mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-25 00:53:49 +01:00
Third batch of mindless ID changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@6696 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
3eda07bab4
commit
d6f388a755
@ -57,7 +57,7 @@
|
||||
the RPM, the tunnel script may be found in the Shorewall documentation
|
||||
directory (usually /usr/share/doc/shorewall-<version>/).</para>
|
||||
|
||||
<section>
|
||||
<section id="Bridged">
|
||||
<title>Bridging two Masqueraded Networks</title>
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
@ -80,7 +80,7 @@
|
||||
<quote>tunnel_type</quote> parameter to the type of tunnel that you want
|
||||
to create.</para>
|
||||
|
||||
<example>
|
||||
<example id="Tunnel">
|
||||
<title>/etc/shorewall/tunnel</title>
|
||||
|
||||
<programlisting>tunnel_type=gre</programlisting>
|
||||
@ -117,7 +117,7 @@ ipip net 134.28.54.2</programlisting>
|
||||
|
||||
<para>In the tunnel script on system A:</para>
|
||||
|
||||
<example>
|
||||
<example id="TunnelA">
|
||||
<title>tunnel script on system A</title>
|
||||
|
||||
<programlisting>tunnel=tosysb
|
||||
@ -143,7 +143,7 @@ ipip net 206.191.148.9</programlisting>
|
||||
|
||||
<para>And in the tunnel script on system B:</para>
|
||||
|
||||
<example>
|
||||
<example id="TunnelB">
|
||||
<title>tunnel script on system B</title>
|
||||
|
||||
<programlisting>tunnel=tosysa
|
||||
|
@ -45,7 +45,7 @@
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>Shorewall verions 2.2.0 and later include support for the ipp2p
|
||||
@ -57,7 +57,7 @@
|
||||
Mailing List.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Scope">
|
||||
<title>Scope</title>
|
||||
|
||||
<para>In the following files, the "PROTO" or "PROTOCOL" column may contain
|
||||
@ -87,7 +87,7 @@
|
||||
"ipp2p" is assumed (Shorewall will generate "-m ipp2p --ipp2p").</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Example">
|
||||
<title>Example:</title>
|
||||
|
||||
<para>Example 2 in the ipp2p documentation recommends the following
|
||||
|
@ -69,7 +69,7 @@
|
||||
using physdev match support</emphasis>"</ulink> article.</para>
|
||||
</warning>
|
||||
|
||||
<section>
|
||||
<section id="Overview">
|
||||
<title>Shorewall 3.0 and Kernel 2.6 IPSEC</title>
|
||||
|
||||
<para>This is <emphasis role="bold">not</emphasis> a HOWTO for Kernel 2.6
|
||||
@ -218,7 +218,7 @@
|
||||
configured.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="GwFw">
|
||||
<title>IPSec Gateway on the Firewall System</title>
|
||||
|
||||
<para>Suppose that we have the following sutuation:</para>
|
||||
@ -455,7 +455,7 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="RoadWarrior">
|
||||
<title>Mobile System (Road Warrior)</title>
|
||||
|
||||
<para>Suppose that you have a laptop system (B) that you take with you
|
||||
@ -464,7 +464,7 @@ sec ipsec mode=tunnel <emphasis role="bold">mss=1400</emphasis
|
||||
|
||||
<graphic fileref="images/Mobile.png" />
|
||||
|
||||
<example>
|
||||
<example id="roadWarrior">
|
||||
<title>Road Warrior VPN</title>
|
||||
|
||||
<para>You need to define a zone for the laptop or include it in your
|
||||
@ -648,7 +648,7 @@ RACOON=/usr/sbin/racoon</programlisting>
|
||||
</warning>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Transport">
|
||||
<title>Transport Mode</title>
|
||||
|
||||
<para>In today's wireless world, it is often the case that individual
|
||||
@ -764,7 +764,7 @@ all all REJECT info
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="XP">
|
||||
<title>IPSEC and <trademark>Windows</trademark> XP</title>
|
||||
|
||||
<para>I have successfully configured my work laptop to use IPSEC with
|
||||
@ -825,7 +825,7 @@ all all REJECT info
|
||||
</warning>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="More">
|
||||
<title>Source of Additional Samples</title>
|
||||
|
||||
<para>Be sure to check out the <filename
|
||||
|
@ -59,14 +59,14 @@
|
||||
Shorewall.</para>
|
||||
</warning>
|
||||
|
||||
<section>
|
||||
<section id="Prelim">
|
||||
<title>Preliminary Reading</title>
|
||||
|
||||
<para>I recommend reading the <ulink url="VPNBasics.html">VPN
|
||||
Basics</ulink> article if you plan to implement any type of VPN.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Swans">
|
||||
<title>Configuring FreeS/Wan and Derivatives Such as OpenS/Wan</title>
|
||||
|
||||
<para>There is an excellent guide to configuring IPSEC tunnels at <ulink
|
||||
@ -102,7 +102,7 @@ conn packetdefault
|
||||
</important>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="GwFw">
|
||||
<title>IPSec Gateway on the Firewall System</title>
|
||||
|
||||
<para>Suppose that we have the following sutuation:</para>
|
||||
@ -224,7 +224,7 @@ vpn loc ACCEPT</programlisting>
|
||||
url="http://www.xs4all.nl/%7Efreeswan/">FreeS/WAN</ulink>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Hub">
|
||||
<title>VPN Hub using Kernel 2.4</title>
|
||||
|
||||
<para>Shorewall can be used in a VPN Hub environment where multiple remote
|
||||
@ -355,7 +355,7 @@ vpn2 vpn1 ACCEPT</programlisting>
|
||||
</note>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="RoadWarrior">
|
||||
<title>Mobile System (Road Warrior) Using Kernel 2.4</title>
|
||||
|
||||
<para>Suppose that you have a laptop system (B) that you take with you
|
||||
@ -364,7 +364,7 @@ vpn2 vpn1 ACCEPT</programlisting>
|
||||
|
||||
<graphic fileref="images/Mobile.png" />
|
||||
|
||||
<example>
|
||||
<example id="roadWarrior">
|
||||
<title>Road Warrior VPN</title>
|
||||
|
||||
<para>You need to define a zone for the laptop or include it in your
|
||||
@ -396,7 +396,7 @@ ipsec net 0.0.0.0/0</programlisting>
|
||||
</example>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Dynamic">
|
||||
<title>Dynamic RoadWarrior Zones</title>
|
||||
|
||||
<para>Beginning with Shorewall release 1.3.10, you can define multiple VPN
|
||||
@ -433,22 +433,5 @@ ipsec net 0.0.0.0/0 vpn1,vpn2,vpn3</programlisting>
|
||||
<para>and the <quote>down</quote> part will:</para>
|
||||
|
||||
<programlisting>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2</programlisting>
|
||||
|
||||
<section>
|
||||
<title>Limitations of Dynamic Zones</title>
|
||||
|
||||
<para>If you include a dynamic zone in the exclude list of a DNAT rule,
|
||||
the dynamically-added hosts are not excluded from the rule.</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
|
||||
DNAT z!dyn loc:192.168.1.3 tcp 80</programlisting>
|
||||
|
||||
<example>
|
||||
<title>dyn=dynamic zone</title>
|
||||
|
||||
<para>Dynamic changes to the zone <emphasis role="bold">dyn</emphasis>
|
||||
will have no effect on the above rule.</para>
|
||||
</example>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
@ -1,78 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article>
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>Shorewall and the 2.6 Linux Kernel</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2003</year>
|
||||
|
||||
<year>2004</year>
|
||||
|
||||
<year>2005</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>General</title>
|
||||
|
||||
<para>Shorewall is compatible with the Linux 2.6 kernel series and
|
||||
contains support for the following features that are added in that
|
||||
series:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para><ulink url="netmap.html">NETMAP</ulink> Target Support.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="bridge.html">Bridge/Firewall</ulink> Support
|
||||
(physdev match support).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="traffic_shaping.htm">CLASSIFY</ulink> Target
|
||||
Support.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>IPSEC</title>
|
||||
|
||||
<para>The 2.6 Linux kernel introduces a new implementation of IPSEC which
|
||||
eliminates the <filename class="devicefile">ipsecN</filename> device
|
||||
names. Netfilter/iptables support for this new implementation is
|
||||
incomplete unless your kernel has been patched. For unpatched kernels, see
|
||||
the <ulink url="IPSEC.htm">Shorewall IPSEC documentation</ulink>
|
||||
(Shorewall support for IPSEC with unpatched 2.6 kernels is very limited).
|
||||
For patched 2.6 kernels (including those supplied with
|
||||
<trademark>SUSE</trademark> 9.2) see the <ulink
|
||||
url="IPSEC-2.6.html">Kernel 2.6 IPSEC documentation</ulink>.</para>
|
||||
</section>
|
||||
</article>
|
@ -70,7 +70,7 @@
|
||||
<ulink url="OPENVPN.html">OpenVPN</ulink>.</emphasis></para>
|
||||
</important>
|
||||
|
||||
<section>
|
||||
<section id="Components">
|
||||
<title>Components</title>
|
||||
|
||||
<para>There are six components to this facility.</para>
|
||||
@ -154,7 +154,7 @@
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="maclist">
|
||||
<title>/etc/shorewall/maclist</title>
|
||||
|
||||
<para>The columns in /etc/shorewall/maclist are:</para>
|
||||
@ -203,12 +203,11 @@
|
||||
</variablelist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Examples">
|
||||
<title>Examples</title>
|
||||
|
||||
<example>
|
||||
<title>Here are my files (look <ulink url="myfiles.htm">here</ulink> for
|
||||
details about my setup)</title>
|
||||
<example id="Example1">
|
||||
<title>Here are my files</title>
|
||||
|
||||
<para>/etc/shorewall/shorewall.conf:</para>
|
||||
|
||||
@ -245,7 +244,7 @@ $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
|
||||
</note></para>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
<example id="Example2">
|
||||
<title>Router in Wireless Zone</title>
|
||||
|
||||
<para>Suppose now that I add a second wireless segment to my wireless
|
||||
@ -264,4 +263,4 @@ $WIFI_IF 00:1f:79:cd:fe:2e 192.168.3.6 #Work Laptop
|
||||
of the host sending the traffic.</para>
|
||||
</example>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
@ -47,7 +47,7 @@
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<section id="Overview">
|
||||
<title>Overview of Shorewall Macros?</title>
|
||||
|
||||
<para>Shorewall macros allow a symbolic name to be associated with a
|
||||
@ -266,9 +266,11 @@ ACCEPT fw loc tcp 135,139,445</programlisting>
|
||||
<para>Shorewall versions 3.4 and later include standard 'Reject' and
|
||||
'Drop' macros that are equivalent to the 'Reject' and 'Drop'
|
||||
actions.</para>
|
||||
|
||||
<para>Default Macros are not supported by Shorewall-perl.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Defining">
|
||||
<title>Defining your own Macros</title>
|
||||
|
||||
<para>To define a new macro:</para>
|
||||
@ -572,7 +574,7 @@ bar:debug</programlisting>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="ActionOrMacro">
|
||||
<title>How do I know if I should create an Action or a Macro?</title>
|
||||
|
||||
<para>While actions and macros perform similar functions, in any given
|
||||
@ -597,4 +599,4 @@ bar:debug</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
@ -34,7 +34,7 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>One of the major changes in Shorewall version 3.4 involved breaking
|
||||
@ -46,9 +46,9 @@
|
||||
nothing but function declarations. Shorewall libraries may be loaded into
|
||||
a running shell program using the shell's "." operator. The library files
|
||||
have names which begin with "lib." and are installed in <filename
|
||||
class="directory">/usr/share/shorewall/</filename>. </para>
|
||||
class="directory">/usr/share/shorewall/</filename>.</para>
|
||||
|
||||
<para> Individual libraries are of one of two classes. The first class of
|
||||
<para>Individual libraries are of one of two classes. The first class of
|
||||
libraries are <firstterm>required libraries</firstterm> which, as their
|
||||
name implies, must be included in any Shorewall installation. The other
|
||||
libraries are <firstterm>optional libraries</firstterm> that implement a
|
||||
@ -56,7 +56,7 @@
|
||||
based on the requirements of the individual installation.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Required">
|
||||
<title>Required Libraries</title>
|
||||
|
||||
<para>Shorewall 3.4 includes the following required libraries.</para>
|
||||
@ -84,7 +84,7 @@
|
||||
Shorewall Lite systems.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Optional">
|
||||
<title>Optional Libraries</title>
|
||||
|
||||
<para>Optional libraries are loaded upon demand based on the user's
|
||||
|
@ -73,7 +73,7 @@
|
||||
</itemizedlist>
|
||||
</warning>
|
||||
|
||||
<section>
|
||||
<section id="Support">
|
||||
<title>Multiple Internet Connection Support</title>
|
||||
|
||||
<para>Beginning with Shorewall 2.3.2, limited support is included for
|
||||
@ -102,7 +102,7 @@
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<section>
|
||||
<section id="Overview">
|
||||
<title>Overview</title>
|
||||
|
||||
<para>Let's assume that a firewall is connected via two separate
|
||||
@ -182,7 +182,7 @@
|
||||
example.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="providers">
|
||||
<title>/etc/shorewall/providers File</title>
|
||||
|
||||
<para>Entries in this file have the following columns. As in all
|
||||
@ -444,7 +444,7 @@
|
||||
</variablelist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Providers">
|
||||
<title>What an entry in the Providers File Does</title>
|
||||
|
||||
<para>Adding another entry in the providers file simply creates an
|
||||
@ -595,7 +595,7 @@ done</programlisting>
|
||||
</warning>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Provider_Doesnt">
|
||||
<title>What an entry in the Providers File Does NOT Do</title>
|
||||
|
||||
<para>Given that Shorewall is simply a tool to configure Netfilter and
|
||||
@ -670,8 +670,8 @@ DROP:info net:192.168.1.0/24 all</programlisting>
|
||||
<emphasis>net</emphasis> in the SOURCE column.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Example</title>
|
||||
<section id="Example1">
|
||||
<title id="Example">Example</title>
|
||||
|
||||
<para>The configuration in the figure at the top of this section would
|
||||
be specified in <filename>/etc/shorewall/providers</filename> as
|
||||
@ -784,7 +784,7 @@ eth1 eth2 130.252.99.27</programlisting>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="route_rules">
|
||||
<title>/etc/shorewall/route_rules</title>
|
||||
|
||||
<para>The <filename>/etc/shorewall/route_rules</filename> file was added
|
||||
@ -810,7 +810,7 @@ eth1 eth2 130.252.99.27</programlisting>
|
||||
Does</emphasis></link>.</para>
|
||||
</warning>
|
||||
|
||||
<section>
|
||||
<section id="Routing_rules">
|
||||
<title>Routing Rules</title>
|
||||
|
||||
<para>Routing rules are maintained by the Linux kernel and can be
|
||||
@ -832,7 +832,7 @@ gateway:~ #</programlisting>
|
||||
with MARK 1 going to Blarg and mark 2 going to Comcast.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="route_rules_columns">
|
||||
<title>Columns in the route_rules file</title>
|
||||
|
||||
<para>Columns in the file are:</para>
|
||||
@ -928,4 +928,4 @@ gateway:~ #</programlisting>Note that because we used a priority of 1000, the
|
||||
</section>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
@ -41,7 +41,7 @@
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<section id="Intro">
|
||||
<title>Introduction</title>
|
||||
|
||||
<para>While most configurations can be handled with each of the firewall's
|
||||
@ -103,7 +103,7 @@
|
||||
be used in exactly the same way.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Router">
|
||||
<title>Router in the Local Zone</title>
|
||||
|
||||
<para>Here is an example of a router in the local zone.</para>
|
||||
@ -116,7 +116,7 @@
|
||||
|
||||
<graphic fileref="images/MultiZone1.png" />
|
||||
|
||||
<section>
|
||||
<section id="Standard">
|
||||
<title>Can You Use the Standard Configuration?</title>
|
||||
|
||||
<para>In many cases, the <ulink url="two-interface.htm">standard
|
||||
@ -141,7 +141,7 @@
|
||||
restart Shorewall.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Enough">
|
||||
<title>Will One Zone be Enough?</title>
|
||||
|
||||
<para>If the firewalling requirements for the two local networks is the
|
||||
@ -170,13 +170,13 @@
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Separate">
|
||||
<title>I Need Separate Zones</title>
|
||||
|
||||
<para>If you need to make 192.168.2.0/24 into its own zone, you can do
|
||||
it one of two ways; Nested Zones or Parallel Zones.</para>
|
||||
|
||||
<section>
|
||||
<section id="Nested">
|
||||
<title>Nested Zones</title>
|
||||
|
||||
<para>You can define one zone (called it <quote>loc</quote>) as being
|
||||
@ -225,7 +225,7 @@ loc loc1 NONE
|
||||
loc1 loc NONE</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Parallel">
|
||||
<title>Parallel Zones</title>
|
||||
|
||||
<para>You define both zones in the /etc/shorewall/hosts file to create
|
||||
@ -265,7 +265,7 @@ loc2 loc1 NONE</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Special">
|
||||
<title>Some Hosts have Special Firewalling Requirements</title>
|
||||
|
||||
<para>There are cases where a subset of the addresses associated with an
|
||||
|
@ -41,7 +41,7 @@
|
||||
release.</emphasis></para>
|
||||
</caution>
|
||||
|
||||
<section>
|
||||
<section id="One-to-one">
|
||||
<title>One-to-one NAT</title>
|
||||
|
||||
<important>
|
||||
@ -130,7 +130,7 @@
|
||||
ACCEPT net loc:10.1.1.2 tcp 80 - 130.252.100.18</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="ARP">
|
||||
<title>ARP cache</title>
|
||||
|
||||
<para>A word of warning is in order here. ISPs typically configure their
|
||||
|
@ -85,14 +85,14 @@
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<section>
|
||||
<section id="Prelim">
|
||||
<title>Preliminary Reading</title>
|
||||
|
||||
<para>I recommend reading the <ulink url="VPNBasics.html">VPN
|
||||
Basics</ulink> article if you plan to implement any type of VPN.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Routed">
|
||||
<title>Bridging two Masqueraded Networks</title>
|
||||
|
||||
<para>Suppose that we have the following situation:</para>
|
||||
@ -243,7 +243,7 @@ vpn loc ACCEPT</programlisting>
|
||||
the two masqueraded subnetworks can now talk to each other.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="RoadWarrior">
|
||||
<title>Roadwarrior</title>
|
||||
|
||||
<para>OpenVPN 2.0 provides excellent support for roadwarriors. Consider
|
||||
@ -466,7 +466,7 @@ verb 3</programlisting>
|
||||
have the IP address 192.168.1.8 regardless.</para>
|
||||
</note>
|
||||
|
||||
<section>
|
||||
<section id="bridge">
|
||||
<title>Configuring the Bridge</title>
|
||||
|
||||
<para>The firewall ran Debian Sarge so the bridge was defined in
|
||||
@ -495,20 +495,19 @@ iface br0 inet static
|
||||
zone.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="openvpn">
|
||||
<title>Configuring OpenVPN</title>
|
||||
|
||||
<para>We used X.509 certificates for authentication.</para>
|
||||
|
||||
<section>
|
||||
<section id="server">
|
||||
<title>Firewall (Server) configuration.</title>
|
||||
|
||||
<para>/etc/openvpn/server-bridge.conf defined a bridge and reserved IP
|
||||
addresses 192.168.1.64-192.168.1.71 for VPN clients. Note that the
|
||||
bridge server only used local IP address 192.168.3.254. We ran two
|
||||
instances of OpenVPN; this one and a second tunnel-mode instance for
|
||||
remote access (see <ulink url="myfiles.htm">this
|
||||
article</ulink>).</para>
|
||||
remote access.</para>
|
||||
|
||||
<para></para>
|
||||
|
||||
@ -553,7 +552,7 @@ verb 3</programlisting>
|
||||
<programlisting>ifconfig-push 192.168.1.8 255.255.255.0</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="tipper">
|
||||
<title>Tipper Configuration</title>
|
||||
|
||||
<para>/etc/openvpn/wireless.conf:</para>
|
||||
@ -587,7 +586,7 @@ mute-replay-warnings
|
||||
verb 3</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="XP">
|
||||
<title>Eastepnc6000 (Windows XP) Configuration</title>
|
||||
|
||||
<para>C:\Program Files\Openvpn\config\homewireless.ovpn:</para>
|
||||
@ -619,7 +618,7 @@ persist-key
|
||||
verb 3</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Linux">
|
||||
<title>Eastepnc6000 (SUSE 10.0) Configuration</title>
|
||||
|
||||
<para>The configuration was the same as shown above only with
|
||||
@ -628,7 +627,7 @@ verb 3</programlisting>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Shorewall">
|
||||
<title>Configuring Shorewall</title>
|
||||
|
||||
<para>In this configuration, we didn't need any firewalling between the
|
||||
@ -639,10 +638,10 @@ verb 3</programlisting>
|
||||
to configure Shorewall as shown in the <ulink
|
||||
url="bridge.html">Bridge/Firewall documentation</ulink>.</para>
|
||||
|
||||
<section>
|
||||
<section id="FW">
|
||||
<title>Firewall</title>
|
||||
|
||||
<section>
|
||||
<section id="interfaces">
|
||||
<title>/etc/shorewall/interfaces</title>
|
||||
|
||||
<para>Note that the bridge (br0) is defined as the interface to the
|
||||
@ -657,7 +656,7 @@ Wifi eth0 192.168.3.255 dhcp,maclist
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="tunnels">
|
||||
<title>/etc/shorewall/tunnels</title>
|
||||
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY
|
||||
@ -667,7 +666,7 @@ openvpnserver:1194 Wifi 192.168.3.0/24
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Tipper">
|
||||
<title>Tipper</title>
|
||||
|
||||
<para>Wireless networks pose a threat to all systems that are
|
||||
@ -675,7 +674,7 @@ openvpnserver:1194 Wifi 192.168.3.0/24
|
||||
Eastepnc6000 ran <trademark>Sygate</trademark> Security Agent and
|
||||
Tipper ran a Shorewall-based Netfilter firewall.</para>
|
||||
|
||||
<section>
|
||||
<section id="zones">
|
||||
<title>/etc/shorewall/zones</title>
|
||||
|
||||
<programlisting>#ZONE TYPE OPTIONS IN OUT
|
||||
@ -686,7 +685,7 @@ net ipv4
|
||||
</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="interfaces1">
|
||||
<title>/etc/shorewall/interfaces</title>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
@ -696,7 +695,7 @@ net eth0 detect routefilter,dhcp,tcpflags
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="policy">
|
||||
<title>/etc/shorewall/policy</title>
|
||||
|
||||
<para>Since we didn't expect any traffic between the <emphasis
|
||||
|
@ -34,7 +34,7 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<section id="Ipsets">
|
||||
<title>What are Ipsets?</title>
|
||||
|
||||
<para>Ipsets are an extention to Netfilter/iptables that are currently
|
||||
@ -67,7 +67,7 @@
|
||||
ipsets.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Support">
|
||||
<title>Shorewall Support for Ipsets</title>
|
||||
|
||||
<para>Support for ipsets was introduced in Shorewall version 2.3.0. In
|
||||
@ -119,8 +119,8 @@ ACCEPT +sshok $FW tcp 22</programlisting></para>
|
||||
"shorewall save" will save the contents of your ipsets. The file where the
|
||||
sets are saved is formed by taking the name where the Shorewall
|
||||
configuration is stored and appending "-ipsets". So if you enter the
|
||||
command "shorewall save standard" then Shorewall will save the file as
|
||||
/var/lib/shorewall/standard-ipsets</para>
|
||||
command "shorewall save standard" then Shorewall will save the file as
|
||||
/var/lib/shorewall/standard-ipsets</para>
|
||||
|
||||
<para>Regardless of the setting of SAVE_IPSETS, the <command>shorewall -f
|
||||
start</command> and <command>shorewall restore</command> commands will
|
||||
@ -187,7 +187,7 @@ ipset -B Blacklist 206.124.146.177 -b SMTP</command></programlisting>
|
||||
<para>Now only port 25 will be blocked from 206.124.146.177.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Dynamic">
|
||||
<title>Defining Dynamic Zones using Ipsets</title>
|
||||
|
||||
<para>The use of ipsets provides a much better way to define dynamic zones
|
||||
@ -214,4 +214,4 @@ dyn eth3:+Dyn</programlisting>
|
||||
you're all set. You can add and delete addresses from Dyn without having
|
||||
to touch Shorewall.</para>
|
||||
</section>
|
||||
</article>
|
||||
</article>
|
@ -40,7 +40,7 @@
|
||||
url="http://www.kernelnewbies.org">http://www.kernelnewbies.org</ulink>.</para>
|
||||
</note>
|
||||
|
||||
<section>
|
||||
<section id="Network">
|
||||
<title>Network Options Configuration</title>
|
||||
|
||||
<para>Here's a screen shot of my Network Options Configuration:<graphic
|
||||
@ -83,7 +83,7 @@
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Netfilter">
|
||||
<title>Netfilter Configuration</title>
|
||||
|
||||
<para>Here's a screen shot of my Netfilter configuration:<graphic
|
||||
@ -151,7 +151,7 @@ CONFIG_IP_NF_ARPFILTER=m
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Netfilter-2.6">
|
||||
<title>Kernel 2.6 Netfilter Options</title>
|
||||
|
||||
<para>Here's a screenshot of my modularized 2.6 Kernel config (Navigation:
|
||||
@ -244,7 +244,7 @@ CONFIG_BRIDGE_NF_EBTABLES=m
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="Kernel-2.6.16">
|
||||
<title>Kernel 2.6.16 and Later Netfilter Options</title>
|
||||
|
||||
<para>Here's a screenshot of my modularized 2.6.16 Kernel config
|
||||
|
936
docs/myfiles.xml
936
docs/myfiles.xml
@ -1,936 +0,0 @@
|
||||
<?xml version="1.0" encoding="UTF-8"?>
|
||||
<!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<article>
|
||||
<!--$Id$-->
|
||||
|
||||
<articleinfo>
|
||||
<title>About My Network</title>
|
||||
|
||||
<authorgroup>
|
||||
<author>
|
||||
<firstname>Tom</firstname>
|
||||
|
||||
<surname>Eastep</surname>
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate><?dbtimestamp format="Y/m/d"?></pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2006</year>
|
||||
|
||||
<holder>Thomas M. Eastep</holder>
|
||||
</copyright>
|
||||
|
||||
<legalnotice>
|
||||
<para>Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<title>My Current Network</title>
|
||||
|
||||
<caution>
|
||||
<para>I use a combination of One-to-one NAT and Xen paravirtualization,
|
||||
neither of which are relevant to a simple configuration with a single
|
||||
public IP address. If you have just a single public IP address, most of
|
||||
what you see here won't apply to your setup so beware of copying parts
|
||||
of this configuration and expecting them to work for you. What you copy
|
||||
may or may not work in your environment.</para>
|
||||
</caution>
|
||||
|
||||
<caution>
|
||||
<para>The configuration shown here corresponds to Shorewall version
|
||||
3.0.3. My configuration uses features not available in earlier Shorewall
|
||||
releases.</para>
|
||||
</caution>
|
||||
|
||||
<para>I have DSL service with 5 static IP addresses (206.124.146.176-180).
|
||||
My DSL <quote>modem</quote> (<ulink
|
||||
url="http://www.westell.com/pages/index.jsp">Westell</ulink> 2200) is
|
||||
connected to eth2 and has IP address 192.168.1.1 (factory default). The
|
||||
modem is configured in <quote>bridge</quote> mode so PPPoE is not
|
||||
involved. I have a local network connected to eth1 which is bridged to
|
||||
interface tun0 via bridge br0 (subnet 192.168.1.0/24) and a wireless
|
||||
network (192.168.3.0/24) connected to eth0.</para>
|
||||
|
||||
<para>In this configuration:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>I use one-to-one NAT for <emphasis>"Ursa"</emphasis> (my
|
||||
personal system that run SUSE 10.0) - Internal address 192.168.1.5 and
|
||||
external address 206.124.146.178.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>I use one-to-one NAT for "<emphasis>lists</emphasis>" (My server
|
||||
system that runs SUSE 10.0 in a Xen virtual system on
|
||||
<emphasis>ursa</emphasis>) - Internal address 192.168.1.7 and external
|
||||
address 206.124.146.177.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>I use one-to-one NAT for <emphasis>"Eastepnc6000</emphasis>" (My
|
||||
work system -- Windows XP SP1/SUSE 10.0). Internal address 192.168.1.6
|
||||
and external address 206.124.146.180.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>use SNAT through 206.124.146.179 for my Wife's Windows XP
|
||||
system <quote><emphasis>Tarry</emphasis></quote> and our SUSE 10.0
|
||||
laptop <quote><emphasis>Tipper</emphasis></quote> which connects
|
||||
through the Wireless Access Point (wap).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>The firewall runs on a Celeron 1.4Ghz under SUSE 10.0.</para>
|
||||
|
||||
<para><emphasis>Ursa</emphasis> runs Samba for file sharing with the
|
||||
Windows systems and is configured as a Wins server.</para>
|
||||
|
||||
<para>The wireless network connects to the firewall's eth0 via a LinkSys
|
||||
WAP11. In additional to using the rather weak WEP 40-bit encryption
|
||||
(64-bit with the 24-bit preamble), I use <ulink
|
||||
url="MAC_Validation.html">MAC verification</ulink> and <ulink
|
||||
url="OPENVPN.html#Bridge">OpenVPN in bridge mode</ulink>.</para>
|
||||
|
||||
<para>The server in runs <ulink
|
||||
url="http://www.postfix.org">Postfix</ulink>, <ulink
|
||||
url="http://www.courier-mta.org/imap/">Courier IMAP</ulink> (imap and
|
||||
imaps), <ulink url="http://www.isc.org/sw/bind/">DNS (Bind 9)</ulink>, a
|
||||
<ulink url="http://www.apache.org">Web server (Apache)</ulink> and an
|
||||
<ulink url="http://www.pureftpd.org/">FTP server
|
||||
(Pure-ftpd)</ulink>.</para>
|
||||
|
||||
<para>The firewall system itself runs a <ulink
|
||||
url="http://www.isc.org/sw/dhcp/">DHCP server</ulink> that serves the
|
||||
local and wireless networks.</para>
|
||||
|
||||
<para>All administration and publishing is done using ssh/scp. I have a
|
||||
desktop environment installed on the firewall but I usually don't start
|
||||
it. X applications tunnel through SSH to <emphasis>Ursa</emphasis> or one
|
||||
of the laptops. The server also has a desktop environment installed but it
|
||||
is never started. For the most part, X tunneled through SSH is used for
|
||||
server administration and the server runs at run level 3 (multi-user
|
||||
console mode on SUSE).</para>
|
||||
|
||||
<para>In addition to the OpenVPN bridge, the firewall hosts an OpenVPN
|
||||
Tunnel server for VPN access from our second home in <ulink
|
||||
url="http://www.omakchamber.com/">Omak, Washington</ulink> or when we are
|
||||
otherwise out of town.</para>
|
||||
|
||||
<para><graphic align="center" fileref="images/network.png" /><note>
|
||||
<para><emphasis>Eastepnc6000</emphasis> is shown in both the local LAN
|
||||
and in the Wifi zone with IP address 192.168.1.6 -- clearly, the
|
||||
computer can only be in one place or the other.
|
||||
<emphasis>Tipper</emphasis> can also be in either place and will have
|
||||
the IP address 192.168.1.8 regardless.</para>
|
||||
</note></para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Ursa (Xen) Configuration</title>
|
||||
|
||||
<para>Ursa runs two domains. Domain 0 is my personal Linux desktop
|
||||
environment. The other domains comprise my DMZ. There is currently only
|
||||
one system (lists) in the DMZ.</para>
|
||||
|
||||
<graphic align="center" fileref="images/Xen3.png" />
|
||||
|
||||
<para>Ursa's Shorewall configuration is described in <ulink
|
||||
url="Xen.html">the article about Xen and Shorewall</ulink>.</para>
|
||||
|
||||
<para>About the only thing that is unique about the configuration of
|
||||
Domain 1 (lists) is that its (virtualized) eth0 has two addresses:</para>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>192.168.1.7/24</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>206.124.146.177/32</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
<para>This prevents the DNS server from getting confused due to the fact
|
||||
that the two different views have a different IP addresses for the primary
|
||||
name server for the domain shorewall.net.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Firewall Configuration</title>
|
||||
|
||||
<section>
|
||||
<title>Shorewall.conf</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>STARTUP_ENABLED=Yes
|
||||
LOGFILE=/var/log/messages
|
||||
LOGFORMAT="Shorewall:%s:%s:"
|
||||
LOGTAGONLY=No
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
LOGALLNEW=
|
||||
BLACKLIST_LOGLEVEL=
|
||||
MACLIST_LOG_LEVEL=$LOG
|
||||
TCP_FLAGS_LOG_LEVEL=$LOG
|
||||
RFC1918_LOG_LEVEL=$LOG
|
||||
SMURF_LOG_LEVEL=$LOG
|
||||
LOG_MARTIANS=No
|
||||
IPTABLES=
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
SHOREWALL_SHELL=/bin/dash
|
||||
SUBSYSLOCK=
|
||||
MODULESDIR=
|
||||
CONFIG_PATH=/etc/shorewall:/usr/share/shorewall
|
||||
RESTOREFILE=standard
|
||||
IPSECFILE=zones
|
||||
FW=
|
||||
IP_FORWARDING=On
|
||||
ADD_IP_ALIASES=No
|
||||
ADD_SNAT_ALIASES=No
|
||||
RETAIN_ALIASES=Yes
|
||||
TC_ENABLED=Internal
|
||||
CLEAR_TC=Yes
|
||||
MARK_IN_FORWARD_CHAIN=Yes
|
||||
CLAMPMSS=Yes
|
||||
ROUTE_FILTER=No
|
||||
DETECT_DNAT_IPADDRS=Yes
|
||||
MUTEX_TIMEOUT=60
|
||||
ADMINISABSENTMINDED=Yes
|
||||
BLACKLISTNEWONLY=Yes
|
||||
DELAYBLACKLISTLOAD=No
|
||||
MODULE_SUFFIX=
|
||||
DISABLE_IPV6=Yes
|
||||
BRIDGING=No
|
||||
DYNAMIC_ZONES=No
|
||||
PKTTYPE=No
|
||||
RFC1918_STRICT=Yes
|
||||
MACLIST_TTL=60
|
||||
SAVE_IPSETS=No
|
||||
MAPOLDACTIONS=No
|
||||
FASTACCEPT=No
|
||||
BLACKLIST_DISPOSITION=DROP
|
||||
MACLIST_TABLE=mangle
|
||||
MACLIST_DISPOSITION=DROP
|
||||
TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Params File (Edited)</title>
|
||||
|
||||
<blockquote>
|
||||
<para><programlisting>NTPSERVERS=<list of NTP server IP addresses>
|
||||
POPSERVERS=<list of external POP3 servers accessed by fetchmail running on the DMZ server>
|
||||
LOG=info
|
||||
WIFI_IF=eth0
|
||||
EXT_IF=eth2
|
||||
INT_IF=br0
|
||||
OMAK=<ip address of the gateway at our second home>
|
||||
MIRRORS=<list IP addresses of Shorewall mirrors></programlisting></para>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Zones File</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ZONE TYPE OPTTIONS IN OUT
|
||||
# OPTIONS OPTIONS
|
||||
fw firewall
|
||||
net ipv4
|
||||
loc ipv4
|
||||
dmz:loc ipv4
|
||||
vpn ipv4
|
||||
Wifi ipv4
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Interfaces File</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net $EXT_IF 206.124.146.255 dhcp,norfc1918,logmartians,blacklist,tcpflags,nosmurfs
|
||||
loc $INT_IF detect dhcp,routeback
|
||||
vpn tun+ -
|
||||
Wifi $WIFI_IF - dhcp,maclist
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Hosts File</title>
|
||||
|
||||
<para>This file is used to define the dmz zone -- the single (virtual)
|
||||
system with internal IP address 192.168.1.7.</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ZONE HOST(S) OPTIONS
|
||||
dmz $INT_IF:192.168.1.7
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS LINE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Routestopped File</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#INTERFACE HOST(S) OPTIONS
|
||||
$INT_IF - source,dest
|
||||
$WIFI_IF - source,dest
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Providers File</title>
|
||||
|
||||
<blockquote>
|
||||
<para>This entry isn't necessary but it allows me to smoke test
|
||||
parsing of the providers file.</para>
|
||||
|
||||
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
|
||||
Blarg 1 1 main $EXT_IF 206.124.146.254 track,balance=1 $INT_IF,$WIFI_IF,tun0
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Blacklist File (Edited)</title>
|
||||
|
||||
<blockquote>
|
||||
<para>I blacklist a number of ports globally to cut down on the amount
|
||||
of noise in my firewall log. Note that the syntax shown below was
|
||||
introduced in Shorewall 3.0.3 ("-" in the ADDRESS/SUBNET column);
|
||||
earlier versions must use "0.0.0.0/0".</para>
|
||||
|
||||
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
|
||||
- udp 1024:1033
|
||||
- tcp 57,1433,1434,2401,2745,3127,3306,3410,4899,5554,6101,8081,9898
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>RFC1918 File</title>
|
||||
|
||||
<blockquote>
|
||||
<para>Because my DSL modem has an RFC 1918 address (192.168.1.1) and
|
||||
is connected to eth0, I need to make an exception for that address in
|
||||
my rfc1918 file. I copied /usr/share/shorewall/rfc1918 to
|
||||
/etc/shorewall/rfc1918 and changed it as follows:</para>
|
||||
|
||||
<programlisting>#SUBNET TARGET
|
||||
<emphasis role="bold">192.168.1.1 RETURN</emphasis>
|
||||
172.16.0.0/12 logdrop # RFC 1918
|
||||
192.168.0.0/16 logdrop # RFC 1918
|
||||
10.0.0.0/8 logdrop # RFC 1918
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Policy File</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#SOURCE DESTINATION POLICY LOG LEVEL BURST:LIMIT
|
||||
$FW $FW ACCEPT
|
||||
loc net ACCEPT
|
||||
$FW vpn ACCEPT
|
||||
vpn net ACCEPT
|
||||
vpn loc ACCEPT
|
||||
fw Wifi ACCEPT
|
||||
loc vpn ACCEPT
|
||||
$FW loc ACCEPT #Firewall to Local
|
||||
loc $FW REJECT $LOG
|
||||
net all DROP $LOG 10/sec:40
|
||||
all all REJECT $LOG
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Masq File</title>
|
||||
|
||||
<blockquote>
|
||||
<para>Although most of our internal systems use one-to-one NAT, my
|
||||
wife's system (192.168.1.4) uses IP Masquerading (actually SNAT) as do
|
||||
our wireless network systems and visitors with laptops.</para>
|
||||
|
||||
<para>The first entry allows access to the DSL modem and uses features
|
||||
introduced in Shorewall 2.1.1. The leading plus sign ("+_") causes the
|
||||
rule to be placed before rules generated by the /etc/shorewall/nat
|
||||
file below.</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNET ADDRESS PROTO PORT(S) IPSEC
|
||||
+$EXT_IF:192.168.1.1 0.0.0.0/0 192.168.1.254
|
||||
$EXT_IF 192.168.0.0/22 206.124.146.179
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>NAT File</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#EXTERNAL INTERFACE INTERNAL ALL LOCAL
|
||||
# INTERFACES
|
||||
206.124.146.177 $EXT_IF 192.168.1.7 No No
|
||||
206.124.146.178 $EXT_IF 192.168.1.5 No No
|
||||
206.124.146.180 $EXT_IF 192.168.1.6 No No
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Tunnels</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||||
openvpnserver:1194 net 0.0.0.0/0
|
||||
openvpnserver:1194 Wifi 192.168.3.0/24
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section id="Actions">
|
||||
<title>Actions File</title>
|
||||
|
||||
<blockquote>
|
||||
<para>The Limit action is described in a <ulink
|
||||
url="PortKnocking.html#Limit">separate article</ulink>.</para>
|
||||
|
||||
<programlisting>#ACTION
|
||||
Mirrors #Accept traffic from the Shorewall Mirror sites
|
||||
Limit #Limit connection rate from each individual Host
|
||||
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>action.Mirrors File</title>
|
||||
|
||||
<blockquote>
|
||||
<para>$MIRRORS is set in <filename>/etc/shorewall/params</filename>
|
||||
above.</para>
|
||||
|
||||
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE
|
||||
# PORT PORT(S) DEST LIMIT
|
||||
ACCEPT $MIRRORS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Accounting File</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION CHAIN SOURCE DESTINATION PROTO DEST SOURCE USER/
|
||||
# PORT(S) PORT(S) GROUP
|
||||
hp:COUNT accounting $EXT_IF $INT_IF:192.168.1.6 UDP
|
||||
hp:COUNT accounting $INT_IF:192.168.1.6 $EXT_IF UDP
|
||||
DONE hp
|
||||
|
||||
mail:COUNT - $EXT_IF $INT_IF:192.168.1.7 tcp 25
|
||||
mail:COUNT - $INT_IF:192.168.1.7 $EXT_IF tcp 25
|
||||
DONE mail
|
||||
|
||||
web - $EXT_IF $INT_IF:192.168.1.7 tcp 80
|
||||
web - $EXT_IF $INT_IF:192.168.1.7 tcp 443
|
||||
web - $INT_IF:192.168.1.7 $EXT_IF tcp 80
|
||||
web - $INT_IF:192.168.1.7 $EXT_IF tcp 443
|
||||
|
||||
COUNT web $EXT_IF $INT_IF:192.168.1.7
|
||||
COUNT web $INT_IF:192.168.1.7 $EXT_IF
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Rules File (The shell variables are set in
|
||||
/etc/shorewall/params)</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>SECTION NEW
|
||||
###############################################################################################################################################################################
|
||||
#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
###############################################################################################################################################################################
|
||||
REJECT:$LOG loc net tcp 25
|
||||
REJECT:$LOG loc net udp 1025:1031
|
||||
#
|
||||
# Stop NETBIOS crap
|
||||
#
|
||||
REJECT loc net tcp 137,445
|
||||
REJECT loc net udp 137:139
|
||||
#
|
||||
# Stop my idiotic work laptop from sending to the net with an HP source/dest IP address
|
||||
#
|
||||
DROP loc:!192.168.0.0/22 net
|
||||
DROP Wifi net:15.0.0.0/8
|
||||
DROP Wifi net:16.0.0.0/8
|
||||
###############################################################################################################################################################################
|
||||
# Local Network to Firewall
|
||||
#
|
||||
DROP loc:!192.168.0.0/22 fw # Silently drop traffic with an HP source IP from my XP box
|
||||
Limit:$LOG:SSHA,3,60\
|
||||
loc fw tcp 22
|
||||
ACCEPT loc fw tcp time,631,8080
|
||||
ACCEPT loc fw udp 161,ntp,631
|
||||
ACCEPT loc:192.168.1.5 fw udp 111
|
||||
DROP loc fw tcp 3185 #SUSE Meta pppd
|
||||
Ping/ACCEPT loc fw
|
||||
###############################################################################################################################################################################
|
||||
# Local Network to Wireless
|
||||
#
|
||||
Ping/ACCEPT loc Wifi
|
||||
###############################################################################################################################################################################
|
||||
# Insecure Wireless to DMZ
|
||||
#
|
||||
ACCEPT Wifi dmz udp domain
|
||||
ACCEPT Wifi dmz tcp domain
|
||||
###############################################################################################################################################################################
|
||||
# Insecure Wireless to Internet
|
||||
#
|
||||
ACCEPT Wifi net udp 500
|
||||
ACCEPT Wifi net udp 4500
|
||||
ACCEPT Wifi:192.168.3.9 net all
|
||||
Ping/ACCEPT Wifi net
|
||||
###############################################################################################################################################################################
|
||||
# Insecure Wireless to Firewall
|
||||
#
|
||||
SSH/ACCEPT Wifi fw
|
||||
###############################################################################################################################################################################
|
||||
# Road Warriors to Firewall
|
||||
#
|
||||
ACCEPT vpn fw tcp ssh,time,631,8080
|
||||
ACCEPT vpn fw udp 161,ntp,631
|
||||
Ping/ACCEPT vpn fw
|
||||
###############################################################################################################################################################################
|
||||
# Road Warriors to DMZ
|
||||
#
|
||||
ACCEPT vpn dmz udp domain
|
||||
ACCEPT vpn dmz tcp www,smtp,smtps,domain,ssh,imap,https,imaps,ftp,10023,pop3 -
|
||||
Ping/ACCEPT vpn dmz
|
||||
###############################################################################################################################################################################
|
||||
# Local network to DMZ
|
||||
#
|
||||
ACCEPT loc dmz udp domain
|
||||
ACCEPT loc dmz tcp ssh,smtps,www,ftp,imaps,domain,https -
|
||||
ACCEPT loc dmz tcp smtp
|
||||
ACCEPT loc dmz udp 33434:33454
|
||||
###############################################################################################################################################################################
|
||||
# Internet to ALL -- drop NewNotSyn packets
|
||||
#
|
||||
dropNotSyn net fw tcp
|
||||
dropNotSyn net loc tcp
|
||||
dropNotSyn net dmz tcp
|
||||
###############################################################################################################################################################################
|
||||
# Internet to DMZ
|
||||
#
|
||||
ACCEPT net dmz udp domain
|
||||
LOG:$LOG net:64.126.128.0/18 dmz tcp smtp
|
||||
ACCEPT net dmz tcp smtps,www,ftp,imaps,domain,https -
|
||||
ACCEPT net dmz tcp smtp - 206.124.146.177,206.124.146.178
|
||||
ACCEPT net dmz udp 33434:33454
|
||||
Mirrors net dmz tcp rsync
|
||||
Limit:$LOG:SSHA,3,60\
|
||||
net dmz tcp 22
|
||||
Ping/ACCEPT net dmz
|
||||
###############################################################################################################################################################################
|
||||
#
|
||||
# Net to Local
|
||||
#
|
||||
##########################################################################################
|
||||
# Test Server
|
||||
#
|
||||
ACCEPT net loc:192.168.1.9 tcp 80
|
||||
ACCEPT net loc:192.168.1.9 tcp 443
|
||||
ACCEPT net loc:192.168.1.9 tcp 21
|
||||
Ping/ACCEPT net loc:192.168.1.9
|
||||
#
|
||||
# When I'm "on the road", the following two rules allow me VPN access back home using PPTP.
|
||||
#
|
||||
DNAT net loc:192.168.1.4 tcp 1729
|
||||
DNAT net loc:192.168.1.4 gre
|
||||
#
|
||||
# Roadwarrior access to Ursa
|
||||
#
|
||||
ACCEPT net:$OMAK loc tcp 22
|
||||
Limit:$LOG:SSHA,3,60\
|
||||
net loc tcp 22
|
||||
#
|
||||
# ICQ
|
||||
#
|
||||
ACCEPT net loc:192.168.1.5 tcp 113,4000:4100
|
||||
#
|
||||
# Bittorrent
|
||||
#
|
||||
ACCEPT net loc:192.168.1.5 tcp 6881:6889,6969
|
||||
ACCEPT net loc:192.168.1.5 udp 6881:6889,6969
|
||||
#
|
||||
# Real Audio
|
||||
#
|
||||
ACCEPT net loc:192.168.1.5 udp 6970:7170
|
||||
#
|
||||
# Overnet
|
||||
#
|
||||
#ACCEPT net loc:192.168.1.5 tcp 4662
|
||||
#ACCEPT net loc:192.168.1.5 udp 12112
|
||||
#
|
||||
# OpenVPN
|
||||
#
|
||||
ACCEPT net loc:192.168.1.5 udp 1194
|
||||
#
|
||||
# Skype
|
||||
#
|
||||
ACCEPT net loc:192.168.1.6 tcp 1194
|
||||
#
|
||||
# Silently Handle common probes
|
||||
#
|
||||
REJECT net loc tcp www,ftp,https
|
||||
DROP net loc icmp 8
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Internet
|
||||
#
|
||||
ACCEPT dmz net udp domain,ntp
|
||||
ACCEPT dmz net tcp echo,ftp,ssh,smtp,whois,domain,www,81,https,cvspserver,2702,2703,8080
|
||||
ACCEPT dmz net:$POPSERVERS tcp pop3
|
||||
Ping/ACCEPT dmz net
|
||||
#
|
||||
# Some FTP clients seem prone to sending the PORT command split over two packets. This prevents the FTP connection tracking
|
||||
# code from processing the command and setting up the proper expectation. The following rule allows active FTP to work in these cases
|
||||
# but logs the connection so I can keep an eye on this potential security hole.
|
||||
#
|
||||
ACCEPT:$LOG dmz net tcp 1024: 20
|
||||
###############################################################################################################################################################################
|
||||
# DMZ to Firewall -- ntp & snmp, Silently reject Auth
|
||||
#
|
||||
ACCEPT dmz fw udp ntp ntp
|
||||
ACCEPT dmz fw tcp 161,ssh
|
||||
ACCEPT dmz fw udp 161
|
||||
REJECT dmz fw tcp auth
|
||||
Ping/ACCEPT dmz fw
|
||||
###############################################################################################################################################################################
|
||||
# Internet to Firewall
|
||||
#
|
||||
REJECT net fw tcp www,ftp,https
|
||||
DROP net fw icmp 8
|
||||
ACCEPT net fw udp 33434:33454
|
||||
ACCEPT net:$OMAK fw udp ntp
|
||||
ACCEPT net fw tcp auth
|
||||
ACCEPT net:$OMAK fw tcp 22
|
||||
Limit:$LOG:SSHA,3,60\
|
||||
net fw tcp 22
|
||||
###############################################################################################################################################################################
|
||||
# Firewall to Internet
|
||||
#
|
||||
ACCEPT fw net:$NTPSERVERS udp ntp ntp
|
||||
#ACCEPT fw net:$POPSERVERS tcp pop3
|
||||
ACCEPT fw net udp domain
|
||||
ACCEPT fw net tcp domain,www,https,ssh,1723,whois,1863,ftp,2702,2703,7
|
||||
ACCEPT fw net udp 33435:33535
|
||||
ACCEPT fw net icmp
|
||||
REJECT:$LOG fw net udp 1025:1031
|
||||
DROP fw net udp ntp
|
||||
Ping/ACCEPT fw net
|
||||
###############################################################################################################################################################################
|
||||
# Firewall to DMZ
|
||||
#
|
||||
ACCEPT fw dmz tcp domain,www,ftp,ssh,smtp,993,465
|
||||
ACCEPT fw dmz udp domain
|
||||
REJECT fw dmz udp 137:139
|
||||
Ping/ACCEPT fw dmz
|
||||
###############################################################################################################################################################################
|
||||
# Firewall to Insecure Wireless
|
||||
#
|
||||
Ping/ACCEPT fw Wifi
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/etc/shorewall/tcdevices</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#INTERFACE IN-BANDWITH OUT-BANDWIDTH
|
||||
$EXT_IF 1.5mbit 384kbit
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/etc/shorewall/tcclasses</title>
|
||||
|
||||
<blockquote>
|
||||
<para>My traffic shaping configuration is basically the "WonderShaper"
|
||||
<ulink
|
||||
url="http://www1.shorewall.net/pub/shorewall/Samples/tc4shorewall">example
|
||||
from tc4shorewall</ulink> with a little tweaking.</para>
|
||||
|
||||
<programlisting>#INTERFACE MARK RATE CEIL PRIORITY OPTIONS
|
||||
$EXT_IF 10 full ful 1 tcp-ack,tos-minimize-delay
|
||||
$EXT_IF 20 9*full/10 9*full/10 2 default
|
||||
$EXT_IF 30 6*full/10 6*full/10 3
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/etc/shorewall/tcrules</title>
|
||||
|
||||
<blockquote>
|
||||
<para>I give full bandwidth to my local systems -- the server gets
|
||||
throttled and rsync gets throttled even more.</para>
|
||||
|
||||
<note>
|
||||
<para>The class id for tc4shorewall-generated classes is
|
||||
<<emphasis>device number</emphasis>>:<<emphasis>100 + mark
|
||||
value</emphasis>> where the first device in
|
||||
<filename>/etc/shorewall/tcdevices</filename> is device number 1,
|
||||
the second is device number 2 and so on. The rules below are using
|
||||
the Netfilter CLASSIFY target to classify the traffic directly
|
||||
without having to first mark then classify based on the
|
||||
marks.</para>
|
||||
</note>
|
||||
|
||||
<programlisting>#MARK SOURCE DEST PROTO PORT(S) CLIENT USER TEST
|
||||
# PORT(S)
|
||||
1:110 192.168.0.0/22 $EXT_IF
|
||||
1:130 206.124.146.177 $EXT_IF tcp - 873 #Rsync to the Mirrors
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
|
||||
<para>Here is the output of <command>shorewall show tc</command> while
|
||||
the Shorewall mirrors were receiving updates via rsync and the link
|
||||
was otherwise idle. Note the rate limiting imposed by the 1:30
|
||||
Class.</para>
|
||||
|
||||
<programlisting>Shorewall-3.0.0-RC2 Traffic Control at gateway - Sat Oct 22 09:11:26 PDT 2005
|
||||
|
||||
...
|
||||
|
||||
Device eth2:
|
||||
qdisc htb 1: r2q 10 default 120 direct_packets_stat 2 ver 3.17
|
||||
Sent 205450106 bytes 644093 pkts (dropped 0, overlimits 104779)
|
||||
backlog 20p
|
||||
qdisc ingress ffff: ----------------
|
||||
Sent 160811382 bytes 498294 pkts (dropped 37, overlimits 0)
|
||||
qdisc sfq 110: parent 1:110 limit 128p quantum 1514b flows 128/1024 perturb 10sec
|
||||
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
|
||||
qdisc sfq 120: parent 1:120 limit 128p quantum 1514b flows 128/1024 perturb 10sec
|
||||
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
|
||||
qdisc sfq 130: parent 1:130 limit 128p quantum 1514b flows 128/1024 perturb 10sec
|
||||
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
|
||||
backlog 20p
|
||||
class htb 1:110 parent 1:1 leaf 110: prio 1 quantum 4915 rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 0
|
||||
Sent 81718034 bytes 417516 pkts (dropped 0, overlimits 0)
|
||||
rate 424bit
|
||||
lended: 417516 borrowed: 0 giants: 0
|
||||
tokens: 36864 ctokens: 36864
|
||||
|
||||
class htb 1:1 root rate 384000bit ceil 384000bit burst 1791b/8 mpu 0b overhead 0b cburst 1791b/8 mpu 0b overhead 0b level 7
|
||||
Sent 205422474 bytes 644073 pkts (dropped 0, overlimits 0)
|
||||
rate 231568bit 19pps
|
||||
lended: 0 borrowed: 0 giants: 0
|
||||
tokens: -26280 ctokens: -26280
|
||||
|
||||
class htb 1:130 parent 1:1 leaf 130: prio 3 quantum 2944 rate 230000bit ceil 230000bit burst 1714b/8 mpu 0b overhead 0b cburst 1714b/8 mpu 0b overhead 0b level 0
|
||||
Sent 62507157 bytes 48802 pkts (dropped 0, overlimits 0)
|
||||
<emphasis role="bold">rate 230848bit 19pps backlog 18p</emphasis>
|
||||
lended: 48784 borrowed: 0 giants: 0
|
||||
tokens: -106401 ctokens: -106401
|
||||
|
||||
class htb 1:120 parent 1:1 leaf 120: prio 2 quantum 4416 rate 345000bit ceil 345000bit burst 1771b/8 mpu 0b overhead 0b cburst 1771b/8 mpu 0b overhead 0b level 0
|
||||
Sent 61224535 bytes 177773 pkts (dropped 0, overlimits 0)
|
||||
rate 1000bit
|
||||
lended: 177773 borrowed: 0 giants: 0
|
||||
tokens: 41126 ctokens: 41126
|
||||
|
||||
...</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/etc/openvpn/server.conf</title>
|
||||
|
||||
<para>Only the tunnel-mode OpenVPN configuration is described here --
|
||||
the bridge is described in the <ulink url="OPENVPN.html">OpenVPN
|
||||
documentation</ulink>.</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>dev tun
|
||||
|
||||
local 206.124.146.176
|
||||
|
||||
server 192.168.2.0 255.255.255.0
|
||||
|
||||
dh dh1024.pem
|
||||
|
||||
ca /etc/certs/cacert.pem
|
||||
|
||||
crl-verify /etc/certs/crl.pem
|
||||
|
||||
cert /etc/certs/gateway.pem
|
||||
key /etc/certs/gateway_key.pem
|
||||
|
||||
port 1194
|
||||
|
||||
comp-lzo
|
||||
|
||||
user nobody
|
||||
group nogroup
|
||||
|
||||
keepalive 15 45
|
||||
ping-timer-rem
|
||||
persist-tun
|
||||
persist-key
|
||||
|
||||
client-config-dir /etc/openvpn/clients
|
||||
ccd-exclusive
|
||||
client-to-client
|
||||
|
||||
verb 3</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Tipper and Eastepnc6000 Configuration in the Wireless
|
||||
Network</title>
|
||||
|
||||
<para>Please find this information in the <ulink
|
||||
url="OPENVPN.html#Bridge">OpenVPN bridge mode</ulink>
|
||||
documentation.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Tipper Configuration while on the Road</title>
|
||||
|
||||
<para>This laptop is either configured on our wireless network
|
||||
(192.168.3.8) or as a standalone system on the road.</para>
|
||||
|
||||
<para><emphasis>Tipper</emphasis>'s view of the world is shown in the
|
||||
following diagram:</para>
|
||||
|
||||
<graphic align="center" fileref="images/network2.png" valign="middle" />
|
||||
|
||||
<section>
|
||||
<title>zones</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ZONE DISPLAY COMMENTS
|
||||
home Home Shorewall Network
|
||||
net Net Internet
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>policy</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
$FW net ACCEPT
|
||||
$FW home ACCEPT
|
||||
home $FW ACCEPT
|
||||
net home NONE
|
||||
home net NONE
|
||||
net all DROP info
|
||||
# The FOLLOWING POLICY MUST BE LAST
|
||||
all all REJECT info
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>interfaces</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
net eth0 detect dhcp,tcpflags
|
||||
home tun0 -
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>rules</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL RATE USER/
|
||||
# PORT PORT(S) DEST LIMIT GROUP
|
||||
ACCEPT net $FW icmp 8
|
||||
ACCEPT net $FW tcp 22
|
||||
ACCEPT net $FW tcp 4000:4100
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/etc/openvpn/home.conf</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>dev tun
|
||||
remote gateway.shorewall.net
|
||||
up /etc/openvpn/home.up
|
||||
|
||||
tls-client
|
||||
pull
|
||||
|
||||
ca /etc/certs/cacert.pem
|
||||
|
||||
cert /etc/certs/tipper.pem
|
||||
key /etc/certs/tipper_key.pem
|
||||
|
||||
port 1194
|
||||
|
||||
user nobody
|
||||
group nogroup
|
||||
|
||||
comp-lzo
|
||||
|
||||
ping 15
|
||||
ping-restart 45
|
||||
ping-timer-rem
|
||||
persist-tun
|
||||
persist-key
|
||||
|
||||
verb 3</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/etc/openvpn/home.up</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>#!/bin/bash
|
||||
|
||||
ip route add 192.168.1.0/24 via $5 #Access to Home Network
|
||||
ip route add 206.124.146.177/32 via $5 #So that DNS names will resolve in my
|
||||
#Internal Bind 9 view because the source IP will
|
||||
#be in 192.168.2.0/24</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
</article>
|
@ -43,7 +43,7 @@
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
<section>
|
||||
<section id="Important">
|
||||
<title>Important</title>
|
||||
|
||||
<para>It is important that you read all of the sections on this page where
|
||||
@ -69,12 +69,12 @@
|
||||
command to see the groups associated with each of your zones.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="V4.0.0">
|
||||
<title>Versions >= 4.0.0-Beta1</title>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para> This is the first Shorewall release that fully integrates the
|
||||
<para>This is the first Shorewall release that fully integrates the
|
||||
new Shorewall-perl compiler. You are now offered a choice as to which
|
||||
compiler(s) you install. In Shorewall 4.0.0, there are the following
|
||||
packages:<itemizedlist>
|
||||
@ -123,12 +123,12 @@ rpm -U shorewall-4.0.0.noarch.rpm</programlisting>If you are upgrading using
|
||||
caused the corresponding flag in /proc to be reset for all interfaces.
|
||||
Beginning in Shorewall 4.0.0, leaving these options empty causes
|
||||
Shorewall to leave the flags in /proc as they are. You must set the
|
||||
option to 'No' in order to obtain the old behavior. </para>
|
||||
option to 'No' in order to obtain the old behavior.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="V3.4.0">
|
||||
<title>Versions >= 3.4.0-Beta1</title>
|
||||
|
||||
<orderedlist>
|
||||
@ -336,7 +336,7 @@ all all REJECT:MyReject info</programlisting>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="V3.2.0">
|
||||
<title>Version >= 3.2.0</title>
|
||||
|
||||
<orderedlist>
|
||||
@ -546,7 +546,7 @@ all all REJECT:MyReject info</programlisting>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="V3.0.0">
|
||||
<title>Version >= 3.0.0</title>
|
||||
|
||||
<orderedlist>
|
||||
@ -687,7 +687,7 @@ rejNotSyn:info net all tcp</programlisting>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<section id="V2.4.0">
|
||||
<title>Version >= 2.4.0</title>
|
||||
|
||||
<orderedlist>
|
||||
@ -714,676 +714,4 @@ rejNotSyn:info net all tcp</programlisting>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 2.2.0</title>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Shorewall configuration files except shorewall.conf are now
|
||||
empty (they contain only comments). If you wish to retain the defaults
|
||||
in any of the following files, you should copy these files before
|
||||
upgrading them then restore them after the upgrade:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>/etc/shorewall/zones</member>
|
||||
|
||||
<member>/etc/shorewall/policy</member>
|
||||
|
||||
<member>/etc/shorewall/tos</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The following builtin actions have been removed and have been
|
||||
replaced by the new action logging implementation described in the new
|
||||
features below.</para>
|
||||
|
||||
<simplelist>
|
||||
<member>logNotSyn</member>
|
||||
|
||||
<member>rLogNotSyn</member>
|
||||
|
||||
<member>dLogNotSyn</member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If shorewall.conf is upgraded to the latest version, it needs to
|
||||
be modified to set STARTUP_ENABLED=Yes.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The Leaf/Bering version of Shorewall was previously
|
||||
named:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorwall-<version>.lrp</member>
|
||||
</simplelist>
|
||||
|
||||
<para>Beginning with 2.1, that file will now be named:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>shorewall-lrp-<version>.tgz</member>
|
||||
</simplelist>
|
||||
|
||||
<para>Simply rename that file to 'shorwall.lrp' when installing it on
|
||||
your LEAF/Bering system.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The ORIGINAL DEST column of the /etc/shorewall/rules file may no
|
||||
longer contain a second (SNAT) address. You must use an entry in
|
||||
/etc/shorewall/masq instead.</para>
|
||||
|
||||
<para>Example from Shorewall FAQ #1:</para>
|
||||
|
||||
<blockquote>
|
||||
<para>Prior to Shorewall 2.1:</para>
|
||||
|
||||
<para>/etc/shorewall/interfaces</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 detect routeback</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
|
||||
# PORT DEST
|
||||
DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69:192.168.1.254 </programlisting>
|
||||
|
||||
<para>Shorewall 2.1 and Later:</para>
|
||||
|
||||
<para>/etc/shorewall/interfaces</para>
|
||||
|
||||
<programlisting>#ZONE INTERFACE BROADCAST OPTIONS
|
||||
loc eth1 detect routeback</programlisting>
|
||||
|
||||
<para>/etc/shorewall/masq:</para>
|
||||
|
||||
<programlisting>#INTERFACE SUBNETS ADDRESS PROTO PORT(S)
|
||||
eth1 eth1 192.168.1.254 tcp 80</programlisting>
|
||||
|
||||
<para>/etc/shorewall/rules:</para>
|
||||
|
||||
<programlisting>#ACTION SOURCE DEST PROTO DEST PORT SOURCE ORIGINAL
|
||||
# PORT DEST
|
||||
DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69</programlisting>
|
||||
</blockquote>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The 'logunclean' and 'dropunclean' options that were deprecated
|
||||
in Shorewall 2.0 have now been removed completely.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The default port for 'openvpn' tunnels (/etc/shorewall/tunnels)
|
||||
has been changed to 1194 to match a similar change in the OpenVPN
|
||||
product. The IANA has registered port 1194 for use by OpenVPN.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>A new IPTABLES variable has been added to shorewall.conf. This
|
||||
variable names the iptables executable that Shorewall will use. The
|
||||
variable is set to "/sbin/iptables". If you use the new
|
||||
shorewall.conf, you may need to change this setting to maintain
|
||||
compatibility with your current setup (if you use your existing
|
||||
shorewall.conf that does not set IPTABLES then you should experience
|
||||
no change in behavior).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 2.0.2 RC1</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>If you are upgrading from Shorewall 1.4.x and you have commands
|
||||
in your <filename>/etc/shorewall/common</filename> file that are not
|
||||
directly related to the <emphasis role="bold">common</emphasis> chain
|
||||
then you will want to move those commands to
|
||||
<filename>/etc/shorewall/initdone</filename>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 2.0.2 Beta 1</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>Extension Scripts - In order for extension scripts to work
|
||||
properly with the new iptables-save/restore integration introduced in
|
||||
Shorewall 2.0.2 Beta 1, some change may be required to your extension
|
||||
scripts.</para>
|
||||
|
||||
<para>If your extension scripts are executing commands other than
|
||||
<command>iptables</command> then those commands must also be written
|
||||
to the restore file (a temporary file in <filename
|
||||
class="directory">/var/lib/shorewall</filename> that is renamed
|
||||
<filename>/var/lib/shorewall/restore-base</filename> at the completion
|
||||
of the <filename>/sbin/shorewall</filename> command). The following
|
||||
functions should be of help:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>save_command() -- saves the passed command to the restore
|
||||
file.</para>
|
||||
|
||||
<para>Example: <programlisting>save_command echo Operation Complete</programlisting></para>
|
||||
|
||||
<para>That command would simply write "echo Operation Complete" to
|
||||
the restore file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>run_and_save_command() -- saves the passed command to the
|
||||
restore file then executes it. The return value is the exit status
|
||||
of the command. Example: <programlisting>run_and_save_command "echo 1 > /proc/sys/net/ipv4/icmp_echo_ignore_all"</programlisting></para>
|
||||
|
||||
<para>Note that as in this example, when the command involves file
|
||||
redirection then the entire command must be enclosed in quotes.
|
||||
This applies to all of the functions described here.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>ensure_and_save_command() -- runs the passed command. If the
|
||||
command fails, the firewall is restored to its prior saved state
|
||||
and the operation is terminated. If the command succeeds, the
|
||||
command is written to the restore file</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Dynamic Zone support. - If you don't need to use the
|
||||
<command>shorewall add</command> and <command>shorewall
|
||||
delete</command> commands, you should set DYNAMIC_ZONES=No in
|
||||
<filename>/etc/shorewall/shorewall.conf</filename>.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 2.0.1</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The function of 'norfc1918' is now split between that option and
|
||||
a new 'nobogons' option. The rfc1918 file released with Shorewall now
|
||||
contains entries for only those three address ranges reserved by RFC
|
||||
1918. A 'nobogons' interface option has been added which handles bogon
|
||||
source addresses (those which are reserved by the IANA, those reserved
|
||||
for DHCP auto-configuration and the class C test-net reserved for
|
||||
testing and documentation examples). This will allow users to perform
|
||||
RFC 1918 filtering without having to deal with out of date data from
|
||||
IANA. Those who are willing to update their
|
||||
<filename>/usr/share/shorewall/bogons</filename> file regularly can
|
||||
specify the 'nobogons' option in addition to 'norfc1918'. The level at
|
||||
which bogon packets are logged is specified in the new BOGON_LOG_LEVEL
|
||||
variable in shorewall.conf. If that option is not specified or is
|
||||
specified as empty (e.g, BOGON_LOG_LEVEL="") then bogon packets whose
|
||||
TARGET is 'logdrop' in
|
||||
<filename>/usr/share/shorewall/bogons</filename> are logged at the
|
||||
'info' level.</para>
|
||||
|
||||
<warning>
|
||||
<para>If you have a file named <filename>rfc1918</filename> in your
|
||||
<filename class="directory">/etc/shorewall</filename> directory, you
|
||||
must either remove that file or you must copy
|
||||
<filename>/usr/share/shorewall/rfc1918</filename> to <filename
|
||||
class="directory">/etc/shorewall</filename> and modify that file
|
||||
appropriately. Do not leave the old <filename>rfc1918</filename>
|
||||
file in <filename
|
||||
class="directory">/etc/shorewall</filename>.</para>
|
||||
</warning>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>VERSION >= 2.0.0-Beta1</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The 'dropunclean' and 'logunclean' interface options are no
|
||||
longer supported. If either option is specified in
|
||||
<filename>/etc/shorewall/interfaces</filename>, a threatening message
|
||||
will be generated.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The NAT_BEFORE_RULES option has been removed from
|
||||
<filename>shorewall.conf</filename>. The behavior of Shorewall 2.0 is
|
||||
as if NAT_BEFORE_RULES=No had been specified. In other words, DNAT
|
||||
rules now always take precedence over one-to-one NAT
|
||||
specifications.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The default value for the ALL INTERFACES column in
|
||||
<filename>/etc/shorewall/nat</filename> has changed. In Shorewall 1.*,
|
||||
if the column was left empty, a value of "Yes" was assumed. This has
|
||||
been changed so that a value of "No" is now assumed.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The following files don't exist in Shorewall 2.0:</para>
|
||||
|
||||
<simplelist>
|
||||
<member><filename>/etc/shorewall/common.def</filename></member>
|
||||
|
||||
<member><filename>/etc/shorewall/common</filename></member>
|
||||
|
||||
<member><filename>/etc/shorewall/icmpdef</filename></member>
|
||||
|
||||
<member><filename>/etc/shorewall/action.template</filename> (moved
|
||||
to
|
||||
<filename>/usr/share/shorewall/action.template</filename>)</member>
|
||||
</simplelist>
|
||||
|
||||
<para>The <filename>/etc/shorewall/action</filename> file now allows
|
||||
an action to be designated as the "common" action for a particular
|
||||
policy type by following the action name with ":" and the policy
|
||||
(DROP, REJECT or ACCEPT).</para>
|
||||
|
||||
<para>The file /usr/share/shorewall/actions.std has been added to
|
||||
define those actions that are released as part of Shorewall 2.0 In
|
||||
that file are two actions as follows:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>Drop:DROP</member>
|
||||
|
||||
<member>Reject:REJECT</member>
|
||||
</simplelist>
|
||||
|
||||
<para>The <quote>Drop</quote> action is the common action for DROP
|
||||
policies while the <quote>Reject</quote> action is the default action
|
||||
for REJECT policies. These actions will be performed on packets prior
|
||||
to applying the DROP or REJECT policy respectively. In the first
|
||||
release, the difference between "Reject" and "Drop" is that "Reject"
|
||||
REJECTs SMB traffic while "Drop" silently drops such traffic.</para>
|
||||
|
||||
<para>As described above, Shorewall allows a common action for ACCEPT
|
||||
policies but does not specify such an action in the default
|
||||
configuration.</para>
|
||||
|
||||
<para>For more information see the <ulink
|
||||
url="Actions.html">User-defined Action Page</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <filename>/etc/shorewall</filename> directory no longer
|
||||
contains <filename>users</filename> file or a
|
||||
<filename>usersets</filename> file. Similar functionality is now
|
||||
available using user-defined actions.</para>
|
||||
|
||||
<para>Now, action files created by copying
|
||||
<filename>/usr/share/shorewall/action.template</filename> may now
|
||||
specify a USER and or GROUP name/id in the final column just like in
|
||||
the rules file (see below). It is thus possible to create actions that
|
||||
control traffic from a list of users and/or groups.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The last column in <filename>/etc/shorewall/rules</filename> is
|
||||
now labeled USER/GROUP and may contain:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>[!]<<emphasis>user number</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]<<emphasis>user name</emphasis>>[:]</member>
|
||||
|
||||
<member>[!]:<<emphasis>group number</emphasis>></member>
|
||||
|
||||
<member>[!]:<<emphasis>group name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
number</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group
|
||||
number</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
inumber</emphasis>>:<<emphasis>group
|
||||
name</emphasis>></member>
|
||||
|
||||
<member>[!]<<emphasis>user
|
||||
name</emphasis>>:<<emphasis>group name</emphasis>></member>
|
||||
</simplelist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If your kernel has IPV6 support (recent
|
||||
<trademark>SUSE</trademark> for example), and you don't use IPV6 then
|
||||
you will probably want to set DISABLE_IPV6=Yes in <ulink
|
||||
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.
|
||||
You must have ipv6tables installed.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 1.4.9</title>
|
||||
|
||||
<itemizedlist>
|
||||
<listitem>
|
||||
<para>The default value of NEWNOTSYN set in <ulink
|
||||
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink> has
|
||||
been changed from 'No' to 'Yes'. I find that NEWNOTSYN=No tends to
|
||||
result in lots of "stuck" connections because any network timeout
|
||||
during TCP session tear down results in retries being dropped
|
||||
(Netfilter has removed the connection from the conntrack table but the
|
||||
end-points haven't completed shutting down the connection). I
|
||||
therefore have chosen NEWNOTSYN=Yes as the default value and I advise
|
||||
caution in using NEWNOTSYN=Yes.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 1.4.8</title>
|
||||
|
||||
<itemizedlist mark="bullet">
|
||||
<listitem>
|
||||
<para>The meaning of <varname>ROUTE_FILTER=Yes</varname> has changed.
|
||||
Previously this setting was documented as causing route filtering to
|
||||
occur on all network interfaces; this didn't work. Beginning with this
|
||||
release, <varname>ROUTE_FILTER=Yes</varname> causes route filtering to
|
||||
occur on all interfaces brought up while Shorewall is running. This
|
||||
means that it may be appropriate to set
|
||||
<varname>ROUTE_FILTER=Yes</varname> and use the routefilter option in
|
||||
<filename
|
||||
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
|
||||
entries.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 1.4.6</title>
|
||||
|
||||
<itemizedlist mark="bullet">
|
||||
<listitem>
|
||||
<para>The <varname>NAT_ENABLED</varname>,
|
||||
<varname>MANGLE_ENABLED</varname> and <varname>MULTIPORT</varname>
|
||||
options have been removed from <filename>shorewall.conf</filename>.
|
||||
These capabilities are now automatically detected by Shorewall.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>An undocumented feature previously allowed entries in the host
|
||||
file as follows: <synopsis>
|
||||
zone eth1:192.168.1.0/24,eth2:192.168.2.0/24
|
||||
</synopsis> This capability was never documented and has been removed in
|
||||
1.4.6 to allow entries of the following format: <synopsis>
|
||||
zone eth1:192.168.1.0/24,192.168.2.0/24
|
||||
</synopsis></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 1.4.4</title>
|
||||
|
||||
<para>If you are upgrading from 1.4.3 and have set the
|
||||
<varname>LOGMARKER</varname> variable in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>shorewall.conf</filename>,
|
||||
then you must set the new <varname>LOGFORMAT</varname> variable
|
||||
appropriately and remove your setting of
|
||||
<varname>LOGMARKER</varname>.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version 1.4.4</title>
|
||||
|
||||
<para>If you have zone names that are 5 characters long, you may
|
||||
experience problems starting Shorewall because the
|
||||
<option>--log-prefix</option> in a logging rule is too long. Upgrade to
|
||||
Version 1.4.4a to fix this problem.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 1.4.2</title>
|
||||
|
||||
<para>There are some cases where you may want to handle traffic from a
|
||||
particular group to itself. While I personally think that such a setups
|
||||
are ridiculous, there are two cases covered in this documentation where it
|
||||
can occur: <itemizedlist>
|
||||
<listitem>
|
||||
<para><ulink url="FAQ.htm#faq2">In FAQ #2</ulink></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para><ulink url="Shorewall_Squid_Usage.html">When running
|
||||
<application>Squid</application> as a transparent proxy in your
|
||||
local zone.</ulink></para>
|
||||
</listitem>
|
||||
</itemizedlist> If you have either of these cases, you will want to
|
||||
review the current documentation and change your configuration
|
||||
accordingly.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 1.4.1</title>
|
||||
|
||||
<itemizedlist mark="bullet">
|
||||
<listitem>
|
||||
<para>Beginning with Version 1.4.1, traffic between groups in the same
|
||||
zone is accepted by default. Previously, traffic from a zone to itself
|
||||
was treated just like any other traffic; any matching rules were
|
||||
applied followed by enforcement of the appropriate policy. With 1.4.1
|
||||
and later versions, unless you have explicit rules for traffic from Z
|
||||
to Z or you have an explicit Z to Z policy (where "Z" is some zone)
|
||||
then traffic between the groups in zone Z will be accepted. If you do
|
||||
have one or more explicit rules for Z to Z or if you have an explicit
|
||||
Z to Z policy then the behavior is as it was in prior versions.</para>
|
||||
|
||||
<orderedlist numeration="arabic">
|
||||
<listitem>
|
||||
<para>If you have a Z Z ACCEPT policy for a zone to allow traffic
|
||||
between two interfaces to the same zone, that policy can be
|
||||
removed and traffic between the interfaces will traverse fewer
|
||||
rules than previously.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you have a Z Z DROP or Z Z REJECT policy or you have
|
||||
Z->Z rules then your configuration should not require any
|
||||
change.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you are currently relying on a implicit policy (one that
|
||||
has "all" in either the SOURCE or DESTINATION column) to prevent
|
||||
traffic between two interfaces to a zone Z and you have no rules
|
||||
for Z->Z then you should add an explicit DROP or REJECT policy
|
||||
for Z to Z.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Sometimes, you want two separate zones on one interface but you
|
||||
don't want Shorewall to set up any infrastructure to handle traffic
|
||||
between them. <example>
|
||||
<title>The <filename>zones</filename>,
|
||||
<filename>interfaces</filename> and, <filename>hosts</filename>
|
||||
file contents</title>
|
||||
|
||||
<programlisting>
|
||||
<filename class="directory">/etc/shorewall/</filename><filename>zones</filename>
|
||||
z1 Zone1 The first Zone
|
||||
z2 Zone2 The second Zone
|
||||
|
||||
<filename class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
|
||||
z2 eth1 192.168.1.255
|
||||
|
||||
<filename class="directory">/etc/shorewall/</filename><filename>hosts</filename>
|
||||
z1 eth1:192.168.1.3
|
||||
</programlisting>
|
||||
</example> Here, zone z1 is nested in zone z2 and the firewall is
|
||||
not going to be involved in any traffic between these two zones.
|
||||
Beginning with Shorewall 1.4.1, you can prevent Shorewall from setting
|
||||
up any infrastructure to handle traffic between z1 and z2 by using the
|
||||
new NONE policy: <example>
|
||||
<title>The contents of <filename>policy</filename></title>
|
||||
|
||||
<programlisting>
|
||||
<filename class="directory">/etc/shorewall/</filename><filename>policy</filename>
|
||||
z1 z2 NONE
|
||||
z2 z1 NONE
|
||||
</programlisting>
|
||||
</example> Note that NONE policies are generally used in pairs
|
||||
unless there is asymmetric routing where only the traffic on one
|
||||
direction flows through the firewall and you are using a NONE policy
|
||||
in the other direction.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version 1.4.1</title>
|
||||
|
||||
<itemizedlist mark="bullet">
|
||||
<listitem>
|
||||
<para>In Version 1.4.1, Shorewall will never create rules to deal with
|
||||
traffic from a given group back to itself. The
|
||||
<varname>multi</varname> interface option is no longer available so if
|
||||
you want to route traffic between two subnetworks on the same
|
||||
interface then I recommend that you upgrade to Version 1.4.2 and use
|
||||
the <varname>routeback</varname> interface or host option.</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 1.4.0</title>
|
||||
|
||||
<important>
|
||||
<para>Shorewall >=1.4.0 requires the <command>iproute</command>
|
||||
package ('<literal>ip</literal>' utility).</para>
|
||||
</important>
|
||||
|
||||
<note>
|
||||
<para>Unfortunately, some distributions call this package
|
||||
<command>iproute2</command> which will cause the upgrade of Shorewall to
|
||||
fail with the diagnostic: <synopsis>error: failed dependencies:iproute is needed by shorewall-1.4.0-1</synopsis>This
|
||||
may be worked around by using the <option>--nodeps</option> option of
|
||||
<command>rpm</command> (<command>rpm -Uvh --nodeps
|
||||
<filename>your_shorewall_rpm.rpm</filename></command>).</para>
|
||||
</note>
|
||||
|
||||
<para>If you are upgrading from a version < 1.4.0, then: <itemizedlist
|
||||
mark="bullet">
|
||||
<listitem>
|
||||
<para>The <varname>noping</varname> and
|
||||
<varname>forwardping</varname> interface options are no longer
|
||||
supported nor is the <varname>FORWARDPING</varname> option in
|
||||
<filename>shorewall.conf</filename>. ICMP echo-request (ping)
|
||||
packets are treated just like any other connection request and are
|
||||
subject to rules and policies.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Interface names of the form
|
||||
<varname><device>:<integer></varname> in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>interfaces</filename>
|
||||
now generate a Shorewall error at startup (they always have produced
|
||||
warnings in <application
|
||||
class="software">iptables</application>).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <varname>MERGE_HOSTS</varname> variable has been removed
|
||||
from <filename>shorewall.conf</filename>. Shorewall 1.4 behaves like
|
||||
1.3 did when <varname>MERGE_HOSTS=Yes</varname>; that is zone
|
||||
contents are determined by <emphasis>BOTH</emphasis> the interfaces
|
||||
and hosts files when there are entries for the zone in both
|
||||
files.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <varname>routestopped</varname> option in the interfaces
|
||||
and hosts file has been eliminated; use entries in the
|
||||
<filename>routestopped</filename> file instead.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The Shorewall 1.2 syntax for <varname>DNAT</varname> and
|
||||
<varname>REDIRECT</varname> rules is no longer accepted; you must
|
||||
convert to using the new syntax.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <varname>ALLOWRELATED</varname> variable in
|
||||
<filename>shorewall.conf</filename> is no longer supported.
|
||||
Shorewall 1.4 behavior is the same as 1.3 with
|
||||
<varname>ALLOWRELATED=Yes</varname>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Late-arriving DNS replies are now dropped by default; there is
|
||||
no need for your own <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>common</filename>
|
||||
file simply to avoid logging these packets.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <filename>firewall</filename>,
|
||||
<filename>functions</filename> and <filename>version</filename>
|
||||
files have been moved to <filename
|
||||
class="directory">/usr/share/shorewall</filename>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The <filename>icmp.def</filename> file has been removed. If
|
||||
you include it from <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>icmpdef</filename>,
|
||||
you will need to modify that file.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you followed the advice in FAQ #2 and call
|
||||
<varname>find_interface_address</varname> in <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>params</filename>,
|
||||
that code should be moved to <filename
|
||||
class="directory">/etc/shorewall/</filename><filename>init</filename>.</para>
|
||||
</listitem>
|
||||
</itemizedlist></para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version 1.4.0</title>
|
||||
|
||||
<itemizedlist mark="bullet">
|
||||
<listitem>
|
||||
<para>The <varname>multi</varname> interface option is no longer
|
||||
supported. Shorewall will generate rules for sending packets back out
|
||||
the same interface that they arrived on in two cases: <itemizedlist
|
||||
mark="hollow">
|
||||
<listitem>
|
||||
<para>There is an <emphasis>explicit</emphasis> policy for the
|
||||
source zone to or from the destination zone. An explicit policy
|
||||
names both zones and does not use the <varname>all</varname>
|
||||
reserved word.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>There are one or more rules for traffic for the source
|
||||
zone to or from the destination zone including rules that use
|
||||
the <varname>all</varname> reserved word. Exception: if the
|
||||
source zone and destination zone are the same then the rule must
|
||||
be explicit - it must name the zone in both the
|
||||
<varname>SOURCE</varname> and <varname>DESTINATION</varname>
|
||||
columns.</para>
|
||||
</listitem>
|
||||
</itemizedlist></para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
</section>
|
||||
</article>
|
Loading…
Reference in New Issue
Block a user