some changes, (somewhat incomplete,though.. )

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@2622 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
judas_iscariote 2005-09-02 09:01:13 +00:00
parent 2b2e213fe8
commit cf710d08ea
7 changed files with 350 additions and 733 deletions

View File

@ -614,8 +614,10 @@ NET_OPTIONS=blacklist,norfc1918</programlisting>
<para>If no &lt;<emphasis>number</emphasis>&gt; is given then
the value 1 is assumed</para>
<para>WARNING -- DO NOT SPECIFY arp_ignore FOR ANY INTERFACE
INVOLVED IN PROXY ARP.</para>
<para><warning>
<para><emphasis role="bold">DO NOT SPECIFY arp_ignore FOR
ANY INTERFACE INVOLVED IN PROXY ARP</emphasis>.</para>
</warning></para>
</listitem>
</varlistentry>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2005-07-08</pubdate>
<pubdate>2005-09-02</pubdate>
<copyright>
<year>2004</year>
@ -123,7 +123,7 @@
</listitem>
</orderedlist>
<para>The currently-supported major releases are 2.0 and 2.2.</para>
<para>The currently-supported major releases are 2.4.x and 3.x.</para>
</section>
<section>

View File

@ -13,12 +13,10 @@
<surname>Eastep</surname>
</author>
<pubdate>2005-08-03</pubdate>
<pubdate>2005-09-02</pubdate>
<copyright>
<year>2003</year>
<year>2004</year>
<year>2003-</year>
<year>2005</year>
@ -36,6 +34,12 @@
</legalnotice>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that release</emphasis></para>
</caution>
<section>
<title>Shorewall Does not:</title>
@ -77,18 +81,6 @@
</itemizedlist>
</listitem>
<listitem>
<para>Set up Routing (except to support <ulink
url="ProxyARP.htm">Proxy ARP</ulink>) — Shorewall 2.4.0 and later CAN
set up routing for multiple internet connections.</para>
</listitem>
<listitem>
<para>Do Traffic Shaping/Bandwidth Management (although it provides
<ulink url="traffic_shaping.htm">hooks to interface to Traffic
Control/Bandwidth Management solutions</ulink>)</para>
</listitem>
<listitem>
<para>Configure/manage Network Devices (your Distribution includes
tools for that).</para>

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2005-07-17</pubdate>
<pubdate>2005-09-02</pubdate>
<copyright>
<year>2001-2005</year>
@ -64,37 +64,11 @@
</caution>
<section>
<title>RFC1918 File</title>
<title>Problems in Shorewall.</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/rfc1918">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#rfc1918">rfc1918 file</ulink>. <emphasis
role="bold">This file only applies to Shorewall versions 1.4.* and 2.0.0
and its bugfix updates</emphasis>. In Shorewall 2.0.1 and later releases,
the <filename>bogons</filename> file lists IP ranges that are reserved by
the IANA and the <filename>rfc1918</filename> file only lists those three
ranges that are reserved by <ulink
url="shorewall_setup_guide.htm#RFC1918">RFC 1918</ulink>.</para>
</section>
<section>
<title>Bogons File</title>
<para><ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.10/bogons">Here</ulink>
is the most up to date version of the <ulink
url="Documentation.htm#Bogons">bogons file</ulink>. <emphasis
role="bold">This file only applies to Shorewall versions 2.0.1 and
later.</emphasis></para>
</section>
<section>
<title>Problems in Version 2.2 and Later</title>
<para>Beginning with Shorewall version 2.2.0, errata will not be published
on this page. Rather, the download directory for each version will
contain:</para>
<para>Beginning with Shorewall version 2.2.0, errata <emphasis
role="bold">will not be published on this page</emphasis>. Rather, the
download directory for each version will contain:</para>
<orderedlist>
<listitem>
@ -111,423 +85,10 @@
</orderedlist>
</section>
<section>
<title>Problems in Version 2.0</title>
<section>
<title>Shorewall 2.0.17</title>
<itemizedlist>
<listitem>
<para>Users specifying TCP_FLAGS_LOG_LEVEL=ULOG will find that
"shorewall [re]start" fails with the following error:</para>
<programlisting>iptables v1.3.2: Unknown arg `--log-ip-options'
Try `iptables -h' or 'iptables --help' for more information.
ERROR: Command "/usr/sbin/iptables -A logflags -j ULOG --log-ip-options --ulog-prefix "Shorewall:logflags:DROP:"" Failed</programlisting>
<para>Install the '<ulink
url="http://www1.shorewall.net/pub/shorewall/errata/2.0.17/firewall">firewall'
script in the errata directory </ulink>into
/usr/share/shorewall/firewall replacing the file by that
name.</para>
</listitem>
<listitem>
<para>Setting MACLIST_DISPOSITION=ACCEPT opens a serious security
vulnerability. Install the '<ulink
url="http://www1.shorewall.net/pub/shorewall/errata/2.0.17/firewall">firewall'
script in the errata directory</ulink>into
/usr/share/shorewall/firewall replacing the file by that
name.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.15-2.0.16</title>
<itemizedlist>
<listitem>
<para>If the "rejNotSyn" action is invoked, an error occurs at
startup.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.16/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.12</title>
<itemizedlist>
<listitem>
<para>The "shorewall add" command produces the error message:</para>
<programlisting>/usr/share/shorewall/firewall: line 1: match_destination_hosts: command not found</programlisting>
<para>You can correct the problem yourself by editing
/usr/share/shorewall/firewall and on line 5805, replace <emphasis
role="bold">match_destination_hosts</emphasis> with <emphasis
role="bold">match_dest_hosts</emphasis>.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.12/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.10</title>
<para>The initial packages uploaded to the FTP and HTTP servers were
incorrect. Here are the MD5 sums of the incorrect packages.</para>
<programlisting>14e8f2bfa08cc5ca2715c8b1179d5eb2 &nbsp;shorewall-2.0.10-1.noarch.rpm
54bcbb2216ad3db9870507cd9716fd99 &nbsp;shorewall-2.0.10.tgz
c2fe0acc7f056acb56d089cf8dafa39a &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>These incorrect packages have been replaced with correct ones
having the following MD5 sums:</para>
<programlisting>d5af452d38538b4b994c3c4abab8e012 &nbsp;shorewall-2.0.10-1.noarch.rpm
985ce9215ea9cc0299f0b5450fdbe05e &nbsp;shorewall-2.0.10.tgz
0ec7a65e4ed4ad1db0d2a4cb0c7bd5bf &nbsp;shorwall-2.0.10.lrp</programlisting>
<para>If you have installed an incorrect package, please replace
<filename>/sbin/shorewall</filename> with <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.10/shorewall">this
file</ulink>.</para>
</section>
<section>
<title>Shorewall 2.0.3 through 2.0.8</title>
<itemizedlist>
<listitem>
<para>An empty PROTO column in /etc/shorewall/tcrules produced
iptables errors during <command>shorewall start</command>. A value
of <command>all</command> in that column produced a similar
error.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.8/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.3a through 2.0.7</title>
<itemizedlist>
<listitem>
<para>Entries in the USER/GROUP column of an action file (made from
action.template) may be ignored or cause odd errors.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.7/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</section>
<section>
<title>Shorewall 2.0.3a through 2.0.4</title>
<itemizedlist>
<listitem>
<para>Error messages regarding $RESTOREBASE occur during <emphasis
role="bold">shorewall stop</emphasis> if DISABLE_IPV6=Yes in
shorewall.conf.</para>
</listitem>
</itemizedlist>
<para>Corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above. Also fixed in
Shorewall Version 2.0.5.</para>
</section>
<section>
<title>Shorewall 2.0.2 and all Shorewall 2.0.3 Releases.</title>
<itemizedlist>
<listitem>
<para>DNAT rules with <emphasis role="bold">fw</emphasis> as the
source zone and that specify logging cause <command>shorewall
start</command> to fail with an iptables error. The problem is
corrected for Shorewall 2.0.3 users in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.3a and 2.0.3b</title>
<itemizedlist>
<listitem>
<para>Error messages regarding $RESTOREBASE occur during <emphasis
role="bold">shorewall stop</emphasis>.</para>
</listitem>
<listitem>
<para>If CLEAR_TC=Yes in <filename>shorewall.conf</filename>,
<emphasis role="bold">shorewall stop</emphasis> fails without
removing the lock file.</para>
</listitem>
</itemizedlist>
<para>The above problems are corrected in Shorewall version
2.0.3c.</para>
</section>
<section>
<title>Shorewall 2.0.3a</title>
<itemizedlist>
<listitem>
<para>Slackware users find that version 2.0.3a fails to start
because their <command>mktemp</command> utility does not support the
-d option. This may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.3/functions">this
corrected <filename>functions</filename> file</ulink> in <filename
class="directory">/var/lib/shorewall/functions</filename>.</para>
</listitem>
<listitem>
<para>Shorewall fails to start if there is no
<command>mktemp</command> utility.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in Shorewall version 2.0.3b.</para>
</section>
<section>
<title>Shorewall 2.0.3</title>
<itemizedlist>
<listitem>
<para>A non-empty entry in the DEST column of /etc/shorewall/tcrules
will result in an error message and Shorewall fails to start. This
problem is fixed in Shorewall version 2.0.3a.</para>
</listitem>
<listitem>
<para>A potentially exploitable vulnerability in the way that
Shorewall handles temporary files and directories has been found by
Javier Fernández-Sanguino Peña. This vulnerability is corrected in
Shorewall 2.0.3a. All Shorewall 2.0.x users are urged to upgrade to
2.0.3a.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.2</title>
<itemizedlist>
<listitem>
<para>Temporary restore files with names of the form
<filename>restore-</filename><emphasis>nnnnn</emphasis> are left in
/var/lib/shorewall.</para>
</listitem>
<listitem>
<para>"shorewall restore" and "shorewall -f start" do not load
kernel modules.</para>
<para><emphasis role="bold">The above two problems are corrected in
Shorewall 2.0.2a</emphasis></para>
</listitem>
<listitem>
<para>Specifying a null common action in /etc/shorewall/actions
(e.g., :REJECT) results in a startup error.</para>
</listitem>
<listitem>
<para>If <filename>/var/lib/shorewall</filename> does not exist,
<command>shorewall start</command> fails.</para>
<para><emphasis role="bold">The above four problems are corrected in
Shorewall 2.0.2b</emphasis></para>
</listitem>
<listitem>
<para>DNAT rules work incorrectly with dynamic zones in that the
source interface is not included in the nat table DNAT rule.</para>
<para><emphasis role="bold">The above five problems are corrected in
Shorewall 2.0.2c</emphasis></para>
</listitem>
<listitem>
<para>During start and restart, Shorewall is detecting capabilities
before loading kernel modules. Consequently, if kernel module
autoloading is disabled, capabilities can be mis-detected during
boot.</para>
</listitem>
<listitem>
<para>The <emphasis>newnotsyn</emphasis> option in
<filename>/etc/shorewall/hosts</filename> has no effect.</para>
<para><emphasis role="bold">The above seven problems are corrected
in Shorewall 2.0.2d</emphasis></para>
</listitem>
<listitem>
<para>Use of the LOG target in an action results in two LOG or ULOG
rules.</para>
<para><emphasis role="bold">The above eight problems are corrected
in Shorewall 2.0.2e</emphasis></para>
</listitem>
<listitem>
<para>Kernel modules fail to load when MODULE_SUFFIX isn't set in
shorewall.conf</para>
<para><emphasis role="bold">All of the above problems are corrected
in Shorewall 2.0.2f</emphasis></para>
</listitem>
</itemizedlist>
<para>These problems are all corrected by the
<filename>firewall</filename> and <filename>functions</filename> files
in <ulink url="http://shorewall.net/pub/shorewall/errata/2.0.2">this
directory</ulink>. Both files must be installed in
<filename>/usr/share/shorewall/</filename> as described above.</para>
</section>
<section>
<title>Shorewall 2.0.1</title>
<itemizedlist>
<listitem>
<para>Confusing message mentioning IPV6 occur at startup.</para>
</listitem>
<listitem>
<para>Modules listed in /etc/shorewall/modules don't load or produce
errors on Mandrake 10.0 Final.</para>
</listitem>
<listitem>
<para>The <command>shorewall delete</command> command does not
remove all dynamic rules pertaining to the host(s) being
deleted.</para>
</listitem>
</itemizedlist>
<para>These problems are corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/firewall">this
firewall script</ulink> which may be installed in
<filename>/usr/share/shorewall/firewall</filename> as described
above.</para>
<itemizedlist>
<listitem>
<para>When run on a SuSE system, the install.sh script fails to
configure Shorewall to start at boot time. That problem is corrected
in <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/install.sh">this
version of the script</ulink>.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.1/2.0.0</title>
<itemizedlist>
<listitem>
<para>On Debian systems, an install using the tarball results in an
inability to start Shorewall at system boot. If you already have
this problem, install <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.1/init.debian.sh">this
file</ulink> as /etc/init.d/shorewall (replacing the existing file
with that name). If you are just installing or upgrading to
Shorewall 2.0.0 or 2.0.1, then replace the
<filename>init.debian.sh</filename> file in the Shorewall
distribution directory (shorewall-2.0.x) with the updated file
before running <command>install.sh</command> from that
directory.</para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Shorewall 2.0.0</title>
<itemizedlist>
<listitem>
<para>When using an Action in the ACTIONS column of a rule, you may
receive a warning message about the rule being a policy. While this
warning may be safely ignored, it can be eliminated by installing
the script from the link below.</para>
</listitem>
<listitem>
<para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
and IPSEC has been corrected.</para>
</listitem>
</itemizedlist>
<para>The first problem has been corrected in Shorewall update
2.0.0a.</para>
<para>All of these problems may be corrected by installing <ulink
url="http://shorewall.net/pub/shorewall/errata/2.0.0/firewall">this
firewall script</ulink> in /usr/share/shorewall as described
above.</para>
</section>
</section>
<section>
<title>Upgrade Issues</title>
<para>The upgrade issues have moved to <ulink url="upgrade_issues.htm">a
separate page</ulink>.</para>
</section>
<section>
<title>Problem with iptables 1.2.9</title>
<para>If you want to use the new features in Shorewall 2.0.2 (Betas, RCs,
Final) or later then you need to patch your iptables 1.2.9 with <ulink
url="http://shorewall.net/pub/shorewall/errata/iptables-1.2.9.diff">this
patch</ulink> or you need to use the <ulink
url="http://www.netfilter.org/downloads.html#cvs">CVS version of
iptables</ulink>.</para>
</section>
<section>
<title>Problems with RH Kernels after 2.4.20-9 and REJECT (also applies to
2.4.21-RC1)</title>
<para>Beginning with errata kernel 2.4.20-13.9, <quote>REJECT
--reject-with tcp-reset</quote> is broken. The symptom most commonly seen
is that REJECT rules act just like DROP rules when dealing with TCP. A
kernel patch and precompiled modules to fix this problem are available at
<ulink
url="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</ulink></para>
<note>
<para>RedHat have corrected this problem in their 2.4.20-27.x
kernels.</para>
</note>
</section>
</article>

View File

@ -13,12 +13,10 @@
</author>
</authorgroup>
<pubdate>2004-10-01</pubdate>
<pubdate>2005-09-02</pubdate>
<copyright>
<year>2001-2002</year>
<year>2004</year>
<year>2001-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -41,21 +39,26 @@
</abstract>
</articleinfo>
<caution>
<para><emphasis role="bold">This article applies to Shorewall 3.0 and
later. If you are running a version of Shorewall earlier than Shorewall
3.0.0 then please see the documentation for that release</emphasis></para>
</caution>
<section>
<title>Important Notes</title>
<note>
<para>Beginning with Shorewall 2.0.0, the Shorewall distribution
contains a library of user-defined actions that allow for easily
allowing or blocking a particular application. Check your
<filename>/usr/share/shorewall/actions.std</filename> file for a list of
the actions in your distribution. If you find what you need, you simply
use the action in a rule. For example, to allow DNS queries from the
<emphasis role="bold">dmz</emphasis> zone to the <emphasis
<para> Shorewall distribution contains a library of user-defined macros
that allow for easily allowing or blocking a particular application.
Check your <filename>/usr/share/shorewall/actions.std</filename> file
for a list of macros in your distribution. If you find what you need,
you simply use the action in a rule. For example, to allow DNS queries
from the <emphasis role="bold">dmz</emphasis> zone to the <emphasis
role="bold">net</emphasis> zone:</para>
<programlisting>#ACTION SOURCE DESTINATION
AllowDNS dmz net</programlisting>
DNS/ACCEPT dmz net</programlisting>
</note>
<note>
@ -68,28 +71,32 @@ AllowDNS dmz net</programlisting>
at 192.168.1.4 in your DMZ. The FTP section below gives you:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 21</programlisting>
FTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>You would code your rule as follows:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
DNAT net dmz:192.168.1.4 tcp 21</programlisting>
FTP/DNAT net dmz:192.168.1.4 </programlisting>
</note>
</section>
<section>
<title>Auth (identd)</title>
<caution>
<para><emphasis role="bold"><emphasis>Now,It's 21 Century</emphasis> ,
don't use identd in production anymore.</emphasis></para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 113</programlisting>
Auth/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
</section>
<section>
<title>DNS</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> udp 53
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 53</programlisting>
DNS/ACCEPT <emphasis> &lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
<para>Note that if you are setting up a DNS server that supports recursive
resolution, the server is the &lt;<emphasis>destination</emphasis>&gt; for
@ -100,10 +107,8 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
local clients then you would need:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT all dmz udp 53
ACCEPT all dmz tcp 53
ACCEPT dmz net udp 53
ACCEPT dmz net tcp 53</programlisting>
DNS/ACCEPT all dmz
DNS/ACCEPT dmz net </programlisting>
<note>
<para>Recursive Resolution means that if the server itself can't resolve
@ -153,7 +158,7 @@ DNAT net loc:192.168.1.4 tcp 4711</programlisting>
<title>FTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 21</programlisting>
FTP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis></programlisting>
<para>Look <ulink url="FTP.html">here</ulink> for much more
information.</para>
@ -163,15 +168,20 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<title>ICQ/AIM</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> net tcp 5190</programlisting>
ICQ/ACCEPT <emphasis>&lt;source&gt;</emphasis> net</programlisting>
</section>
<section>
<title>IMAP</title>
<caution>
<para>When accessing you mail from the internet,use <emphasis
role="bold">only</emphasis> <emphasis role="bold">IMAP over
SSL</emphasis></para>
</caution>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 143 #Unsecure IMAP
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 993 #Secure IMAP</programlisting>
IMAP/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> #Secure &amp; Unsecure IMAP</programlisting>
</section>
<section>
@ -215,6 +225,11 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
<section>
<title>Pop3</title>
<caution>
<para>If Possible , <emphasis role="bold">Avoid this protocol</emphasis>
, use <emphasis role="bold">IMAP</emphasis> instead.</para>
</caution>
<para>TCP Port 110 (Secure Pop3 is TCP Port 995)</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
@ -248,10 +263,10 @@ ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</e
</section>
<section>
<title>SSH</title>
<title>SSH/SFTP</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> tcp 22</programlisting>
SSH/ACCEPT <emphasis>&lt;source&gt;</emphasis> <emphasis>&lt;destination&gt;</emphasis> </programlisting>
</section>
<section>
@ -401,6 +416,16 @@ ACCEPT &lt;<emphasis>apps</emphasis>&gt; &lt;<emphasis>chooser</emphasis>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.16</revnumber>
<date>2005-09-02</date>
<authorinitials>CR</authorinitials>
<revremark>Updated for Shorewall v3.0</revremark>
</revision>
<revision>
<revnumber>1.15</revnumber>

View File

@ -291,13 +291,6 @@ all all REJECT info</programlisting>
if you have a static IP address, you can remove <quote>dhcp</quote> from
the option list.</para>
</tip>
<tip>
<para>If you specify <emphasis>nobogons</emphasis> for your external
interface, you will want to check the <ulink url="errata.htm">Shorewall
Errata</ulink> periodically for updates to the
<filename>/usr/share/shorewall/bogons file</filename>.</para>
</tip>
</section>
<section>
@ -345,12 +338,12 @@ all all REJECT info</programlisting>
&lt;<emphasis>action</emphasis>&gt; net fw</programlisting>
<example>
<title>You want to run a Web Server and a POP3 Server on your firewall
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
AllowWeb net fw
AllowPOP3 net fw</programlisting>
Web/ACCEPT net fw
IMAP/ACCEPT net fw</programlisting>
</example>
<para>You may also choose to code your rules directly without using the
@ -363,12 +356,12 @@ AllowPOP3 net fw</programlisting>
ACCEPT net fw <emphasis>&lt;protocol&gt;</emphasis> <emphasis>&lt;port&gt;</emphasis></programlisting>
<example>
<title>You want to run a Web Server and a POP3 Server on your firewall
<title>You want to run a Web Server and a IMAP Server on your firewall
system:</title>
<para><programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT net fw tcp 80
ACCEPT net fw tcp 110</programlisting></para>
ACCEPT net fw tcp 143</programlisting></para>
</example>
<para>If you don't know what port and protocol a particular application
@ -380,7 +373,7 @@ ACCEPT net fw tcp 110</programlisting></para>
firewall from the internet, use SSH:</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
AllowSSH net fw </programlisting>
SSH/ACCEPT net fw </programlisting>
</important>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
@ -409,9 +402,9 @@ AllowSSH net fw </programlisting>
</important>
<important>
<para><emphasis role="bold">If you are running Shorewall 2.1.3 or later,
you must enable startup by editing /etc/shorewall/shorewall.conf and
setting STARTUP_ENABLED=Yes.</emphasis></para>
<para><emphasis role="bold">You must enable startup by editing
/etc/shorewall/shorewall.conf and setting
STARTUP_ENABLED=Yes.</emphasis></para>
</important>
<para>The firewall is started using the <quote><command>shorewall
@ -453,6 +446,16 @@ AllowSSH net fw </programlisting>
<title>Revision History</title>
<para><revhistory>
<revision>
<revnumber>1.9</revnumber>
<date>2005-09-02</date>
<authorinitials>CR</authorinitials>
<revremark>Update for Shorewall 3.0</revremark>
</revision>
<revision>
<revnumber>1.8</revnumber>

View File

@ -1,384 +1,418 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
<!-- $Id$ -->
<article id="whitelisting_under_shorewall">
<articleinfo>
<title>Whitelisting Under Shorewall</title>
<author>
<firstname>Tom</firstname>
<surname>Eastep</surname>
</author>
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
<pubdate>2005-09-02</pubdate>
<copyright>
<year>2002</year>
<year>2003</year>
<year>2004</year>
<year>2002-2005</year>
<holder>Thomas M. Eastep</holder>
</copyright>
<legalnotice>
<para>
Permission is granted to copy, distribute and/or modify this
<para>Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled <quote><ulink url="copyright.htm" type="">GNU Free Documentation License</ulink></quote>.
</para>
Texts. A copy of the license is included in the section entitled
<quote><ulink type="" url="copyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
<para>
For a brief time, the 1.2 version of Shorewall supported an <literal>/etc/shorewall/whitelist</literal> file. This file was intended to contain a
list of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was implemented as a stop-gap measure until the
facilities necessary for implementing white lists using zones was in place. As of Version <literal>1.3 RC1</literal>, those facilities were available.
</para>
<para>
White lists are most often used to give special privileges to a set of hosts within an organization. Let us suppose that we have the following environment:
</para>
<para>White lists are most often used to give special privileges to a set of
hosts within an organization. Let us suppose that we have the following
environment:</para>
<itemizedlist mark="bullet" spacing="compact">
<listitem>
<para>
A firewall with three interfaces -- one to the Internet, one to a local network and one to a <acronym>DMZ</acronym>.
</para>
<para>A firewall with three interfaces -- one to the Internet, one to a
local network and one to a <acronym>DMZ</acronym>.</para>
</listitem>
<listitem>
<para>
The local network uses <acronym>SNAT</acronym> to the internet and is comprised of the Class B network <literal>10.10.0.0/16</literal> (Note: While this example uses an RFC 1918 local network, the technique described here in no way depends on that or on <acronym>SNAT</acronym>. It may be used with Proxy <acronym>ARP</acronym>, Subnet Routing, Static NAT, etc.).
</para>
<para>The local network uses <acronym>SNAT</acronym> to the internet and
is comprised of the Class B network <literal>10.10.0.0/16</literal>
(Note: While this example uses an RFC 1918 local network, the technique
described here in no way depends on that or on <acronym>SNAT</acronym>.
It may be used with Proxy <acronym>ARP</acronym>, Subnet Routing, Static
NAT, etc.).</para>
</listitem>
<listitem>
<para>
The network operations staff have workstations with IP addresses in the Class C network <literal>10.10.10.0/24</literal>.
</para>
<para>The network operations staff have workstations with IP addresses
in the Class C network <literal>10.10.10.0/24</literal>.</para>
</listitem>
<listitem>
<para>
We want the network operations staff to have full access to all other hosts.
</para>
<para>We want the network operations staff to have full access to all
other hosts.</para>
</listitem>
<listitem>
<para>
We want the network operations staff to bypass the transparent <acronym>HTTP</acronym> proxy running on our firewall.
</para>
<para>We want the network operations staff to bypass the transparent
<acronym>HTTP</acronym> proxy running on our firewall.</para>
</listitem>
</itemizedlist>
<para>
The basic approach will be that we will place the operations staff's class C in its own zone called ops. Here are the appropriate configuration files:
</para>
<!-- Zone File -->
<para>The basic approach will be that we will place the operations staff's
class C in its own zone called ops. Here are the appropriate configuration
files:</para>
<!-- Zone File -->
<bridgehead renderas="sect4">Zone File</bridgehead>
<informaltable colsep="1" pgwide="0">
<tgroup cols="3" align="left">
<tgroup align="left" cols="3">
<thead valign="middle">
<row valign="middle">
<entry align="left">ZONE</entry>
<entry align="left">DISPLAY</entry>
<entry align="left">COMMENTS</entry>
</row>
</thead>
<tbody valign="middle">
<row valign="middle">
<entry align="left">
<literal>net</literal>
</entry>
<entry align="left"><literal>net</literal></entry>
<entry align="left">Net</entry>
<entry align="left">Internet</entry>
</row>
<row valign="middle">
<entry align="left">
<literal>ops</literal>
</entry>
<entry align="left"><literal>ops</literal></entry>
<entry align="left">Operations</entry>
<entry align="left">Operations Staff's Class C</entry>
</row>
<row valign="middle">
<entry align="left">
<literal>loc</literal>
</entry>
<entry align="left"><literal>loc</literal></entry>
<entry align="left">Local</entry>
<entry align="left">Local Class B</entry>
</row>
<row valign="middle">
<entry align="left">
<literal>dmz</literal>
</entry>
<entry align="left"><literal>dmz</literal></entry>
<entry align="left">DMZ</entry>
<entry align="left">Demilitarized zone</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>
The <literal>ops</literal> zone has been added to the standard 3-zone zones
file -- since <literal>ops</literal> is a sub-zone of <literal>loc</literal>, we list it <emphasis>BEFORE</emphasis>
<literal>loc</literal>.
</para>
<!-- Interfaces File -->
<para>The <literal>ops</literal> zone has been added to the standard 3-zone
zones file -- since <literal>ops</literal> is a sub-zone of
<literal>loc</literal>, we list it <emphasis>BEFORE</emphasis>
<literal>loc</literal>.</para>
<!-- Interfaces File -->
<bridgehead renderas="sect4">Interfaces File</bridgehead>
<informaltable colsep="1" pgwide="0">
<tgroup cols="4" align="left">
<tgroup align="left" cols="4">
<thead valign="middle">
<row valign="middle">
<entry align="left">ZONE</entry>
<entry align="left">INTERFACE</entry>
<entry align="left">BROADCAST</entry>
<entry align="left">OPTIONS</entry>
</row>
</thead>
<tbody valign="middle">
<row valign="middle">
<entry align="left">
<literal>net</literal>
</entry>
<entry align="left">
<literal>eth0</literal>
</entry>
<entry align="left"><literal>net</literal></entry>
<entry align="left"><literal>eth0</literal></entry>
<entry align="left">&lt;whatever&gt;</entry>
<entry align="left">&lt;options&gt;</entry>
</row>
<row valign="middle">
<entry align="left">
<literal>dmz</literal>
</entry>
<entry align="left">
<literal>eth1</literal>
</entry>
<entry align="left"><literal>dmz</literal></entry>
<entry align="left"><literal>eth1</literal></entry>
<entry align="left">&lt;whatever&gt;</entry>
<entry align="left"/>
<entry align="left"></entry>
</row>
<row>
<entry align="left">
<literal>-</literal>
</entry>
<entry align="left">
<literal>eth2</literal>
</entry>
<entry align="left">
<literal>10.10.255.255</literal>
</entry>
<entry align="left"/>
<entry align="left"><literal>-</literal></entry>
<entry align="left"><literal>eth2</literal></entry>
<entry align="left"><literal>10.10.255.255</literal></entry>
<entry align="left"></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>
Because <literal>eth2</literal> interfaces to two zones (<literal>ops</literal> and <literal>loc</literal>), we don't specify a zone for it here.
</para>
<!-- Hosts File -->
<para>Because <literal>eth2</literal> interfaces to two zones
(<literal>ops</literal> and <literal>loc</literal>), we don't specify a zone
for it here.</para>
<!-- Hosts File -->
<bridgehead renderas="sect4">Hosts File</bridgehead>
<informaltable colsep="1" pgwide="0">
<tgroup cols="3" align="left">
<tgroup align="left" cols="3">
<thead valign="middle">
<row valign="middle">
<entry align="left">ZONE</entry>
<entry align="left">HOST(S)</entry>
<entry align="left">OPTIONS</entry>
</row>
</thead>
<tbody valign="middle">
<row valign="middle">
<entry align="left">
<literal>ops</literal>
</entry>
<entry align="left">
<literal>eth2:10.10.10.0/24</literal>
</entry>
<entry align="left"/>
<entry align="left"><literal>ops</literal></entry>
<entry align="left"><literal>eth2:10.10.10.0/24</literal></entry>
<entry align="left"></entry>
</row>
<row valign="middle">
<entry align="left">
<literal>loc</literal>
</entry>
<entry align="left">
<literal>eth2:0.0.0.0/0</literal>
</entry>
<entry align="left"/>
<entry align="left"><literal>loc</literal></entry>
<entry align="left"><literal>eth2:0.0.0.0/0</literal></entry>
<entry align="left"></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>
Here we define the <literal>ops</literal> and <literal>loc</literal> zones. When Shorewall is stopped, only the hosts in the <literal>ops</literal> zone will be allowed to access the firewall and the <acronym>DMZ</acronym>. I use <literal>0.0.0.0/0</literal> to define the <literal>loc</literal> zone rather than <literal>10.10.0.0/16</literal> so that the limited broadcast address (<literal>255.255.255.255</literal>) falls into that zone. If I used <literal>10.10.0.0/16</literal> then I would have to have a separate entry for that special address.
</para>
<!-- Policy File -->
<para>Here we define the <literal>ops</literal> and <literal>loc</literal>
zones. When Shorewall is stopped, only the hosts in the
<literal>ops</literal> zone will be allowed to access the firewall and the
<acronym>DMZ</acronym>. I use <literal>0.0.0.0/0</literal> to define the
<literal>loc</literal> zone rather than <literal>10.10.0.0/16</literal> so
that the limited broadcast address (<literal>255.255.255.255</literal>)
falls into that zone. If I used <literal>10.10.0.0/16</literal> then I would
have to have a separate entry for that special address.</para>
<!-- Policy File -->
<bridgehead renderas="sect4">Policy File</bridgehead>
<informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="5">
<thead valign="middle">
<row valign="middle">
<entry align="left">SOURCE</entry>
<entry align="left">DEST</entry>
<entry align="left">POLICY</entry>
<entry align="left">LOG LEVEL</entry>
<entry align="left">LIMIT BURST</entry>
</row>
</thead>
<tbody>
<row valign="middle">
<entry align="left">
<!-- To color the cell grey, uncomment the following 2 lines
<entry align="left"><!-- To color the cell grey, uncomment the following 2 lines
<?dbhtml bgcolor="#EEEEEE" ?>
<?dbfo bgcolor="#EEEEEE" ?>
-->
<emphasis role="bold">
<literal>ops</literal>
</emphasis>
</entry>
<entry align="left">
<emphasis role="bold">
<literal>all</literal>
</emphasis>
</entry>
<entry align="left">
<emphasis role="bold">
<literal>ACCEPT</literal>
</emphasis>
</entry>
<entry align="left"/>
<entry align="left"/>
--> <emphasis role="bold"> <literal>ops</literal> </emphasis></entry>
<entry align="left"><emphasis role="bold"> <literal>all</literal>
</emphasis></entry>
<entry align="left"><emphasis role="bold"> <literal>ACCEPT</literal>
</emphasis></entry>
<entry align="left"></entry>
<entry align="left"></entry>
</row>
<row valign="middle">
<entry align="left">
<emphasis role="bold">
<literal>all</literal>
</emphasis>
</entry>
<entry align="left">
<emphasis role="bold">
<literal>ops</literal>
</emphasis>
</entry>
<entry align="left">
<emphasis role="bold">
<literal>CONTINUE</literal>
</emphasis>
</entry>
<entry align="left"/>
<entry align="left"/>
<entry align="left"><emphasis role="bold"> <literal>all</literal>
</emphasis></entry>
<entry align="left"><emphasis role="bold"> <literal>ops</literal>
</emphasis></entry>
<entry align="left"><emphasis role="bold">
<literal>CONTINUE</literal> </emphasis></entry>
<entry align="left"></entry>
<entry align="left"></entry>
</row>
<row valign="middle">
<entry align="left">
<literal>loc</literal>
</entry>
<entry align="left">
<literal>net</literal>
</entry>
<entry align="left">
<literal>ACCEPT</literal>
</entry>
<entry align="left"/>
<entry align="left"/>
<entry align="left"><literal>loc</literal></entry>
<entry align="left"><literal>net</literal></entry>
<entry align="left"><literal>ACCEPT</literal></entry>
<entry align="left"></entry>
<entry align="left"></entry>
</row>
<row valign="middle">
<entry align="left">
<literal>net</literal>
</entry>
<entry align="left">
<literal>all</literal>
</entry>
<entry align="left">
<literal>DROP</literal>
</entry>
<entry align="left">
<literal>info</literal>
</entry>
<entry align="left"/>
<entry align="left"><literal>net</literal></entry>
<entry align="left"><literal>all</literal></entry>
<entry align="left"><literal>DROP</literal></entry>
<entry align="left"><literal>info</literal></entry>
<entry align="left"></entry>
</row>
<row valign="middle">
<entry align="left">
<literal>all</literal>
</entry>
<entry align="left">
<literal>all</literal>
</entry>
<entry align="left">
<literal>REJECT</literal>
</entry>
<entry align="left">
<literal>info</literal>
</entry>
<entry align="left"/>
<entry align="left"><literal>all</literal></entry>
<entry align="left"><literal>all</literal></entry>
<entry align="left"><literal>REJECT</literal></entry>
<entry align="left"><literal>info</literal></entry>
<entry align="left"></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>
Two entries for <literal>ops</literal> (in bold) have been added to the standard 3-zone policy file.
</para>
<!-- Rules File -->
<para>Two entries for <literal>ops</literal> (in bold) have been added to
the standard 3-zone policy file.</para>
<!-- Rules File -->
<bridgehead renderas="sect4">Rules File</bridgehead>
<informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="7">
<thead valign="middle">
<row valign="middle">
<entry align="left">ACTION</entry>
<entry align="left">SOURCE</entry>
<entry align="left">DEST</entry>
<entry align="left">PROTO</entry>
<entry align="left">DEST PORT(S)</entry>
<entry align="left">SOURCE PORT(S)</entry>
<entry align="left">ORIGINAL DEST</entry>
</row>
</thead>
<tbody>
<row valign="middle">
<entry align="left">
<literal>REDIRECT</literal>
</entry>
<entry align="left">
<literal>loc!ops</literal>
</entry>
<entry align="left">
<literal>3128</literal>
</entry>
<entry align="left">
<literal>tcp</literal>
</entry>
<entry align="left">
<literal>http</literal>
</entry>
<entry align="left"/>
<entry align="left"/>
<entry align="left"><literal>REDIRECT</literal></entry>
<entry align="left"><literal>loc!ops</literal></entry>
<entry align="left"><literal>3128</literal></entry>
<entry align="left"><literal>tcp</literal></entry>
<entry align="left"><literal>http</literal></entry>
<entry align="left"></entry>
<entry align="left"></entry>
</row>
<row valign="middle">
<entry align="left">
<literal>...</literal>
</entry>
<entry align="left"/>
<entry align="left"/>
<entry align="left"/>
<entry align="left"/>
<entry align="left"/>
<entry align="left"/>
<entry align="left"><literal>...</literal></entry>
<entry align="left"></entry>
<entry align="left"></entry>
<entry align="left"></entry>
<entry align="left"></entry>
<entry align="left"></entry>
<entry align="left"></entry>
</row>
</tbody>
</tgroup>
</informaltable>
<para>
This is the rule that transparently redirects web traffic to the transparent proxy running on the firewall. The <emphasis role="bold">SOURCE</emphasis> column explicitly excludes the <literal>ops</literal> zone from the rule.
</para>
<!-- Routestopped File -->
<para>This is the rule that transparently redirects web traffic to the
transparent proxy running on the firewall. The <emphasis
role="bold">SOURCE</emphasis> column explicitly excludes the
<literal>ops</literal> zone from the rule.</para>
<!-- Routestopped File -->
<bridgehead renderas="sect4">Routestopped File</bridgehead>
<informaltable colsep="1" pgwide="0">
<tgroup align="left" cols="2">
<thead valign="middle">
<row valign="middle">
<entry align="left">INTERFACE</entry>
<entry align="left">HOST(S))</entry>
</row>
</thead>
<tbody>
<row valign="middle">
<entry align="left">
<literal>eth1</literal>
</entry>
<entry align="left"/>
<entry align="left"><literal>eth1</literal></entry>
<entry align="left"></entry>
</row>
<row valign="middle">
<entry align="left">
<literal>eth2</literal>
</entry>
<entry align="left">
<literal>10.10.10.0/24</literal>
</entry>
<entry align="left"><literal>eth2</literal></entry>
<entry align="left"><literal>10.10.10.0/24</literal></entry>
</row>
</tbody>
</tgroup>