The /etc/shorewall/zones file released with Shorewall is as follows:
+ +| ZONE | +DISPLAY | +COMMENTS | +
| net | +Net | +Internet | +
| loc | +Local | +Local networks | +
| dmz | +DMZ | +Demilitarized zone | +
You may add, delete and modify entries in the /etc/shorewall/zones file - as desired so long as you have at least one zone defined.
- + as desired so long as you have at least one zone defined. +Warning 1: If you rename or delete a zone, you should perform "shorewall - stop; shorewall start" to install the change rather than - "shorewall restart".
- + stop; shorewall start" to install the change rather than + "shorewall restart". +Warning 2: The order of entries in the /etc/shorewall/zones file is - significant in some cases.
- + significant in some cases. +/etc/shorewall/interfaces
- +This file is used to tell the firewall which of your firewall's network - interfaces are connected to which zone. There will be one - entry in /etc/shorewall/interfaces for each of your interfaces. - Columns in an entry are:
- + interfaces are connected to which zone. There will be +one entry in /etc/shorewall/interfaces for each of your interfaces. + Columns in an entry are: +-
-
- ZONE - A zone defined -in the /etc/shorewall/zones file -or "-". If you specify "-", you must use the ZONE - A zone defined + in the /etc/shorewall/zones file + or "-". If you specify "-", you must use the /etc/shorewall/hosts file to define -the zones accessed via this interface. -
- INTERFACE - the name of
-the interface (examples: eth0, ppp0, ipsec+). Each interface
-can be listed on only one record in this file.
+
- INTERFACE - the name +of the interface (examples: eth0, ppp0, ipsec+). Each interface + can be listed on only one record in this file. DO NOT INCLUDE THE LOOPBACK INTERFACE -(lo) IN THIS FILE!!!
-- BROADCAST - the broadcast - address(es) for the sub-network(s) attached to the interface. - This should be left empty for P-T-P interfaces (ppp*, ippp*); -if you need to specify options for such an interface, enter + (lo) IN THIS FILE!!!
+ - BROADCAST - the broadcast
+ address(es) for the sub-network(s) attached to the interface.
+ This should be left empty for P-T-P interfaces (ppp*, ippp*);
+ if you need to specify options for such an interface, enter
"-" in this column. If you supply the special value "detect" in
- this column, the firewall will automatically determine the broadcast
- address. In order to use "detect":
+ this column, the firewall will automatically determine the broadcast
+ address. In order to use "detect":
-
-
- the - interface must be up before you start your firewall -
- the interface must only be attached - to a single sub-network (i.e., there must have a single broadcast - address). - +
- the + interface must be up before you start your firewall +
- the interface must only be attached + to a single sub-network (i.e., there must have a single broadcast + address). +
- - OPTIONS - a comma-separated - list of options. Possible options include: + +
- OPTIONS - a comma-separated
+ list of options. Possible options include:
+
+ routeback (Added in version 1.4.2) - This option causes Shorewall +to set up handling for routing packets that arrive on this interface back +out the same interface. If this option is specified, the ZONE column may not +contain "-".
+tcpflags (added in version 1.3.11) - This option causes Shorewall to make sanity checks on the header flags in TCP packets arriving on this interface. Checks include Null flags, SYN+FIN, SYN+RST and FIN+URG+PSH; @@ -271,1302 +278,1309 @@ these flag combinations are typically used for "silent" port scans. Packets failing these checks are logged according to the TCP_FLAGS_LOG_LEVEL option in /etc/shorewall/shorewall.conf and are disposed of according to the TCP_FLAGS_DISPOSITION option.
- +
-
- blacklist - This option causes incoming packets - on this interface to be checked against the
+ blacklist - This option causes incoming packets + on this interface to be checked against the blacklist.
-
- dhcp - The interface is assigned -an IP address via DHCP or is used by a DHCP server running - on the firewall. The firewall will be configured to allow - DHCP traffic to and from the interface even when the firewall - is stopped. You may also wish to use this option if you have a static - IP but you are on a LAN segment that has a lot of Laptops that -use DHCP and you select the norfc1918 option (see below).
+ dhcp - The interface is assigned + an IP address via DHCP or is used by a DHCP server running + on the firewall. The firewall will be configured to allow + DHCP traffic to and from the interface even when the firewall + is stopped. You may also wish to use this option if you have a +static IP but you are on a LAN segment that has a lot of Laptops + that use DHCP and you select the norfc1918 option (see +below). +norfc1918 - Packets arriving on this interface and that have a source address that is reserved in RFC 1918 or in other - RFCs will be dropped after being optionally logged. If packet mangling is enabled in /etc/shorewall/shorewall.conf - , then packets arriving on this interface that have a -destination address that is reserved by one of these RFCs will -also be logged and dropped.
- + addresses reserved by RFC1918 plus other ranges reserved by + the IANA or by other RFCs. +
-
- Addresses blocked by the standard packet mangling is enabled in /etc/shorewall/shorewall.conf + , then packets arriving on this interface that have a + destination address that is reserved by one of these RFCs will + also be logged and dropped.
+
+ Addresses blocked by the standard rfc1918 file include those - addresses reserved by RFC1918 plus other ranges reserved by -the IANA or by other RFCs.Beware that as IPv4 addresses become in increasingly short supply, - ISPs are beginning to use RFC 1918 addresses within their - own infrastructure. Also, many cable and DSL "modems" have - an RFC 1918 address that can be used through a web browser for - management and monitoring functions. If you want to specify - norfc1918 on your external interface but need to allow -access to certain addresses from the above list, see norfc1918 on your external interface but need to allow + access to certain addresses from the above list, see FAQ 14.
- +routefilter - Invoke the Kernel's route filtering - (anti-spoofing) facility on this interface. The kernel + (anti-spoofing) facility on this interface. The kernel will reject any packets incoming on this interface that have - a source address that would be routed outbound through another - interface on the firewall. Warning: - If you specify this option for an interface then the - interface must be up prior to starting the firewall.
- + a source address that would be routed outbound through another + interface on the firewall. Warning: + If you specify this option for an interface then +the interface must be up prior to starting the firewall. +dropunclean - Packets from this interface that are selected by the 'unclean' match target in iptables will be optionally logged and then dropped. Warning: This feature requires - that UNCLEAN match support be configured in your kernel, - either in the kernel itself or as a module. UNCLEAN - support is broken in some versions of the kernel but appears - to work ok in 2.4.17-rc1.
- + for download. I am currently running + this patch applied to kernel 2.4.16. +
-
- Update 12/17/2001: - The unclean match patch from - 2.4.17-rc1 is +
+ Update 12/17/2001: + The unclean match patch from + 2.4.17-rc1 is available - for download. I am currently running - this patch applied to kernel 2.4.16.Update 12/20/2001: I've - seen a number of tcp connection requests - with OPT (020405B40000080A...) being - dropped in the badpkt chain. This appears to be + seen a number of tcp connection requests + with OPT (020405B40000080A...) being + dropped in the badpkt chain. This appears to be a bug in the remote TCP stack whereby it is 8-byte aligning - a timestamp (TCP option 8) but rather than padding - with 0x01 it is padding with 0x00. It's a tough -call whether to deny people access to your servers -because of this rather minor bug in their networking -software. If you wish to disable the check that -causes these connections to be dropped, here's a kernel patch against 2.4.17-rc2.
- +logunclean - This option works like dropunclean - with the exception that packets selected - by the 'unclean' match target in iptables - are logged but not dropped. The - level at which the packets are logged is determined by + with the exception that packets selected + by the 'unclean' match target in iptables + are logged but not dropped. The + level at which the packets are logged is determined by the setting of LOGUNCLEAN and if LOGUNCLEAN has not been set, "info" is assumed.
- +proxyarp (Added in version 1.3.5) - This option causes -Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp - and is used when implementing Proxy ARP - Sub-netting as described at - - http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do - not set this option if you are implementing Proxy - ARP through entries in - /etc/shorewall/proxyarp.
-
-
- maclist (Added in version 1.3.10) -- If this option is specified, all connection requests from this - interface are subject to MAC Verification. - May only be specified for ethernet interfaces.
-
+ Shorewall to set /proc/sys/net/ipv4/conf/<interface>/proxy_arp
+ and is used when implementing Proxy
+ARP Sub-netting as described at
+
+ http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. Do
+ not set this option if you are implementing
+ Proxy ARP through entries in
+ /etc/shorewall/proxyarp.
+
+ maclist (Added in version 1.3.10) + - If this option is specified, all connection requests from this + interface are subject to MAC Verification. + May only be specified for ethernet interfaces. + +
My recommendations concerning options:
-
-
-
- External Interface -- tcpflags,blacklist,norfc1918,routefilter -
- Wireless Interface -- maclist,routefilter,tcpflags
-
- - Don't use dropunclean -- It's broken -in my opinion -
- Use logunclean only when you are trying - to debug a problem -
- Use dhcp and proxyarp when
-needed.
-
-
+ - External Interface -- tcpflags,blacklist,norfc1918,routefilter +
- Wireless Interface -- maclist,routefilter,tcpflags
+
+ - Don't use dropunclean -- It's broken + in my opinion +
- Use logunclean only when you are +trying to debug a problem +
- Use dhcp and proxyarp when
+ needed.
+
+
- +
Example 1: You have a conventional firewall setup in which eth0 connects - to a Cable or DSL modem and eth1 connects to your local - network and eth0 gets its IP address via DHCP. You want to -check all packets entering from the internet against the black list. Your /etc/shorewall/interfaces file - would be as follows:
- -+ would be as follows: + ++- -- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918,blacklist -- - - -loc -eth1 -detect --
-Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces - file would be:
- --- -- +
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - -net -ppp0 --
--
-Example 3: You have local interface eth1 with two IP addresses - -192.168.1.1/24 and 192.168.12.1/24
- --- + +- -
- -ZONE -INTERFACE -BROADCAST -OPTIONS -- - - +loc -eth1 -192.168.1.255,192.168.12.255 --
-ZONE +INTERFACE +BROADCAST +OPTIONS + ++ +net +eth0 +detect +dhcp,norfc1918,blacklist ++ + +loc +eth1 +detect ++
+Example 2: You have a standalone dialup GNU/Linux System. Your /etc/shorewall/interfaces + file would be:
+ +++ ++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +net +ppp0 ++
++
+Example 3: You have local interface eth1 with two IP addresses - + 192.168.1.1/24 and 192.168.12.1/24
+ ++++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ + + +loc +eth1 +192.168.1.255,192.168.12.255 ++
+/etc/shorewall/hosts - Configuration
- + Configuration +For most applications, specifying zones entirely in terms of network interfaces is sufficient. There may be times though where you need to define a zone to be a more general collection of hosts. This is the purpose of the /etc/shorewall/hosts file.
- +WARNING: The only times that you need entries in /etc/shorewall/hosts are:
- -
--
- IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN DON'T TOUCH THIS FILE!! -- You have more than one zone connecting through a single interface; -or
-- You have a zone that has multiple subnetworks that connect through -a single interface and you want the Shorewall box to route traffic between -those subnetworks.
- -
-Columns in this file are:
- --
- -- ZONE - A zone defined -in the /etc/shorewall/zones file.
-- HOST(S) - The name of -a network interface followed by a colon (":") followed -by either:
- --- --
- -- An IP address (example - - eth1:192.168.1.3)
-- A subnet in CIDR -notation (example - eth2:192.168.2.0/24)
- -The interface name much match an entry in /etc/shorewall/interfaces.
--
- -- OPTIONS - A comma-separated - list of option
- --- -maclist - Added in version 1.3.10. If specified, connection - requests from the hosts specified in this entry are subject -to MAC Verification. This option is -only valid for ethernet interfaces.
-
-If you don't define any hosts for a zone, the hosts in the zone default - to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... are - the interfaces to the zone.
- -Note: You probably DON'T - want to specify any hosts for your internet zone since the hosts that - you specify will be the only ones that you will be able to access without - adding additional rules.
+ -Example 1:
- -Your local interface is eth1 and you have two groups of local hosts that - you want to make into separate zones:
- --
- -- 192.168.1.0/25
-- 192.168.1.128/
- -Your /etc/shorewall/interfaces file might look like:
- --- -- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918 -- - - -- -eth1 -192.168.1.127,192.168.1.255 -
--
-The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces - to multiple zones.
- -Your /etc/shorewall/hosts file might look like:
- -- -- -- -
-- -ZONE -HOST(S) -OPTIONS -- -loc1 -eth1:192.168.1.0/25 --
-- - - -loc2 -eth1:192.168.1.128/25 --
-Example 2:
- -Your local interface is eth1 and you have two groups of local hosts that -you want to consider as one zone and you want Shorewall to route between them:
- --
- -- 192.168.1.0/25
-- 192.168.1.128/25
- -Your /etc/shorewall/interfaces file might look like:
- --- -- -
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -net -eth0 -detect -dhcp,norfc1918 -- - - -loc -
-eth1 -192.168.1.127,192.168.1.255 -
--
-Your /etc/shorewall/hosts file might look like:
- -- -- -- -
-- -ZONE -HOST(S) -OPTIONS -- -loc -eth1:192.168.1.0/25 --
-- - - -loc -eth1:192.168.1.128/25 --
-Nested and Overlapping Zones
- -The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow -you to define nested or overlapping zones. Such overlapping/nested zones - are allowed and Shorewall processes zones in the order that - they appear in the /etc/shorewall/zones file. So if you have - nested zones, you want the sub-zone to appear before the super-zone - and in the case of overlapping zones, the rules that will apply - to hosts that belong to both zones is determined by which zone -appears first in /etc/shorewall/zones.
- -Hosts that belong to more than one zone may be managed by the rules - of all of those zones. This is done through use of the special - CONTINUE policy described below.
- -/etc/shorewall/policy -Configuration.
- -This file is used to describe the firewall policy regarding establishment - of connections. Connection establishment is described in -terms of clients who initiate connections and servers - who receive those connection requests. Policies defined - in /etc/shorewall/policy describe which zones are allowed -to establish connections with other zones.
- -Policies established in /etc/shorewall/policy can be viewed as default - policies. If no rule in /etc/shorewall/rules applies to - a particular connection request then the policy from /etc/shorewall/policy - is applied.
- -Four policies are defined:
- --
- -- ACCEPT - The connection -is allowed.
-- DROP - The connection -request is ignored.
-- REJECT - The connection -request is rejected with an RST (TCP) or an ICMP destination-unreachable - packet being returned to the client.
-- CONTINUE - The connection - is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may - be used when one or both of the zones named in the entry are - sub-zones of or intersect with another zone. For more information, - see below.
-- NONE - (Added in version 1.4.1) - Shorewall should not set -up any infrastructure for handling traffic from the SOURCE zone to the DEST -zone. When this policy is specified, the LOG LEVEL and BURST:LIMIT - columns must be left blank.
- -
-For each policy specified in /etc/shorewall/policy, you can indicate - that you want a message sent to your system log each time - that the policy is applied.
- -Entries in /etc/shorewall/policy have four columns as follows:
--
+ IF YOU DON'T HAVE EITHER OF THOSE SITUATIONS THEN DON'T TOUCH THIS +FILE!! +- SOURCE - - The name of a client zone (a zone defined in the /etc/shorewall/zones file , the - name of the firewall zone or "all").
-- DEST - - The name of a destination zone (a zone defined in the /etc/shorewall/zones file , the name of the firewall zone or "all"). Shorewall automatically - allows all traffic from the firewall to itself so the You have more than one zone connecting through a single interface; + or
+- You have a zone that has multiple subnetworks that connect through + a single interface and you want the Shorewall box to route traffic between + those subnetworks.
+ +
+Columns in this file are:
+ ++
+ +- ZONE - A zone defined + in the /etc/shorewall/zones file.
+- HOST(S) - The name of + a network interface followed by a colon (":") followed + by either:
+ +++ ++
+ +- An IP address (example + - eth1:192.168.1.3)
+- A subnet in CIDR + notation (example - eth2:192.168.2.0/24)
+ +The interface name much match an entry in /etc/shorewall/interfaces.
++
+ +- OPTIONS - A comma-separated + list of option
+ +++ +routeback (Added in version 1.4.2) - This option causes Shorewall + to set up handling for routing packets sent by this host group back back +to the same group.
+
+
+ maclist - Added in version 1.3.10. If specified, connection + requests from the hosts specified in this entry are subject to + MAC Verification. This option is only + valid for ethernet interfaces.
+If you don't define any hosts for a zone, the hosts in the zone default + to i0:0.0.0.0/0 , i1:0.0.0.0/0, ... where i0, i1, ... +are the interfaces to the zone.
+ +Note: You probably DON'T + want to specify any hosts for your internet zone since the hosts that + you specify will be the only ones that you will be able to access without + adding additional rules.
+ +Example 1:
+ +Your local interface is eth1 and you have two groups of local hosts that + you want to make into separate zones:
+ ++
+ +- 192.168.1.0/25
+- 192.168.1.128/
+ +Your /etc/shorewall/interfaces file might look like:
+ +++ ++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918 ++ + + +- +eth1 +192.168.1.127,192.168.1.255 +
++
+The '-' in the ZONE column for eth1 tells Shorewall that eth1 interfaces + to multiple zones.
+ +Your /etc/shorewall/hosts file might look like:
+ ++ ++ ++ +
++ +ZONE +HOST(S) +OPTIONS ++ +loc1 +eth1:192.168.1.0/25 ++
++ + + +loc2 +eth1:192.168.1.128/25 ++
+Example 2:
+ +Your local interface is eth1 and you have two groups of local hosts that + you want to consider as one zone and you want Shorewall to route between +them:
+ ++
+ +- 192.168.1.0/25
+- 192.168.1.128/25
+ +Your /etc/shorewall/interfaces file might look like:
+ +++ ++ +
++ +ZONE +INTERFACE +BROADCAST +OPTIONS ++ +net +eth0 +detect +dhcp,norfc1918 ++ + + +loc +
+eth1 +192.168.1.127,192.168.1.255 +
++
+Your /etc/shorewall/hosts file might look like:
+ ++ ++ ++ +
++ +ZONE +HOST(S) +OPTIONS ++ +loc +eth1:192.168.1.0/25 ++
++ + + +loc +eth1:192.168.1.128/25 ++
+Nested and Overlapping Zones
+ +The /etc/shorewall/interfaces and /etc/shorewall/hosts file allow +you to define nested or overlapping zones. Such overlapping/nested zones + are allowed and Shorewall processes zones in the order +that they appear in the /etc/shorewall/zones file. So if +you have nested zones, you want the sub-zone to appear before +the super-zone and in the case of overlapping zones, the rules +that will apply to hosts that belong to both zones is determined +by which zone appears first in /etc/shorewall/zones.
+ +Hosts that belong to more than one zone may be managed by the rules + of all of those zones. This is done through use of the special + CONTINUE policy described below.
+ +/etc/shorewall/policy + Configuration.
+ +This file is used to describe the firewall policy regarding establishment + of connections. Connection establishment is described in + terms of clients who initiate connections and servers + who receive those connection requests. Policies defined + in /etc/shorewall/policy describe which zones are allowed + to establish connections with other zones.
+ +Policies established in /etc/shorewall/policy can be viewed as default + policies. If no rule in /etc/shorewall/rules applies to + a particular connection request then the policy from /etc/shorewall/policy + is applied.
+ +Four policies are defined:
+ ++
+ +- ACCEPT - The connection + is allowed.
+- DROP - The connection + request is ignored.
+- REJECT - The connection + request is rejected with an RST (TCP) or an ICMP destination-unreachable + packet being returned to the client.
+- CONTINUE - The connection + is neither ACCEPTed, DROPped nor REJECTed. CONTINUE may + be used when one or both of the zones named in the entry are + sub-zones of or intersect with another zone. For more information, + see below.
+- NONE - (Added in version 1.4.1) - Shorewall should not set + up any infrastructure for handling traffic from the SOURCE zone to the DEST + zone. When this policy is specified, the LOG LEVEL and BURST:LIMIT + columns must be left blank.
+ +
+For each policy specified in /etc/shorewall/policy, you can indicate + that you want a message sent to your system log each time + that the policy is applied.
+ +Entries in /etc/shorewall/policy have four columns as follows:
+ ++
- +- +SOURCE - The name of a client zone (a zone defined in the + /etc/shorewall/zones file , the + name of the firewall zone or "all").
+- +DEST - The name of a destination zone (a zone defined in +the /etc/shorewall/zones file , the + name of the firewall zone or "all"). Shorewall automatically + allows all traffic from the firewall to itself so the name of the firewall zone cannot appear in both the SOURCE and DEST columns.
-- POLICY - - The default policy for connection requests from the SOURCE - zone to the DESTINATION zone.
-- LOG - LEVEL - Optional. If left empty, no log message is generated - when the policy is applied. Otherwise, this column should -contain an integer or name indicating a +POLICY - The default policy for connection requests from +the SOURCE zone to the DESTINATION zone.
+- +LOG LEVEL - Optional. If left empty, no log message is +generated when the policy is applied. Otherwise, this column +should contain an integer or name indicating a syslog level.
-- LIMIT:BURST - - Optional. If left empty, TCP connection requests - from the SOURCE zone to the DEST zone will - not be rate-limited. Otherwise, this column specifies the maximum - rate at which TCP connection requests will be accepted followed - by a colon (":") followed by the maximum burst size that will -be tolerated. Example: 10/sec:40 specifies that the -maximum rate of TCP connection requests allowed will be 10 per -second and a burst of 40 connections will be tolerated. Connection +
- LIMIT:BURST + - Optional. If left empty, TCP connection requests + from the SOURCE zone to the DEST zone will + not be rate-limited. Otherwise, this column specifies the maximum + rate at which TCP connection requests will be accepted followed + by a colon (":") followed by the maximum burst size that will + be tolerated. Example: 10/sec:40 specifies that the + maximum rate of TCP connection requests allowed will be 10 per + second and a burst of 40 connections will be tolerated. Connection requests in excess of these limits will be dropped.
- +In the SOURCE and DEST columns, you can enter "all" to indicate all - zones.
- + zones. +The policy file installed by default is as follows:
- +- +- +- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -LIMIT:BURST -- -loc -net -ACCEPT --
--
-- -net -all -DROP -info --
-- - - + + +all -all -REJECT -info --
-+ +SOURCE +DEST +POLICY +LOG LEVEL +LIMIT:BURST ++ +loc +net +ACCEPT ++
++
++ +net +all +DROP +info ++
++ + +all +all +REJECT +info ++
+
This table may be interpreted as follows:
- +-
-
- All connection requests from the -local network to hosts on the internet are accepted. -
- All connection requests originating - from the internet are ignored and logged at level KERNEL.INFO. -
- All other connection requests are -rejected and logged. - +
- All connection requests from the + local network to hosts on the internet are accepted. +
- All connection requests originating + from the internet are ignored and logged at level KERNEL.INFO. +
- All other connection requests +are rejected and logged. +
WARNING:
- +The firewall script processes the - /etc/shorewall/policy file from top to bottom and uses - the first applicable policy that it finds. For example, - in the following policy file, the policy for (loc, loc) connections - would be ACCEPT as specified in the first entry even though the - third entry in the file specifies REJECT.
- + /etc/shorewall/policy file from top to bottom and uses + the first applicable policy that it finds. For example, + in the following policy file, the policy for (loc, loc) connections + would be ACCEPT as specified in the first entry even though the + third entry in the file specifies REJECT. ++ face="Century Gothic, Arial, Helvetica">- -- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -LIMIT:BURST -- -loc -all -ACCEPT --
--
-- -net -all -DROP -info --
-- - - -loc -loc -REJECT -info --
-
IntraZone Traffic
- Shorewall allows a zone to be associated with more than one interface or -with multiple networks that interface through a single interface. Beginning -with Shorewall 1.4.1, Shorewall will ACCEPT all traffic from a zone to itself -provided that there is no explicit policy governing traffic from that zone -to itself (an explicit policy does not specify "all" in either the SOURCE -or DEST column) and that there are no rules concerning connections from that -zone to itself. If there is an explicit policy or if there are one or more -rules, then traffic within the zone is handled just like traffic between zones -is.- -
Any time that you have multiple interfaces associated with a single zone,
-you should ask yourself if you really want traffic routed between those interfaces.
-Cases where you might not want that behavior are:
-
-
-
- Multiple 'net' interfaces to different ISPs. You don't want to route -traffic from one ISP to the other through your firewall. -
- Multiple VPN clients. You don't necessarily want them to all be able
-to communicate between themselves using your gateway/router.
-
-
-
The CONTINUE -policy
- -Where zones are nested or overlapping , the - CONTINUE policy allows hosts that are within multiple zones - to be managed under the rules of all of these zones. Let's look - at an example:
- -/etc/shorewall/zones:
- --- -- +
-- -ZONE -DISPLAY -COMMENTS -- -sam -Sam -Sam's system at home -- -net -Internet -The Internet -- - - +loc -Loc -Local Network -SOURCE +DEST +POLICY +LOG LEVEL +LIMIT:BURST + ++ +loc +all +ACCEPT ++
++
++ +net +all +DROP +info ++
++ + +loc +loc +REJECT +info ++
+
/etc/shorewall/interfaces:
- -++ +
IntraZone Traffic
+ Shorewall allows a zone to be associated with more than one interface +or with multiple networks that interface through a single interface. Beginning + with Shorewall 1.4.1, Shorewall will ACCEPT all traffic from a zone to itself + provided that there is no explicit policy governing traffic from that zone + to itself (an explicit policy does not specify "all" in either the SOURCE + or DEST column) and that there are no rules concerning connections from that + zone to itself. If there is an explicit policy or if there are one or more + rules, then traffic within the zone is handled just like traffic between +zones is.+ +
Any time that you have multiple interfaces associated with a single zone,
+ you should ask yourself if you really want traffic routed between those interfaces.
+ Cases where you might not want that behavior are:
+
-
+
- Multiple 'net' interfaces to different ISPs. You don't want to route + traffic from one ISP to the other through your firewall. +
- Multiple VPN clients. You don't necessarily want them to all be
+able to communicate between themselves using your gateway/router.
+
+
+
The CONTINUE + policy
+ +Where zones are nested or overlapping , the + CONTINUE policy allows hosts that are within multiple zones + to be managed under the rules of all of these zones. Let's look + at an example:
+ +/etc/shorewall/zones:
+ +- -- +
-- -ZONE -INTERFACE -BROADCAST -OPTIONS -- -- -eth0 -detect -dhcp,norfc1918 -- - - +loc -eth1 -detect --
-ZONE +DISPLAY +COMMENTS + ++ +sam +Sam +Sam's system at home ++ +net +Internet +The Internet ++ + +loc +Loc +Local Network +
/etc/shorewall/hosts:
- -++ +
/etc/shorewall/interfaces:
+ +- + + +- +
-- -ZONE -HOST(S) -OPTIONS -- -net -eth0:0.0.0.0/0 --
-- - - +sam -eth0:206.191.149.197 --
-ZONE +INTERFACE +BROADCAST +OPTIONS + ++ +- +eth0 +detect +dhcp,norfc1918 ++ + +loc +eth1 +detect ++
+
/etc/shorewall/hosts:
+ ++++ +
++ +ZONE +HOST(S) +OPTIONS ++ +net +eth0:0.0.0.0/0 ++
++ + + +sam +eth0:206.191.149.197 ++
+
Note that Sam's home system is a member of both the sam zone - and the net - zone and as described above , that means - that sam must be listed before net in /etc/shorewall/zones.
- + and the net + zone and as described above , that means + that sam must be listed before net in /etc/shorewall/zones. +/etc/shorewall/policy:
- ++ face="Century Gothic, Arial, Helvetica">- + +- -
-- -SOURCE -DEST -POLICY -LOG LEVEL -- -loc -net -ACCEPT --
-- -sam -all -CONTINUE --
-- -net -all -DROP -info -- - - + +all -all -REJECT -info -+ +SOURCE +DEST +POLICY +LOG LEVEL ++ +loc +net +ACCEPT ++
++ +sam +all +CONTINUE ++
++ +net +all +DROP +info ++ + +all +all +REJECT +info +
The second entry above says that when Sam is the client, connection - requests should first be process under rules where the source - zone is sam and if there is no match then the connection + requests should first be process under rules where the +source zone is sam and if there is no match then the connection request should be treated under rules where the source zone is net. It is important that this policy be listed BEFORE the next policy (net to all).
- +Partial /etc/shorewall/rules:
- ++ face="Century Gothic, Arial, Helvetica">- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -... --
--
--
--
--
--
-- -DNAT -sam -loc:192.168.1.3 -tcp -ssh -- --
-- -DNAT -net -loc:192.168.1.5 -tcp -www -- --
-- - - -... --
--
--
--
--
--
-
Given these two rules, Sam can connect to the firewall's internet interface - with ssh and the connection request will be forwarded to - 192.168.1.3. Like all hosts in the net zone, Sam can - connect to the firewall's internet interface on TCP port 80 - and the connection request will be forwarded to 192.168.1.5. The - order of the rules is not significant.
- -Sometimes it is necessary to suppress port forwarding - for a sub-zone. For example, suppose that all hosts can - SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT -Sam. When Sam connects to the firewall's external IP, he should -be connected to the firewall itself. Because of the way that Netfilter - is constructed, this requires two rules as follows:
- --- + +- -
- -
- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- --
--
--
--
--
--
--
-- -... --
--
--
--
--
--
-- -DNAT -sam -fw -tcp -ssh -- --
-- -DNAT -net!sam -loc:192.168.1.3 -tcp -ssh -- --
-- - - + +... --
--
--
--
--
--
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +... ++
++
++
++
++
++
++ +DNAT +sam +loc:192.168.1.3 +tcp +ssh +- ++
++ +DNAT +net +loc:192.168.1.5 +tcp +www +- ++
++ + +... ++
++
++
++
++
++
+
Given these two rules, Sam can connect to the firewall's internet interface + with ssh and the connection request will be forwarded to + 192.168.1.3. Like all hosts in the net zone, Sam can + connect to the firewall's internet interface on TCP port 80 + and the connection request will be forwarded to 192.168.1.5. +The order of the rules is not significant.
+ +Sometimes it is necessary to suppress port forwarding + for a sub-zone. For example, suppose that all hosts can + SSH to the firewall and be forwarded to 192.168.1.5 EXCEPT + Sam. When Sam connects to the firewall's external IP, he should + be connected to the firewall itself. Because of the way that Netfilter + is constructed, this requires two rules as follows:
+ ++++ +
+ +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ ++
++
++
++
++
++
++
++ +... ++
++
++
++
++
++
++ +DNAT +sam +fw +tcp +ssh +- ++
++ +DNAT +net!sam +loc:192.168.1.3 +tcp +ssh +- ++
++ + + +... ++
++
++
++
++
++
+
The first rule allows Sam SSH access to the firewall. The second rule says that any clients from the net zone -with the exception of those in the 'sam' zone -should have their connection port forwarded -to 192.168.1.3. If you need to exclude - more than one zone in this way, - you can list -the zones separated by commas (e.g., net!sam,joe,fred). - This technique also may be used when + with the exception of those in the 'sam' zone + should have their connection port forwarded + to 192.168.1.3. If you need to exclude + more than one zone in this way, + you can list + the zones separated by commas (e.g., net!sam,joe,fred). + This technique also may be used when the ACTION is REDIRECT.
- +/etc/shorewall/rules
- +The /etc/shorewall/rules file defines exceptions to the policies established
- in the /etc/shorewall/policy file. There is one entry in
- /etc/shorewall/rules for each of these rules.
-
+ +
Shorewall automatically enables firewall->firewall traffic over the
- loopback interface (lo) -- that traffic cannot be regulated using
- rules and any rule that tries to regulate such traffic will generate
- a warning and will be ignored.
-
+ +
Entries in the file have the following columns:
- +-
-
- ACTION +
- ACTION
-
-
- ACCEPT, DROP, REJECT, CONTINUE. -These have the same meaning here as in the policy file -above. -
- DNAT -- Causes the connection -request to be forwarded to the system specified in the -DEST column (port forwarding). "DNAT" stands for "Destination - Network Address Translation" -
- DNAT- -- The above ACTION (DNAT) generates
-two iptables rules: 1) and header-rewriting rule in the Netfilter
-'nat' table and; 2) an ACCEPT rule in the Netfilter 'filter' table.
-DNAT- works like DNAT but only generates the header-rewriting rule.
-
- - REDIRECT -- Causes the connection - request to be redirected to a port on the local (firewall) - system. -
- LOG - Log the packet -- requires a syslog level (see below). - +
- ACCEPT, DROP, REJECT, CONTINUE. + These have the same meaning here as in the policy file + above. +
- DNAT -- Causes the connection + request to be forwarded to the system specified in the + DEST column (port forwarding). "DNAT" stands for "Destination + Network Address Translation" +
- DNAT- -- The above ACTION (DNAT) generates
+ two iptables rules: 1) and header-rewriting rule in the Netfilter
+ 'nat' table and; 2) an ACCEPT rule in the Netfilter 'filter' table.
+ DNAT- works like DNAT but only generates the header-rewriting rule.
+
+ - REDIRECT -- Causes the connection + request to be redirected to a port on the local (firewall) + system. +
- LOG - Log the packet -- requires a syslog level (see below). +
The ACTION may optionally be followed by ":" and a syslog level (example: REJECT:info). This causes the packet to be logged at the specified level prior to being processed according to the specified ACTION. Note: if the ACTION is LOG then you MUST specify a syslog level.
-
-
- The use of DNAT or REDIRECT requires -that you have NAT enabled.
-
- - SOURCE - Describes the source
- hosts to which the rule applies.. The contents of this field
- must begin with the name of a zone defined in /etc/shorewall/zones,
- $FW or "all". If the ACTION is DNAT or REDIRECT, sub-zones
+
+ The use of DNAT or REDIRECT requires + that you have NAT enabled.
+ +
+ - SOURCE - Describes the source
+ hosts to which the rule applies.. The contents of this field
+ must begin with the name of a zone defined in /etc/shorewall/zones,
+ $FW or "all". If the ACTION is DNAT or REDIRECT, sub-zones
may be excluded from the rule by following the initial zone name
-with "!' and a comma-separated list of those sub-zones to be
+ with "!' and a comma-separated list of those sub-zones to be
excluded. There is an example above.
-
- If the source is not 'all' then the -source may be further restricted by adding a colon (":") followed - by a comma-separated list of qualifiers. Qualifiers are may - include: +
+ If the source is not 'all' then the + source may be further restricted by adding a colon (":") followed + by a comma-separated list of qualifiers. Qualifiers are may + include:-
-
- An interface name - refers to -any connection requests arriving on the specified -interface (example loc:eth4). Beginning with Shorwall 1.3.9, the -interface name may optionally be followed by a colon (":") and an IP -address or subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24). -
- An IP address - refers to a connection - request from the host with the specified address -(example net:155.186.235.151). If the ACTION is DNAT, this must -not be a DNS name. -
- A MAC Address in An interface name - refers to + any connection requests arriving on the specified + interface (example loc:eth4). Beginning with Shorwall 1.3.9, the + interface name may optionally be followed by a colon (":") and an +IP address or subnet (examples: loc:eth4:192.168.4.22, net:eth0:192.0.2.0/24). +
- An IP address - refers to a +connection request from the host with the specified +address (example net:155.186.235.151). If the ACTION is DNAT, +this must not be a DNS name. +
- A MAC Address in Shorewall format. -
- A subnet - refers to a connection - request from any host in the specified subnet (example - net:155.186.235.0/24). - +
- A subnet - refers to a connection + request from any host in the specified subnet (example + net:155.186.235.0/24). +
- - DEST - Describes the destination - host(s) to which the rule applies. May take most of the forms - described above for SOURCE plus the following two additional - forms: + +
- DEST - Describes the destination
+ host(s) to which the rule applies. May take most of the forms
+ described above for SOURCE plus the following two additional
+ forms:
-
-
- An IP address followed by a colon
- and the port number that the server
- is listening on (service names from /etc/services are not
- allowed - example loc:192.168.1.3:80).
-
- - A single port number (again, service - names are not allowed) -- this form is only allowed if the -ACTION is REDIRECT and refers to a server running on the firewall - itself and listening on the specified port. - +
- An IP address followed by a
+colon and the port number that the
+server is listening on (service names from /etc/services are
+ not allowed - example loc:192.168.1.3:80).
+
+ - A single port number (again, +service names are not allowed) -- this form is only allowed +if the ACTION is REDIRECT and refers to a server running on the +firewall itself and listening on the specified port. +
- + Restrictions:
+-
-
- MAC addresses may not be specified. -
- In DNAT rules, only an IP address may be given -- DNS names -are not permitted. -
- You may not specify both an IP address and an interface name
-in the DEST column.
-
-
+ - MAC addresses may not be specified. +
- In DNAT rules, only an IP address may be given -- DNS names + are not permitted. +
- You may not specify both an IP address and an interface name
+ in the DEST column.
+
+
- - An IP address followed by a colon
- and the port number that the server
- is listening on (service names from /etc/services are not
- allowed - example loc:192.168.1.3:80).
- PROTO - Protocol. Must -be a protocol name from /etc/protocols, a number or "all". - Specifies the protocol of the connection request. -
- DEST PORT(S) - Port -or port range (<low port>:<high port>) being connected - to. May only be specified if the protocol is tcp, udp -or icmp. For icmp, this column's contents are interpreted as + +
- PROTO - Protocol. Must + be a protocol name from /etc/protocols, a number or "all". + Specifies the protocol of the connection request. +
- DEST PORT(S) - Port + or port range (<low port>:<high port>) being connected + to. May only be specified if the protocol is tcp, udp + or icmp. For icmp, this column's contents are interpreted as an icmp type. If you don't want to specify DEST PORT(S) but need to include information in one of the columns to the right, enter "-" in this column. You may give a list of ports and/or port ranges separated by commas. Port numbers may be either integers or service names from /etc/services. -
- SOURCE PORTS(S) - - May be used to restrict the rule to a particular client -port or port range (a port range is specified as <low port - number>:<high port number>). If you don't want to -restrict client ports but want to specify something in the next column, - enter "-" in this column. If you wish to specify a list of port -number or ranges, separate the list elements with commas (with -no embedded white space). Port numbers may be either integers or -service names from /etc/services. -
- ORIGINAL DEST - This column
- may only be non-empty if the ACTION is DNAT or REDIRECT.
-
- If DNAT or REDIRECT is the ACTION and -the ORIGINAL DEST column is left empty, any connection request - arriving at the firewall from the SOURCE that matches the -rule will be forwarded or redirected. This works fine for connection - requests arriving from the internet where the firewall has - only a single external IP address. When the firewall has multiple - external IP addresses or when the SOURCE is other than the internet, - there will usually be a desire for the rule to only apply to -those connection requests directed to a particular IP address -(see Example 2 below for another usage). That IP address (or -a comma-separated list of such addresses) is specified in the -ORIGINAL DEST column.
-
- The IP address may be optionally followed - by ":" and a second IP address. This latter address, if present, - is used as the source address for packets forwarded to the - server (This is called "Source NAT" or SNAT).
-
- Note: When using SNAT, -it is a good idea to qualify the source with an IP address or subnet. -Otherwise, it is likely that SNAT will occur on connections other than -those described in the rule. The reason for this is that SNAT occurs in - the Netfilter POSTROUTING hook where it is not possible to restrict -the scope of a rule by incoming interface.
-
- Example: DNAT loc:192.168.1.0/24 - loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3
-
- If SNAT is not used (no ":" -and second IP address), the original source address is -used. If you want any destination address to match the rule -but want to specify SNAT, simply use a colon followed by the SNAT - address.
-
+ - SOURCE PORTS(S) + - May be used to restrict the rule to a particular + client port or port range (a port range is specified as <low +port number>:<high port number>). If you don't want + to restrict client ports but want to specify something in the next +column, enter "-" in this column. If you wish to specify a list +of port number or ranges, separate the list elements with commas + (with no embedded white space). Port numbers may be either integers + or service names from /etc/services. +
- ORIGINAL DEST - This column
+ may only be non-empty if the ACTION is DNAT or REDIRECT.
+
+ If DNAT or REDIRECT is the ACTION +and the ORIGINAL DEST column is left empty, any connection +request arriving at the firewall from the SOURCE that matches + the rule will be forwarded or redirected. This works fine +for connection requests arriving from the internet where the +firewall has only a single external IP address. When the firewall + has multiple external IP addresses or when the SOURCE is other +than the internet, there will usually be a desire for the rule + to only apply to those connection requests directed to a particular + IP address (see Example 2 below for another usage). That IP +address is specified in the ORIGINAL DEST column.
+
+ The IP address may be optionally followed + by ":" and a second IP address. This latter address, if present, + is used as the source address for packets forwarded to the + server (This is called "Source NAT" or SNAT).
+
+ Note: When using SNAT, + it is a good idea to qualify the source with an IP address or subnet. + Otherwise, it is likely that SNAT will occur on connections other than + those described in the rule. The reason for this is that SNAT occurs in + the Netfilter POSTROUTING hook where it is not possible to restrict + the scope of a rule by incoming interface.
+
+ Example: DNAT loc:192.168.1.0/24 + loc:192.168.1.3 tcp www - 206.124.146.179:192.168.1.3
+
+ If SNAT is not used (no +":" and second IP address), the original source address +is used. If you want any destination address to match the +rule but want to specify SNAT, simply use a colon followed by the +SNAT address.
+
Example 1. You wish to forward all - ssh connection requests from the internet to local system - 192.168.1.3.
- + ssh connection requests from the internet to local system + 192.168.1.3. ++ face="Century Gothic, Arial, Helvetica">- -- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- - - -DNAT -net -loc:192.168.1.3 -tcp -ssh --
--
-
Example 2. You want to redirect all local www connection requests - EXCEPT those - to your own http server (206.124.146.177) - to a Squid transparent proxy running -on the firewall and listening on port 3128. Squid will of course - require access to remote web servers. This example shows yet - another use for the ORIGINAL - DEST column; here, connection - requests that were NOT - (notice the "!") originally - destined to 206.124.146.177 are - redirected to local port 3128.
- --- + + +- +
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL +
- DESTACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL
+ DEST- -REDIRECT -loc -3128 -tcp -www -- -
-!206.124.146.177 -- - - +ACCEPT -fw -net -tcp -www --
--
-+ + +DNAT +net +loc:192.168.1.3 +tcp +ssh ++
++
+
Example 2. You want to redirect all local www connection requests + EXCEPT those + to your own http server (206.124.146.177) + to a Squid transparent proxy running + on the firewall and listening on port 3128. Squid will of course + require access to remote web servers. This example shows yet + another use for the ORIGINAL + DEST column; here, connection + requests that were NOT + (notice the "!") originally + destined to 206.124.146.177 are + redirected to local port 3128.
+ ++++ +
++ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +REDIRECT +loc +3128 +tcp +www +- +
+!206.124.146.177 ++ + + +ACCEPT +fw +net +tcp +www ++
++
+
Example 3. You want to run a web server at 155.186.235.222 in your DMZ and have it accessible remotely and locally. the DMZ is managed by Proxy ARP or by classical sub-netting.
- ++ face="Century Gothic, Arial, Helvetica">- + +- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -ACCEPT -net -dmz:155.186.235.222 -tcp -www -- --
-- - - + +ACCEPT -loc -dmz:155.186.235.222 -tcp -www --
--
-+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +ACCEPT +net +dmz:155.186.235.222 +tcp +www +- ++
++ + +ACCEPT +loc +dmz:155.186.235.222 +tcp +www ++
++
+
Example 4. You want to run wu-ftpd on 192.168.2.2 in your masqueraded
- DMZ. Your internet interface address is 155.186.235.151
- and you want the FTP server to be accessible from the internet
- in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24
- subnetworks. Note that since the server is in the 192.168.2.0/24
- subnetwork, we can assume that access to the server from that subnet
- will not involve the firewall (but see FAQ
- 2). Note that unless you have more than one external
- IP address, you can leave
- the ORIGINAL DEST column
- blank in the first rule. You
- cannot leave it blank in the
- second rule though because
- then all ftp connections
+ DMZ. Your internet interface address is 155.186.235.151
+ and you want the FTP server to be accessible from the internet
+ in addition to the local 192.168.1.0/24 and dmz 192.168.2.0/24
+ subnetworks. Note that since the server is in the 192.168.2.0/24
+ subnetwork, we can assume that access to the server from that subnet
+ will not involve the firewall (but see FAQ
+ 2). Note that unless you have more than one external
+ IP address, you can leave
+ the ORIGINAL DEST column
+ blank in the first rule. You
+ cannot leave it blank in the
+ second rule though because
+ then all ftp connections
originating in the local subnet 192.168.1.0/24 would
be sent to 192.168.2.2
regardless of the site that
@@ -1575,456 +1589,457 @@ on the firewall and listening on port 3128. Squid will of course
clearly not what you want
- .
+ face="Century Gothic, Arial, Helvetica">- + +- -
-- -ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- -DNAT -net -dmz:192.168.2.2 -tcp -ftp --
--
-- - - + +DNAT -loc:192.168.1.0/24 -dmz:192.168.2.2 -tcp -ftp -- -155.186.235.151 -+ +ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL +
+ DEST+ +DNAT +net +dmz:192.168.2.2 +tcp +ftp ++
++
++ + +DNAT +loc:192.168.1.0/24 +dmz:192.168.2.2 +tcp +ftp +- +155.186.235.151 +
If you are running wu-ftpd, you should restrict the range of passive in your /etc/ftpaccess file. I only need a few simultaneous FTP sessions - so I use port range 65500-65535. In /etc/ftpaccess, this - entry is appropriate:
- -+ so I use port range 65500-65535. In /etc/ftpaccess, this + entry is appropriate: + ++- +passive ports 0.0.0.0/0 65500 65534
-
If you are running pure-ftpd, you would include "-p 65500:65534" on - the pure-ftpd runline.
- + the pure-ftpd runline. +The important point here is to ensure that the port range used for FTP - passive connections is unique and will not overlap with -any usage on the firewall system.
- + passive connections is unique and will not overlap with + any usage on the firewall system. +Example 5. You wish to allow unlimited DMZ access to the host with MAC address 02:00:08:E3:FA:55.
- ++ face="Century Gothic, Arial, Helvetica">+ -Example 6. You wish to allow access to the SMTP server -in your DMZ from all zones.- -
-- +ACTION -SOURCE -DEST -PROTO -DEST -
- PORT(S)SOURCE -
- PORT(S)ORIGINAL -
- DEST- - - +ACCEPT -loc:~02-00-08-E3-FA-55 -dmz -all --
--
--
-ACTION +SOURCE +DEST +PROTO +DEST +
+ PORT(S)SOURCE +
+ PORT(S)ORIGINAL + +
+ DEST+ + +ACCEPT +loc:~02-00-08-E3-FA-55 +dmz +all ++
++
++
+
- -
+ Example 6. You wish to allow access to the SMTP server + in your DMZ from all zones.+ Using "DNAT-" rather than "DNAT" avoids two extra +copies of the third rule from being generated.
+ +- Example 7 (For advanced users running Shorewall version - 1.3.13 or later). From the internet, you with to forward tcp -port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 -in your DMZ. You also want to allow access from the internet directly -to tcp port 25 on 192.0.2.177.- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- - - + +ACCEPT -
-all -
-dmz -
-tcp -
-25 -
--
--
-+ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ + +ACCEPT +
+all +
+dmz +
+tcp +
+25 +
++
++
+
- Note: When 'all' is used as a source or destination, - intra-zone traffic is not affected. In this example, if there -were two DMZ interfaces then the above rule would NOT enable SMTP -traffic between hosts on these interfaces.
-
- -++ Example 7 (For advanced users running Shorewall +version 1.3.13 or later). From the internet, you with to forward +tcp port 25 directed to 192.0.2.178 and 192.0.2.179 to host 192.0.2.177 + in your DMZ. You also want to allow access from the internet directly + to tcp port 25 on 192.0.2.177.
+ Note: When 'all' is used as a source or destination, + intra-zone traffic is not affected. In this example, if there + were two DMZ interfaces then the above rule would NOT enable SMTP + traffic between hosts on these interfaces.
+
+ +- Using "DNAT-" rather than "DNAT" avoids two extra copies - of the third rule from being generated.- -
-- -ACTION -
-SOURCE -
-DEST -
-PROTO -
-DEST -
- PORT(S)
-SOURCE -
- PORT(S)
-ORIGINAL -
- DEST
-- -DNAT- -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
-0 -
-192.0.2.178 -
-- -DNAT- -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
-0 -
-192.0.2.179 -
-- - - + +ACCEPT -
-net -
-dmz:192.0.2.177 -
-tcp -
-25 -
--
--
-+ +ACTION +
+SOURCE +
+DEST +
+PROTO +
+DEST +
+ PORT(S)
+SOURCE +
+ PORT(S)
+ORIGINAL +
+ DEST
++ +DNAT- +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
+0 +
+192.0.2.178 +
++ +DNAT- +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
+0 +
+192.0.2.179 +
++ + +ACCEPT +
+net +
+dmz:192.0.2.177 +
+tcp +
+25 +
++
++
+
- +
+
Look here for information on other services.
- +/etc/shorewall/common
- +Shorewall allows definition of rules that apply between -all zones. By default, these rules - are defined in the file - /etc/shorewall/common.def - but may be modified to - suit individual - requirements. Rather than modify /etc/shorewall/common.def, - you should copy that + all zones. By default, these rules + are defined in the file + /etc/shorewall/common.def + but may be modified to + suit individual + requirements. Rather than modify /etc/shorewall/common.def, + you should copy that file to /etc/shorewall/common and modify that file.
- +The /etc/shorewall/common - file is expected to contain iptables + file is expected to contain iptables commands; rather than running iptables directly, you should run it indirectly using the Shorewall function 'run_iptables'. - That way, if iptables encounters an -error, the firewall will be safely - stopped.
- + That way, if iptables encounters an + error, the firewall will be safely + stopped. +/etc/shorewall/masq
- +The /etc/shorewall/masq file is used to define classical IP Masquerading - and Source Network Address Translation (SNAT). There is one - entry in the file for each subnet that you want to masquerade. - In order to make use of this feature, you must have NAT enabled .
- +Columns are:
- +-
-
- INTERFACE - The interface - that will masquerade the subnet; this is normally your - internet interface. This interface name can be optionally qualified - by adding ":" and a subnet or host IP. When this qualification - is added, only packets addressed to that host or subnet will - be masqueraded. Beginning with Shorewall version 1.3.14, if you have +
- INTERFACE - The interface + that will masquerade the subnet; this is normally your + internet interface. This interface name can be optionally qualified + by adding ":" and a subnet or host IP. When this qualification + is added, only packets addressed to that host or subnet will + be masqueraded. Beginning with Shorewall version 1.3.14, if you have set ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf, - you can cause Shorewall to create an alias label of the form - interfacename:digit (e.g., eth0:0) by placing that label -in this column. See example 5 below. Alias labels created in this way -allow the alias to be visible to the ipconfig utility. THAT IS THE -ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE ELSE -IN YOUR SHOREWALL CONFIGURATION. -
- SUBNET - The subnet that
- you want to have masqueraded through the INTERFACE. This
- may be expressed as a single IP address, a subnet or an interface
- name. In the latter instance, the interface must be configured and
- started before Shorewall is started as Shorewall will determine
- the subnet based on information obtained from the 'ip' utility.
- When using Shorewall 1.3.13 or earlier, when
- an interface name is specified, Shorewall will only masquerade traffic
- from the first subnetwork on the named interface; if the interface interfaces
- to more that one subnetwork, you will need to add additional entries to
- this file for each of those other subnetworks. Beginning with Shorewall
-1.3.14, shorewall will masquerade/SNAT traffic from any host that is routed
-through the named interface.
-
- The subnet may be optionally followed -by "!' and a comma-separated list of addresses and/or subnets - that are to be excluded from masquerading.
- - ADDRESS - The source address - to be used for outgoing packets. This column is optional and - if left blank, the current primary IP address of the interface - in the first column is used. If you have a static IP on that interface, - listing it here makes processing of output packets a little -less expensive for the firewall. If you specify an address in this column, - it must be an IP address configured on the INTERFACE or you must have -ADD_SNAT_ALIASES enabled in /etc/shorewall/shorewall.conf. - + you can cause Shorewall to create an alias label of the form + interfacename:digit (e.g., eth0:0) by placing that label + in this column. See example 5 below. Alias labels created in this way + allow the alias to be visible to the ipconfig utility. THAT IS +THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT APPEAR ANYWHERE +ELSE IN YOUR SHOREWALL CONFIGURATION. +
- SUBNET - The subnet
+that you want to have masqueraded through the INTERFACE.
+This may be expressed as a single IP address, a subnet or an
+ interface name. In the latter instance, the interface must
+be configured and started before Shorewall is started as Shorewall
+ will determine the subnet based on information obtained from
+the 'ip' utility. When using Shorewall
+1.3.13 or earlier, when an interface name is specified, Shorewall will
+only masquerade traffic from the first subnetwork on the named interface;
+if the interface interfaces to more that one subnetwork, you will need
+to add additional entries to this file for each of those other subnetworks.
+Beginning with Shorewall 1.3.14, shorewall will masquerade/SNAT traffic
+from any host that is routed through the named interface.
+
+ The subnet may be optionally followed + by "!' and a comma-separated list of addresses and/or subnets + that are to be excluded from masquerading.
+ - ADDRESS - The source address + to be used for outgoing packets. This column is optional and + if left blank, the current primary IP address of the interface + in the first column is used. If you have a static IP on that +interface, listing it here makes processing of output packets +a little less expensive for the firewall. If you specify an address in +this column, it must be an IP address configured on the INTERFACE or +you must have ADD_SNAT_ALIASES enabled in /etc/shorewall/shorewall.conf. +
Example 1: You have eth0 connected to a cable modem and eth1 - connected to your local subnetwork 192.168.9.0/24. Your - /etc/shorewall/masq file would look like:
- -+ connected to your local subnetwork 192.168.9.0/24. Your + /etc/shorewall/masq file would look like: + ++ +- -- -
-- -INTERFACE -SUBNET -ADDRESS -- - - -eth0 -192.168.9.0/24 --
-Example 2: You have a number of IPSEC tunnels through ipsec0 - and you want to masquerade traffic from your 192.168.9.0/24 - subnet to the remote subnet 10.1.0.0/16 only.
- --- +- +
-- -INTERFACE -SUBNET -ADDRESS -- - - +ipsec0:10.1.0.0/16 -192.168.9.0/24 --
-INTERFACE +SUBNET +ADDRESS + ++ + +eth0 +192.168.9.0/24 ++
+
Example 2: You have a number of IPSEC tunnels through ipsec0 + and you want to masquerade traffic from your 192.168.9.0/24 + subnet to the remote subnet 10.1.0.0/16 only.
+ ++++ +
++ +INTERFACE +SUBNET +ADDRESS ++ + + +ipsec0:10.1.0.0/16 +192.168.9.0/24 ++
+
Example 3: You have a DSL line connected on eth0 and a local - network (192.168.10.0/24) connected - to eth1. You want all local->net - connections to use + network (192.168.10.0/24) connected + to eth1. You want all local->net + connections to use source address 206.124.146.176.
- -+ ++- +- -
-- +INTERFACE -SUBNET -ADDRESS -- - - +eth0 -192.168.10.0/24 -206.124.146.176 -INTERFACE +SUBNET +ADDRESS + ++ + +eth0 +192.168.10.0/24 +206.124.146.176 +
Example 4: Same as example 3 except that -you wish to exclude 192.168.10.44 -and 192.168.10.45 from - the SNAT rule.
- -+ you wish to exclude 192.168.10.44 + and 192.168.10.45 from + the SNAT rule. + ++- Example 5 (Shorewall version >= 1.3.14): You have a second - IP address (206.124.146.177) assigned to you and wish to use it for SNAT - of the subnet 192.168.12.0/24. You want to give that address the name - eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.- -
-- +INTERFACE -SUBNET -ADDRESS -- - - +eth0 -192.168.10.0/24!192.168.10.44,192.168.10.45 -206.124.146.176 -INTERFACE +SUBNET +ADDRESS + ++ + +eth0 +192.168.10.0/24!192.168.10.44,192.168.10.45 +206.124.146.176 +
- -++ Example 5 (Shorewall version >= 1.3.14): You have a +second IP address (206.124.146.177) assigned to you and wish to use +it for SNAT of the subnet 192.168.12.0/24. You want to give that address +the name eth0:0. You must have ADD_SNAT_ALIASES=Yes in /etc/shorewall/shorewall.conf.
+ +- +- -
-- +INTERFACE -SUBNET -ADDRESS -- - - +eth0:0 -192.168.12.0/24 -206.124.146.177 -INTERFACE +SUBNET +ADDRESS + ++ + +eth0:0 +192.168.12.0/24 +206.124.146.177 +
/etc/shorewall/proxyarp
- +If you want to use proxy ARP on an entire sub-network, - I suggest that you look -at http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/. - If you decide to use the technique - described in that + If you decide to use the technique + described in that HOWTO, you can set the proxy_arp flag for an interface (/proc/sys/net/ipv4/conf/<interface>/proxy_arp) by - including the proxyarp option - in the interface's + including the proxyarp option + in the interface's record in /etc/shorewall/interfaces. When using Proxy ARP sub-netting, - you do NOT include - any entries in /etc/shorewall/proxyarp. -
- + you do NOT include + any entries in /etc/shorewall/proxyarp. + +The /etc/shorewall/proxyarp file is used to define Proxy ARP. The file is typically used for @@ -2033,468 +2048,472 @@ small set of systems since you need one entry in this file for each system using proxy ARP. Columns -are:
- + are: +-
-
- ADDRESS - address of the - system. -
- INTERFACE - the interface - that connects to the system. If the interface is obvious - from the subnetting, you may enter "-" in this column. -
- EXTERNAL - the external -interface that you want to honor ARP requests for the -ADDRESS specified in the first column. -
- HAVEROUTE - If - you already have - a route through - INTERFACE to - ADDRESS, - this column should contain "Yes" +
- ADDRESS - address of +the system. +
- INTERFACE - the interface + that connects to the system. If the interface is obvious + from the subnetting, you may enter "-" in this column. +
- EXTERNAL - the external + interface that you want to honor ARP requests for the + ADDRESS specified in the first column. +
- HAVEROUTE - If + you already have + a route through + INTERFACE to + ADDRESS, + this column should contain "Yes" or "yes". If you want Shorewall to add the route, the column should contain - "No" + "No" or "no". - +
Note: After you have made a change to the /etc/shorewall/proxyarp - file, you may need to flush the ARP cache of all routers - on the LAN segment connected to the interface specified in the - EXTERNAL column of the change/added entry(s). If you are having - problems communicating between an individual host (A) on that - segment and a system whose entry has changed, you may need to - flush the ARP cache on host A as well.
- + file, you may need to flush the ARP cache of all routers + on the LAN segment connected to the interface specified in the + EXTERNAL column of the change/added entry(s). If you are having + problems communicating between an individual host (A) on that + segment and a system whose entry has changed, you may need to + flush the ARP cache on host A as well. +ISPs typically have ARP configured with long TTL (hours!) so if your ISPs router has a stale cache entry (as seen using "tcpdump -nei <external interface> host <IP addr>"), it may take a long while to time out. I personally have had to contact my ISP and ask them to delete a stale entry in order to restore a system to working order after changing my proxy ARP settings.
- +Example: You have public IP addresses 155.182.235.0/28. You -configure your firewall as follows:
- + configure your firewall as follows: +-
-
- eth0 - 155.186.235.1 (internet connection) -
- eth1 - 192.168.9.0/24 (masqueraded - local systems) -
- eth2 - 192.168.10.1 (interface to -your DMZ) - +
- eth0 - 155.186.235.1 (internet +connection) +
- eth1 - 192.168.9.0/24 (masqueraded + local systems) +
- eth2 - 192.168.10.1 (interface +to your DMZ) +
In your DMZ, you want to install a Web/FTP server with public address - 155.186.235.4. On the Web server, you subnet just like the - firewall's eth0 and you configure 155.186.235.1 as the default - gateway. In your /etc/shorewall/proxyarp file, you will have:
- -+ 155.186.235.4. On the Web server, you subnet just like +the firewall's eth0 and you configure 155.186.235.1 as the +default gateway. In your /etc/shorewall/proxyarp file, you will +have: + ++- +- -
-- -ADDRESS -INTERFACE -EXTERNAL -HAVEROUTE -- - - + +155.186.235.4 -eth2 -eth0 -No -+ +ADDRESS +INTERFACE +EXTERNAL +HAVEROUTE ++ + +155.186.235.4 +eth2 +eth0 +No +
Note: You may want to configure the servers in your DMZ with a subnet - that is smaller than the subnet of your internet interface. - See the Proxy ARP Subnet Mini HOWTO (http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/) - for details. In this case you will want to place "Yes" in - the HAVEROUTE column.
- + for details. In this case you will want to place "Yes" +in the HAVEROUTE column. +Warning: Do not use Proxy ARP and FreeS/Wan on the same system unless you are prepared to suffer the consequences. If you start or restart Shorewall with an IPSEC tunnel active, - the proxied IP addresses are mistakenly assigned to the IPSEC - tunnel device (ipsecX) rather than to the interface that you - specify in the INTERFACE column of /etc/shorewall/proxyarp. I haven't - had the time to debug this problem so I can't say if it is a bug -in the Kernel or in FreeS/Wan.
- + the proxied IP addresses are mistakenly assigned to the IPSEC + tunnel device (ipsecX) rather than to the interface that you + specify in the INTERFACE column of /etc/shorewall/proxyarp. I haven't + had the time to debug this problem so I can't say if it is a bug + in the Kernel or in FreeS/Wan. +You might be able to work around this problem using the following - (I haven't tried it):
- + (I haven't tried it): +In /etc/shorewall/init, include:
- +qt service ipsec stop
- +In /etc/shorewall/start, include:
- +qt service ipsec start
- +/etc/shorewall/nat
- +The /etc/shorewall/nat file is used to define static NAT. There is one - entry in the file for each static NAT relationship that - you wish to define. In order to make use of this feature, you - must have NAT enabled .
- + entry in the file for each static NAT relationship that + you wish to define. In order to make use of this feature, +you must have NAT enabled . +IMPORTANT: If all you want to do - is forward ports to -servers behind your firewall, you - do NOT want to use - static NAT. Port - forwarding can be + is forward ports to + servers behind your firewall, you + do NOT want to use + static NAT. Port + forwarding can be accomplished - with simple entries in + with simple entries in the rules -file. Also, in most - cases - Proxy ARP - provides a - superior solution -to static NAT because -the internal systems - are accessed - using the same IP address internally + file. Also, in most + cases + Proxy ARP + provides a + superior solution + to static NAT because + the internal systems + are accessed + using the same IP address internally and externally.
- +Columns in an entry are:
- +-
-
- EXTERNAL - External IP -address - This should NOT be the primary IP address -of the interface named in the next column. -
- INTERFACE - Interface -that you want the EXTERNAL IP address to appear on. Beginning - with Shorewall version 1.3.14, if you have set ADD_IP_ALIASES=Yes in - /etc/shorewall/shorewall.conf, you can specify an -alias label of the form interfacename:digit (e.g., eth0:0) and +
- EXTERNAL - External +IP address - This should NOT be the primary IP + address of the interface named in the next column. +
- INTERFACE - Interface + that you want the EXTERNAL IP address to appear on. +Beginning with Shorewall version 1.3.14, if you have set ADD_IP_ALIASES=Yes +in /etc/shorewall/shorewall.conf, you can specify +an alias label of the form interfacename:digit (e.g., eth0:0) and Shorewall will create the alias with that label. Alias labels created - in this way allow the alias to be visible to the ipconfig utility. + in this way allow the alias to be visible to the ipconfig utility. THAT IS THE ONLY THING THAT THIS LABEL IS GOOD FOR AND IT MAY NOT -APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION. -
- INTERNAL - Internal IP -address. -
- ALL - INTERFACES - - If Yes - or yes (or - left - empty), - NAT will be effective - from all hosts. - If No or no - then NAT - will be - effective - only - through the interface - named in the - INTERFACE column. -
- LOCAL - If Yes or yes and -the ALL INTERFACES column contains Yes or yes, NAT will -be effective from the firewall system. Note: For -this to work, you must be running kernel 2.4.19 or later and -iptables 1.2.6a or later and you must have enabled CONFIG_IP_NF_NAT_LOCAL - in your kernel. - + APPEAR ANYWHERE ELSE IN YOUR SHOREWALL CONFIGURATION. +
- INTERNAL - Internal +IP address. +
- ALL + INTERFACES + - If Yes + or yes (or + left + empty), + NAT will be effective + from all hosts. + If No or no + then NAT + will be + effective + only + through the interface + named in the + INTERFACE column. +
- LOCAL - If Yes or yes and + the ALL INTERFACES column contains Yes or yes, NAT will + be effective from the firewall system. Note: For + this to work, you must be running kernel 2.4.19 or later and + iptables 1.2.6a or later and you must have enabled CONFIG_IP_NF_NAT_LOCAL + in your kernel. +
Look here for additional information and an example. -
- + +/etc/shorewall/tunnels
- +The /etc/shorewall/tunnels file allows you to define IPSec, GRE, IPIP, - OpenVPN and PPTP - tunnels with end-points on your firewall. To use ipsec, you must - install version 1.9, 1.91 or the current OpenVPN and PPTP + tunnels with end-points on your firewall. To use ipsec, you must + install version 1.9, 1.91 or the current FreeS/WAN development snapshot.
- +Note: For kernels 2.4.4 and above, you will need to use version 1.91 - or a development snapshot as patching with version 1.9 -results in kernel compilation errors.
- + or a development snapshot as patching with version 1.9 + results in kernel compilation errors. +Instructions for setting up IPSEC tunnels may - be found here, instructions - for IPIP and GRE tunnels are here, instructions + for IPIP and GRE tunnels are here, instructions for OpenVPN tunnels are here, and - instructions for PPTP tunnels are here.
- + instructions for PPTP tunnels are here. +/etc/shorewall/shorewall.conf
- +This file is used to set the following firewall parameters:
- +-
-
- CLEAR_TC - Added at
-version 1.3.13
- If this option is set to 'No' then Shorewall won't clear the - current traffic control rules during [re]start. This setting is intended - for use by people that prefer to configure traffic shaping when the network - interfaces come up rather than when the firewall is started. If that -is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No and do not supply - an /etc/shorewall/tcstart file. That way, your traffic shaping rules -can still use the 'fwmark' classifier based on packet marking defined -in /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed.
-
- - MARK_IN_FORWARD_CHAIN - Added at version 1.3.12
- If your kernel has a FORWARD chain in the mangle table, - you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking specified - in the tcrules file to occur - in that chain rather than in the PREROUTING chain. This permits you - to mark inbound traffic based on its destination address when SNAT -or Masquerading are in use. To determine if your kernel has a FORWARD -chain in the mangle table, use the "/sbin/shorewall show mangle" command; - if a FORWARD chain is displayed then your kernel will support this -option. If this option is not specified or if it is given the empty value -(e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No is assumed.
-
- - RFC1918_LOG_LEVEL - Added at version 1.3.12
- This parameter determines the level at which packets - logged under the 'norfc1918' - mechanism are logged. The value must be a valid CLEAR_TC - Added +at version 1.3.13
+ If this option is set to 'No' then Shorewall won't clear +the current traffic control rules during [re]start. This setting is +intended for use by people that prefer to configure traffic shaping +when the network interfaces come up rather than when the firewall is +started. If that is what you want to do, set TC_ENABLED=Yes and CLEAR_TC=No +and do not supply an /etc/shorewall/tcstart file. That way, your traffic +shaping rules can still use the 'fwmark' classifier based on packet marking +defined in /etc/shorewall/tcrules. If not specified, CLEAR_TC=Yes is assumed.
+
+ - MARK_IN_FORWARD_CHAIN - Added at version 1.3.12
+ If your kernel has a FORWARD chain in the mangle +table, you may set MARK_IN_FORWARD_CHAIN=Yes to cause the marking +specified in the tcrules file +to occur in that chain rather than in the PREROUTING chain. This +permits you to mark inbound traffic based on its destination address +when SNAT or Masquerading are in use. To determine if your kernel has +a FORWARD chain in the mangle table, use the "/sbin/shorewall show +mangle" command; if a FORWARD chain is displayed then your kernel +will support this option. If this option is not specified or if it +is given the empty value (e.g., MARK_IN_FORWARD_CHAIN="") then MARK_IN_FORWARD_CHAIN=No + is assumed.
+
+ - RFC1918_LOG_LEVEL - Added at version
+1.3.12
+ This parameter determines the level at which packets + logged under the 'norfc1918' + mechanism are logged. The value must be a valid syslog level and if no level is given, - then info is assumed. Prior to Shorewall version 1.3.12, these packets - are always logged at the info level.
- - TCP_FLAGS_DISPOSITION - Added in Version
- 1.3.11
- Determines the disposition of TCP packets that fail -the checks enabled by the tcpflags -interface option and must have a value of ACCEPT (accept the packet), -REJECT (send an RST response) or DROP (ignore the packet). If not -set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="") then -TCP_FLAGS_DISPOSITION=DROP is assumed.
- - TCP_FLAGS_LOG_LEVEL - Added in Version + then info is assumed. Prior to Shorewall version 1.3.12, these packets + are always logged at the info level. +
- TCP_FLAGS_DISPOSITION - Added in Version
1.3.11
- Determines the tcpflags + interface option and must have a value of ACCEPT (accept the packet), + REJECT (send an RST response) or DROP (ignore the packet). If not + set or if set to the empty value (e.g., TCP_FLAGS_DISPOSITION="") then + TCP_FLAGS_DISPOSITION=DROP is assumed.
+ - TCP_FLAGS_LOG_LEVEL - Added in Version
+ 1.3.11
+ Determines the syslog level for logging packets -that fail the checks enabled by the tcpflags -interface option.The value must be a valid syslogd log level. + that fail the checks enabled by the tcpflags + interface option.The value must be a valid syslogd log level. If you don't want to log these packets, set to the empty value (e.g., TCP_FLAGS_LOG_LEVEL="").
-
- - MACLIST_DISPOSITION - Added in Version
- 1.3.10
- Determines the disposition of connections requests - that fail MAC Verification and - must have the value ACCEPT (accept the connection request anyway), REJECT - (reject the connection request) or DROP (ignore the connection request). - If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="") - then MACLIST_DISPOSITION=REJECT is assumed.
- - MACLIST_LOG_LEVEL - Added in Version
- 1.3.10
- Determines the +- MACLIST_DISPOSITION - Added in Version + 1.3.10
+
+ Determines the disposition of connections +requests that fail MAC Verification +and must have the value ACCEPT (accept the connection request anyway), +REJECT (reject the connection request) or DROP (ignore the connection +request). If not set or if set to the empty value (e.g., MACLIST_DISPOSITION="") + then MACLIST_DISPOSITION=REJECT is assumed.- MACLIST_LOG_LEVEL - Added in +Version 1.3.10
-
+ Determines the syslog level for logging connection - requests that fail MAC Verification. - The value must be a valid syslogd log level. If you don't want - to log these connection requests, set to the empty value (e.g., -MACLIST_LOG_LEVEL="").
-- NEWNOTSYN - Added in Version 1.3.8
-
- When set to "Yes" or "yes", Shorewall will -filter TCP packets that are not part of an established connention - and that are not SYN packets (SYN flag on - ACK flag off). If set - to "No", Shorewall will silently drop such packets. If not set - or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No is - assumed.
-
- If you have a HA setup with failover to another - firewall, you should have NEWNOTSYN=Yes on both firewalls. -You should also select NEWNOTSYN=Yes if you have asymmetric routing.
-- LOGNEWNOTSYN - Added in Version - 1.3.6
-
- Beginning with version 1.3.6, Shorewall - drops non-SYN TCP packets that are not part of an existing - connection. If you would like to log these packets, set -LOGNEWNOTSYN to the syslog level -at which you want the packets logged. Example: LOGNEWNOTSYN=ULOG|
-
- Note: Packets logged under this - option are usually the result of broken remote IP stacks - rather than the result of any sort of attempt to breach your - firewall.- DETECT_DNAT_ADDRS - - Added in Version 1.3.4
-
- If set to "Yes" or "yes", Shorewall will detect the IP address(es) - of the interface(es) to the source zone and will include this -(these) address(es) in DNAT rules as the original destination - IP address. If set to "No" or "no", Shorewall will not detect this - (these) address(es) and any destination IP address will match the -DNAT rule. If not specified or empty, "DETECT_DNAT_ADDRS=Yes" is -assumed.
-- MULTIPORT - Added in -Version 1.3.2
+
- If set to "Yes" or "yes", Shorewall -will use the Netfilter multiport facility. In order to -use this facility, your kernel must have multiport support -(CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used, Shorewall - will generate a single rule from each record in the /etc/shorewall/rules - file that meets these criteria:
- + requests that fail MAC Verification. + The value must be a valid syslogd log level. If you don't want + to log these connection requests, set to the empty value (e.g., + MACLIST_LOG_LEVEL="").
+- NEWNOTSYN - Added in Version +1.3.8
+
+ When set to "Yes" or "yes", Shorewall will + filter TCP packets that are not part of an established connention + and that are not SYN packets (SYN flag on - ACK flag off). If +set to "No", Shorewall will silently drop such packets. If not +set or set to the empty value (e.g., "NEWNOTSYN="), NEWNOTSYN=No +is assumed.
+
+ If you have a HA setup with failover to +another firewall, you should have NEWNOTSYN=Yes on both firewalls. + You should also select NEWNOTSYN=Yes if you have asymmetric routing.
+- LOGNEWNOTSYN - Added in Version + 1.3.6
+
+ Beginning with version 1.3.6, Shorewall + drops non-SYN TCP packets that are not part of an existing + connection. If you would like to log these packets, set + LOGNEWNOTSYN to the syslog +level at which you want the packets logged. Example: LOGNEWNOTSYN=ULOG|
+
+ Note: Packets logged under +this option are usually the result of broken remote IP +stacks rather than the result of any sort of attempt to +breach your firewall.- DETECT_DNAT_ADDRS + - Added in Version 1.3.4
+
+ If set to "Yes" or "yes", Shorewall will detect the first IP + address of the interface to the source zone and will include this address +in DNAT rules as the original destination IP address. If set to "No" +or "no", Shorewall will not detect this address and any destination + IP address will match the DNAT rule. If not specified or empty, +"DETECT_DNAT_ADDRS=Yes" is assumed.
+- MULTIPORT - Added +in Version 1.3.2
-
+ If set to "Yes" or "yes", Shorewall + will use the Netfilter multiport facility. In order +to use this facility, your kernel must have multiport +support (CONFIG_IP_NF_MATCH_MULTIPORT). When this support is used, + Shorewall will generate a single rule from each record in +the /etc/shorewall/rules file that meets these criteria:
+-
-
- No port range(s) specified -
- Specifies 15 or fewer ports - +
- No port range(s) specified +
- Specifies 15 or fewer ports +
Rules not meeting those criteria will continue to generate an individual - rule for each listed port or port range.
-- NAT_BEFORE_RULES
-
- If set to "No" or "no", port forwarding - rules can override the contents of the /etc/shorewall/nat - file. If set to "Yes" or "yes", port forwarding rules cannot - override static NAT. If not set or set to an empty value, -"Yes" is assumed.- FW
-
- This - parameter specifies the - name of the - firewall zone. - If not set or - if set -to an empty string, the value - "fw" is assumed.- SUBSYSLOCK
-
- This parameter should be set to -the name of a file that the firewall should create if -it starts successfully and remove when it stops. Creating -and removing this file allows Shorewall to work with your distribution's - initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall. - For Debian, the value is /var/state/shorewall and in LEAF it - is /var/run/shorwall. Example: SUBSYSLOCK=/var/lock/subsys/shorewall.- STATEDIR
+
- This parameter specifies the name - of a directory where Shorewall stores state information. - If the directory doesn't exist when Shorewall starts, it -will create the directory. Example: STATEDIR=/tmp/shorewall.
-
- NOTE: If you change the STATEDIR - variable while the firewall is running, create the new -directory if necessary then copy the contents of the old + rule for each listed port or port range. +- NAT_BEFORE_RULES
+
+ If set to "No" or "no", port forwarding + rules can override the contents of the /etc/shorewall/nat file. If set to "Yes" or + "yes", port forwarding rules cannot override static NAT. +If not set or set to an empty value, "Yes" is assumed.- FW
+
+ This + parameter specifies the + name of the + firewall zone. + If not set +or if + set to an empty string, the value + "fw" is assumed.- SUBSYSLOCK
+
+ This parameter should be set +to the name of a file that the firewall should create +if it starts successfully and remove when it stops. Creating + and removing this file allows Shorewall to work with your distribution's + initscripts. For RedHat, this should be set to /var/lock/subsys/shorewall. + For Debian, the value is /var/state/shorewall and in LEAF +it is /var/run/shorwall. Example: SUBSYSLOCK=/var/lock/subsys/shorewall.- STATEDIR
-
+ This parameter specifies the +name of a directory where Shorewall stores state information. + If the directory doesn't exist when Shorewall starts, +it will create the directory. Example: STATEDIR=/tmp/shorewall.
+
+ NOTE: If you change the STATEDIR + variable while the firewall is running, create the new + directory if necessary then copy the contents of the old directory to the new directory.- MODULESDIR
-
- This parameter specifies the directory - where your kernel netfilter modules may be found. If - you leave the variable empty, Shorewall will supply the value - "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.- LOGRATE and LOGBURST
-
- These parameters set the match -rate and initial burst size for logged packets. Please -see the iptables man page for a description of the behavior - of these parameters (the iptables option --limit is set by LOGRATE -and --limit-burst is set by LOGBURST). If both parameters are - set empty, no rate-limiting will occur.
-
- Example:
- LOGRATE=10/minute
- LOGBURST=5
-- LOGFILE
- This parameter - tells the /sbin/shorewall - program where +- MODULESDIR
+
+ This parameter specifies the +directory where your kernel netfilter modules may be +found. If you leave the variable empty, Shorewall will supply +the value "/lib/modules/`uname -r`/kernel/net/ipv4/netfilter.- LOGRATE and LOGBURST
+
+ These parameters set the match + rate and initial burst size for logged packets. Please + see the iptables man page for a description of the behavior + of these parameters (the iptables option --limit is set by +LOGRATE and --limit-burst is set by LOGBURST). If both parameters + are set empty, no rate-limiting will occur.
+
+ Example:
+ LOGRATE=10/minute
+ LOGBURST=5
+- LOGFILE
-
+ This parameter + tells the /sbin/shorewall + program where to look for Shorewall messages when processing - the "show log", "monitor", - "status" and + the "show log", "monitor", + "status" and "hits" commands. If not assigned or if assigned an empty value, /var/log/messages - is -assumed.- NAT_ENABLED
+
- This parameter determines whether - Shorewall supports NAT operations. NAT operations -include:
-
- Static NAT
- Port Forwarding
- Port Redirection
- Masquerading
-
- If the parameter has no value -or has a value of "Yes" or "yes" then NAT is enabled. + is + assumed.- NAT_ENABLED
-
+ This parameter determines whether + Shorewall supports NAT operations. NAT operations + include:
+
+ Static NAT
+ Port Forwarding
+ Port Redirection
+ Masquerading
+
+ If the parameter has no value + or has a value of "Yes" or "yes" then NAT is enabled. If the parameter has a value of "no" or "No" then NAT is disabled.
-- MANGLE_ENABLED
-
- This parameter determines if packet - mangling is enabled. If the parameter has no value or - has a value of "Yes" or "yes" than packet mangling is enabled. - If the parameter has a value of "no" or "No" then packet -mangling is disabled. If packet mangling is disabled, the -/etc/shorewall/tos file is ignored.
-- IP_FORWARDING
-
- This parameter determines whether - Shorewall enables or disables IPV4 Packet Forwarding - (/proc/sys/net/ipv4/ip_forward). Possible values are:
-
- On or on - packet forwarding - will be enabled.
- Off or off - packet forwarding - will be disabled.
- Keep or keep - Shorewall will - neither enable nor disable packet forwarding.
-
- If this variable is not set or -is given an empty value (IP_FORWARD="") then IP_FORWARD=On - is assumed.
-- ADD_IP_ALIASES
+
- This parameter determines whether - Shorewall automatically adds the +- MANGLE_ENABLED
+
+ This parameter determines if +packet mangling is enabled. If the parameter has no +value or has a value of "Yes" or "yes" than packet mangling + is enabled. If the parameter has a value of "no" or "No" +then packet mangling is disabled. If packet mangling is disabled, + the /etc/shorewall/tos file is ignored.
+- IP_FORWARDING
+
+ This parameter determines whether + Shorewall enables or disables IPV4 Packet Forwarding + (/proc/sys/net/ipv4/ip_forward). Possible values are:
+
+ On or on - packet forwarding + will be enabled.
+ Off or off - packet forwarding + will be disabled.
+ Keep or keep - Shorewall +will neither enable nor disable packet forwarding.
+
+ If this variable is not set +or is given an empty value (IP_FORWARD="") then IP_FORWARD=On + is assumed.
+- ADD_IP_ALIASES
-
+ This parameter determines whether + Shorewall automatically adds the external address(es) in /etc/shorewall/nat . If the variable is -set to "Yes" or "yes" then Shorewall automatically adds these aliases. -If it is set to "No" or "no", you must add these aliases yourself -using your distribution's network configuration tools. RESTRICTION: - Shorewall can only add addresses to the first subnetwork configured -on an interface.
-
- If this variable is not set or -is given an empty value (ADD_IP_ALIASES="") then ADD_IP_ALIASES=Yes - is assumed.- ADD_SNAT_ALIASES
-
- This parameter determines whether Shorewall - automatically adds the SNAT ADDRESS in /etc/shorewall/masq. If the variable is -set to "Yes" or "yes" then Shorewall automatically adds these -addresses. If it is set to "No" or "no", you must add these addresses - yourself using your distribution's network configuration tools. - RESTRICTION: Shorewall can only add addresses to the first subnetwork -configured on an interface.
-
- If this variable is not set or -is given an empty value (ADD_SNAT_ALIASES="") then -ADD_SNAT_ALIASES=No is assumed.
-- LOGUNCLEAN
+
- This parameter - determines the logging -level of - mangled/invalid - packets - controlled by - the 'dropunclean - and logunclean' + set to "Yes" or "yes" then Shorewall automatically adds these aliases. + If it is set to "No" or "no", you must add these aliases yourself + using your distribution's network configuration tools. RESTRICTION: + Shorewall can only add addresses to the first subnetwork configured + on an interface.
+
+ If this variable is not set or + is given an empty value (ADD_IP_ALIASES="") then +ADD_IP_ALIASES=Yes is assumed.- ADD_SNAT_ALIASES
+
+ This parameter determines whether +Shorewall automatically adds the SNAT ADDRESS + in /etc/shorewall/masq. If the variable +is set to "Yes" or "yes" then Shorewall automatically adds +these addresses. If it is set to "No" or "no", you must add these + addresses yourself using your distribution's network configuration + tools. RESTRICTION: Shorewall can only add addresses +to the first subnetwork configured on an interface.
+
+ If this variable is not set or + is given an empty value (ADD_SNAT_ALIASES="") then + ADD_SNAT_ALIASES=No is assumed.
+- LOGUNCLEAN
-
+ This parameter + determines the logging + level of + mangled/invalid + packets + controlled by + the 'dropunclean + and logunclean' interface options. If LOGUNCLEAN is empty (LOGUNCLEAN=) then @@ -2506,16 +2525,16 @@ packets selected by logged under the 'info' log level). Otherwise, these packets are logged at the -specified level - (Example: - LOGUNCLEAN=debug).- BLACKLIST_DISPOSITION
+
- This parameter - determines the disposition -of packets from - blacklisted - hosts. It may -have the value DROP if the packets + specified level + (Example: + LOGUNCLEAN=debug).- BLACKLIST_DISPOSITION
-
+ This parameter + determines the disposition + of packets from + blacklisted + hosts. It may + have the value DROP if the packets are to be dropped or REJECT if the packets are to @@ -2524,22 +2543,22 @@ have the value DROP if the packets port unreachable reply or a -TCP RST (tcp only). If you do not assign - a value or if - you assign an empty value - then DROP is - assumed.- BLACKLIST_LOGLEVEL
+
- This paremter - determines if packets from - blacklisted - hosts are - logged and it - determines the syslog -level that they are to be logged - at. Its value +TCP RST (tcp only). If you do not assign + a value or if + you assign an empty value + then DROP is + assumed.- BLACKLIST_LOGLEVEL
-
+ This paremter + determines if packets +from blacklisted + hosts are + logged and it + determines the syslog + level that they are to be logged + at. Its value is a syslog level - (Example: + (Example: BLACKLIST_LOGLEVEL=debug). If you do not assign a value or if you assign an empty value @@ -2547,20 +2566,20 @@ you do not assign a value or if you from blacklisted hosts are not logged.- CLAMPMSS
- This parameter - enables the TCP Clamp -MSS to PMTU - feature of - Netfilter and - is usually - required when - your internet connection - is through PPPoE - or PPTP. If set - to "Yes" - or "yes", - the feature is +- CLAMPMSS
-
+ This parameter + enables the TCP Clamp + MSS to PMTU + feature of + Netfilter and + is usually + required when + your internet connection + is through PPPoE + or PPTP. If set + to "Yes" + or "yes", + the feature is enabled. If left blank or set to @@ -2572,204 +2591,204 @@ MSS to PMTU Note: This option requires CONFIG_IP_NF_TARGET_TCPMSS in your kernel.- ROUTE_FILTER
- +
- If this parameter is given the value -"Yes" or "yes" then route filtering (anti-spoofing) is - enabled on all network interfaces. The default value is "no".- ROUTE_FILTER
+
+ If this parameter is given the value + "Yes" or "yes" then route filtering (anti-spoofing) is + enabled on all network interfaces. The default value is "no". - MACLIST_DISPOSITION - Added in Version + 1.3.10
/etc/shorewall/modules Configuration
- +The file /etc/shorewall/modules contains commands for loading the kernel - modules required by Shorewall-defined firewall rules. Shorewall - will source this file during start/restart provided that -it exists and that the directory specified by the MODULESDIR -parameter exists (see /etc/shorewall/shorewall.conf - above).
- + modules required by Shorewall-defined firewall rules. +Shorewall will source this file during start/restart provided +that it exists and that the directory specified by the MODULESDIR + parameter exists (see /etc/shorewall/shorewall.conf + above). +The file that is released with Shorewall calls the Shorewall function - "loadmodule" for the set of modules that I load.
- + "loadmodule" for the set of modules that I load. +The loadmodule function is called as follows:
- -+ ++- + <module parameters> ] +loadmodule <modulename> [ - <module parameters> ]
-
where
- -+ +- +<modulename>
- -+ ++- +is the name of the modules without the trailing ".o" (example ip_conntrack).
-<module parameters>
- -+ +-Optional parameters to the insmod utility.
+The function determines if the module named by <modulename> - is already loaded and if not then the function determines - if the ".o" file corresponding to the module exists in the - moduledirectory; if so, then the following command - is executed:
- -+ is already loaded and if not then the function determines + if the ".o" file corresponding to the module exists in +the moduledirectory; if so, then the following command + is executed: + ++- + parameters> +insmod moduledirectory/<modulename>.o <module - parameters>
-If the file doesn't exist, the function determines of the ".o.gz" file corresponding to the module exists in the moduledirectory. If it does, the function assumes that the running configuration supports compressed - modules and execute the following command:
- -+ modules and execute the following command: + ++- + parameters> +insmod moduledirectory/<modulename>.o.gz <module - parameters>
-/etc/shorewall/tos Configuration
- +The /etc/shorewall/tos file allows you to set the Type of Service field - in packet headers based on packet source, packet destination, - protocol, source port and destination port. In order for - this file to be processed by Shorewall, you must have mangle support enabled .
- +Entries in the file have the following columns:
- +-
- -- SOURCE -- The source zone. - May be qualified by following the zone name with a colon - (":") and either an IP address, an IP subnet, a MAC address - in Shorewall Format or the name of an -interface. This column may also contain the name of - the firewall - zone to - indicate packets originating on the firewall itself or "all" to - indicate any source.
-- DEST -- The destination -zone. May be qualified by following the zone name with -a colon (":") and either an IP address or an IP subnet. Because -packets are marked prior to routing, you may not specify - the name of an interface. This column may also contain "all" - to indicate any destination.
-- PROTOCOL -- The name of -a protocol in /etc/protocols or the protocol's number.
-- SOURCE PORT(S) -- The -source port or a port range. For all ports, place a +
- SOURCE -- The source +zone. May be qualified by following the zone name with +a colon (":") and either an IP address, an IP subnet, a MAC +address in Shorewall Format or the name + of an interface. This column may also contain the name +of the firewall + zone +to indicate packets originating on the firewall itself or "all" +to indicate any source.
+- DEST -- The destination + zone. May be qualified by following the zone name with + a colon (":") and either an IP address or an IP subnet. +Because packets are marked prior to routing, you may not specify + the name of an interface. This column may also contain +"all" to indicate any destination.
+- PROTOCOL -- The name +of a protocol in /etc/protocols or the protocol's number.
+- SOURCE PORT(S) -- The + source port or a port range. For all ports, place a hyphen ("-") in this column.
-- DEST PORT(S) -- The destination - port or a port range. To indicate all ports, place a hyphen - ("-") in this column.
-- TOS -- The type of service. - Must be one of the following:
- +- DEST PORT(S) -- The +destination port or a port range. To indicate all ports, +place a hyphen ("-") in this column.
+- TOS -- The type of service. + Must be one of the following:
+-++ +++- + Maximize-Throughput (8)-Minimize-Delay (16)
-
- Maximize-Throughput (8)
- Maximize-Reliability (4)
- Minimize-Cost (2)
- Normal-Service (0)
+ Maximize-Reliability (4)
+ Minimize-Cost (2)
+ Normal-Service (0) +The /etc/shorewall/tos file that is included with Shorewall contains - the following entries.
- -+ the following entries. + ++- +- -
-- -SOURCE -DEST -PROTOCOL -SOURCE -
- PORT(S)DEST PORT(S) -TOS -- -all -all -tcp -- -ssh -16 -- -all -all -tcp -ssh -- -16 -- -all -all -tcp -- -ftp -16 -- -all -all -tcp -ftp -- -16 -- -all -all -tcp -- -ftp-data -8 -- - - + +all -all -tcp -ftp-data -- -8 -+ +SOURCE +DEST +PROTOCOL +SOURCE +
+ PORT(S)DEST PORT(S) +TOS ++ +all +all +tcp +- +ssh +16 ++ +all +all +tcp +ssh +- +16 ++ +all +all +tcp +- +ftp +16 ++ +all +all +tcp +ftp +- +16 ++ +all +all +tcp +- +ftp-data +8 ++ + +all +all +tcp +ftp-data +- +8 +WARNING: Users have reported that odd routing problems result from - adding the ESP and AH protocols to the /etc/shorewall/tos -file.
- + adding the ESP and AH protocols to the /etc/shorewall/tos + file. +/etc/shorewall/blacklist
- +Each line in /etc/shorewall/blacklist contains an IP address, a MAC address in Shorewall Format - or + or subnet address. Example:
- +130.252.100.69- +
206.124.146.0/24Packets from hosts listed @@ -2782,128 +2801,132 @@ file.
the value assigned to the BLACKLIST_DISPOSITION - and BLACKLIST_LOGLEVEL variables in - /etc/shorewall/shorewall.conf. - Only - packets arriving - on interfaces - that - have the - 'blacklist' - option in - /etc/shorewall/interfaces - are - checked against the - blacklist. The black list is designed to prevent listed - hosts/subnets from accessing services on your network.
- - + and BLACKLIST_LOGLEVEL variables in + /etc/shorewall/shorewall.conf. + Only + packets arriving + on interfaces + that + have the + 'blacklist' + option in + /etc/shorewall/interfaces + are + checked against the + blacklist. The black list is designed to prevent listed + hosts/subnets from accessing services on your network.
+ +Beginning with Shorewall 1.3.8, the blacklist file has three columns:
- + +
--
- +- ADDRESS/SUBNET - As described -above.
-- PROTOCOL - Optional. If specified, - only packets specifying this protocol will be blocked.
-- PORTS - Optional; may only be -given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated - list of port numbers or service names (from /etc/services). If -present, only packets destined for the specified protocol and -one of the listed ports are blocked. When the PROTOCOL is icmp, the -PORTS column contains a comma-separated list of ICMP type numbers +
- ADDRESS/SUBNET - As described + above.
+- PROTOCOL - Optional. If specified, + only packets specifying this protocol will be blocked.
+- PORTS - Optional; may only +be given if PROTOCOL is tcp, udp or icmp. Expressed as a comma-separated + list of port numbers or service names (from /etc/services). If + present, only packets destined for the specified protocol and + one of the listed ports are blocked. When the PROTOCOL is icmp, +the PORTS column contains a comma-separated list of ICMP type numbers or names (see "iptables -h icmp").
- + +
-Shorewall also has a dynamic blacklist - capability.
- + capability. +IMPORTANT: The Shorewall blacklist file is NOT - designed to police your users' web browsing -- to do that, - I suggest that you install and configure Squid (http://www.squid-cache.org).
- +/etc/shorewall/rfc1918 (Added in Version 1.3.1)
- +This file lists the subnets affected by the norfc1918 - interface option. Columns in the file are:
- + interface option. Columns in the file are: +-
+ + +- SUBNET - The subnet -using VLSM notation (e.g., 192.168.0.0/16).
-- TARGET - What -to do with packets to/from the SUBNET: +
- SUBNET - The subnet + using VLSM notation (e.g., 192.168.0.0/16).
+- TARGET - +What to do with packets to/from the SUBNET: +
- --
-- RETURN - Process -the packet normally thru the rules and policies.
-- DROP - Silently -drop the packet.
-- logdrop - Log then -drop the packet -- see the RFC1918_LOG_LEVEL -parameter above.
- +- RETURN - Process + the packet normally thru the rules and policies.
+- DROP - Silently + drop the packet.
+- logdrop - Log +then drop the packet -- see the RFC1918_LOG_LEVEL + parameter above.
+/etc/shorewall/routestopped (Added in Version - 1.3.4)
- + 1.3.4) +This file defines the hosts that are accessible from the firewall when - the firewall is stopped. Columns in the file are:
- + the firewall is stopped. Columns in the file are: +-
- +- INTERFACE - The firewall - interface through which the host(s) comminicate with the firewall.
-- HOST(S) - (Optional) -- A comma-separated list of IP/Subnet addresses. If not supplied - or supplied as "-" then 0.0.0.0/0 is assumed.
- +- INTERFACE - The +firewall interface through which the host(s) comminicate +with the firewall.
+- HOST(S) - (Optional) + - A comma-separated list of IP/Subnet addresses. If not supplied + or supplied as "-" then 0.0.0.0/0 is assumed.
+Example: When your firewall is stopped, you want firewall accessibility - from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ - interfaces through eth1 and your local hosts through eth2.
- -+ from local hosts 192.168.1.0/24 and from your DMZ. Your DMZ + interfaces through eth1 and your local hosts through eth2. + ++- +- -
-- -INTERFACE -HOST(S) -- -eth2 -192.168.1.0/24 -- - - + +eth1 -- -+ +INTERFACE +HOST(S) ++ +eth2 +192.168.1.0/24 ++ + +eth1 +- +/etc/shorewall/maclist (Added in Version 1.3.10)
- This file is described in the MAC Validation Documentation.
- +/etc/shorewall/ecn (Added in Version 1.4.0)
- This file is described in the ECN Control Documentation.
-
- -Updated 4/11/2003 - Tom Eastep -
- +
+ +Updated 5/9/2003 - Tom Eastep +
+Copyright © 2001, 2002, 2003 Thomas M. Eastep.
+ +
-
+
diff --git a/Shorewall-docs/FAQ.htm b/Shorewall-docs/FAQ.htm index 42b172409..a23d7a211 100644 --- a/Shorewall-docs/FAQ.htm +++ b/Shorewall-docs/FAQ.htm @@ -1,1238 +1,1255 @@ - + - + - + - +Shorewall FAQ - + - +- -
- +- ++ + - - + + + +- Shorewall FAQs
-Looking for Step by Step Configuration Instructions? Check out the QuickStart Guides.
+ +
-PORT FORWARDING
- + + - + port 7777 to my my personal PC with IP address + 192.168.1.5. I've looked everywhere and can't find + how to do it. +
-1a. Ok -- I followed those instructions - but it doesn't work.
- + but it doesn't work.
-
+ +1b. I'm still having problems with - port forwarding
- + port forwarding + - + +DNS and PORT FORWARDING/NAT
- + + - + to www.mydomain.com (IP 130.151.100.69) to system + 192.168.1.5 in my local network. External clients + can browse http://www.mydomain.com but internal + clients can't. + - + subnet and I use static NAT to assign non-RFC1918 + addresses to hosts in Z. Hosts in Z cannot communicate + with each other using their external (non-RFC1918 addresses) + so they can't access each other using their DNS names. +
-NETMEETING/MSN
- + +
-3. I want to use Netmeeting - or MSN Instant Messenger with Shorewall. - What do I do?
- + or MSN Instant Messenger with Shorewall. + What do I do? +OPEN PORTS
- + + - + to check my firewall and it shows some ports + as 'closed' rather than 'blocked'. Why? +
-4a. I just ran an nmap UDP scan - of my firewall and it showed 100s of ports as open!!!!
- + of my firewall and it showed 100s of ports as +open!!!!
+ + 4b. I have a port that I can't close no matter how +I change my rules.CONNECTION PROBLEMS
- +5. I've installed Shorewall and now - I can't ping through the firewall
- + I can't ping through the firewall
-
- 15. My local systems can't see out -to the net
+
+ 15. My local systems can't see out + to the net +LOGGING
- + +
-6. Where are the log messages - written and how do I change the destination?
- + written and how do I change the destination? +6a. Are there any log parsers - that work with Shorewall?
- + that work with Shorewall? +6b. DROP messages on port 10619 are flooding the logs with their connect - requests. Can i exclude these error messages for this port temporarily - from logging in Shorewall?
- + requests. Can i exclude these error messages for this port temporarily + from logging in Shorewall?
-
+ + - + of these DROP messages from port 53 to some high numbered + port. They get dropped, but what the heck are they?
+ + - + in Shorewall log messages so long? I thought MAC addresses + were only 6 bytes in length.
+ +16. Shorewall is writing log messages - all over my console making it unusable!
- 17. -How do I find out why this traffic is -getting logged?
-
-
- 21. I see these strange log entries - occasionally; what are they?
- + all over my console making it unusable!
+ + 17. + How do I find out why this traffic is + getting logged?
+
+ 21. I see these strange log entries + occasionally; what are they?
+STARTING AND STOPPING
- + + - +
-8. When I try to start Shorewall - on RedHat I get messages about insmod failing - -- what's wrong?
- + on RedHat I get messages about insmod failing + -- what's wrong?
-
+ +8a. When I try to start Shorewall - on RedHat I get a message referring me to FAQ #8
- + on RedHat I get a message referring me to FAQ #8
-
+ +9. Why can't Shorewall detect - my interfaces properly at startup?
- 22. I have -some iptables commands that I want to run when Shorewall - starts. Which file do I put them in?
- + my interfaces properly at startup? + 22. I have + some iptables commands that I want to run when Shorewall + starts. Which file do I put them in?
+ABOUT SHOREWALL
- + +
-10. What distributions does - it work with?
- + it work with? +11. What features does it support?
- +12. Is there a GUI?
- +13. Why do you call it "Shorewall"?
- 23. Why do you use -such ugly fonts on your web site?
-
- 25. How to I tell which version of Shorewall - I am running?
- + 23. Why do you use + such ugly fonts on your web site?
+
+ 25. How to I tell which version of Shorewall + I am running?
+RFC 1918
- + + - + and it has an internel web server that allows +me to configure/monitor it but as expected if I enable + rfc1918 blocking for my eth0 interface, it also + blocks the cable modems web server. + - +
-ALIAS IP ADDRESSES/VIRTUAL INTERFACES
- 18. Is there any -way to use aliased ip addresses with Shorewall, and - maintain separate rulesets for different IPs?
-
- + + 18. Is there +any way to use aliased ip addresses with Shorewall, + and maintain separate rulesets for different IPs?
+MISCELLANEOUS
- 19. I have added entries to /etc/shorewall/tcrules - but they don't seem to do anything. Why?
-
-
- 20. I have - just set up a server. Do I have to change Shorewall to -allow access to my server from the internet?
-
- 24. How can I allow -conections to let's say the ssh port only from specific -IP Addresses on the internet?
-
-
-
- -
+ + 19. I have added entries to /etc/shorewall/tcrules + but they don't seem to do anything. Why?
+
+ 20. I +have just set up a server. Do I have to change Shorewall +to allow access to my server from the internet?
+
+ 24. How can I allow + conections to let's say the ssh port only from specific + IP Addresses on the internet?
+
+
+
+ +
1. I want to forward UDP port 7777 to - my my personal PC with IP address 192.168.1.5. I've - looked everywhere and can't find how to do it.
- + my my personal PC with IP address 192.168.1.5. +I've looked everywhere and can't find how to do it. +Answer: The first example in the rules file documentation shows how to - do port forwarding under Shorewall. The format of - a port-forwarding rule to a local system is as follows:
- -+ do port forwarding under Shorewall. The format +of a port-forwarding rule to a local system is as follows: + ++- +- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE - PORT -ORIG. - DEST. -- - - + id="AutoNumber1" cellspacing="1"> + +DNAT -net -loc:<local - IP address>[:<local port>] -<protocol> -<port - #> --
--
-+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE + PORT +ORIG. + DEST. ++ + +DNAT +net +loc:<local + IP address>[:<local port>] +<protocol> +<port + #> ++
++
+So to forward UDP port 7777 to internal system 192.168.1.5, - the rule is:
- -+ the rule is: + ++- +- -
-- -ACTION -SOURCE -DESTINATION -PROTOCOL -PORT -SOURCE - PORT -ORIG. - DEST. -- - - + id="AutoNumber1" cellspacing="1"> + +DNAT -net -loc:192.168.1.5 -udp -7777 --
--
-+ +ACTION +SOURCE +DESTINATION +PROTOCOL +PORT +SOURCE + PORT +ORIG. + DEST. ++ + +DNAT +net +loc:192.168.1.5 +udp +7777 ++
++
+If - you want to forward requests directed to a particular address - ( <external IP> ) on your firewall to an internal - system:- --
- 
- 
- 
- A couple of recent
-configuration changes at www.shorewall.net broke the
- Search facility:
- 
- 
- 
- 
- 
- 
- 
- 
- 
+ 
- 
- 
- 
- 
- 
- 
- 
+ 
+
- If you run LEAF Bering, your Shorewall configuration is NOT
-what I release -- I suggest that you consider installing a stock Shorewall
+ If you run LEAF Bering, your Shorewall configuration is NOT
+what I release -- I suggest that you consider installing a stock Shorewall
lrp from the shorewall.net site before you proceed.
- .
- 
- If your external interface is ppp0 or ippp0 then
+ If your external interface is ppp0 or ippp0 then
you will want to set CLAMPMSS=yes in 
- Edit the /etc/shorewall/interfaces file and define the network
- interfaces on your firewall and associate each interface with a zone.
- If you have a zone that is interfaced through more than one interface,
-simply include one entry for each interface and repeat the zone name as
+ Edit the /etc/shorewall/interfaces file and define the network
+ interfaces on your firewall and associate each interface with a zone.
+ If you have a zone that is interfaced through more than one interface,
+simply include one entry for each interface and repeat the zone name as
many times as necessary.
- 
- 
- 
- The Shorewall one-interface sample configuration assumes that the
- external interface is eth0. If your configuration is different,
- you will have to modify the sample /etc/shorewall/interfaces file accordingly.
- While you are there, you may wish to review the list of options that are
- specified for the interface. Some hints:
- 
- 
- 
- 
-