 2001-2002 - - 2004 + 2001-2005 Thomas M. Eastep
@@ -41,21 +39,26 @@ + + This article applies to Shorewall 3.0 and + later. If you are running a version of Shorewall earlier than Shorewall + 3.0.0 then please see the documentation for that release + +
Important Notes - Beginning with Shorewall 2.0.0, the Shorewall distribution - contains a library of user-defined actions that allow for easily - allowing or blocking a particular application. Check your - /usr/share/shorewall/actions.std file for a list of - the actions in your distribution. If you find what you need, you simply - use the action in a rule. For example, to allow DNS queries from the - dmz zone to the Shorewall distribution contains a library of user-defined macros + that allow for easily allowing or blocking a particular application. + Check your /usr/share/shorewall/actions.std file + for a list of macros in your distribution. If you find what you need, + you simply use the action in a rule. For example, to allow DNS queries + from the dmz zone to the net zone: #ACTION SOURCE DESTINATION -AllowDNS dmz net +DNS/ACCEPT dmz net @@ -68,28 +71,32 @@ AllowDNS dmz net at 192.168.1.4 in your DMZ. The FTP section below gives you: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ACCEPT <source> <destination> tcp 21 +FTP/ACCEPT <source> <destination> You would code your rule as follows: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -DNAT net dmz:192.168.1.4 tcp 21 +FTP/DNAT net dmz:192.168.1.4
Auth (identd) - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ACCEPT <source> <destination> tcp 113 + + Now,It's 21 Century , + don't use identd in production anymore. + + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +Auth/ACCEPT <source> <destination>
DNS - #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ACCEPT <source> <destination> udp 53 -ACCEPT <source> <destination> tcp 53 + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) +DNS/ACCEPT <source> <destination> Note that if you are setting up a DNS server that supports recursive resolution, the server is the <destination> for @@ -100,10 +107,8 @@ ACCEPT <source> <destination> #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ACCEPT all dmz udp 53 -ACCEPT all dmz tcp 53 -ACCEPT dmz net udp 53 -ACCEPT dmz net tcp 53 +DNS/ACCEPT all dmz +DNS/ACCEPT dmz net Recursive Resolution means that if the server itself can't resolve @@ -153,7 +158,7 @@ DNAT net loc:192.168.1.4 tcp 4711 FTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ACCEPT <source> <destination> tcp 21 +FTP/ACCEPT <source> <destination> Look here for much more information. @@ -163,15 +168,20 @@ ACCEPT <source> <destination>ICQ/AIM #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ACCEPT <source> net tcp 5190 +ICQ/ACCEPT <source> net
IMAP + + When accessing you mail from the internet,use only IMAP over + SSL + + #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ACCEPT <source> <destination> tcp 143 #Unsecure IMAP -ACCEPT <source> <destination> tcp 993 #Secure IMAP +IMAP/ACCEPT <source> <destination> #Secure & Unsecure IMAP
@@ -215,6 +225,11 @@ ACCEPT <source> <destination> Pop3 + + If Possible , Avoid this protocol + , use IMAP instead. + + TCP Port 110 (Secure Pop3 is TCP Port 995) #ACTION SOURCE DESTINATION PROTO DEST PORT(S) @@ -248,10 +263,10 @@ ACCEPT <source> <destination>
- SSH + SSH/SFTP #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -ACCEPT <source> <destination> tcp 22 +SSH/ACCEPT <source> <destination>
@@ -401,6 +416,16 @@ ACCEPT <apps> <chooser Revision History + + 1.16 + + 2005-09-02 + + CR + + Updated for Shorewall v3.0 + + 1.15
diff --git a/Shorewall-docs2/standalone.xml b/Shorewall-docs2/standalone.xml
index 38615cbec..1c89d4d5c 100644
--- a/Shorewall-docs2/standalone.xml
+++ b/Shorewall-docs2/standalone.xml
@@ -291,13 +291,6 @@ all all REJECT info if you have a static IP address, you can remove dhcp from the option list. - - - If you specify nobogons for your external - interface, you will want to check the Shorewall - Errata periodically for updates to the - /usr/share/shorewall/bogons file. -
@@ -345,12 +338,12 @@ all all REJECT info <action> net fw - You want to run a Web Server and a POP3 Server on your firewall + <title>You want to run a Web Server and a IMAP Server on your firewall system: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -AllowWeb net fw -AllowPOP3 net fw +Web/ACCEPT net fw +IMAP/ACCEPT net fw You may also choose to code your rules directly without using the
@@ -363,12 +356,12 @@ AllowPOP3 net fw ACCEPT net fw <protocol> <port> - You want to run a Web Server and a POP3 Server on your firewall + <title>You want to run a Web Server and a IMAP Server on your firewall system: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) ACCEPT net fw tcp 80 -ACCEPT net fw tcp 110 +ACCEPT net fw tcp 143 If you don't know what port and protocol a particular application
@@ -380,7 +373,7 @@ ACCEPT net fw tcp 110 firewall from the internet, use SSH: #ACTION SOURCE DESTINATION PROTO DEST PORT(S) -AllowSSH net fw +SSH/ACCEPT net fw
@@ -409,9 +402,9 @@ AllowSSH net fw - If you are running Shorewall 2.1.3 or later, - you must enable startup by editing /etc/shorewall/shorewall.conf and - setting STARTUP_ENABLED=Yes. + You must enable startup by editing + /etc/shorewall/shorewall.conf and setting + STARTUP_ENABLED=Yes. The firewall is started using the shorewall
@@ -453,6 +446,16 @@ AllowSSH net fw Revision History + + 1.9 + + 2005-09-02 + + CR + + Update for Shorewall 3.0 + + 1.8
diff --git a/Shorewall-docs2/whitelisting_under_shorewall.xml b/Shorewall-docs2/whitelisting_under_shorewall.xml
index 543291124..cf39efabf 100644
--- a/Shorewall-docs2/whitelisting_under_shorewall.xml
+++ b/Shorewall-docs2/whitelisting_under_shorewall.xml
@@ -1,386 +1,420 @@ - +
Whitelisting Under Shorewall + Tom + Eastep - + + 2005-09-02 + - 2002 - 2003 - 2004 + 2002-2005 + Thomas M. Eastep + - - Permission is granted to copy, distribute and/or modify this - document under the terms of the GNU Free Documentation License, Version - 1.2 or any later version published by the Free Software Foundation; with - no Invariant Sections, with no Front-Cover, and with no Back-Cover - Texts. A copy of the license is included in the section entitled GNU Free Documentation License. - + Permission is granted to copy, distribute and/or modify this + document under the terms of the GNU Free Documentation License, Version + 1.2 or any later version published by the Free Software Foundation; with + no Invariant Sections, with no Front-Cover, and with no Back-Cover + Texts. A copy of the license is included in the section entitled + GNU Free Documentation + License. - - For a brief time, the 1.2 version of Shorewall supported an /etc/shorewall/whitelist file. This file was intended to contain a - list of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was implemented as a stop-gap measure until the - facilities necessary for implementing white lists using zones was in place. As of Version 1.3 RC1, those facilities were available. - - - White lists are most often used to give special privileges to a set of hosts within an organization. Let us suppose that we have the following environment: - + + White lists are most often used to give special privileges to a set of + hosts within an organization. Let us suppose that we have the following + environment: + - - A firewall with three interfaces -- one to the Internet, one to a local network and one to a DMZ. - + A firewall with three interfaces -- one to the Internet, one to a + local network and one to a DMZ. 
+ - - The local network uses SNAT to the internet and is comprised of the Class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918 local network, the technique described here in no way depends on that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.). - + The local network uses SNAT to the internet and + is comprised of the Class B network 10.10.0.0/16 + (Note: While this example uses an RFC 1918 local network, the technique + described here in no way depends on that or on SNAT. + It may be used with Proxy ARP, Subnet Routing, Static + NAT, etc.). + - - The network operations staff have workstations with IP addresses in the Class C network 10.10.10.0/24. - + The network operations staff have workstations with IP addresses + in the Class C network 10.10.10.0/24. + - - We want the network operations staff to have full access to all other hosts. - + We want the network operations staff to have full access to all + other hosts. + - - We want the network operations staff to bypass the transparent HTTP proxy running on our firewall. - + We want the network operations staff to bypass the transparent + HTTP proxy running on our firewall. - - The basic approach will be that we will place the operations staff's class C in its own zone called ops. Here are the appropriate configuration files: - - + + The basic approach will be that we will place the operations staff's + class C in its own zone called ops. Here are the appropriate configuration + files: + + + Zone File + - + ZONE + DISPLAY + COMMENTS + - - net - + net + Net + Internet + - - ops - + ops + Operations + Operations Staff's Class C + - - loc - + loc + Local + Local Class B + - - dmz - + dmz + DMZ + Demilitarized zone - - The ops zone has been added to the standard 3-zone zones - file -- since ops is a sub-zone of loc, we list it BEFORE - loc. - - + + The ops zone has been added to the standard 3-zone + zones file -- since ops is a sub-zone of + loc, we list it BEFORE + loc. 
+ + + Interfaces File + - + ZONE + INTERFACE + BROADCAST + OPTIONS + - - net - - - eth0 - + net + + eth0 + <whatever> + <options> + - - dmz - - - eth1 - + dmz + + eth1 + <whatever> - + + + - - - - - - eth2 - - - 10.10.255.255 - - + - + + eth2 + + 10.10.255.255 + + - - Because eth2 interfaces to two zones (ops and loc), we don't specify a zone for it here. - - + + Because eth2 interfaces to two zones + (ops and loc), we don't specify a zone + for it here. + + + Hosts File + - + ZONE + HOST(S) + OPTIONS + - - ops - - - eth2:10.10.10.0/24 - - + ops + + eth2:10.10.10.0/24 + + + - - loc - - - eth2:0.0.0.0/0 - - + loc + + eth2:0.0.0.0/0 + + - - Here we define the ops and loc zones. When Shorewall is stopped, only the hosts in the ops zone will be allowed to access the firewall and the DMZ. I use 0.0.0.0/0 to define the loc zone rather than 10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for that special address. - - + + Here we define the ops and loc + zones. When Shorewall is stopped, only the hosts in the + ops zone will be allowed to access the firewall and the + DMZ. I use 0.0.0.0/0 to define the + loc zone rather than 10.10.0.0/16 so + that the limited broadcast address (255.255.255.255) + falls into that zone. If I used 10.10.0.0/16 then I would + have to have a separate entry for that special address. 
+ + + Policy File + SOURCE + DEST + POLICY + LOG LEVEL + LIMIT BURST + - - - - ops - - - - - all - - - - - ACCEPT - - - - + --> ops + + all + + + ACCEPT + + + + + + - - - all - - - - - ops - - - - - CONTINUE - - - - + all + + + ops + + + + CONTINUE + + + + + - - loc - - - net - - - ACCEPT - - - + loc + + net + + ACCEPT + + + + + - - net - - - all - - - DROP - - - info - - + net + + all + + DROP + + info + + + - - all - - - all - - - REJECT - - - info - - + all + + all + + REJECT + + info + + - - Two entries for ops (in bold) have been added to the standard 3-zone policy file. - - + + Two entries for ops (in bold) have been added to + the standard 3-zone policy file. + + + Rules File + ACTION + SOURCE + DEST + PROTO + DEST PORT(S) + SOURCE PORT(S) + ORIGINAL DEST + - - REDIRECT - - - loc!ops - - - 3128 - - - tcp - - - http - - - + REDIRECT + + loc!ops + + 3128 + + tcp + + http + + + + + - - ... - - - - - - - + ... + + + + + + + + + + + + - - This is the rule that transparently redirects web traffic to the transparent proxy running on the firewall. The SOURCE column explicitly excludes the ops zone from the rule. - - + + This is the rule that transparently redirects web traffic to the + transparent proxy running on the firewall. The SOURCE column explicitly excludes the + ops zone from the rule. + + + Routestopped File + INTERFACE + HOST(S)) + - - eth1 - - + eth1 + + + - - eth2 - - - 10.10.10.0/24 - + eth2 + + 10.10.10.0/24 -
+ \ No newline at end of file