Shorewall 2.0.3-RC2

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1403 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-06-19 16:05:50 +00:00
parent 3ca68c3b59
commit dbd062e23e
25 changed files with 405 additions and 373 deletions

View File

@ -4496,7 +4496,7 @@ setup_blacklist() {
createchain blacklst no
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
for host in $hosts; do
interface=${host%%:*}
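Review bot: the `state` assignment in setup_blacklist now matches INVALID as well as NEW, so packets that connection tracking cannot classify are run through the blacklist chain too; the name BLACKLISTNEWONLY and its description in shorewall.conf no longer match this behaviour, so the option's documentation should state that INVALID packets are also checked. The identical line is changed again in initialize_netfilter in the next hunk; setting `state` once in a shared helper would keep the two copies from drifting apart.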
@ -4851,7 +4851,7 @@ initialize_netfilter () {
fi
fi
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW,INVALID" || state=
echo "Creating Interface Chains..."

View File

@ -1 +1 @@
2.0.3-RC1
2.0.3-RC2

View File

@ -1232,13 +1232,40 @@ DNAT net loc:192.168.1.3 tcp ssh
<para>The <filename>/etc/shorewall/rules</filename> file defines
exceptions to the policies established in the <filename>/etc/shorewall/policy</filename>
file. There is one entry in /etc/shorewall/rules for each of these rules.</para>
file. There is one entry in /etc/shorewall/rules for each of these rules.
Entries in this file only govern the establishment of new connections —
packets that are part of an existing connection or that establish a
connection that is related to an existing connection are automatically
accepted.</para>
<para>Shorewall automatically enables firewall-&#62;firewall traffic over
the loopback interface (lo) -- that traffic cannot be regulated using
rules and any rule that tries to regulate such traffic will generate a
warning and will be ignored.</para>
<para>Rules for each pair of zones (source zone, destination zone) are
evaluated in the order that they appear in the file — the first match
determines the disposition of the connection request with a couple of
caveats:</para>
<itemizedlist>
<listitem>
<para>LOG rules cause the connection request to be logged then
processing continues with the next rule in the file.</para>
</listitem>
<listitem>
<para>QUEUE rules cause the connection request to be passed to
user-space -- the user-space application can later insert them back
into the stream for further processing by following rules.</para>
</listitem>
<listitem>
<para>CONTINUE rules may cause the connection request to be
reprocessed using a different (source zone, destination zone) pair.</para>
</listitem>
</itemizedlist>
<para>Entries in the file have the following columns:</para>
<variablelist>
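Review bot: "with a couple of caveats" is followed by three list items; "with the following caveats" avoids the mismatch. In the QUEUE item, "insert them back into the stream" has no clear antecedent because the sentence is about a single connection request; "insert the packets back into the stream" reads correctly.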
@ -3115,7 +3142,8 @@ eth1 -</programlisting>
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.12</revnumber><date>2004-01-21</date><authorinitials>TE</authorinitials><revremark>Add
<para><revhistory><revision><revnumber>1.13</revnumber><date>2004-02-13</date><authorinitials>TE</authorinitials><revremark>Add
information about the order of rules evalution.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-21</date><authorinitials>TE</authorinitials><revremark>Add
masquerade destination list.</revremark></revision><revision><revnumber>1.12</revnumber><date>2004-01-18</date><authorinitials>TE</authorinitials><revremark>Correct
typo.</revremark></revision><revision><revnumber>1.11</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Standards
Compliance</revremark></revision><revision><revnumber>1.10</revnumber><date>2004-01-05</date><authorinitials>TE</authorinitials><revremark>Improved
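Review bot: "evalution" in the new 1.13 revremark should be "evaluation", and the history lists revnumber 1.12 twice (2004-01-21 and 2004-01-18), so the revision numbers no longer increase monotonically; renumber one of them.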

View File

@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2004-01-25</pubdate>
<pubdate>2004-03-04</pubdate>
<copyright>
<year>2001-2004</year>
@ -529,6 +529,28 @@ eth2 192.168.2.0/24</programlisting>
<para>See the <ulink url="FTP.html">Shorewall and FTP page</ulink>.</para>
</section>
<section id="faq33">
<title>(FAQ 33) From clients behind the firewall, connections to some
sites fail. Connections to the same sites from the firewall itself work
fine. What&#39;s wrong.</title>
<para><emphasis role="bold">Answer</emphasis>: Most likely, you need to
set CLAMPMSS=Yes in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
</section>
<section id="faq35">
<title>(FAQ 35) I have two Ethernet interfaces to my local network which
I have bridged. When Shorewall is started, I&#39;m unable to pass
traffic through the bridge. I have defined the bridge interface (br0) as
the local interface in /etc/shorewall/interfaces; the bridged Ethernet
interfaces are not defined to Shorewall. How do I tell Shorewall to
allow traffic through the bridge?</title>
<para>Answer: Add the <firstterm>routeback</firstterm> option to
<filename class="devicefile">br0</filename> in <ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.</para>
</section>
</section>
<section>
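Review bot: the FAQ 33 title ends "What's wrong." with a period where the other FAQ titles are questions; use a question mark. The two new answers also use different markup: FAQ 33 bolds "Answer" with <emphasis role="bold"> while FAQ 35 has a plain "Answer:". FAQ 33 gives CLAMPMSS=Yes as the fix without saying what the setting changes; one sentence on why clamping the MSS helps would let readers judge whether the FAQ applies to their case.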
@ -576,7 +598,7 @@ url="http://www.shorewall.net/pub/shorewall/parsefw/">http://www.shorewall.net/p
<ulink url="http://gege.org/iptables">http://gege.org/iptables</ulink>
<ulink url="http://home.regit.org/ulogd-php.html">http://home.regit.org/ulogd-php.html</ulink></literallayout>
<para>I personnaly use Logwatch. It emails me a report each day from
<para>I personally use Logwatch. It emails me a report each day from
my various systems with each report summarizing the logged activity on
the corresponding system.</para>
</section>
@ -1254,6 +1276,15 @@ Creating input Chains...
after that will be ignored. Check <quote>man iptables</quote> and look
at the -I (--insert) command.</para>
</section>
<section id="faq34">
<title>(FAQ 34) How can I speed up start (restart)?</title>
<para>Using a light-weight shell such as <command>ash</command> can
dramatically decrease the time required to <emphasis role="bold">start</emphasis>
or <emphasis role="bold">restart</emphasis> Shorewall. See the
SHOREWALL_SHELL variable in <ulink url="Documentation.htm#Conf"><filename>shorewall.conf</filename></ulink>.</para>
</section>
</section>
<section>
@ -1542,19 +1573,19 @@ iptables: Invalid argument
<section id="faq28">
<title>(FAQ 28) How do I use Shorewall as a Bridging Firewall?</title>
<para>Basically, you don&#39;t. While there are kernel patches that
allow you to route bridge traffic through Netfilter, the environment is
so different from the Layer 3 firewalling environment that very little
of Shorewall works. In fact, so much of Shorewall doesn&#39;t work that
my official position is that <quote>Shorewall doesn&#39;t work with
Layer 2 Bridging</quote>.</para>
<para>Experimental Shorewall Bridging Firewall support is available —
<ulink url="2.0/bridge.html">check here for details</ulink>.</para>
</section>
</section>
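Review bot: the new paragraph announces experimental bridging support directly after text stating that the official position is "Shorewall doesn't work with Layer 2 Bridging", so the answer now contradicts itself. Qualify the first paragraph (for example, that it describes the standard Shorewall code) or fold the experimental note into it so the FAQ reads as one position.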
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.15</revnumber><date>2004-01-25</date><authorinitials>TE</authorinitials><revremark>Updated
<para><revhistory><revision><revnumber>1.19</revnumber><date>2004-03-05</date><authorinitials>TE</authorinitials><revremark>Added
link to Bridge.</revremark></revision><revision><revnumber>1.18</revnumber><date>2004-02-27</date><authorinitials>TE</authorinitials><revremark>Added
FAQ 35.</revremark></revision><revision><revnumber>1.17</revnumber><date>2004-02-15</date><authorinitials>TE</authorinitials><revremark>Added
FAQ 34.</revremark></revision><revision><revnumber>1.16</revnumber><date>2004-02-11</date><authorinitials>TE</authorinitials><revremark>Added
FAQ 33.</revremark></revision><revision><revnumber>1.15</revnumber><date>2004-01-25</date><authorinitials>TE</authorinitials><revremark>Updated
FAQ 32 to mention masquerading. Remove tables.</revremark></revision><revision><revnumber>1.14</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Added
FAQ 27a regarding kernel/iptables incompatibility.</revremark></revision><revision><revnumber>1.13</revnumber><date>2004-01-24</date><authorinitials>TE</authorinitials><revremark>Add
a note about the <emphasis role="bold">detectnets</emphasis> interface
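Review bot: revision 1.19 is dated 2004-03-05, but the <pubdate> changed in the first hunk of this file is 2004-03-04; the two dates should agree.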

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-22</pubdate>
<pubdate>2004-03-20</pubdate>
<copyright>
<year>2001-2004</year>
@ -52,24 +52,9 @@
configuring FreeS/Wan.</para>
<warning>
<para>Do not use Proxy ARP and FreeS/Wan on the same system unless you
are prepared to suffer the consequences. If you start or restart
Shorewall with an IPSEC tunnel active, the proxied IP addresses are
mistakenly assigned to the IPSEC tunnel device (ipsecX) rather than to
the interface that you specify in the INTERFACE column of
/etc/shorewall/proxyarp. I haven&#39;t had the time to debug this
problem so I can&#39;t say if it is a bug in the Kernel or in FreeS/Wan.</para>
<para>You <emphasis role="bold">might</emphasis> be able to work around
this problem using the following (I haven&#39;t tried it):</para>
<para>In /etc/shorewall/init, include:</para>
<programlisting>qt service ipsec stop</programlisting>
<para>In /etc/shorewall/start, include:</para>
<programlisting>qt service ipsec start</programlisting>
<para>IPSEC and Proxy ARP don&#39;t work well together unless you have
Shorewall version 1.4.10 with the approriate <ulink url="errata.htm">Errata</ulink>
fix applied or are running Shorewall 1.4.10e or later.</para>
</warning>
<important>
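Review bot: the removed warning described the symptom (proxied addresses assigned to the ipsecX device after a start or restart) and a possible workaround; the replacement only says the two "don't work well together" on versions below 1.4.10e. Keep a one-line description of the symptom so users on older versions can recognise it, and correct "approriate" to "appropriate".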

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2003-04-08</pubdate>
<pubdate>2004-03-01</pubdate>
<copyright>
<year>2001</year>
@ -24,6 +24,8 @@
<year>2003</year>
<year>2004</year>
<holder>Thomas M. Eastep</holder>
</copyright>
@ -37,21 +39,16 @@
</legalnotice>
</articleinfo>
<important>
<para>Before upgrading, be sure to review the <ulink
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
</important>
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
</important>
<section id="Install_RPM">
<title>Install using RPM</title>
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
</important>
<para>To install Shorewall using the RPM:</para>
<warning>
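Review bot: the QuickStart <important> block is now repeated verbatim under Install_RPM, Install_Tarball and LRP, and the Upgrade Issues block under each Upgrade_* section. Defining each once as an entity (or via an include) would keep the copies identical when the wording changes again.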
@ -117,6 +114,13 @@
<section id="Install_Tarball">
<title>Install using tarball</title>
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
</important>
<para>To install Shorewall using the tarball and install script:</para>
<orderedlist>
@ -186,6 +190,13 @@
<section id="LRP">
<title>Install the .lrp</title>
<important>
<para>Before attempting installation, I strongly urge you to read and
print a copy of the <ulink url="shorewall_quickstart_guide.htm">Shorewall
QuickStart</ulink> Guide for the configuration that most closely matches
your own.</para>
</important>
<para>To install my version of Shorewall on a fresh Bering disk, simply
replace the <quote>shorwall.lrp</quote> file on the image with the file
that you downloaded. See the <ulink url="two-interface.htm">two-interface
@ -195,6 +206,11 @@
<section id="Upgrade_RPM">
<title>Upgrade using RPM</title>
<important>
<para>Before upgrading, be sure to review the <ulink
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
</important>
<para>If you already have the Shorewall RPM installed and are upgrading to
a new version:</para>
@ -264,6 +280,11 @@
<section id="Upgrade_Tarball">
<title>Upgrade using tarball</title>
<important>
<para>Before upgrading, be sure to review the <ulink
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
</important>
<para>If you already have Shorewall installed and are upgrading to a new
version using the tarball:</para>
@ -348,6 +369,11 @@
<section id="LRP_Upgrade">
<title>Upgrade the .lrp</title>
<important>
<para>Before upgrading, be sure to review the <ulink
url="upgrade_issues.htm">Upgrade Issues</ulink>.</para>
</important>
<para>If you already have a running Bering installation and wish to
upgrade to a later version of Shorewall:</para>

View File

@ -13,11 +13,13 @@
<surname>Eastep</surname>
</author>
<pubdate>2003-10-07</pubdate>
<pubdate>2004-03-05</pubdate>
<copyright>
<year>2003</year>
<year>2004</year>
<holder>Thomas M Eastep</holder>
</copyright>
@ -36,7 +38,9 @@
<itemizedlist>
<listitem>
<para>Be used to filter traffic through a Layer 2 Bridge</para>
<para>Be used to filter traffic through a Layer 2 Bridge (although
experimental Shorewall Bridge code is available — check <ulink
url="2.0/bridge.html">here</ulink> for details).</para>
</listitem>
<listitem>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<pubdate>2004-04-19</pubdate>
<copyright>
<year>2003-2004</year>
@ -153,7 +153,7 @@ REDIRECT loc 3228 tcp www - !206.124.146.
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark 202 table www.out
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.168.1.3 dev eth1 table www.out
ip route flush cache
echo 0 &#62; /proc/sys/net/ipv4/conf/eth1/send_redirects
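Review bot: the changed line writes the mark as "CA" with the comment "Note 0xCA = 202", but the comment does not say why the decimal 202 used elsewhere in this example had to become hex here. State that ip rule reads the fwmark argument as a hexadecimal number, which is what this change corrects; writing the value as 0xCA would also make the base explicit. The same edit is made in the second init example below and needs the same explanation.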
@ -232,7 +232,7 @@ chkconfig --level 35 iptables on</command></programlisting>
<para>In /etc/shorewall/init, put:</para>
<programlisting><command>if [ -z &#34;`ip rule list | grep www.out`&#34; ] ; then
ip rule add fwmark 202 table www.out
ip rule add fwmark CA table www.out # Note 0xCA = 202
ip route add default via 192.0.2.177 dev eth1 table www.out
ip route flush cache
fi</command></programlisting>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-17</pubdate>
<pubdate>2004-02-17</pubdate>
<copyright>
<year>2002-2004</year>
@ -57,7 +57,19 @@
</listitem>
</orderedlist>
<para>Only the source address is checked against the blacklists.</para>
<important>
<para><emphasis role="bold">Only the source address is checked against
the blacklists</emphasis>. Blacklists only stop blacklisted hosts from
connecting to you — they do not stop you or your users from connecting
to blacklisted hosts .</para>
</important>
<important>
<para><emphasis role="bold">Neither form of Shorewall blacklisting is
appropriate for blacklisting 1,000s of different addresses</emphasis>.
The blacklists will take forever to load and will have a very negative
effect on firewall performance.</para>
</important>
</section>
<section>
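Review bot: "to blacklisted hosts ." has a stray space before the period, and "1,000s" reads better as "thousands". Since the firewall script in this commit now matches INVALID as well as NEW when BLACKLISTNEWONLY is set, the description of that option (if it lives on this page) should mention the change.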

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-05</pubdate>
<pubdate>2004-02-20</pubdate>
<copyright>
<year>2001-2004</year>
@ -383,7 +383,7 @@ DNAT net loc:192.168.1.3 tcp 4000:4100</programlisting>
numbers separated by colons.</para>
<example>
<title>MAC Address of a NIC</title>
<title>MAC Address of an Ethernet Controller</title>
<programlisting> &#x00A0;&#x00A0;&#x00A0;&#x00A0; [root@gateway root]# <command>ifconfig eth0</command>
&#x00A0;&#x00A0;&#x00A0;&#x00A0; eth0 Link encap:Ethernet HWaddr <emphasis
@ -402,7 +402,7 @@ role="bold">02:00:08:E3:FA:55</emphasis>
Shorewall requires MAC addresses to be written in another way. In
Shorewall, MAC addresses begin with a tilde (<quote>~</quote>) and consist
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address in
the example above would be written <quote>~02-00-08-E3-FA-55</quote>.</para>
the example above would be written <emphasis role="bold">~02-00-08-E3-FA-55</emphasis>.</para>
<note>
<para>It is not necessary to use the special Shorewall notation in the

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-02-04</pubdate>
<pubdate>2004-04-16</pubdate>
<copyright>
<year>2001-2004</year>
@ -86,12 +86,55 @@
<para>The <emphasis role="bold">maclist</emphasis> interface option
previously wasn&#39;t available on Atheros WiFi cards.</para>
</listitem>
<listitem>
<para>In the /etc/shorewall/masq entry <quote>eth0:!10.1.1.150
&#x00A0; &#x00A0;0.0.0.0/0!10.1.0.0/16 &#x00A0; &#x00A0; 10.1.2.16</quote>,
the <quote>!10.1.0.0/16</quote> is ignored.</para>
</listitem>
<listitem>
<para>A startup error occurs if an entry in the tcrules file has an
empty USER/GROUP column.</para>
</listitem>
<listitem>
<para>Specifying multiple excluded source zones in a REDIRECT or
DNAT rule produces a startup error. Example of problem rule:<programlisting>#ACTION SOURCE DEST PROTO DEST PORT(S)
DNAT z1!z2,z3 z4:192.168.4.5 tcp 22</programlisting></para>
</listitem>
<listitem>
<para>When using an Action in the ACTIONS column of a rule, you may
receive a warning message about the rule being a policy. While this
warning may be safely ignored, it may be eliminated by installing
the updated script linked below.</para>
</listitem>
<listitem>
<para>Thanks to Sean Mathews, a long-standing problem with Proxy ARP
and IPSEC has been corrected.</para>
</listitem>
</itemizedlist>
<para>These problems have been corrected in <ulink
url="http://shorewall.net/pub/shorewall/errata/1.4.10/firewall">this
firewall script</ulink> which may be installed in
/usr/share/shorewall/firewall as described above.</para>
<para>The first two problem corrections were included in Shorewall
update 1.4.10a.</para>
<para>The first three problem corrections were included in Shorewall
update 1.4.10b.</para>
<para>The first four problem corrections were included in Shorewall
update 1.4.10c.</para>
<para>The first six problem corrections were included in Shorewall
update 1.4.10d.</para>
<para>All problem corrections were included in Shorewall update 1.4.10e.</para>
</section>
<section>
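Review bot: the new "Thanks to Sean Mathews..." item is phrased as a fix while every other list item describes a problem; rephrase it as the problem (Proxy ARP and IPSEC not working together) so the "first N problem corrections" sentences below still read naturally, and move the credit into the revision remark or after the list.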
@ -503,7 +546,11 @@ Aborted (core dumped)</programlisting>
<appendix>
<title>Revision History4</title>
<para><revhistory><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Startup
<para><revhistory><revision><revnumber>1.9</revnumber><date>2004-03-20</date><authorinitials>TE</authorinitials><revremark>Proxy
ARP/IPSEC fix.</revremark></revision><revision><revnumber>1.8</revnumber><date>2004-03-04</date><authorinitials>TE</authorinitials><revremark>Multiple
excluded zones problem..</revremark></revision><revision><revnumber>1.7</revnumber><date>2004-02-15</date><authorinitials>TE</authorinitials><revremark>TCrules
file problem..</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-09</date><authorinitials>TE</authorinitials><revremark>Masq
file exclusion problem.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Startup
Problem</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-19</date><authorinitials>TE</authorinitials><revremark>IPV6
address problems. Make RFC1918 file section more prominent.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-14</date><authorinitials>TE</authorinitials><revremark>Confusing
template file in 1.4.9</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Added
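Review bot: "Revision History4" has a stray "4" in the appendix title; "excluded zones problem.." and "file problem.." have doubled periods; and revnumber 1.3 appears twice (2004-01-14 and 2004-01-03), so one of them needs renumbering.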

Binary file not shown.

View File

///7+/v0BAQP///////////////////////////////39/f////39/f////39/f////39/f////39
/f////39/f////39/f////39/f////39/f////39/f////39/f////39/f////39/f////39/f///
/////////////////////////////////////////////////////////////////////////////
////////////////////////////////8/PzwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@ -1659,8 +1659,8 @@ A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
D//wD//wD//wD//wD//wD//wD//wCTkwMGBm9vb4GBgYGBgYGBgYGBgYGBgYGBgYGBgYqKimh3d5q
amjM/PwCfnwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn///
/////////////////////////////////////7+/v0BAQP///////////////////////////////
////////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP
///wAAAP///wAAAP///wAAAP/////////////////////////////////////////////////////
wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP
///wAAAP///wAAAP///wAAAP///wAAAP/////////////////////////////////////////////
//////////////////////////////////////////////////////////////////7+/vxAQQAAA
/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
@ -1670,8 +1670,8 @@ A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAvzAwQP//////////////////////////
xBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wCoqAkPD8rKyubm5ubm5ubm5ubm5u
bm5ubm5ubm5ru7u2h3dzM+PgCfnwD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
//wD//wxgYJ+fn////////////////////////////////////////7+/v0BAQP//////////////
/////////////////////9/f3////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///2BgYP////////////////////////////////
/////////////5+fn////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///yAgIP////////////////////////
/////////////////////////////////////////////////////////////////////////////
//////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA3wAA/wAAfwAA/wAAfwAA
/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAfwAA/wAAf
@ -1681,8 +1681,8 @@ AA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAvzAwQP/////////
/////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wCoqAkPD
zk5OTk5OTk5OTk5OTk5OTk5OTk5OTk5OSQkJBATEwCVlQD//wD//wD//wD//wD//wD//wD//wD//w
D//wD//wD//wD//wD//wD//wxgYJ+fn////////////////////////////////////////7+/v0B
AQP///////////////////////////////////////7+/v////7+/v////7+/v////7+/v////7+/
v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////////////////////
AQP///////////////////////////////7+/v////7+/v////7+/v////7+/v////7+/v////7+/
v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////////////
///////////////
/////////////////////////////////////////////////////////////////////////////
////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAAAAA/wAAAAAA/w
@ -1693,8 +1693,8 @@ A/wAAAAAA/wAA3wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
///////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wC
oqAA/PwA/PwA/PwA/PwA/PwA/PwA/PwA/PwA/PwA/PwDg4AD//wD//wD//wD//wD//wD//wD//wD/
/wD//wD//wD//wD//wD//wD//wxgYJ+fn////////////////////////////////////////7+/v
0BAQP////////////////////////////////////f39////7+/v////7+/v////7+/v////7+/v/
///7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////9fX1//////////////
0BAQP///////////////////////////+fn5////7+/v////7+/v////7+/v////7+/v////7+/v/
///7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////7+/v////8fHx//////
/////////////////////////////////////////////////////////////////////////////
/////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAv
wAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/wAAAAAA/w
@ -1704,9 +1704,9 @@ A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA
////////////////////////////////7+/vxBAQAD//wD//wD//wD//wD//wD//wD//wD//wD//w
D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD
//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn///////////////////////////
/////////////7+/v0BAQP///////////////////////////////////////wAAAP///wAAAP///
/////////////7+/v0BAQP///////////////////////////////wAAAP///wAAAP///wAAAP///
wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP
/////////////////////////////////////////////////////////////////////////////
///wAAAP/////////////////////////////////////////////////////////////////////
//////////////////////////////////////////7+/vxAQQAAA/wAA/wAA/wAA/wAA/wAA/wAA
/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/w
@ -1715,9 +1715,9 @@ A/wAA/wAA/wAA/wAA/wAAvzAwQP//////////////////////////////////////////////////
/////////////////////////////////////////////////7+/vxBAQAD//wD//wD//wD//wD//
wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//w
D//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wD//wxgYJ+fn//////////
//////////////////////////////7+/v0BAQP///////////////////////////////////9/f
3////wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
wAAAP///wAAAP///2BgYP////////////////////////////////////////////////////////
//////////////////////////////7+/v0BAQP///////////////////////////5+fn////wAA
AP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///wAAAP///
wAAAP///wAAAP///wAAAP///yAgIP////////////////////////////////////////////////
///////////////////////////////////////////////////////////7+/vxAQQAAA/wAA/wA
A/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/wAAxwAA/wAAvwAA/wAAvwAA/wAAvwAA
/wAAvwAA/wAAvwAA/wAAvwAA/wAAvwAA/wAAvwAA/wAAvwAA/wAA/wAA/wAA/wAA/wAA/wAA/wAA/
@ -3206,8 +3206,8 @@ f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f39/f
/////////////w4AAAAUAAAAAAAAABAAAAAUAAAA</PreviewPicture>
<TimeCreated>2002-08-11T08:58:32</TimeCreated>
<TimeSaved>2003-12-29T07:34:23</TimeSaved>
<TimeEdited>2003-12-29T07:34:13</TimeEdited>
<TimeSaved>2004-02-13T16:20:19</TimeSaved>
<TimeEdited>2004-02-13T16:11:36</TimeEdited>
<TimePrinted>2002-08-11T08:58:32</TimePrinted>
</DocumentProperties>
<DocumentSettings TopPage='0' DefaultTextStyle='3' DefaultLineStyle='3' DefaultFillStyle='3' DefaultGuideStyle='4'>
@ -40781,7 +40781,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
</Master>
</Masters>
<Pages>
<Page ID='0' NameU='Page-1' ViewScale='1' ViewCenterX='35.9' ViewCenterY='27.65'>
<Page ID='0' NameU='Page-1' ViewScale='1' ViewCenterX='35.9' ViewCenterY='91.65'>
<PageSheet LineStyle='0' FillStyle='0' TextStyle='0'>
<PageProps>
<PageWidth Unit='IN'>85</PageWidth>
@ -40990,10 +40990,10 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
<Y F='Height*0'>0</Y>
</LineTo>
</Geom>
<Text><cp IX='0'/>206.124.146.176
206.124.146.178
206.124.146.179
206.124.146.180</Text>
<Text><cp IX='0'/>206.124.146.176/24
206.124.146.178/24
206.124.146.179/24
206.124.146.180/24</Text>
</Shape>
<Shape ID='74' Type='Shape' LineStyle='3' FillStyle='3' TextStyle='3'>
<XForm>
@ -41731,8 +41731,8 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
</Shape>
<Shape ID='31' Type='Shape' LineStyle='1' FillStyle='1' TextStyle='3'>
<XForm>
<PinX>44</PinX>
<PinY>45</PinY>
<PinX>45.1</PinX>
<PinY>43.1</PinY>
<Width>15</Width>
<Height>3</Height>
<LocPinX F='Width*0.5'>7.5</LocPinX>
@ -41791,11 +41791,11 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
<Y F='Height*0'>0</Y>
</LineTo>
</Geom>
<Text><cp IX='0'/>192.168.1.254</Text>
<Text><cp IX='0'/>192.168.1.254/24</Text>
</Shape>
<Shape ID='33' Type='Shape' LineStyle='1' FillStyle='1' TextStyle='3'>
<XForm>
<PinX>45</PinX>
<PinX>45.4</PinX>
<PinY>47.5</PinY>
<Width>14</Width>
<Height>3</Height>
@ -41855,7 +41855,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
<Y F='Height*0'>0</Y>
</LineTo>
</Geom>
<Text><cp IX='0'/>192.168.3.254</Text>
<Text><cp IX='0'/>192.168.3.254/24</Text>
</Shape>
<Shape ID='34' Type='Shape' LineStyle='1' FillStyle='1' TextStyle='3'>
<XForm>
@ -41936,7 +41936,7 @@ B/wAAA/8AAB//AAAf/wAAH/8AAA//AAAP/wAAD/8AAA//AAAP/wAAD/+AAA//4AAf//gAP///////
<Y F='Height*0'>0</Y>
</LineTo>
</Geom>
<Text><cp IX='0'/>192.168.2.254</Text>
<Text><cp IX='0'/>206.124.146.176/32</Text>
</Shape>
<Shape ID='44' NameU='Comm-link' Type='Shape' Master='12'>
<XForm>
@ -71384,7 +71384,7 @@ www.xxx.yyy.zzz/
</Page>
</Pages>
<Windows ClientWidth='1280' ClientHeight='850'>
<Window ID='0' WindowType='Drawing' WindowState='1073741824' WindowLeft='-4' WindowTop='-30' WindowWidth='1288' WindowHeight='884' ContainerType='Page' Page='0' ViewScale='1' ViewCenterX='35.9' ViewCenterY='27.65'>
<Window ID='0' WindowType='Drawing' WindowState='1073741824' WindowLeft='-4' WindowTop='-30' WindowWidth='1288' WindowHeight='884' ContainerType='Page' Page='0' ViewScale='1' ViewCenterX='35.9' ViewCenterY='91.65'>
<ShowRulers>1</ShowRulers>
<ShowGrid>1</ShowGrid>
<ShowPageBreaks>0</ShowPageBreaks>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-20</pubdate>
<pubdate>2004-02-13</pubdate>
<copyright>
<year>2001-2004</year>
@ -51,10 +51,11 @@
</caution>
<para>I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless
network connected to eth3 (192.168.3.0/24).</para>
(206.124.146.176-180/24). My DSL <quote>modem</quote> (Fujitsu Speedport)
is connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24), a DMZ connected to eth1 (206.124.146.176/24) and a
Wireless network connected to eth3 (192.168.3.0/24). Note that the IP
address of eth1 is a duplicate of one on eth0.</para>
<para>I use:</para>
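Review bot: the eth1 DMZ address is given here as 206.124.146.176/24 (and the public block as 206.124.146.176-180/24), which conflicts with the other copy of this document in the same commit, where eth1 is 206.124.146.176/32 and the range is written without a prefix length. Since the text says eth1's address duplicates one on eth0, a /24 on eth1 would duplicate eth0's whole subnet route rather than a single host; suggest `206.124.146.176/32` for eth1 and `206.124.146.176-180` for the range so the two copies agree.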
@ -202,7 +203,7 @@ tx Texas Peer Network in Dallas
<programlisting>#ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags
loc eth2 192.168.1.255 dhcp
dmz eth1 192.168.2.255
dmz eth1 -
WiFi eth3 192.168.3.255 dhcp,maclist
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
@ -453,33 +454,11 @@ ACCEPT dmz fw tcp
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
ACCEPT dmz net udp domain
ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn&#39;t understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &#38; snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp,ssh
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
###############################################################################################################################################################################
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
ACCEPT dmz loc tcp 111
ACCEPT dmz loc udp
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp#
###############################################################################################################################################################################
# Internet to Firewall
#
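Review bot: the trailing `#` on `ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp#` looks like a stray character; the same rule in the other copy of this file in this commit reads `ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp`. Shorewall treats the `#` as starting a comment so the rule still parses, but it should be removed so both copies match.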
@ -555,10 +534,9 @@ ACCEPT all all icmp
<programlisting>...
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
address 206.124.146.176
netmask 255.255.255.266
broadcast 0.0.0.0
<emphasis role="bold">up ip route add 206.124.146.177 dev eth1
</emphasis>...</programlisting>
</blockquote>
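Review bot: `netmask 255.255.255.266` is not a valid netmask (an octet cannot exceed 255). The same stanza in the other copy of this document uses `netmask 255.255.255.255`, which is also what `broadcast 0.0.0.0` and the host route `up ip route add 206.124.146.177 dev eth1` imply; suggest `netmask 255.255.255.255` here.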

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-02-08</pubdate>
<pubdate>2004-02-22</pubdate>
<copyright>
<year>2001-2004</year>
@ -47,15 +47,16 @@
<caution>
<para>The configuration shown here corresponds to Shorewall version
2.0.0-Beta1. It may use features not available in earlier Shorewall
2.0.0-Beta2. It may use features not available in earlier Shorewall
releases.</para>
</caution>
<para>I have DSL service and have 5 static IP addresses
(206.124.146.176-180). My DSL <quote>modem</quote> (Fujitsu Speedport) is
connected to eth0. I have a local network connected to eth2 (subnet
192.168.1.0/24), a DMZ connected to eth1 (192.168.2.0/24) and a Wireless
network connected to eth3 (192.168.3.0/24).</para>
192.168.1.0/24), a DMZ connected to eth1 (206.124.146.176/32) and a
Wireless network connected to eth3 (192.168.3.0/24). Note that the IP
address of eth1 is a duplicate of one on eth0.</para>
<para>I use:</para>
@ -204,7 +205,7 @@ tx Texas Peer Network in Dallas
<programlisting>#ZONE INERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags,nosmurfs
loc eth2 192.168.1.255 dhcp,detectnets
dmz eth1 192.168.2.255
dmz eth1 -
WiFi eth3 192.168.3.255 dhcp,maclist,detectnets
- texas 192.168.9.255
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
@ -261,6 +262,7 @@ eth3 192.168.3.0/24
<programlisting>#ADDRESS/SUBNET PROTOCOL PORT
0.0.0.0/0 udp 1434
0.0.0.0/0 tcp 1433
0.0.0.0/0 tcp 3127
0.0.0.0/0 tcp 8081
0.0.0.0/0 tcp 57
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
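Review bot: the three new blacklist entries (`0.0.0.0/0 tcp 3127`, `0.0.0.0/0 tcp 8081`, `0.0.0.0/0 tcp 57`) carry no comment saying why those ports are blacklisted; a short trailing comment per entry would make this listing maintainable, since nothing in the surrounding text explains them.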
@ -292,7 +294,7 @@ all all REJECT $LOG # Reje
<blockquote>
<para>Although most of our internal systems use one-to-one NAT, my
wife&#39;s system (192.168.1.4) uses IP Masquerading (actually SNAT)
as does my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
as do my SuSE system (192.168.1.3), our laptop (192.168.3.8) and
visitors with laptops.</para>
<programlisting>#INTERFACE SUBNET ADDRESS
@ -346,18 +348,7 @@ gre net $TEXAS
<blockquote>
<programlisting>#ACTION
DropSMB #Silently Drops Microsoft SMB Traffic
RejectSMB #Silently Reject Microsoft SMB Traffic
DropUPnP #Silently Drop UPnP Probes
RejectAuth #Silently Reject Auth
DropPing #Silently Drop Ping
DropDNSrep #Silently Drop DNS Replies
AllowPing #Accept Ping
Mirrors #Accept traffic from the Shorewall Mirror sites
MyDrop:DROP #My DROP common action
MyReject:REJECT #My REJECT common action
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</programlisting>
</blockquote>
</section>
@ -378,11 +369,11 @@ ACCEPT $MIRRORS
</section>
<section>
<title>action.MyDrop</title>
<title>/etc/shorewall/action.Drop</title>
<blockquote>
<para>This is my common action for the DROP policy. It is like the
standard <emphasis role="bold">Reject</emphasis> action except that it
standard <emphasis role="bold">Drop</emphasis> action except that it
allows <quote>Ping</quote>.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
@ -398,12 +389,13 @@ DropDNSrep</programlisting>
</section>
<section>
<title>action.MyReject</title>
<title>/etc/shorewall/action.Reject</title>
<blockquote>
<para>This is my common action for the REJECT policy. It is like the
standard <emphasis role="bold">Drop</emphasis> action except that it
allows <quote>Ping</quote>.</para>
standard <emphasis role="bold">Reject</emphasis> action except that it
allows <quote>Ping</quote> and contains one rule that guards against
log flooding by broken software running in my local zone.</para>
<programlisting>#TARGET SOURCE DEST PROTO DEST SOURCE RATE USER/
# PORT(S) PORT(S) LIMIT GROUP
@ -437,15 +429,12 @@ REJECT:$LOG loc net tcp
REJECT loc net tcp 137,445
REJECT loc net udp 137:139
#
DROP loc:!192.168.1.0/24 net
QUEUE loc net udp
QUEUE loc fw udp
QUEUE loc net tcp
###############################################################################################################################################################################
# Local Network to Firewall
#
DROP loc:!192.168.1.0/24 fw
ACCEPT loc fw tcp ssh,time,10000,swat,137,139,445
ACCEPT loc fw udp snmp,ntp,445
ACCEPT loc fw udp 137:139
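Review bot: the `DROP loc:!192.168.1.0/24 net` and `DROP loc:!192.168.1.0/24 fw` anti-spoofing rules are removed here (and `DROP loc:!192.168.1.0/24 dmz` in the next hunk) without the text saying why. The reason appears to be the `detectnets` option added to `loc eth2` in the interfaces listing earlier in this file, which confines the loc zone to the networks routed through eth2; that dependency should be stated, because on a configuration without `detectnets` removing these rules would let packets with other source addresses arriving on eth2 fall through to the loc rules.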
@ -453,7 +442,6 @@ ACCEPT loc fw udp
###############################################################################################################################################################################
# Local Network to DMZ
#
DROP loc:!192.168.1.0/24 dmz
REJECT loc dmz tcp 465
ACCEPT loc dmz udp domain,xdmcp
ACCEPT loc dmz tcp www,smtp,domain,ssh,imap,https,imaps,cvspserver,ftp,10000,8080,10027,pop3 -
@ -509,33 +497,11 @@ ACCEPT dmz fw tcp
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
###############################################################################################################################################################################
# DMZ to Internet
#
ACCEPT dmz net tcp smtp,domain,www,https,whois,echo,2702,21,2703,ssh,8080
ACCEPT dmz net udp domain
ACCEPT dmz net:$POPSERVERS tcp pop3
#ACCEPT dmz net:206.191.151.2 tcp pop3
#ACCEPT dmz net:66.216.26.115 tcp pop3
#
# Something is wrong with the FTP connection tracking code or there is some client out there
# that is sending a PORT command which that code doesn&#39;t understand. Either way,
# the following works around the problem.
#
ACCEPT:$LOG dmz net tcp 1024: 20
###############################################################################################################################################################################
# DMZ to Firewall -- ntp &#38; snmp, Silently reject Auth
#
ACCEPT dmz fw udp ntp ntp
ACCEPT dmz fw tcp snmp,ssh
ACCEPT dmz fw udp snmp
REJECT dmz fw tcp auth
###############################################################################################################################################################################
#
# DMZ to Local Network
#
ACCEPT dmz loc tcp smtp,6001:6010
ACCEPT dmz loc tcp 111
ACCEPT dmz loc udp
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 tcp 111
ACCEPT dmz:206.124.146.177 loc:192.168.1.3 udp
###############################################################################################################################################################################
# Internet to Firewall
#
@ -598,7 +564,7 @@ ACCEPT all all icmp
</blockquote>
</section>
<section>
<section id="Interfaces">
<title>/etc/network/interfaces</title>
<blockquote>
@ -611,10 +577,9 @@ ACCEPT all all icmp
<programlisting>...
auto eth1
iface eth1 inet static
address 192.168.2.1
netmask 255.255.255.0
network 192.168.2.0
broadcast 192.168.2.255
address 206.124.146.176
netmask 255.255.255.255
broadcast 0.0.0.0
<emphasis role="bold">up ip route add 206.124.146.177 dev eth1
</emphasis>...</programlisting>
</blockquote>

View File

@ -13,7 +13,7 @@
</author>
</authorgroup>
<pubdate>2004-02-05</pubdate>
<pubdate>2004-02-18</pubdate>
<copyright>
<year>2001-2002</year>
@ -118,15 +118,9 @@ ACCEPT <emphasis>&#60;destination&#62;</emphasis> <emphasis>&#60;source&#62
<section>
<title>NFS</title>
<para>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2. I have found though that
different distributions behave differently so your milage may vary.</para>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d tcp 111
ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d udp 111
ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d udp 2049
ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d udp 32700:</programlisting>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;z1&#62;</emphasis>:&#60;list of client IPs&#62; <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d tcp 111
ACCEPT <emphasis>&#60;z1&#62;</emphasis>:&#60;list of client IPs&#62; <emphasis> &#60;z2&#62;</emphasis>:a.b.c.d udp</programlisting>
</section>
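Review bot: the replacement rules open every UDP port from the listed clients to a.b.c.d (`udp` with an empty DEST PORT(S) column), which is considerably broader than the 111, 2049 and 32700: ports they replace. The revision history below records this only as "Make NFS work for everyone"; the section text should say why a fixed port list was not sufficient and point out that the `:<list of client IPs>` qualifier in the SOURCE column is what keeps the exposure bounded, so readers do not copy the rule without it.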
<section>
@ -136,6 +130,14 @@ ACCEPT <emphasis>&#60;z1&#62;</emphasis> <emphasis> &#60;z2&#62;</emphas
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 123</programlisting>
</section>
<section>
<title><trademark>PCAnywhere</trademark></title>
<programlisting>#ACTION SOURCE DESTINATION PROTO DEST PORT(S)
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> udp 5632
ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62;</emphasis> tcp 5631</programlisting>
</section>
<section>
<title>Pop3</title>
@ -255,7 +257,9 @@ ACCEPT <emphasis>&#60;source&#62;</emphasis> <emphasis>&#60;destination&#62
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
<para><revhistory><revision><revnumber>1.7</revnumber><date>2004-02-12</date><authorinitials>TE</authorinitials><revremark>Make
NFS work for everyone</revremark></revision><revision><revnumber>1.6</revnumber><date>2004-02-12</date><authorinitials>TE</authorinitials><revremark>Added
PCAnywhere</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-02-05</date><authorinitials>TE</authorinitials><revremark>Added
information about VNC viewers in listen mode.</revremark></revision><revision><revnumber>1.4</revnumber><date>2004-01-26</date><authorinitials>TE</authorinitials><revremark>Correct
ICQ.</revremark></revision><revision><revnumber>1.3</revnumber><date>2004-01-04</date><authorinitials>TE</authorinitials><revremark>Alphabetize</revremark></revision><revision><revnumber>1.2</revnumber><date>2004-01-03</date><authorinitials>TE</authorinitials><revremark>Add
rules file entries.</revremark></revision><revision><revnumber>1.1</revnumber><date>2002-07-30</date><authorinitials>TE</authorinitials><revremark>Initial

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-01</pubdate>
<pubdate>2004-02-19</pubdate>
<copyright>
<year>2001-2004</year>
@ -121,6 +121,12 @@
questions but we can&#39;t do your job for you.</para>
</listitem>
<listitem>
<para>Please do NOT include the output of <command>iptables -L</command>
— the output of <emphasis role="bold">shorewall show</emphasis> or
<command>shorewall status</command> is much more useful.</para>
</listitem>
<listitem>
<para>When reporting a problem, <emphasis role="bold">ALWAYS</emphasis>
include this information:</para>
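Review bot: the two commands in the new list item are marked up differently: `shorewall show` uses `<emphasis role="bold">` while `iptables -L` and `shorewall status` use `<command>`. Use `<command>` for all three so they render consistently.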
@ -296,7 +302,8 @@
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.2</revnumber><date>2003-01-01</date><authorinitials>TE</authorinitials><revremark>Removed
<para><revhistory><revision><revnumber>1.3</revnumber><date>2003-02-19</date><authorinitials>TE</authorinitials><revremark>Admonish
against including &#34;iptables -L&#34; output.</revremark></revision><revision><revnumber>1.2</revnumber><date>2003-01-01</date><authorinitials>TE</authorinitials><revremark>Removed
.GIF and moved note about unsupported releases. Move Revision History to
this Appendix.</revremark></revision><revision><revnumber>1.1</revnumber><date>2003-12-19</date><authorinitials>TE</authorinitials><revremark>Corrected
URL for Newbies List</revremark></revision></revhistory></para>
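Review bot: the new revision 1.3 is dated 2003-02-19, which sorts before revision 1.1 (2003-12-19) and disagrees with the `<pubdate>2004-02-19</pubdate>` set earlier in this same file; the date should be 2004-02-19.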

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-12-05</pubdate>
<pubdate>2004-02-12</pubdate>
<copyright>
<year>2002</year>
@ -530,6 +530,10 @@ fw net ACCEPT</programlisting>
<filename class="directory">/etc/shorewall/</filename><filename>masq</filename>
and change it to match your configuration.</para>
<para>If, despite all advice to the contrary, you are using this guide and
want to use one-to-one NAT or Proxy ARP for your DMZ, remove the entry for
eth2 from <filename>/etc/shorewall/masq</filename>.</para>
<para><inlinegraphic fileref="images/BD21298_.gif" format="GIF" /></para>
<para>If your external IP is static, you can enter it in the third column

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-01-21</pubdate>
<pubdate>2004-02-11</pubdate>
<copyright>
<year>2001-2004</year>
@ -46,8 +46,7 @@
<itemizedlist>
<listitem>
<para>A new <emphasis role="bold">TC_ENABLED</emphasis> parameter in
/etc/shorewall.conf. Traffic Shaping also requires that you enable
packet mangling.</para>
/etc/shorewall.conf.</para>
</listitem>
<listitem>
@ -229,12 +228,11 @@
column may only be non-empty if the SOURCE is the firewall itself.
When this column is non-empty, the rule applies only if the program
generating the output is running under the effective user and/or
group. It may contain : </para>
group. It may contain :</para>
<para>[&#60;user name or number&#62;]:[&#60;group name or number&#62;]
</para>
<para>[&#60;user name or number&#62;]:[&#60;group name or number&#62;]</para>
<para>The colon is optionnal when specifying only a user. </para>
<para>The colon is optionnal when specifying only a user.</para>
<para>Examples : john: / john / :users / john:users</para>
</listitem>
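Review bot: `optionnal` in the rewritten line `The colon is optionnal when specifying only a user.` is misspelled; since the line is being touched anyway, change it to `optional`.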
@ -247,63 +245,11 @@
arriving on eth2 and eth3 should be marked with 2. All packets
originating on the firewall itself should be marked with 3.</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">MARK</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
</row>
</thead>
<tbody>
<row>
<entry>1</entry>
<entry>eth1</entry>
<entry>0.0.0.0/0</entry>
<entry>all</entry>
</row>
<row>
<entry>2</entry>
<entry>eth2</entry>
<entry>0.0.0.0/0</entry>
<entry>all</entry>
</row>
<row>
<entry>2</entry>
<entry>eth3</entry>
<entry>0.0.0.0/0</entry>
<entry>all</entry>
</row>
<row>
<entry>3</entry>
<entry>fw</entry>
<entry>0.0.0.0/0</entry>
<entry>all</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
1 eth1 0.0.0.0/0 all
2 eth2 0.0.0.0/0 all
2 eth3 0.0.0.0/0 all
3 fw 0.0.0.0/0 all</programlisting>
</example>
<example>
@ -312,33 +258,8 @@
<para>All GRE (protocol 47) packets not originating on the firewall and
destined for 155.186.235.151 should be marked with 12.</para>
<informaltable>
<tgroup cols="4">
<thead>
<row>
<entry align="center">MARK</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
</row>
</thead>
<tbody>
<row>
<entry>12</entry>
<entry>0.0.0.0/0</entry>
<entry>155.186.235.151</entry>
<entry>47</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
12 0.0.0.0/0 155.182.235.151 47</programlisting>
</example>
<example>
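Review bot: the new programlisting uses `155.182.235.151` while the sentence above it and the table it replaces both say 155.186.235.151; the listing should read `12 0.0.0.0/0 155.186.235.151 47` so the example matches its own description.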
@ -347,37 +268,8 @@
<para>All SSH packets originating in 192.168.1.0/24 and destined for
155.186.235.151 should be marked with 22.</para>
<informaltable>
<tgroup cols="5">
<thead>
<row>
<entry align="center">MARK</entry>
<entry align="center">SOURCE</entry>
<entry align="center">DESTINATION</entry>
<entry align="center">PROTOCOL</entry>
<entry align="center">PORT(S)</entry>
</row>
</thead>
<tbody>
<row>
<entry>22</entry>
<entry>192.168.1.0/24</entry>
<entry>155.186.235.151</entry>
<entry>tcp</entry>
<entry>22</entry>
</row>
</tbody>
</tgroup>
</informaltable>
<programlisting>#MARK SOURCE DESTINATION PROTOCOL USER/GROUP
22 192.168.1.0/24 155.182.235.151 tcp 22</programlisting>
</example>
</section>
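Review bot: same address mismatch as the previous example: the listing has `155.182.235.151` where the sentence above and the removed table have 155.186.235.151. Also, the header `#MARK SOURCE DESTINATION PROTOCOL USER/GROUP` has no PORT(S) column although the entry supplies `tcp 22`, so a reader cannot tell which column the `22` belongs to; the table being removed had a PORT(S) column, and the header should carry it too.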

View File

@ -13,7 +13,7 @@
<surname>Eastep</surname>
</author>
<pubdate>2004-01-06</pubdate>
<pubdate>2004-02-02</pubdate>
<copyright>
<year>2001-2004</year>
@ -119,6 +119,50 @@ iptables: No chain/target/match by that name
</example>
</section>
<section>
<title>Some Things to Keep in Mind</title>
<itemizedlist>
<listitem>
<para><emphasis role="bold">You cannot test your firewall from the
inside</emphasis>. Just because you send requests to your firewall
external IP address does not mean that the request will be associated
with the external interface or the <quote>net</quote> zone. Any
traffic that you generate from the local network will be associated
with your local interface and will be treated as loc-&#62;fw traffic.</para>
</listitem>
<listitem>
<para><emphasis role="bold">IP addresses are properties of systems,
not of interfaces</emphasis>. It is a mistake to believe that your
firewall is able to forward packets just because you can ping the IP
address of all of the firewall&#39;s interfaces from the local
network. The only conclusion you can draw from such pinging success is
that the link between the local system and the firewall works and that
you probably have the local system&#39;s default gateway set
correctly.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Reply packets do NOT automatically follow
the reverse path of the one taken by the original request</emphasis>.
All packets are routed according to the routing table of the host at
each step of the way. This issue commonly comes up when people install
a Shorewall firewall parallel to an existing gateway and try to use
DNAT through Shorewall without changing the default gateway of the
system receiving the forwarded requests. Requests come in through the
Shorewall firewall where the destination IP address gets rewritten but
replies go out unmodified through the old gateway.</para>
</listitem>
<listitem>
<para><emphasis role="bold">Shorewall itself has no notion of inside
or outside</emphasis>. These concepts are embodied in how Shorewall is
configured. </para>
</listitem>
</itemizedlist>
</section>
<section>
<title>Your Network Environment</title>
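Review bot: the last list item has trailing whitespace inside the element (`configured. </para>`), which will show up as a stray space when rendered; trim it to `configured.</para>`. The second item could also say where inside/outside are actually expressed (zones, interfaces and policy) so the "no notion of inside or outside" point gives the reader somewhere to look.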
@ -355,7 +399,8 @@ DROP net fw icmp echo-request</programlist
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.6</revnumber><date>2005-01-06</date><authorinitials>TE</authorinitials><revremark>Add
<para><revhistory><revision><revnumber>1.7</revnumber><date>2005-02-02</date><authorinitials>TE</authorinitials><revremark>Add
hint about testing from inside the firewall.</revremark></revision><revision><revnumber>1.6</revnumber><date>2005-01-06</date><authorinitials>TE</authorinitials><revremark>Add
pointer to Site and Mailing List Archives Searches.</revremark></revision><revision><revnumber>1.5</revnumber><date>2004-01-01</date><authorinitials>TE</authorinitials><revremark>Added
information about eliminating ping-generated log messages.</revremark></revision><revision><revnumber>1.4</revnumber><date>2003-12-22</date><authorinitials>TE</authorinitials><revremark>Initial
Docbook Conversion</revremark></revision></revhistory></para>
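Review bot: the added revision entry is dated `<date>2005-02-02</date>` and the existing 1.6 entry `<date>2005-01-06</date>`, but the file's `<pubdate>` changed in this same patch reads 2004-02-02 and the commit itself is from June 2004; the year in both revhistory entries looks like a typo and should be made consistent with the pubdate.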

View File

@ -17,7 +17,7 @@
</author>
</authorgroup>
<pubdate>2004-06-11</pubdate>
<pubdate>2004-06-18</pubdate>
<copyright>
<year>2001-2004</year>
@ -58,9 +58,9 @@
class="directory">/etc/shorewall</filename> and modify the copies.</para>
<para>Note that you must copy <filename class="directory">/usr/share/doc/shorewall/default-config/shorewall.conf</filename>
and /usr/share/doc/shorewall/default-config/modules to <filename
class="directory">/etc/shorewall</filename> even if you do not modify
those files.</para>
and <filename>/usr/share/doc/shorewall/default-config/modules</filename>
to <filename class="directory">/etc/shorewall</filename> even if you do
not modify those files.</para>
</section>
</section>
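Review bot: the unchanged context line still marks `/usr/share/doc/shorewall/default-config/shorewall.conf` with `class="directory"` although it is a file, while the newly wrapped `modules` path correctly uses a plain `<filename>`; drop `class="directory"` from the shorewall.conf reference so the two paths in the same sentence are marked up the same way.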
@ -407,16 +407,17 @@ eth2 192.168.2.0/24</programlisting>
following:</para>
<blockquote>
<para>&#62; I know PoM -ng is going to address this issue, but till it
is ready, and &#62; all the extras are ported to it, is there any way
to use the h.323 &#62; contrack module kernel patch with a 2.6 kernel?
&#62; Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade
is not &#62; an option... The module is not ported yet to 2.6, sorry.
&#62; Do I have any options besides a gatekeeper app (does not work in
my &#62; network) or a proxy (would prefer to avoid them)? I suggest
everyone to setup a proxy (gatekeeper) instead: the module is really
dumb and does not deserve to exist at all. It was an excellent tool to
debug/develop the newnat interface.</para>
<para><programlisting>&#62; I know PoM -ng is going to address this issue, but till it is ready, and
&#62; all the extras are ported to it, is there any way to use the h.323
&#62; contrack module kernel patch with a 2.6 kernel?
&#62; Running 2.6.1 - no 2.4 kernel stuff on the system, so downgrade is not
&#62; an option... The module is not ported yet to 2.6, sorry.
&#62; Do I have any options besides a gatekeeper app (does not work in my
&#62; network) or a proxy (would prefer to avoid them)?
I suggest everyone to setup a proxy (gatekeeper) instead: the module is
really dumb and does not deserve to exist at all. It was an excellent tool
to debug/develop the newnat interface.</programlisting></para>
</blockquote>
<para>Look <ulink url="http://linux-igd.sourceforge.net">here</ulink>
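Review bot: `<programlisting>` marks the quoted mailing-list exchange up as program code, which is semantically off for prose; `<literallayout>` preserves the line breaks without implying code. The `<blockquote>` also names no source: since the reader is being told on the authority of this quote that the h.323 conntrack module should not be relied on and a gatekeeper/proxy should be used instead, an `<attribution>` (author and list, or a URL to the archived message) would let them verify it.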
@ -1734,7 +1735,8 @@ iptables: Invalid argument
<appendix>
<title>Revision History</title>
<para><revhistory><revision><revnumber>1.26</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Delete
<para><revhistory><revision><revnumber>1.27</revnumber><date>2004-06-18</date><authorinitials>TE</authorinitials><revremark>Correct
formatting in H323 quote.</revremark></revision><revision><revnumber>1.26</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Delete
obsolete ping information.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-18</date><authorinitials>TE</authorinitials><revremark>Empty
/etc/shorewall on Debian.</revremark></revision><revision><revnumber>1.25</revnumber><date>2004-05-08</date><authorinitials>TE</authorinitials><revremark>Update
for Shorewall 2.0.2</revremark></revision><revision><revnumber>1.24</revnumber><date>2004-04-25</date><authorinitials>TE</authorinitials><revremark>Add
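Review bot: the unchanged context contains two entries numbered `<revnumber>1.25</revnumber>` (2004-05-18 "Empty /etc/shorewall on Debian" and 2004-05-08 "Update for Shorewall 2.0.2"); while touching this revhistory, renumber one of them so the sequence 1.24, 1.25, 1.26, 1.27 is unambiguous.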

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=2.0.3-RC1
VERSION=2.0.3-RC2
usage() # $1 = exit status
{
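Review bot: `VERSION=2.0.3-RC2` is the same literal bumped by hand in this script, in the other two scripts below and in the spec file in this commit; a slip in any one of them is easy to miss (the spec changelog in this same commit already carries a wrong version number), so consider deriving the value from a single source at build time.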

View File

@ -22,7 +22,7 @@
# Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA
#
VERSION=2.0.3-RC1
VERSION=2.0.3-RC2
usage() # $1 = exit status
{

View File

@ -1,6 +1,6 @@
%define name shorewall
%define version 2.0.3
%define release 0RC1
%define release 0RC2
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -141,6 +141,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Sat Jun 19 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC2
* Tue Jun 15 2004 Tom Eastep tom@shorewall.net
- Updated to 2.0.2-0RC1
* Mon Jun 14 2004 Tom Eastep tom@shorewall.net
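Review bot: the new changelog entry says `- Updated to 2.0.2-0RC2`, but the spec defines `%define version 2.0.3` and `%define release 0RC2` in the hunk above, so it should read `2.0.3-0RC2`; the preceding RC1 entry has the same slip and should be corrected to `2.0.3-0RC1` at the same time.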

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=2.0.3-RC1
VERSION=2.0.3-RC2
usage() # $1 = exit status
{
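Review bot: the context comment above the bumped version reads "Simply run this script to remove Seattle Firewall", but the product is Shoreline Firewall (as the fallback script's comment in this commit says); fix the name while the file is being edited.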