mirror of
https://gitlab.com/shorewall/code.git
synced 2025-06-27 05:01:37 +02:00
fixed quotes, add CVS Id
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@969 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
3a70dd9c48
commit
d5b6f09407
@ -2,6 +2,8 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article id="Multiple_Zones">
|
<article id="Multiple_Zones">
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Multiple Zones per Interface</title>
|
<title>Multiple Zones per Interface</title>
|
||||||
|
|
||||||
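Review bot: the `<!--$Id$-->` comment added after `<article id="Multiple_Zones">` will stay a literal `$Id$` unless the file's `svn:keywords` property includes `Id`; the `git-svn-id` trailer shows this tree is a Subversion checkout, where keyword expansion is off by default. Suggest setting the property on each of the four touched files in the same commit (`svn propset svn:keywords Id Multiple_Zones.xml` and so on), or noting that it is already set, otherwise the new comment carries no revision information.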
@ -26,8 +28,8 @@
|
|||||||
document under the terms of the GNU Free Documentation License, Version
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled "<ulink
|
Texts. A copy of the license is included in the section entitled
|
||||||
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -82,11 +84,11 @@
|
|||||||
|
|
||||||
<para><emphasis role="bold">These examples use the local zone but the same
|
<para><emphasis role="bold">These examples use the local zone but the same
|
||||||
technique works for any zone.</emphasis> Remember that Shorewall
|
technique works for any zone.</emphasis> Remember that Shorewall
|
||||||
doesn't have any conceptual knowledge of "Internet",
|
doesn't have any conceptual knowledge of <quote>Internet</quote>,
|
||||||
"Local", or "DMZ" so all zones except the firewall itself
|
<quote>Local</quote>, or <quote>DMZ</quote> so all zones except the
|
||||||
($FW) are the same as far as Shorewall is concerned. Also, the examples
|
firewall itself ($FW) are the same as far as Shorewall is concerned. Also,
|
||||||
use private (RFC 1918) addresses but public IP addresses can be used in
|
the examples use private (RFC 1918) addresses but public IP addresses can
|
||||||
exactly the same way.</para>
|
be used in exactly the same way.</para>
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
<section>
|
<section>
|
||||||
@ -95,9 +97,9 @@
|
|||||||
<para>Here is an example of a router in the local zone.</para>
|
<para>Here is an example of a router in the local zone.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para> the <emphasis role="bold">box called "Router" could be a
|
<para>the <emphasis role="bold">box called <quote>Router</quote> could
|
||||||
VPN server</emphasis> or other such device; from the point of view of
|
be a VPN server</emphasis> or other such device; from the point of view
|
||||||
this discussion, it makes no difference.</para>
|
of this discussion, it makes no difference.</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<graphic fileref="images/MultiZone1.png" />
|
<graphic fileref="images/MultiZone1.png" />
|
||||||
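Review bot: the rewrapped `<note>` now opens a sentence in lowercase: `<para>the <emphasis role="bold">box called <quote>Router</quote> could`. Dropping the stray leading space from the old line was right, but the first word should be capitalised. Suggest `<para>The <emphasis role="bold">box called <quote>Router</quote> could`.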
@ -145,8 +147,8 @@
|
|||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Set the 'routeback' and 'newnotsyn' options
|
<para>Set the <quote>routeback</quote> and <quote>newnotsyn</quote>
|
||||||
for eth1 (the local firewall interface) in
|
options for eth1 (the local firewall interface) in
|
||||||
/etc/shorewall/interfaces.</para>
|
/etc/shorewall/interfaces.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
@ -165,19 +167,19 @@
|
|||||||
<section>
|
<section>
|
||||||
<title>Nested Zones</title>
|
<title>Nested Zones</title>
|
||||||
|
|
||||||
<para>You can define one zone (called it 'loc') as being all
|
<para>You can define one zone (called it <quote>loc</quote>) as being
|
||||||
hosts connectied to eth1 and a second zone 'loc1'
|
all hosts connectied to eth1 and a second zone <quote>loc1</quote>
|
||||||
(192.168.2.0/24) as a sub-zone.</para>
|
(192.168.2.0/24) as a sub-zone.</para>
|
||||||
|
|
||||||
<graphic fileref="images/MultiZone1A.png" />
|
<graphic fileref="images/MultiZone1A.png" />
|
||||||
|
|
||||||
<para>The advantage of this approach is that the zone 'loc1'
|
<para>The advantage of this approach is that the zone <quote>loc1</quote>
|
||||||
can use CONTINUE policies such that if a connection request
|
can use CONTINUE policies such that if a connection request
|
||||||
doesn't match a 'loc1' rule, it will be matched against
|
doesn't match a <quote>loc1</quote> rule, it will be matched
|
||||||
the 'loc' rules. For example, if your loc1->net policy is
|
against the <quote>loc</quote> rules. For example, if your
|
||||||
CONTINUE then if a connection request from loc1 to the internet
|
loc1->net policy is CONTINUE then if a connection request from
|
||||||
doesn't match any rules for loc1->net then it will be checked
|
loc1 to the internet doesn't match any rules for loc1->net
|
||||||
against the loc->net rules.</para>
|
then it will be checked against the loc->net rules.</para>
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<title>/etc/shorewall/zones</title>
|
<title>/etc/shorewall/zones</title>
|
||||||
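Review bot: two pre-existing errors survive the rewrap of this paragraph: "called it <quote>loc</quote>" should read "call it", and "connectied" should be "connected". Since both lines are rewritten here anyway, fix them in this hunk: `<para>You can define one zone (call it <quote>loc</quote>) as being` and `all hosts connected to eth1 and a second zone <quote>loc1</quote>`.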
@ -274,8 +276,8 @@
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
<para>If you don't need Shorewall to set up infrastructure to
|
<para>If you don't need Shorewall to set up infrastructure to
|
||||||
route traffic between 'loc' and 'loc1', add these two
|
route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
|
||||||
policies:</para>
|
these two policies:</para>
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<title>/etc/shorewall/policy</title>
|
<title>/etc/shorewall/policy</title>
|
||||||
@ -435,8 +437,8 @@
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
<para>If you don't need Shorewall to set up infrastructure to
|
<para>If you don't need Shorewall to set up infrastructure to
|
||||||
route traffic between 'loc' and 'loc1', add these two
|
route traffic between <quote>loc</quote> and <quote>loc1</quote>, add
|
||||||
policies:</para>
|
these two policies:</para>
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<title>/etc/shorewall/policy</title>
|
<title>/etc/shorewall/policy</title>
|
||||||
@ -593,8 +595,8 @@
|
|||||||
</table>
|
</table>
|
||||||
|
|
||||||
<para>You probably don't want Shorewall to set up infrastructure to
|
<para>You probably don't want Shorewall to set up infrastructure to
|
||||||
route traffic between 'loc' and 'loc1' so you should add
|
route traffic between <quote>loc</quote> and <quote>loc1</quote> so you
|
||||||
these two policies:</para>
|
should add these two policies:</para>
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<title>/etc/shorewall/policy</title>
|
<title>/etc/shorewall/policy</title>
|
||||||
|
@ -2,6 +2,8 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article id="NAT">
|
<article id="NAT">
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>One-to-one NAT</title>
|
<title>One-to-one NAT</title>
|
||||||
|
|
||||||
@ -30,8 +32,8 @@
|
|||||||
document under the terms of the GNU Free Documentation License, Version
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled "<ulink
|
Texts. A copy of the license is included in the section entitled
|
||||||
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -113,25 +115,26 @@
|
|||||||
/etc/shorewall/masq or /etc/shorewall/proxyarp.</para>
|
/etc/shorewall/masq or /etc/shorewall/proxyarp.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>The "ALL INTERFACES" column is used to specify whether
|
<para>The <quote>ALL INTERFACES</quote> column is used to specify
|
||||||
access to the external IP from all firewall interfaces should undergo
|
whether access to the external IP from all firewall interfaces should
|
||||||
NAT (Yes or yes) or if only access from the interface in the INTERFACE
|
undergo NAT (Yes or yes) or if only access from the interface in the
|
||||||
column should undergo NAT. If you leave this column empty, "Yes"
|
INTERFACE column should undergo NAT. If you leave this column empty,
|
||||||
is assumed. The ALL INTERFACES column was added in version 1.1.6.
|
<quote>Yes</quote> is assumed. The ALL INTERFACES column was added in
|
||||||
<emphasis role="bold">Specifying "Yes" in this column will not
|
version 1.1.6. <emphasis role="bold">Specifying <quote>Yes</quote> in
|
||||||
allow systems on the lower LAN to access each other using their public
|
this column will not allow systems on the lower LAN to access each other
|
||||||
IP addresses.</emphasis> For example, the lower left-hand system
|
using their public IP addresses.</emphasis> For example, the lower
|
||||||
(10.1.1.2) cannot connect to 130.252.100.19 and expect to be connected
|
left-hand system (10.1.1.2) cannot connect to 130.252.100.19 and expect
|
||||||
to the lower right-hand system. <ulink url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
|
to be connected to the lower right-hand system. <ulink
|
||||||
|
url="FAQ.htm#faq2a">See FAQ 2a</ulink>.</para>
|
||||||
</note>
|
</note>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>Shorewall will automatically add the external address to the
|
<para>Shorewall will automatically add the external address to the
|
||||||
specified interface unless you specify <ulink
|
specified interface unless you specify <ulink
|
||||||
url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>="no" (or
|
url="Documentation.htm#Aliases">ADD_IP_ALIASES</ulink>=<quote>no</quote>
|
||||||
"No") in /etc/shorewall/shorewall.conf; If you do not set
|
(or <quote>No</quote>) in /etc/shorewall/shorewall.conf; If you do not
|
||||||
ADD_IP_ALIASES or if you set it to "Yes" or "yes" then
|
set ADD_IP_ALIASES or if you set it to <quote>Yes</quote> or
|
||||||
you must NOT configure your own alias(es).</para>
|
<quote>yes</quote> then you must NOT configure your own alias(es).</para>
|
||||||
|
|
||||||
<para><important><para>Shorewall versions earlier than 1.4.6 can only
|
<para><important><para>Shorewall versions earlier than 1.4.6 can only
|
||||||
add external addresses to an interface that is configured with a single
|
add external addresses to an interface that is configured with a single
|
||||||
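Review bot: the `ADD_IP_ALIASES` note keeps the punctuation error "/etc/shorewall/shorewall.conf; If you do not" (a semicolon followed by a capitalised clause). Suggest ending the sentence with a period: `(or <quote>No</quote>) in /etc/shorewall/shorewall.conf. If you do not`. Also, `ADD_IP_ALIASES` and its values are configuration tokens rather than quoted speech; `<varname>ADD_IP_ALIASES</varname>=<literal>no</literal>` would render them in monospace instead of curly quotes, and the same applies to the `Yes`/`yes` values in the ALL INTERFACES paragraph above.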
@ -141,13 +144,13 @@
|
|||||||
</note>
|
</note>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>The contents of the "LOCAL" column determine whether
|
<para>The contents of the <quote>LOCAL</quote> column determine whether
|
||||||
packets originating on the firewall itself and destined for the EXTERNAL
|
packets originating on the firewall itself and destined for the EXTERNAL
|
||||||
address are redirected to the internal ADDRESS. If this column contains
|
address are redirected to the internal ADDRESS. If this column contains
|
||||||
"yes" or "Yes" (and the ALL INTERFACES COLUMN also
|
<quote>yes</quote> or <quote>Yes</quote> (and the ALL INTERFACES COLUMN
|
||||||
contains "Yes" or "yes") then such packets are
|
also contains <quote>Yes</quote> or <quote>yes</quote>) then such
|
||||||
redirected; otherwise, such packets are not redirected. The LOCAL column
|
packets are redirected; otherwise, such packets are not redirected. The
|
||||||
was added in version 1.1.8.</para>
|
LOCAL column was added in version 1.1.8.</para>
|
||||||
</note>
|
</note>
|
||||||
</section>
|
</section>
|
||||||
</article>
|
</article>
|
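Review bot: the LOCAL column note refers to "the ALL INTERFACES COLUMN" in all capitals, while the surrounding text writes "INTERFACE column" and "LOCAL column". Suggest `(and the ALL INTERFACES column` for consistency, since only the column name, not the word "column", is a header.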
@ -2,6 +2,8 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article id="NetfilterOverview">
|
<article id="NetfilterOverview">
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>Netfilter Overview</title>
|
<title>Netfilter Overview</title>
|
||||||
|
|
||||||
@ -26,8 +28,8 @@
|
|||||||
document under the terms of the GNU Free Documentation License, Version
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled "<ulink
|
Texts. A copy of the license is included in the section entitled
|
||||||
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -76,8 +78,8 @@
|
|||||||
|
|
||||||
<graphic fileref="images/Netfilter.png" />
|
<graphic fileref="images/Netfilter.png" />
|
||||||
|
|
||||||
<para>"Local Process" means a process running on the Shorewall
|
<para><quote>Local Process</quote> means a process running on the
|
||||||
system itself.</para>
|
Shorewall system itself.</para>
|
||||||
|
|
||||||
<para>In the above diagram are boxes similar to this:</para>
|
<para>In the above diagram are boxes similar to this:</para>
|
||||||
|
|
||||||
@ -102,10 +104,10 @@
|
|||||||
</important>
|
</important>
|
||||||
|
|
||||||
<para>The above diagram should help you understand the output of
|
<para>The above diagram should help you understand the output of
|
||||||
"shorewall status".</para>
|
<quote>shorewall status</quote>.</para>
|
||||||
|
|
||||||
<para>Here are some excerpts from "shorewall status" on a server
|
<para>Here are some excerpts from <quote>shorewall status</quote> on a
|
||||||
with one interface (eth0):</para>
|
server with one interface (eth0):</para>
|
||||||
|
|
||||||
<programlisting>[root@lists html]# shorewall status
|
<programlisting>[root@lists html]# shorewall status
|
||||||
|
|
||||||
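Review bot: `<quote>shorewall status</quote>` wraps a command invocation in typographic quotes in both places this hunk touches. DocBook's `<command>shorewall status</command>` is the element for this and renders consistently with the `[root@lists html]# shorewall status` prompt in the `<programlisting>` that follows.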
@ -124,7 +126,7 @@ Counters reset Sat Oct 11 08:12:57 PDT 2003</programlisting>
|
|||||||
|
|
||||||
<para>The following rule indicates that all traffic destined for the
|
<para>The following rule indicates that all traffic destined for the
|
||||||
firewall that comes into the firewall on eth0 is passed to a chain called
|
firewall that comes into the firewall on eth0 is passed to a chain called
|
||||||
"eth0_in". That chain will be shown further down.</para>
|
<quote>eth0_in</quote>. That chain will be shown further down.</para>
|
||||||
|
|
||||||
<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
<programlisting> 785K 93M eth0_in all -- eth0 * 0.0.0.0/0 0.0.0.0/0
|
||||||
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
0 0 common all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
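Review bot: `<quote>eth0_in</quote>` quotes a netfilter chain name that appears verbatim in the rule listing directly below; `<literal>eth0_in</literal>` would render it in monospace and avoid curly quotes around an identifier. The same applies to the `<quote>dynamic</quote>` chain in the following hunk.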
@ -157,8 +159,8 @@ Chain OUTPUT (policy DROP 1 packets, 60 bytes)
|
|||||||
785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
|
785K 93M dynamic all -- * * 0.0.0.0/0 0.0.0.0/0
|
||||||
785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
|
785K 93M net2fw all -- * * 0.0.0.0/0 0.0.0.0/0</programlisting>
|
||||||
|
|
||||||
<para>The "dynamic" chain above is where dynamic blacklisting is
|
<para>The <quote>dynamic</quote> chain above is where dynamic blacklisting
|
||||||
done.</para>
|
is done.</para>
|
||||||
|
|
||||||
<para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>
|
<para>Next comes the <emphasis role="bold">Nat</emphasis> table:</para>
|
||||||
|
|
||||||
|
@ -2,6 +2,8 @@
|
|||||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
<article id="OPENVPN">
|
<article id="OPENVPN">
|
||||||
|
<!--$Id$-->
|
||||||
|
|
||||||
<articleinfo>
|
<articleinfo>
|
||||||
<title>OpenVPN Tunnels</title>
|
<title>OpenVPN Tunnels</title>
|
||||||
|
|
||||||
@ -34,8 +36,8 @@
|
|||||||
document under the terms of the GNU Free Documentation License, Version
|
document under the terms of the GNU Free Documentation License, Version
|
||||||
1.2 or any later version published by the Free Software Foundation; with
|
1.2 or any later version published by the Free Software Foundation; with
|
||||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||||
Texts. A copy of the license is included in the section entitled "<ulink
|
Texts. A copy of the license is included in the section entitled
|
||||||
url="GnuCopyright.htm">GNU Free Documentation License</ulink>".</para>
|
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||||
</legalnotice>
|
</legalnotice>
|
||||||
</articleinfo>
|
</articleinfo>
|
||||||
|
|
||||||
@ -65,8 +67,8 @@
|
|||||||
start and stop it.</para>
|
start and stop it.</para>
|
||||||
|
|
||||||
<para>On each firewall, you will need to declare a zone to represent the
|
<para>On each firewall, you will need to declare a zone to represent the
|
||||||
remote subnet. We'll assume that this zone is called 'vpn' and
|
remote subnet. We'll assume that this zone is called <quote>vpn</quote>
|
||||||
declare it in /etc/shorewall/zones on both systems as follows.</para>
|
and declare it in /etc/shorewall/zones on both systems as follows.</para>
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<title>/etc/shorewall/zones system A & B</title>
|
<title>/etc/shorewall/zones system A & B</title>
|
||||||
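Review bot: the table title `/etc/shorewall/zones system A & B` shows a bare `&` on both sides of the diff. If the file really contains `&` rather than `&amp;`, the document is not well-formed XML and will not parse; worth checking with `xmllint --noout` on the file, and the same title form appears again in the policy table of the last hunk.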
@ -288,9 +290,9 @@ key my-b.key
|
|||||||
comp-lzo
|
comp-lzo
|
||||||
verb 5</programlisting>
|
verb 5</programlisting>
|
||||||
|
|
||||||
<para>You will need to allow traffic between the "vpn" zone and
|
<para>You will need to allow traffic between the <quote>vpn</quote> zone
|
||||||
the "loc" zone on both systems -- if you simply want to admit all
|
and the <quote>loc</quote> zone on both systems -- if you simply want to
|
||||||
traffic in both directions, you can use the policy file:</para>
|
admit all traffic in both directions, you can use the policy file:</para>
|
||||||
|
|
||||||
<table>
|
<table>
|
||||||
<title>/etc/shorewall/policy system A & B</title>
|
<title>/etc/shorewall/policy system A & B</title>
|
||||||
|