some changes (somewhat incomplete, though...)

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2622 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
judas_iscariote 2005-09-02 09:01:13 +00:00
parent 2b2e213fe8
commit cf710d08ea
7 changed files with 350 additions and 733 deletions


@ -614,8 +614,10 @@ NET_OPTIONS=blacklist,norfc1918</programlisting>
<para>If no &lt;<emphasis>number</emphasis>&gt; is given then <para>If no &lt;<emphasis>number</emphasis>&gt; is given then
the value 1 is assumed</para> the value 1 is assumed</para>
<para>WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE <para><warning>
INVOLVED IN PROXY ARP.</para> <para><emphasis role="bold">DO NOT SPECIFY arp_ignore FOR
ANY INTERFACE INVOLVED IN PROXY ARP</emphasis>.</para>
</warning></para>
</listitem> </listitem>
</varlistentry> </varlistentry>
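Review bot: the replacement for the WARNING paragraph nests an admonition inside a paragraph (`<para><warning><para>…</para></warning></para>`) for no reason; put `<warning>` directly under `<listitem>` with a single `<para>` inside it, which is how the other admonitions in this commit (`<caution>`, `<note>`) are written. Dropping the literal "WARNING --" prefix is right, since the element renders its own label.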


@ -15,7 +15,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-07-08</pubdate> <pubdate>2005-09-02</pubdate>
<copyright> <copyright>
<year>2004</year> <year>2004</year>
@ -123,7 +123,7 @@
</listitem> </listitem>
</orderedlist> </orderedlist>
<para>The currently-supported major releases are 2.0 and 2.2.</para> <para>The currently-supported major releases are 2.4.x and 3.x.</para>
</section> </section>
<section> <section>
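Review bot: the replacement sentence "The currently-supported major releases are 2.4.x and 3.x." mixes version granularity; the line it replaces named the releases as "2.0 and 2.2", so "2.4 and 3.0" keeps the same form. Also confirm that 2.4 is still meant to be listed as supported on the new `<pubdate>` (2005-09-02), since the caution added in the other articles of this commit sends pre-3.0 users to older documentation.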


@ -13,12 +13,10 @@
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate>2005-08-03</pubdate> <pubdate>2005-09-02</pubdate>
<copyright> <copyright>
<year>2003</year> <year>2003-</year>
<year>2004</year>
<year>2005</year> <year>2005</year>
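Review bot: the copyright years in this hunk come out wrong: `<year>2003</year>` becomes `<year>2003-</year>` and `<year>2004</year>` is deleted, so the rendered notice reads "2003-, 2005". Either keep the three separate `<year>` elements or use a single `<year>2003-2005</year>`, which is the form the other files in this commit use (`<year>2001-2005</year>`, `<year>2002-2005</year>`).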
@ -36,6 +34,12 @@
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that release</emphasis></para>
</caution>
<section> <section>
<title>Shorewall Does not:</title> <title>Shorewall Does not:</title>
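Review bot: the added `<caution>` is missing the terminal period after "the documentation for that release" inside the `<emphasis>`. The identical caution text is pasted into a second article later in this commit; consider a shared entity or include so the wording cannot drift between the two copies.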
@ -77,18 +81,6 @@
</itemizedlist> </itemizedlist>
</listitem> </listitem>
<listitem>
<para>Set up Routing (except to support <ulink
url="ProxyARP.htm">Proxy ARP</ulink>) — Shorewall 2.4.0 and later CAN
set up routing for multiple internet connections.</para>
</listitem>
<listitem>
<para>Do Traffic Shaping/Bandwidth Management (although it provides
<ulink url="traffic_shaping.htm">hooks to interface to Traffic
Control/Bandwidth Management solutions</ulink>)</para>
</listitem>
<listitem> <listitem>
<para>Configure/manage Network Devices (your Distribution includes <para>Configure/manage Network Devices (your Distribution includes
tools for that).</para> tools for that).</para>
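Review bot: removing the Routing and Traffic Shaping/Bandwidth Management `<listitem>`s from the "Shorewall Does not:" list also removes this section's only links to ProxyARP.htm and traffic_shaping.htm. If 3.0 now handles both itself, the removal is correct but the reader loses the pointer to the traffic control hooks page; if 3.0 still only provides hooks, the second bullet should stay, with its link intact.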


@ -13,7 +13,7 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2005-07-17</pubdate> <pubdate>2005-09-02</pubdate>
<copyright> <copyright>
<year>2001-2005</year> <year>2001-2005</year>
@ -64,37 +64,11 @@
</caution> </caution>
<section> <section>
<title>RFC1918 File</title> <title>Problems in Shorewall.</title>
<para><ulink <para>Beginning with Shorewall version 2.2.0, errata <emphasis
url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink> role="bold">will not be published on this page</emphasis>. Rather, the
is the most up to date version of the <ulink download directory for each version will contain:</para>
url="Documentation.htm#rfc1918">rfc1918 file</ulink>. <emphasis
role="bold">This file only applies to Shorewall versions 1.4.* and 2.0.0
and its bugfix updates</emphasis>. In Shorewall 2.0.1 and later releases,
the <filename>bogons</filename> file lists IP ranges that are reserved by
the IANA and the <filename>rfc1918</filename> file only lists those three
ranges that are reserved by <ulink
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
</section>
<section>
<title>Bogons File</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.10/bogons">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#Bogons">bogons file</ulink>. <emphasis
role="bold">This file only applies to Shorewall versions 2.0.1 and
later.</emphasis></para>
</section>
<section>
<title>Problems in Version 2.2 and Later</title>
<para>Beginning with Shorewall version 2.2.0, errata will not be published
on this page. Rather, the download directory for each version will
contain:</para>
<orderedlist> <orderedlist>
<listitem> <listitem>
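Review bot: the new `<title>Problems in Shorewall.</title>` ends with a period, unlike every other section title in this file ("Upgrade Issues", "RFC1918 File"); drop it. Deleting the "RFC1918 File" and "Bogons File" sections also deletes the only stated location of the current `bogons` file; if the `nobogons` interface option survives in 3.0, the replacement paragraph ("the download directory for each version will contain:") should name that file as well, otherwise administrators have no way to refresh the reserved-range list.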
@ -111,423 +85,10 @@
</orderedlist> </orderedlist>
</section> </section>
<section>
<title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.17</title>
<itemizedlist>
<listitem>
<para>Users specifying TCP_FLAGS_LOG_LEVEL=ULOG will find that
"shorewall [re]start" fails with the following error:</para>
<programlisting>iptables v1.3.2: Unknown arg `--log-ip-options'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/usr/sbin/iptables -A logflags -j ULOG --log-ip-options --ulog-prefix "Shorewall:logflags:DROP:"" Failed</programlisting>
<para>Install the '<ulink
url="http://www1.shorewall.net/pub/shorewall/errata/2.0.17/firewall">firewall'
script in the errata directory </ulink>into
/usr/share/shorewall/firewall replacing the file by that
name.</para>
</listitem>
<listitem>
<para>Setting MACLIST_DISPOSITION=ACCEPT opens a serious security
vulnerability. Install the '<ulink
url="http://www1.shorewall.net/pub/shorewall/errata/2.0.17/firewall">firewall'
script in the errata directory</ulink>into
/usr/share/shorewall/firewall replacing the file by that
name.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.15-2.0.16</title>
<itemizedlist>
<listitem>
<para>If the "rejNotSyn" action is invoked, an error occurs at
startup.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.16/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.12</title>
<itemizedlist>
<listitem>
<para>The "shorewall add" command produces the error message:</para>
<programlisting>/usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found</programlisting>
<para>You can correct the problem yourself by editing
/usr/share/shorewall/firewall and on line 5805, replace <emphasis
role="bold">match_destination_hosts</emphasis> with <emphasis
role="bold">match_dest_hosts</emphasis>.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.12/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.10</title>
<para>The initial packages uploaded to the FTP and HTTP servers were
incorrect. Here are the MD5 sums of the incorrect packages.</para>
<programlisting>14e8f2bfa08cc5ca2715c8b1179d5eb2 &nbsp;shorewall-2.0.10-1.noarch.rpm
54bcbb2216ad3db9870507cd9716fd99 &nbsp;shorewall-2.0.10.tgz
c2fe0acc7f056acb56d089cf8dafa39a &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>These incorrect packages have been replaced with correct ones
having the following MD5 sums:</para>
<programlisting>d5af452d38538b4b994c3c4abab8e012 &nbsp;shorewall-2.0.10-1.noarch.rpm
985ce9215ea9cc0299f0b5450fdbe05e &nbsp;shorewall-2.0.10.tgz
0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>If you have installed an incorrect package, please replace
<filename>/sbin/shorewall</filename> with <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.10/shorewall">this
file</ulink>.</para>
</section>
<section>
<title>Shorewall 2.0.3 through 2.0.8</title>
<itemizedlist>
<listitem>
<para>An empty PROTO column in /etc/shorewall/tcrules produced
iptables errors during <command>shorewall start</command>. A value
of <command>all</command> in that column produced a similar
error.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.8/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.3a through 2.0.7</title>
<itemizedlist>
<listitem>
<para>Entries in the USER/GROUP column of an action file (made from
action.template) may be ignored or cause odd errors.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.3a through 2.0.4</title>
<itemizedlist>
<listitem>
<para>Error messages regarding $RESTOREBASE occur during <emphasis
role="bold">shorewall stop</emphasis> if DISABLE_IPV6=Yes in
shorewall.conf.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above. Also fixed in
Shorewall Version 2.0.5.</para>
</section>
<section>
<title>Shorewall 2.0.2 and all Shorewall 2.0.3 Releases.</title>
<itemizedlist>
<listitem>
<para>DNAT rules with <emphasis role="bold">fw</emphasis> as the
source zone and that specify logging cause <command>shorewall
start</command> to fail with an iptables error. The problem is
corrected for Shorewall 2.0.3 users in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.3a and 2.0.3b</title>
<itemizedlist>
<listitem>
<para>Error messages regarding $RESTOREBASE occur during <emphasis
role="bold">shorewall stop</emphasis>.</para>
</listitem>
<listitem>
<para>If CLEAR_TC=Yes in <filename>shorewall.conf</filename>,
<emphasis role="bold">shorewall stop</emphasis> fails without
removing the lock file.</para>
</listitem>
</itemizedlist>
<para>The above problems are corrected in Shorewall version
2.0.3c.</para>
</section>
<section>
<title>Shorewall 2.0.3a</title>
<itemizedlist>
<listitem>
<para>Slackware users find that version 2.0.3a fails to start
because their <command>mktemp</command> utility does not support the
-d option. This may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/functions">this
corrected <filename>functions</filename> file</ulink> in <filename
class="directory">/var/lib/shorewall/functions</filename>.</para>
</listitem>
<listitem>
<para>Shorewall fails to start if there is no
<command>mktemp</command> utility.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in Shorewall version 2.0.3b.</para>
</section>
<section>
<title>Shorewall 2.0.3</title>
<itemizedlist>
<listitem>
<para>A non-empty entry in the DEST column of /etc/shorewall/tcrules
will result in an error message and Shorewall fails to start. This
problem is fixed in Shorewall version 2.0.3a.</para>
</listitem>
<listitem>
<para>A potentially exploitable vulnerability in the way that
Shorewall handles temporary files and directories has been found by
Javier Fernández-Sanguino Peña. This vulnerability is corrected in
Shorewall 2.0.3a. All Shorewall 2.0.x users are urged to upgrade to
2.0.3a.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.2</title>
<itemizedlist>
<listitem>
<para>Temporary restore files with names of the form
<filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
/var/lib/shorewall.</para>
</listitem>
<listitem>
<para>"shorewall restore" and "shorewall -f start" do not load
kernel modules.</para>
<para><emphasis role="bold">The above two problems are corrected in
Shorewall 2.0.2a</emphasis></para>
</listitem>
<listitem>
<para>Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.</para>
</listitem>
<listitem>
<para>If <filename>/var/lib/shorewall</filename> does not exist,
<command>shorewall start</command> fails.</para>
<para><emphasis role="bold">The above four problems are corrected in
Shorewall 2.0.2b</emphasis></para>
</listitem>
<listitem>
<para>DNAT rules work incorrectly with dynamic zones in that the
source interface is not included in the nat table DNAT rule.</para>
<para><emphasis role="bold">The above five problems are corrected in
Shorewall 2.0.2c</emphasis></para>
</listitem>
<listitem>
<para>During start and restart, Shorewall is detecting capabilities
before loading kernel modules. Consequently, if kernel module
autoloading is disabled, capabilities can be mis-detected during
boot.</para>
</listitem>
<listitem>
<para>The <emphasis>newnotsyn</emphasis> option in
<filename>/etc/shorewall/hosts</filename> has no effect.</para>
<para><emphasis role="bold">The above seven problems are corrected
in Shorewall 2.0.2d</emphasis></para>
</listitem>
<listitem>
<para>Use of the LOG target in an action results in two LOG or ULOG
rules.</para>
<para><emphasis role="bold">The above eight problems are corrected
in Shorewall 2.0.2e</emphasis></para>
</listitem>
<listitem>
<para>Kernel modules fail to load when MODULE_SUFFIX isn't set in
shorewall.conf</para>
<para><emphasis role="bold">All of the above problems are corrected
in Shorewall 2.0.2f</emphasis></para>
</listitem>
</itemizedlist>
<para>These problems are all corrected by the
<filename>firewall</filename> and <filename>functions</filename> files
in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.2">this
directory</ulink>. Both files must be installed in
<filename>/usr/share/shorewall/</filename> as described above.</para>
</section>
<section>
<title>Shorewall 2.0.1</title>
<itemizedlist>
<listitem>
<para>Confusing message mentioning IPV6 occur at startup.</para>
</listitem>
<listitem>
<para>Modules listed in /etc/shorewall/modules don't load or produce
errors on Mandrake 10.0 Final.</para>
</listitem>
<listitem>
<para>The <command>shorewall delete</command> command does not
remove all dynamic rules pertaining to the host(s) being
deleted.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
firewall script</ulink> which may be installed in
<filename>/usr/share/shorewall/firewall</filename> as described
above.</para>
<itemizedlist>
<listitem>
<para>When run on a SuSE system, the install.sh script fails to
configure Shorewall to start at boot time. That problem is corrected
in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
version of the script</ulink>.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.1/2.0.0</title>
<itemizedlist>
<listitem>
<para>On Debian systems, an install using the tarball results in an
inability to start Shorewall at system boot. If you already have
this problem, install <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
file</ulink> as /etc/init.d/shorewall (replacing the existing file
with that name). If you are just installing or upgrading to
Shorewall 2.0.0 or 2.0.1, then replace the
<filename>init.debian.sh</filename> file in the Shorewall
distribution directory (shorewall-2.0.x) with the updated file
before running <command>install.sh</command> from that
directory.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.0</title>
<itemizedlist>
<listitem>
<para>When using an Action in the ACTIONS column of a rule, you may
receive a warning message about the rule being a policy. While this
warning may be safely ignored, it can be eliminated by installing
the script from the link below.</para>
</listitem>
<listitem>
<para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
and IPSEC has been corrected.</para>
</listitem>
</itemizedlist>
<para>The first problem has been corrected in Shorewall update
2.0.0a.</para>
<para>All of these problems may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
firewall script</ulink> in /usr/share/shorewall as described
above.</para>
</section>
</section>
<section> <section>
<title>Upgrade Issues</title> <title>Upgrade Issues</title>
<para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a <para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
separate page</ulink>.</para> separate page</ulink>.</para>
</section> </section>
<section>
<title>Problem with iptables 1.2.9</title>
<para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
Final) or later then you need to patch your iptables 1.2.9 with <ulink
url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
patch</ulink> or you need to use the <ulink
url="http://www.netfilter.org/downloads.html#cvs">CVS version of
iptables</ulink>.</para>
</section>
<section>
<title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
2.4.21-RC1)</title>
<para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
is that REJECT rules act just like DROP rules when dealing with TCP. A
kernel patch and precompiled modules to fix this problem are available at
<ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
<note>
<para>RedHat have corrected this problem in their 2.4.20-27.x
kernels.</para>
</note>
</section>
</article> </article>
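Review bot: this hunk deletes the whole "Problems in Version 2.0" section together with the "Problem with iptables 1.2.9" and "Problems with RH Kernels" sections, and with them two security items (the 2.0.17 `MACLIST_DISPOSITION=ACCEPT` entry, which the text calls a serious vulnerability, and the 2.0.3 temporary-file vulnerability reported by Javier Fernández-Sanguino Peña) plus the MD5 sums that distinguish the bad 2.0.10 packages from the corrected ones. The caution added in this commit tells pre-3.0 users to "see the documentation for that release", so the surviving "Problems in Shorewall" section should link to wherever this errata text now lives (an archived page or the per-version download directory); as written, a 2.0.x administrator landing here finds no record of those fixes.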


@ -13,12 +13,10 @@
</author> </author>
</authorgroup> </authorgroup>
<pubdate>2004-10-01</pubdate> <pubdate>2005-09-02</pubdate>
<copyright> <copyright>
<year>2001-2002</year> <year>2001-2005</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
@ -41,21 +39,26 @@
</abstract> </abstract>
</articleinfo> </articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that release</emphasis></para>
</caution>
<section> <section>
<title>Important Notes</title> <title>Important Notes</title>
<note> <note>
<para>Beginning with Shorewall 2.0.0, the Shorewall distribution <para> Shorewall distribution contains a library of user-defined macros
contains a library of user-defined actions that allow for easily that allow for easily allowing or blocking a particular application.
allowing or blocking a particular application. Check your Check your <filename>/usr/share/shorewall/actions.std</filename> file
<filename>/usr/share/shorewall/actions.std</filename> file for a list of for a list of macros in your distribution. If you find what you need,
the actions in your distribution. If you find what you need, you simply you simply use the action in a rule. For example, to allow DNS queries
use the action in a rule. For example, to allow DNS queries from the from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis
<emphasis role="bold">dmz</emphasis> zone to the <emphasis
role="bold">net</emphasis> zone:</para> role="bold">net</emphasis> zone:</para>
<programlisting>#ACTION SOURCE DESTINATION <programlisting>#ACTION SOURCE DESTINATION
AllowDNS dmz net</programlisting> DNS/ACCEPT dmz net</programlisting>
</note> </note>
<note> <note>
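Review bot: the rewritten `<note>` starts with a leading space and no article ("<para> Shorewall distribution contains…"); it should read "The Shorewall distribution contains…". It also switches terminology mid-paragraph: the library is now "user-defined macros" and the file is said to list "macros", but the next sentence still says "you simply use the action in a rule" and the file named is still `actions.std`. If the `DNS/ACCEPT` form shown in the `<programlisting>` is a macro, say "use the macro in a rule" and point at the location of the macro definitions rather than at `actions.std`; if `actions.std` really does list them, state that explicitly. The added `<caution>` again lacks a terminal period.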
@ -68,28 +71,32 @@ AllowDNS dmz net</programlisting>
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para> at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 21</programlisting> FTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>You would code your rule as follows:</para> <para>You would code your rule as follows:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNAT net dmz:192.168.1.4 tcp 21</programlisting> FTP/DNAT net dmz:192.168.1.4 </programlisting>
</note> </note>
</section> </section>
<section> <section>
<title>Auth (identd)</title> <title>Auth (identd)</title>
<caution>
<para><emphasis role="bold"><emphasis>Now,It's 21 Century</emphasis> ,
don't use identd in production anymore.</emphasis></para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 113</programlisting> Auth/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section> </section>
<section> <section>
<title>DNS</title> <title>DNS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 53 DNS/ACCEPT <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 53</programlisting>
<para>Note that if you are setting up a DNS server that supports recursive <para>Note that if you are setting up a DNS server that supports recursive
resolution, the server is the &lt;<emphasis>destination</emphasis>&gt; for resolution, the server is the &lt;<emphasis>destination</emphasis>&gt; for
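Review bot: two markup problems in this hunk. In the Auth section the added caution nests an `<emphasis>` inside a bold `<emphasis>` and reads "Now,It's 21 Century ," with spacing and grammar errors; a single plain sentence such as "identd is obsolete; do not expose it from a production firewall." is clearer. In the DNS `<programlisting>` the new line has a stray space inside the first `<emphasis>` (`<emphasis> &lt;source&gt;</emphasis>`) and trailing whitespace before `</programlisting>`, both of which appear in the rendered example; the `FTP/DNAT net dmz:192.168.1.4` line carries the same trailing spaces.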
@ -100,10 +107,8 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
local clients then you would need:</para> local clients then you would need:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT all dmz udp 53 DNS/ACCEPT all dmz
ACCEPT all dmz tcp 53 DNS/ACCEPT dmz net </programlisting>
ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53</programlisting>
<note> <note>
<para>Recursive Resolution means that if the server itself can't resolve <para>Recursive Resolution means that if the server itself can't resolve
@ -153,7 +158,7 @@ DNAT net loc:192.168.1.4 tcp 4711</programlisting>
<title>FTP</title> <title>FTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 21</programlisting> FTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>Look <ulink url="FTP.html">here</ulink> for much more <para>Look <ulink url="FTP.html">here</ulink> for much more
information.</para> information.</para>
@ -163,15 +168,20 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<title>ICQ/AIM</title> <title>ICQ/AIM</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> net tcp 5190</programlisting> ICQ/ACCEPT <emphasis>&lt;source&gt;</emphasis> net</programlisting>
</section> </section>
<section> <section>
<title>IMAP</title> <title>IMAP</title>
<caution>
<para>When accessing you mail from the internet,use <emphasis
role="bold">only</emphasis> <emphasis role="bold">IMAP over
SSL</emphasis></para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 143 #Unsecure IMAP IMAP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Secure &amp; Unsecure IMAP</programlisting>
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 993 #Secure IMAP</programlisting>
</section> </section>
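Review bot: the IMAP section now contradicts itself: the added `<caution>` says to use "only IMAP over SSL" when reading mail from the internet, but the single `IMAP/ACCEPT` line that replaces the two original rules is commented "#Secure & Unsecure IMAP", i.e. it opens plain tcp 143 as well as 993. Keep the original tcp 993 rule (or an IMAPS macro, if the 3.0 macro library ships one) as the internet-facing example and show the combined macro only for internal clients. Also fix "accessing you mail" to "your mail" and add the missing space after the comma.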
<section> <section>
@ -215,6 +225,11 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<section> <section>
<title>Pop3</title> <title>Pop3</title>
<caution>
<para>If Possible , <emphasis role="bold">Avoid this protocol</emphasis>
, use <emphasis role="bold">IMAP</emphasis> instead.</para>
</caution>
<para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para> <para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
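Review bot: the added Pop3 `<caution>` has stray spaces before the commas and odd capitalization ("If Possible , Avoid this protocol , use IMAP instead."); suggest "If possible, avoid this protocol and use IMAP instead." The sentence that follows still advertises plain TCP port 110 alongside 995, so the same SSL-only caveat given in the IMAP section belongs here too.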
@ -248,10 +263,10 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
</section> </section>
<section> <section>
<title>SSH</title> <title>SSH/SFTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 22</programlisting> SSH/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
</section> </section>
<section> <section>
@ -401,6 +416,16 @@ ACCEPT &lt;<emphasis>apps</emphasis>&gt; &lt;<emphasis>chooser</emphasis>
<title>Revision History</title> <title>Revision History</title>
<para><revhistory> <para><revhistory>
<revision>
<revnumber>1.16</revnumber>
<date>2005-09-02</date>
<authorinitials>CR</authorinitials>
<revremark>Updated for Shorewall v3.0</revremark>
</revision>
<revision> <revision>
<revnumber>1.15</revnumber> <revnumber>1.15</revnumber>


@ -291,13 +291,6 @@ all all REJECT info</programlisting>
if you have a static IP address, you can remove <quote>dhcp</quote> from if you have a static IP address, you can remove <quote>dhcp</quote> from
the option list.</para> the option list.</para>
</tip> </tip>
<tip>
<para>If you specify <emphasis>nobogons</emphasis> for your external
interface, you will want to check the <ulink url="errata.htm">Shorewall
Errata</ulink> periodically for updates to the
<filename>/usr/share/shorewall/bogons file</filename>.</para>
</tip>
</section> </section>
<section> <section>
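Review bot: dropping the `nobogons` tip removes the reminder that `/usr/share/shorewall/bogons` must be refreshed periodically, and the errata page it linked to loses its "Bogons File" section in the same commit. If the `nobogons` interface option still exists in 3.0, keep a tip that says where the current list comes from; if the option is gone, check the surrounding interface-option text for any remaining mention of it. The removed tip also had a misplaced `</filename>` ("bogons file</filename>"), which should not be carried over if the tip is restored.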
@ -345,12 +338,12 @@ all all REJECT info</programlisting>
&lt;<emphasis>action</emphasis>&gt; net fw</programlisting> &lt;<emphasis>action</emphasis>&gt; net fw</programlisting>
<example> <example>
<title>You want to run a Web Server and a POP3 Server on your firewall <title>You want to run a Web Server and a IMAP Server on your firewall
system:</title> system:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
AllowWeb net fw Web/ACCEPT net fw
AllowPOP3 net fw</programlisting> IMAP/ACCEPT net fw</programlisting>
</example> </example>
<para>You may also choose to code your rules directly without using the <para>You may also choose to code your rules directly without using the
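Review bot: the new example title reads "a Web Server and a IMAP Server"; it should be "an IMAP Server". The same title is repeated in the next hunk of this file and needs the same fix.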
@ -363,12 +356,12 @@ AllowPOP3 net fw</programlisting>
ACCEPT net fw <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting> ACCEPT net fw <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example> <example>
<title>You want to run a Web Server and a POP3 Server on your firewall <title>You want to run a Web Server and a IMAP Server on your firewall
system:</title> system:</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net fw tcp 80 ACCEPT net fw tcp 80
ACCEPT net fw tcp 110</programlisting></para> ACCEPT net fw tcp 143</programlisting></para>
</example> </example>
<para>If you don't know what port and protocol a particular application <para>If you don't know what port and protocol a particular application
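Review bot: "a IMAP Server" should be "an IMAP Server" here as well. The direct-rule form now opens tcp 143 (plain IMAP) from net to fw, while the IMAP section of the other article in this commit cautions to use only IMAP over SSL from the internet; tcp 993 would be the consistent choice for an internet-facing example.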
@ -380,7 +373,7 @@ ACCEPT net fw tcp 110</programlisting></para>
firewall from the internet, use SSH:</para> firewall from the internet, use SSH:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S) <programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
AllowSSH net fw </programlisting> SSH/ACCEPT net fw </programlisting>
</important> </important>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para> <para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -409,9 +402,9 @@ AllowSSH net fw </programlisting>
</important> </important>
<important> <important>
<para><emphasis role="bold">If you are running Shorewall 2.1.3 or later, <para><emphasis role="bold">You must enable startup by editing
you must enable startup by editing /etc/shorewall/shorewall.conf and /etc/shorewall/shorewall.conf and setting
setting STARTUP_ENABLED=Yes.</emphasis></para> STARTUP_ENABLED=Yes.</emphasis></para>
</important> </important>
<para>The firewall is started using the <quote><command>shorewall <para>The firewall is started using the <quote><command>shorewall
@ -453,6 +446,16 @@ AllowSSH net fw </programlisting>
<title>Revision History</title> <title>Revision History</title>
<para><revhistory> <para><revhistory>
<revision>
<revnumber>1.9</revnumber>
<date>2005-09-02</date>
<authorinitials>CR</authorinitials>
<revremark>Update for Shorewall 3.0</revremark>
</revision>
<revision> <revision>
<revnumber>1.8</revnumber> <revnumber>1.8</revnumber>


@ -1,384 +1,418 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"> <!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- $Id$ --> <!-- $Id$ -->
<article id="whitelisting_under_shorewall"> <article id="whitelisting_under_shorewall">
<articleinfo> <articleinfo>
<title>Whitelisting Under Shorewall</title> <title>Whitelisting Under Shorewall</title>
<author> <author>
<firstname>Tom</firstname> <firstname>Tom</firstname>
<surname>Eastep</surname> <surname>Eastep</surname>
</author> </author>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<pubdate>2005-09-02</pubdate>
<copyright> <copyright>
<year>2002</year> <year>2002-2005</year>
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder> <holder>Thomas M. Eastep</holder>
</copyright> </copyright>
<legalnotice> <legalnotice>
<para> <para>Permission is granted to copy, distribute and/or modify this
Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with 1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <quote><ulink url="copyright.htm" type="">GNU Free Documentation License</ulink></quote>. Texts. A copy of the license is included in the section entitled
</para> <quote><ulink type="" url="copyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice> </legalnotice>
</articleinfo> </articleinfo>
<para>
For a brief time, the 1.2 version of Shorewall supported an <literal>/etc/shorewall/whitelist</literal> file. This file was intended to contain a <para>White lists are most often used to give special privileges to a set of
list of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was implemented as a stop-gap measure until the hosts within an organization. Let us suppose that we have the following
facilities necessary for implementing white lists using zones was in place. As of Version <literal>1.3 RC1</literal>, those facilities were available. environment:</para>
</para>
<para>
White lists are most often used to give special privileges to a set of hosts within an organization. Let us suppose that we have the following environment:
</para>
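Review bot: removing the paragraph about the 1.2 `/etc/shorewall/whitelist` file and the 1.3 RC1 zone facilities leaves the article with no statement at all of which Shorewall releases its file formats apply to, and that paragraph was the only version reference in the text. Add a short applicability statement near the top (a DocBook `<caution>` is the natural element) naming the release this revision targets, so that readers on an older release know the tables below may not match their file layouts.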
<itemizedlist mark="bullet" spacing="compact"> <itemizedlist mark="bullet" spacing="compact">
<listitem> <listitem>
<para> <para>A firewall with three interfaces -- one to the Internet, one to a
A firewall with three interfaces -- one to the Internet, one to a local network and one to a <acronym>DMZ</acronym>. local network and one to a <acronym>DMZ</acronym>.</para>
</para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>The local network uses <acronym>SNAT</acronym> to the internet and
The local network uses <acronym>SNAT</acronym> to the internet and is comprised of the Class B network <literal>10.10.0.0/16</literal> (Note: While this example uses an RFC 1918 local network, the technique described here in no way depends on that or on <acronym>SNAT</acronym>. It may be used with Proxy <acronym>ARP</acronym>, Subnet Routing, Static NAT, etc.). is comprised of the Class B network <literal>10.10.0.0/16</literal>
</para> (Note: While this example uses an RFC 1918 local network, the technique
described here in no way depends on that or on <acronym>SNAT</acronym>.
It may be used with Proxy <acronym>ARP</acronym>, Subnet Routing, Static
NAT, etc.).</para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>The network operations staff have workstations with IP addresses
The network operations staff have workstations with IP addresses in the Class C network <literal>10.10.10.0/24</literal>. in the Class C network <literal>10.10.10.0/24</literal>.</para>
</para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>We want the network operations staff to have full access to all
We want the network operations staff to have full access to all other hosts. other hosts.</para>
</para>
</listitem> </listitem>
<listitem> <listitem>
<para> <para>We want the network operations staff to bypass the transparent
We want the network operations staff to bypass the transparent <acronym>HTTP</acronym> proxy running on our firewall. <acronym>HTTP</acronym> proxy running on our firewall.</para>
</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<para>
The basic approach will be that we will place the operations staff's class C in its own zone called ops. Here are the appropriate configuration files: <para>The basic approach will be that we will place the operations staff's
</para> class C in its own zone called ops. Here are the appropriate configuration
files:</para>
<!-- Zone File --> <!-- Zone File -->
<bridgehead renderas="sect4">Zone File</bridgehead> <bridgehead renderas="sect4">Zone File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup cols="3" align="left"> <tgroup align="left" cols="3">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">ZONE</entry> <entry align="left">ZONE</entry>
<entry align="left">DISPLAY</entry> <entry align="left">DISPLAY</entry>
<entry align="left">COMMENTS</entry> <entry align="left">COMMENTS</entry>
</row> </row>
</thead> </thead>
<tbody valign="middle"> <tbody valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>net</literal></entry>
<literal>net</literal>
</entry>
<entry align="left">Net</entry> <entry align="left">Net</entry>
<entry align="left">Internet</entry> <entry align="left">Internet</entry>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>ops</literal></entry>
<literal>ops</literal>
</entry>
<entry align="left">Operations</entry> <entry align="left">Operations</entry>
<entry align="left">Operations Staff's Class C</entry> <entry align="left">Operations Staff's Class C</entry>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>loc</literal></entry>
<literal>loc</literal>
</entry>
<entry align="left">Local</entry> <entry align="left">Local</entry>
<entry align="left">Local Class B</entry> <entry align="left">Local Class B</entry>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>dmz</literal></entry>
<literal>dmz</literal>
</entry>
<entry align="left">DMZ</entry> <entry align="left">DMZ</entry>
<entry align="left">Demilitarized zone</entry> <entry align="left">Demilitarized zone</entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
The <literal>ops</literal> zone has been added to the standard 3-zone zones <para>The <literal>ops</literal> zone has been added to the standard 3-zone
file -- since <literal>ops</literal> is a sub-zone of <literal>loc</literal>, we list it <emphasis>BEFORE</emphasis> zones file -- since <literal>ops</literal> is a sub-zone of
<literal>loc</literal>. <literal>loc</literal>, we list it <emphasis>BEFORE</emphasis>
</para> <literal>loc</literal>.</para>
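Review bot: the zones table is carried over unchanged with ZONE, DISPLAY and COMMENTS headings; if this revision is meant for Shorewall 3.0 (the hardcoded 2005-09-02 pubdate and the dropped 1.x history suggest a target-version bump), verify these headings against the 3.0 zones file, which introduced a TYPE column in place of DISPLAY and COMMENTS. The ordering sentence is correct and worth keeping: `ops` must be listed before `loc` because its hosts-file definition (`eth2:10.10.10.0/24`) is a subset of the `loc` definition (`eth2:0.0.0.0/0`) and Shorewall matches zone definitions in zones-file order.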
<!-- Interfaces File --> <!-- Interfaces File -->
<bridgehead renderas="sect4">Interfaces File</bridgehead> <bridgehead renderas="sect4">Interfaces File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup cols="4" align="left"> <tgroup align="left" cols="4">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">ZONE</entry> <entry align="left">ZONE</entry>
<entry align="left">INTERFACE</entry> <entry align="left">INTERFACE</entry>
<entry align="left">BROADCAST</entry> <entry align="left">BROADCAST</entry>
<entry align="left">OPTIONS</entry> <entry align="left">OPTIONS</entry>
</row> </row>
</thead> </thead>
<tbody valign="middle"> <tbody valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>net</literal></entry>
<literal>net</literal>
</entry> <entry align="left"><literal>eth0</literal></entry>
<entry align="left">
<literal>eth0</literal>
</entry>
<entry align="left">&lt;whatever&gt;</entry> <entry align="left">&lt;whatever&gt;</entry>
<entry align="left">&lt;options&gt;</entry> <entry align="left">&lt;options&gt;</entry>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>dmz</literal></entry>
<literal>dmz</literal>
</entry> <entry align="left"><literal>eth1</literal></entry>
<entry align="left">
<literal>eth1</literal>
</entry>
<entry align="left">&lt;whatever&gt;</entry> <entry align="left">&lt;whatever&gt;</entry>
<entry align="left"/>
<entry align="left"></entry>
</row> </row>
<row> <row>
<entry align="left"> <entry align="left"><literal>-</literal></entry>
<literal>-</literal>
</entry> <entry align="left"><literal>eth2</literal></entry>
<entry align="left">
<literal>eth2</literal> <entry align="left"><literal>10.10.255.255</literal></entry>
</entry>
<entry align="left"> <entry align="left"></entry>
<literal>10.10.255.255</literal>
</entry>
<entry align="left"/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
Because <literal>eth2</literal> interfaces to two zones (<literal>ops</literal> and <literal>loc</literal>), we don't specify a zone for it here. <para>Because <literal>eth2</literal> interfaces to two zones
</para> (<literal>ops</literal> and <literal>loc</literal>), we don't specify a zone
for it here.</para>
<!-- Hosts File --> <!-- Hosts File -->
<bridgehead renderas="sect4">Hosts File</bridgehead> <bridgehead renderas="sect4">Hosts File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup cols="3" align="left"> <tgroup align="left" cols="3">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">ZONE</entry> <entry align="left">ZONE</entry>
<entry align="left">HOST(S)</entry> <entry align="left">HOST(S)</entry>
<entry align="left">OPTIONS</entry> <entry align="left">OPTIONS</entry>
</row> </row>
</thead> </thead>
<tbody valign="middle"> <tbody valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>ops</literal></entry>
<literal>ops</literal>
</entry> <entry align="left"><literal>eth2:10.10.10.0/24</literal></entry>
<entry align="left">
<literal>eth2:10.10.10.0/24</literal> <entry align="left"></entry>
</entry>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>loc</literal></entry>
<literal>loc</literal>
</entry> <entry align="left"><literal>eth2:0.0.0.0/0</literal></entry>
<entry align="left">
<literal>eth2:0.0.0.0/0</literal> <entry align="left"></entry>
</entry>
<entry align="left"/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
Here we define the <literal>ops</literal> and <literal>loc</literal> zones. When Shorewall is stopped, only the hosts in the <literal>ops</literal> zone will be allowed to access the firewall and the <acronym>DMZ</acronym>. I use <literal>0.0.0.0/0</literal> to define the <literal>loc</literal> zone rather than <literal>10.10.0.0/16</literal> so that the limited broadcast address (<literal>255.255.255.255</literal>) falls into that zone. If I used <literal>10.10.0.0/16</literal> then I would have to have a separate entry for that special address. <para>Here we define the <literal>ops</literal> and <literal>loc</literal>
</para> zones. When Shorewall is stopped, only the hosts in the
<literal>ops</literal> zone will be allowed to access the firewall and the
<acronym>DMZ</acronym>. I use <literal>0.0.0.0/0</literal> to define the
<literal>loc</literal> zone rather than <literal>10.10.0.0/16</literal> so
that the limited broadcast address (<literal>255.255.255.255</literal>)
falls into that zone. If I used <literal>10.10.0.0/16</literal> then I would
have to have a separate entry for that special address.</para>
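Review bot: the `ops` privilege is keyed purely on source address on a segment that `loc` also occupies (both zones sit on `eth2`), so any `loc` host that assigns itself a `10.10.10.x` address inherits the `ops` ACCEPT policy; the article should state this limitation and point readers who need the whitelist to hold against hosts on the same LAN at the `maclist` interface option (and to switch-port controls outside Shorewall). Separately, the sentence "When Shorewall is stopped, only the hosts in the ops zone will be allowed to access the firewall and the DMZ" describes the Routestopped file shown at the end of the article, not the Hosts file; either move it there or cross-reference it.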
<!-- Policy File --> <!-- Policy File -->
<bridgehead renderas="sect4">Policy File</bridgehead> <bridgehead renderas="sect4">Policy File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="5"> <tgroup align="left" cols="5">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">SOURCE</entry> <entry align="left">SOURCE</entry>
<entry align="left">DEST</entry> <entry align="left">DEST</entry>
<entry align="left">POLICY</entry> <entry align="left">POLICY</entry>
<entry align="left">LOG LEVEL</entry> <entry align="left">LOG LEVEL</entry>
<entry align="left">LIMIT BURST</entry> <entry align="left">LIMIT BURST</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><!-- To color the cell grey, uncomment the following 2 lines
<!-- To color the cell grey, uncomment the following 2 lines
<?dbhtml bgcolor="#EEEEEE" ?> <?dbhtml bgcolor="#EEEEEE" ?>
<?dbfo bgcolor="#EEEEEE" ?> <?dbfo bgcolor="#EEEEEE" ?>
--> --> <emphasis role="bold"> <literal>ops</literal> </emphasis></entry>
<emphasis role="bold">
<literal>ops</literal> <entry align="left"><emphasis role="bold"> <literal>all</literal>
</emphasis> </emphasis></entry>
</entry>
<entry align="left"> <entry align="left"><emphasis role="bold"> <literal>ACCEPT</literal>
<emphasis role="bold"> </emphasis></entry>
<literal>all</literal>
</emphasis> <entry align="left"></entry>
</entry>
<entry align="left"> <entry align="left"></entry>
<emphasis role="bold">
<literal>ACCEPT</literal>
</emphasis>
</entry>
<entry align="left"/>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><emphasis role="bold"> <literal>all</literal>
<emphasis role="bold"> </emphasis></entry>
<literal>all</literal>
</emphasis> <entry align="left"><emphasis role="bold"> <literal>ops</literal>
</entry> </emphasis></entry>
<entry align="left">
<emphasis role="bold"> <entry align="left"><emphasis role="bold">
<literal>ops</literal> <literal>CONTINUE</literal> </emphasis></entry>
</emphasis>
</entry> <entry align="left"></entry>
<entry align="left">
<emphasis role="bold"> <entry align="left"></entry>
<literal>CONTINUE</literal>
</emphasis>
</entry>
<entry align="left"/>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>loc</literal></entry>
<literal>loc</literal>
</entry> <entry align="left"><literal>net</literal></entry>
<entry align="left">
<literal>net</literal> <entry align="left"><literal>ACCEPT</literal></entry>
</entry>
<entry align="left"> <entry align="left"></entry>
<literal>ACCEPT</literal>
</entry> <entry align="left"></entry>
<entry align="left"/>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>net</literal></entry>
<literal>net</literal>
</entry> <entry align="left"><literal>all</literal></entry>
<entry align="left">
<literal>all</literal> <entry align="left"><literal>DROP</literal></entry>
</entry>
<entry align="left"> <entry align="left"><literal>info</literal></entry>
<literal>DROP</literal>
</entry> <entry align="left"></entry>
<entry align="left">
<literal>info</literal>
</entry>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>all</literal></entry>
<literal>all</literal>
</entry> <entry align="left"><literal>all</literal></entry>
<entry align="left">
<literal>all</literal> <entry align="left"><literal>REJECT</literal></entry>
</entry>
<entry align="left"> <entry align="left"><literal>info</literal></entry>
<literal>REJECT</literal>
</entry> <entry align="left"></entry>
<entry align="left">
<literal>info</literal>
</entry>
<entry align="left"/>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
Two entries for <literal>ops</literal> (in bold) have been added to the standard 3-zone policy file. <para>Two entries for <literal>ops</literal> (in bold) have been added to
</para> the standard 3-zone policy file.</para>
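Review bot: the text says two `ops` entries were added "in bold", and the `<emphasis role="bold">` wrapping is consistent with that, but the `all ops CONTINUE` row deserves one sentence of explanation: CONTINUE makes traffic addressed to `ops` hosts fall through to the `loc` policies (`net` to `loc` DROP, `all` to `all` REJECT), which is what keeps the sub-zone from being more reachable than the rest of the LAN. Also worth saying that `ops all ACCEPT` covers the firewall zone itself, not only "all other hosts" as the bullet list puts it. The commented-out `<?dbhtml bgcolor ...?>` and `<?dbfo bgcolor ...?>` instructions in the first cell are dead markup; drop them or enable them.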
<!-- Rules File --> <!-- Rules File -->
<bridgehead renderas="sect4">Rules File</bridgehead> <bridgehead renderas="sect4">Rules File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="7"> <tgroup align="left" cols="7">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">ACTION</entry> <entry align="left">ACTION</entry>
<entry align="left">SOURCE</entry> <entry align="left">SOURCE</entry>
<entry align="left">DEST</entry> <entry align="left">DEST</entry>
<entry align="left">PROTO</entry> <entry align="left">PROTO</entry>
<entry align="left">DEST PORT(S)</entry> <entry align="left">DEST PORT(S)</entry>
<entry align="left">SOURCE PORT(S)</entry> <entry align="left">SOURCE PORT(S)</entry>
<entry align="left">ORIGINAL DEST</entry> <entry align="left">ORIGINAL DEST</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>REDIRECT</literal></entry>
<literal>REDIRECT</literal>
</entry> <entry align="left"><literal>loc!ops</literal></entry>
<entry align="left">
<literal>loc!ops</literal> <entry align="left"><literal>3128</literal></entry>
</entry>
<entry align="left"> <entry align="left"><literal>tcp</literal></entry>
<literal>3128</literal>
</entry> <entry align="left"><literal>http</literal></entry>
<entry align="left">
<literal>tcp</literal> <entry align="left"></entry>
</entry>
<entry align="left"> <entry align="left"></entry>
<literal>http</literal>
</entry>
<entry align="left"/>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>...</literal></entry>
<literal>...</literal>
</entry> <entry align="left"></entry>
<entry align="left"/>
<entry align="left"/> <entry align="left"></entry>
<entry align="left"/>
<entry align="left"/> <entry align="left"></entry>
<entry align="left"/>
<entry align="left"/> <entry align="left"></entry>
<entry align="left"></entry>
<entry align="left"></entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
</informaltable> </informaltable>
<para>
This is the rule that transparently redirects web traffic to the transparent proxy running on the firewall. The <emphasis role="bold">SOURCE</emphasis> column explicitly excludes the <literal>ops</literal> zone from the rule. <para>This is the rule that transparently redirects web traffic to the
</para> transparent proxy running on the firewall. The <emphasis
role="bold">SOURCE</emphasis> column explicitly excludes the
<literal>ops</literal> zone from the rule.</para>
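Review bot: the paragraph should explain why the `!ops` exclusion in SOURCE is necessary rather than merely stating it: because `loc` is defined as `eth2:0.0.0.0/0` in the hosts file, a plain `loc` source would also match the `10.10.10.0/24` operations hosts, and the REDIRECT would send their web traffic to the proxy regardless of the `ops all ACCEPT` policy. It would also help to say that `3128` in the DEST column is the proxy's listening port on the firewall, since the article never names the proxy.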
<!-- Routestopped File --> <!-- Routestopped File -->
<bridgehead renderas="sect4">Routestopped File</bridgehead> <bridgehead renderas="sect4">Routestopped File</bridgehead>
<informaltable colsep="1" pgwide="0"> <informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="2"> <tgroup align="left" cols="2">
<thead valign="middle"> <thead valign="middle">
<row valign="middle"> <row valign="middle">
<entry align="left">INTERFACE</entry> <entry align="left">INTERFACE</entry>
<entry align="left">HOST(S))</entry> <entry align="left">HOST(S))</entry>
</row> </row>
</thead> </thead>
<tbody> <tbody>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>eth1</literal></entry>
<literal>eth1</literal>
</entry> <entry align="left"></entry>
<entry align="left"/>
</row> </row>
<row valign="middle"> <row valign="middle">
<entry align="left"> <entry align="left"><literal>eth2</literal></entry>
<literal>eth2</literal>
</entry> <entry align="left"><literal>10.10.10.0/24</literal></entry>
<entry align="left">
<literal>10.10.10.0/24</literal>
</entry>
</row> </row>
</tbody> </tbody>
</tgroup> </tgroup>
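Review bot: the column heading `HOST(S))` carries a stray closing parenthesis in both the old and the new text; correct it to `HOST(S)`. The `eth1` row with an empty HOST(S) cell means every DMZ host keeps access while Shorewall is stopped, and the `eth2` row limits LAN access to `10.10.10.0/24`; a one-line note under the table stating that would let the Hosts file paragraph above stop describing this file's behaviour.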