Shorewall 1.4.8

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@789 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-11-17 21:06:32 +00:00
parent d0595fc651
commit dbfc838988
78 changed files with 6992 additions and 7957 deletions

View File

@ -6,13 +6,35 @@ Changes since 1.4.7
2) Applied Andrew Zhoglo's patch that avoids using multiport match for
ICMP.
3) Fix error handling after "Unable to determine the routes..."
3) Added support for QUEUE target.
4) Corrected handling of LOGUNCLEAN.
4) Fix error handling after "Unable to determine the routes..."
5) Corrected handling of "complex" zones.
5) Fix handling of LOGUNCLEAN
6) Fix tcrules processing.
6) Added BLACKLISTNEWONLY support.
7) Correct correction for handling of complex zones (twice).
7) Correct optimization for 'complex' zones.
8) Fix tcrules processing.
9) Liberalize chain names used in the accounting file.
10) Fix the fix for 'complex' zones (twice).
11) Remove incorrect comment from shorewall.conf regarding Debian
lockfiles.
12) Change "_exists" suffix (including _nat_exists) to an "exists_"
prefix to allow chain names beginning with a digit without
lengthening the variable name.
13) Applied and improved Eric Bowles's fix for route filtering.
14) Corrected handling of /32 addresses with broadcast in maclist
processing.
15) Generate error for NONE policy where source or destination zone is
the firewall itself.
16) Fix 'routeback' for wildcard interfaces.
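Review bot: entries 9 and 12 describe one change from two angles (chain names in the accounting file may now begin with a digit, which is why the `_exists` suffix became an `exists_` prefix) and would read better merged, or entry 12 should reference entry 9. Entries 7 and 10 both patch the 'complex' zone optimization without saying what was wrong; one clause on the failure mode would let users judge whether they were affected. Entry 15 (an error for a NONE policy whose source or destination is the firewall zone) turns a configuration that previously started into a startup error and should be called out in the upgrade notes.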

View File

@ -1,144 +1,113 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>6to4 Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">6to4 Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">6to4 Tunnels<br>
</h1>
<h3>The 6to4 tunnel documentation is provided by Eric de Thouars.<br>
</h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of Shorewall
only facilitates IPv6 over IPv4 tunneling. It does not provide any IPv6
security measures.</h3>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure</p>
<p>More information on Linux and IPv6 can be found in the <a
</h3>
<h3><font color="#ff6633">Warning: </font>The 6to4 tunnel feature of
Shorewall only facilitates IPv6 over IPv4 tunneling. It does not
provide any IPv6
security measures.</h3>
<p>6to4 tunneling with Shorewall can be used to connect your IPv6
network to another IPv6 network over an IPv4 infrastructure</p>
<p>More information on Linux and IPv6 can be found in the <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO">Linux IPv6 HOWTO</a>.
Details on how to setup a 6to4 tunnels are described in the section <a
Details on how to setup a 6to4 tunnels are described in the section <a
href="http://www.tldp.org/HOWTO/Linux+IPv6-HOWTO/configuring-ipv6to4-tunnels.html">Setup
of 6to4 tunnels</a>.</p>
of 6to4 tunnels</a>.</p>
<h2>Connecting two IPv6 Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoIPv6Nets1.png"
width="745" height="427" alt="">
</p>
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to be
able to communicate with the systems in the 2002:488:999::/64 network. This
is accomplished through use of the /etc/shorewall/tunnels file and the "ip"
utility for network interface and routing configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the /etc/shorewall/policy,
/etc/shorewall/interfaces and /etc/shorewall/zones files are not used. There
is no need to declare a zone to represent the remote IPv6 network. This
remote network is not visible on IPv4 interfaces and to iptables. All that
is visible on the IPv4 level is an IPv4 stream which contains IPv6 traffic.
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
width="745" height="427" alt=""> </p>
<p align="left">We want systems in the 2002:100:333::/64 subnetwork to
be able to communicate with the systems in the 2002:488:999::/64
network. This is accomplished through use of the /etc/shorewall/tunnels
file and the "ip" utility for network interface and routing
configuration.</p>
<p align="left">Unlike GRE and IPIP tunneling, the
/etc/shorewall/policy, /etc/shorewall/interfaces and
/etc/shorewall/zones files are not used. There is no need to declare a
zone to represent the remote IPv6 network. This
remote network is not visible on IPv4 interfaces and to iptables. All
that
is visible on the IPv4 level is an IPv4 stream which contains IPv6
traffic. Separate IPv6 interfaces and ip6tables rules need to be
defined to handle
this traffic. </p>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IPv6
encapsulation protocol (41) will be accepted to/from the remote gateway.</p>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IPv6 encapsulation protocol (41) will be accepted to/from the remote
gateway.</p>
<p>Use the following commands to setup system A:</p>
<blockquote>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 134.28.54.2<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
&gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
</blockquote>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::1/64 dev tun6to4<br>
&gt;ip route add 2002:488:999::/64 via 3ffe:8280:0:2001::2</p>
</blockquote>
<p>Similarly, in /etc/shorewall/tunnels on system B we have:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>6to4</td>
<td>net</td>
<td>206.191.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>And use the following commands to setup system B:</p>
<blockquote>
<blockquote>
<p>&gt;ip tunnel add tun6to4 mode sit ttl 254 remote 206.191.148.9<br>
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
&gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
</blockquote>
<p>On both systems, restart Shorewall and issue the configuration commands
as listed above. The systems in both IPv6 subnetworks can now talk to each
other using IPv6.</p>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
&gt;ip link set dev tun6to4 up<br>
&gt;ip addr add 3ffe:8280:0:2001::2/64 dev tun6to4<br>
&gt;ip route add 2002:100:333::/64 via 3ffe:8280:0:2001::1</p>
</blockquote>
<p>On both systems, restart Shorewall and issue the configuration
commands as listed above. The systems in both IPv6 subnetworks can now
talk to each other using IPv6.</p>
<p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep and Eric de Thouars.</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
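Review bot: the copyright line `2001, 2002, 2003Thomas M. Eastep` is missing the space after `2003`, `how to setup a 6to4 tunnels` should read `how to set up a 6to4 tunnel`, and the first paragraph under the warning lacks its closing period. The eight empty `<br>` elements before `</body>` are FrontPage filler and can go now that the banner table has been replaced. On substance, the warning that the `6to4` tunnels entry only admits protocol 41 to and from the listed gateway and provides no IPv6 filtering is the key security point of the page; it would help to repeat, next to the `ip` commands, that the resulting `tun6to4` interface carries unfiltered IPv6 until ip6tables rules are written for it.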

View File

@ -10,18 +10,8 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and Traffic
Accounting</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall and Traffic Accounting<br>
</h1>
Shorewall Traffic Accounting support was added in Shorewall release
1.4.7.<br>
<br>
@ -38,10 +28,12 @@ accounting chain.<br>
<br>
The columns in the accounting file are as follows:<br>
<ul>
<li><span style="font-weight: bold;">ACTION</span> - What to do when a
<li><span style="font-weight: bold;">ACTION</span> - What to do when
a
match is found. Possible values are:</li>
<ul>
<li>COUNT- Simply count the match and  continue trying to match the
<li>COUNT- Simply count the match and&nbsp; continue trying to
match the
packet with the following accounting rules</li>
<li>DONE- Count the match and don't attempt to match any following
accounting rules.</li>
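Review bot: `COUNT-` at the start of the first sub-item lacks the space before the dash that the other column descriptions use (`ACTION - What to do`), and `&nbsp; continue` leaves a double space; `COUNT - Simply count the match and continue trying to match the packet with the following accounting rules` matches the rest of the list.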
@ -49,11 +41,16 @@ accounting rules.</li>
name of a chain to jump to. Shorewall will create the chain
automatically. If the name of the chain is followed by ":COUNT" then a
COUNT rule matching this rule will automatically be added to &lt;<span
style="font-style: italic;">chain</span>&gt;<br>
style="font-style: italic;">chain</span>&gt;. Chain names must start
with a letter, must be composed of letters and digits, and may contain
underscores ("_") and periods ("."). Beginning with Shorewall version
1.4.8, chain names man also contain embedded dashes ("-") and are not
required to start with a letter.<br>
</li>
</ul>
<li><span style="font-weight: bold;">CHAIN </span>- The name of the
chain where the accounting rule is to be added. If empty or "-" then the
chain where the accounting rule is to be added. If empty or "-" then
the
"accounting" chain is assumed.<br>
</li>
<li><span style="font-weight: bold;">SOURCE</span> - Packet Source.
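Review bot: `chain names man also contain embedded dashes` should read `may`. More importantly, the paragraph now states both rules back to back: `Chain names must start with a letter ...` followed by `Beginning with Shorewall version 1.4.8, chain names ... are not required to start with a letter`. Since this commit is the 1.4.8 release, lead with the 1.4.8 rule (letters, digits, underscores, periods and dashes, any leading character) and give the pre-1.4.8 restriction as a parenthetical for older releases; otherwise a reader stops at the first sentence and picks a needlessly restricted name.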
@ -61,10 +58,12 @@ The name of an interface, an address (host or net) or an interface name
followed by ":" and a host or net address.</li>
<li><span style="font-weight: bold;">DESTINATION</span> - Packet
Destination Format the same as the SOURCE column.</li>
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol name
<li><span style="font-weight: bold;">PROTOCOL</span> - A protocol
name
(from /etc/protocols) or a protocol number.</li>
<li><span style="font-weight: bold;">DEST PORT</span> - Destination
Port number. Service name from /etc/services or port number. May only be
Port number. Service name from /etc/services or port number. May only
be
specified if the protocol is TCP or UDP (6 or 17).</li>
<li><span style="font-weight: bold;">SOURCE PORT</span>- Source Port
number. Service name from /etc/services or port number. May only be
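Review bot: `Packet Destination Format the same as the SOURCE column.` needs a period or dash after `Destination`, and `SOURCE PORT</span>- Source Port` is missing the space before the dash used by the other entries. The DEST PORT and SOURCE PORT items say a port may only be given for TCP or UDP; it would be worth stating what happens when a port is given with another protocol (a startup error versus the port being ignored), because a silently ignored port turns a narrow accounting rule into a broad one.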
@ -73,16 +72,16 @@ specified if the protocol is TCP or UDP (6 or 17).<br>
</ul>
In all columns except ACTION and CHAIN, the values "-","any" and "all"
are treated as wild-cards.<br>
 <br>
&nbsp;<br>
The accounting rules are evaluated in the Netfilter 'filter' table.
This is the same environment where the 'rules' file rules are evaluated
and in this environment, DNAT has already occurred in inbound packets
and SNAT has not yet occurred on outbound ones.<br>
 <br>
&nbsp;<br>
Accounting rules are not stateful -- each rule only handles traffic in
one direction. For example, if eth0 is your internet interface and you
have a web server in your DMZ connected to eth1 then to count HTTP
traffic in both directions requires two rules: <br>
traffic in both directions requires two rules:&nbsp;<br>
<pre> #ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE<br> # PORT PORT<br> DONE - eth0 eth1 tcp 80<br> DONE - eth1 eth0 tcp - 80</pre>
Associating a counter with a chain allows for nice reporting. For
example:<br>
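Review bot: the two-rule example has been collapsed into a single `<pre>` line with `<br>` separators and single spaces, so the column alignment the `#ACTION CHAIN SOURCE DESTINATION PROTOCOL DEST SOURCE` header is meant to provide is lost in the source; keep the block as real newlines with aligned columns. The paragraph on evaluation in the filter table (DNAT already applied to inbound packets, SNAT not yet applied to outbound ones) is the caveat that matters to anyone writing address-keyed accounting rules: a rule for a DNATed server must match its internal address, not the public one, and stating that consequence explicitly would save readers a debugging round.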
@ -105,7 +104,7 @@ the DESTINATION (for output rules) is specified in each rule.<br>
<br>
Here's the output:<br>
<pre style="margin-left: 40px;">[root@mail shorewall]# shorewall show accounting web <br>Shorewall-1.4.7 Chains accounting web at mail.shorewall.net - Sun Oct 12 10:27:21 PDT 2003<br> <br>Counters reset Sat Oct 11 08:12:57 PDT 2003<br> <br>Chain accounting (3 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:80<br> 0 0 web tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 tcp dpt:443<br>11506 13M web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:80<br> 0 0 web tcp -- * eth0 0.0.0.0/0 0.0.0.0/0 tcp spt:443<br>Chain web (4 references)<br> pkts bytes target prot opt in out source destination<br> 8767 727K all -- eth0 * 0.0.0.0/0 0.0.0.0/0<br>11506 13M all -- * eth0 0.0.0.0/0 0.0.0.0/0<br>[root@mail shorewall]#<br></pre>
<p align="left"><font size="2">Last updated 10/12/2003 - <a
<p align="left"><font size="2">Last updated 10/30/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep.</font></a></font></p>
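Review bot: the `Last updated` date is bumped to 10/30/2003, but this commit (dated 2003-11-17) adds the 1.4.8 chain-name text to the same file, so the date should move with it. The sample output header still reads `Shorewall-1.4.7`; that is fine as a historical capture, but a reader comparing it with the new 1.4.8 chain-name rules may wonder, so a short note that the capture predates 1.4.8 would avoid the question.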

View File

@ -1,285 +1,226 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
<title>Corporate Shorewall Configuration</title>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
<meta content="FrontPage.Editor.Document" name="ProgId">
<meta content="none" name="Microsoft Theme">
<meta content="Graeme Boyle" name="author">
</head>
<body>
<body>
<script><!--
function PrivoxyWindowOpen(){return(null);}
//--></script>
<table id="AutoNumber1" style="border-collapse: collapse;" height="90"
cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
border="0">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and Internal
Servers</font></h1>
</td>
</tr>
</tbody>
</table>
//--></script>
<blockquote></blockquote>
<h1>Corporate Network</h1>
<h1 style="text-align: center;">Corporate Network</h1>
<p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
color="#ff0000"><b>:</b></font></big></p>
<blockquote>
<blockquote>
<ul>
<li><b>This configuration is used on a corporate network that has a
Linux (RedHat 8.0) server with three interfaces, running Shorewall 1.4.5
release,</b> </li>
<li><b>Make sure you know what public IP addresses are currently being
used and verify these </b><i>before</i><b> starting.</b> </li>
<li><b>Verify your DNS settings </b><i>before</i><b> starting any Shorewall
configuration especially if you have split DNS.</b> </li>
<li><b>System names and Internet IP addresses have been changed to protect
the innocent.</b> </li>
<li><b>This configuration is used on a corporate network that has a
Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</b> </li>
<li><b>Make sure you know what public IP addresses are currently
being used and verify these </b><i>before</i><b> starting.</b> </li>
<li><b>Verify your DNS settings </b><i>before</i><b> starting any
Shorewall configuration especially if you have split DNS.</b> </li>
<li><b>System names and Internet IP addresses have been changed to
protect the innocent.</b> </li>
</ul>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This configuration
uses a combination of Static NAT and Proxy ARP. This is generally not
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here
won't apply to your setup so beware of copying parts of this configuration
and expecting them to work for you. What you copy may or may not work
in your configuration.<br>
</small></b></big><br>
</p>
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
an IPSec tunnel connecting our offices in Germany to our offices in the
US. I host two Microsoft Exchange servers for two different companies behind
the firewall hence, the two Exchange servers in the diagram below.</p>
<p>Summary:<br>
</p>
<ul>
<li>SNAT for all systems connected to the LAN - Internal addresses
10.10.x.x to external address 192.0.18.127. </li>
<li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address
10.10.1.8 and external address 192.0.18.70. </li>
<li>Static NAT for <i>Sims</i> (Inventory Management server). Internal
address 10.10.1.56 and external address 192.0.18.75.<br>
</li>
<li>Static NAT for <i>Project</i> (Project Web Server). Internal address
10.10.1.55 and external address 192.0.18.84. </li>
<li>Static NAT for <i>Fortress</i> (Exchange Server). Internal address
10.10.1.252 and external address 192.0.18.93. </li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal address
10.10.1.230 and external address 192.0.18.97. </li>
<li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address
10.10.1.60 and external address 192.0.18.115. </li>
</ul>
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
RH8.0.</p>
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail, imap,
pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). That
server is managed through Proxy ARP.</p>
<p>All administration and publishing is done using ssh/scp. I have X installed
on the firewall and the system in the DMZ. X applications tunnel through
SSH to Hummingbird Exceed running on a PC located in the LAN. Access to
the firewall using SSH is restricted to systems in the LAN, DMZ or the
system Kaos which is on the Internet and managed by me.</p>
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
src="images/CorpNetwork.gif" width="770" border="0">
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
configuration
uses a combination of Static NAT and Proxy ARP. This is generally not
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see here
won't apply to your setup so beware of copying parts of this
configuration
and expecting them to work for you. What you copy may or may not work
in your configuration.<br>
</small></b></big><br>
</p>
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
have an IPSec tunnel connecting our offices in Germany to our offices
in the US. I host two Microsoft Exchange servers for two different
companies behind
the firewall hence, the two Exchange servers in the diagram below.</p>
<p>Summary:<br>
</p>
<p></p>
<p>The Ethernet 0 interface in the Server is configured with IP address
192.0.18.68, netmask 255.255.255.192. The server's default gateway is
192.0.18.65, the Router connected to my network and the ISP. This is the
same default gateway used by the firewall itself. On the firewall, Shorewall
automatically adds a host route to 192.0.18.80 through Ethernet 2 (192.168.21.1)
because of the entry in /etc/shorewall/proxyarp (see below). I modified
the start, stop and init scripts to include the fixes suggested when having
an IPSec tunnel.</p>
<p><b>Some Mistakes I Made:</b></p>
<p>Yes, believe it or not, I made some really basic mistakes when building
this firewall. Firstly, I had the new firewall setup in parallel with the
old firewall so that there was no interruption of service to my users.
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the outside,
these would fail and I could not understand why. Eventually, I changed
the default route on the internal system I was trying to access, to point
to the new firewall and "bingo", everything worked as expected. This oversight
delayed my deployment by a couple of days not to mention level of frustration
it produced. </p>
<p>Another problem that I encountered was in setting up the Proxyarp system
in the DMZ. Initially I forgot to remove the entry for the eth2 from the
/etc/shorewall/masq file. Once my file settings were correct, I started
verifying that the ARP caches on the firewall, as well as the outside system
"kaos", were showing the correct Ethernet MAC address. However, in testing
remote access, I could access the system in the DMZ only from the firewall
and LAN but not from the Internet. The message I received was "connection
denied" on all protocols. What I did not realize was that a "helpful"
administrator that had turned on an old system and assigned the same address
as the one I was using for Proxyarp without notifying me. How did I work
this out. I shutdown the system in the DMZ, rebooted the router and flushed
the ARP cache on the firewall and kaos. Then, from kaos, I started pinging
that IP address and checked the updated ARP cache and lo-and-behold a
different MAC address showed up. High levels of frustration etc., etc.
The administrator will <i>not</i> be doing that again! :-)</p>
<p><b>Lessons Learned:</b></p>
<ul>
<li>Read the documentation. </li>
<li>Draw your network topology before starting. </li>
<li>Understand what services you are going to allow in and out of the
firewall, whether they are TCP or UDP packets and make a note of these
port numbers. </li>
<li>Try to get quiet time to build the firewall - you need to focus
on the job at hand. </li>
<li>When asking for assistance, be honest and include as much detail
as requested. Don't try and hide IP addresses etc., you will probably
screw up the logs and make receiving assistance harder. </li>
<li>Read the documentation. </li>
<li>SNAT for all systems connected to the LAN - Internal addresses
10.10.x.x to external address 192.0.18.127. </li>
<li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal
address 10.10.1.8 and external address 192.0.18.70. </li>
<li>Static NAT for <i>Sims</i> (Inventory Management server).
Internal address 10.10.1.56 and external address 192.0.18.75.<br>
</li>
<li>Static NAT for <i>Project</i> (Project Web Server). Internal
address 10.10.1.55 and external address 192.0.18.84. </li>
<li>Static NAT for <i>Fortress</i> (Exchange Server). Internal
address 10.10.1.252 and external address 192.0.18.93. </li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal
address 10.10.1.230 and external address 192.0.18.97. </li>
<li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal
address 10.10.1.60 and external address 192.0.18.115. </li>
</ul>
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard
with RH8.0.</p>
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd
1.1.0). That server is managed through Proxy ARP.</p>
<p>All administration and publishing is done using ssh/scp. I have X
installed on the firewall and the system in the DMZ. X applications
tunnel through SSH to Hummingbird Exceed running on a PC located in the
LAN. Access to the firewall using SSH is restricted to systems in the
LAN, DMZ or the system Kaos which is on the Internet and managed by me.</p>
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
src="images/CorpNetwork.gif" width="770" border="0"> </p>
<p></p>
<p>The Ethernet 0 interface in the Server is configured with IP
address 192.0.18.68, netmask 255.255.255.192. The server's default
gateway is 192.0.18.65, the Router connected to my network and the ISP.
This is the same default gateway used by the firewall itself. On the
firewall, Shorewall automatically adds a host route to 192.0.18.80
through Ethernet 2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
<p><b>Some Mistakes I Made:</b></p>
<p>Yes, believe it or not, I made some really basic mistakes when
building this firewall. Firstly, I had the new firewall setup in
parallel with the
old firewall so that there was no interruption of service to my users.
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the
outside,
these would fail and I could not understand why. Eventually, I changed
the default route on the internal system I was trying to access, to
point
to the new firewall and "bingo", everything worked as expected. This
oversight
delayed my deployment by a couple of days not to mention level of
frustration
it produced. </p>
<p>Another problem that I encountered was in setting up the Proxyarp
system in the DMZ. Initially I forgot to remove the entry for the eth2
from the /etc/shorewall/masq file. Once my file settings were correct,
I started verifying that the ARP caches on the firewall, as well as the
outside system "kaos", were showing the correct Ethernet MAC address.
However, in testing remote access, I could access the system in the DMZ
only from the firewall
and LAN but not from the Internet. The message I received was
"connection
denied" on all protocols. What I did not realize was that a "helpful"
administrator that had turned on an old system and assigned the same
address
as the one I was using for Proxyarp without notifying me. How did I
work
this out. I shutdown the system in the DMZ, rebooted the router and
flushed
the ARP cache on the firewall and kaos. Then, from kaos, I started
pinging
that IP address and checked the updated ARP cache and lo-and-behold a
different MAC address showed up. High levels of frustration etc., etc.
The administrator will <i>not</i> be doing that again! :-)</p>
<p><b>Lessons Learned:</b></p>
<ul>
<li>Read the documentation. </li>
<li>Draw your network topology before starting. </li>
<li>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note of
these port numbers. </li>
<li>Try to get quiet time to build the firewall - you need to focus
on the job at hand. </li>
<li>When asking for assistance, be honest and include as much
detail as requested. Don't try and hide IP addresses etc., you will
probably screw up the logs and make receiving assistance harder. </li>
<li>Read the documentation. </li>
</ul>
<p><b>Futures:</b></p>
<p>This is by no means the final configuration. In the near future, I will
be moving more systems from the LAN to the DMZ. I will also be watching
the logs for port scan programs etc. but, this should be standard security
maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal documentation
for the purpose of this space however, my system still has the original
files with all the comments and I highly recommend you do the same.</p>
</blockquote>
<p>This is by no means the final configuration. In the near future, I
will be moving more systems from the LAN to the DMZ. I will also be
watching the logs for port scan programs etc. but, this should be
standard security maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal
documentation
for the purpose of this space however, my system still has the original
files with all the comments and I highly recommend you do the same.</p>
</blockquote>
<h3>Shorewall.conf</h3>
<blockquote>
<blockquote>
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
</blockquote>
</blockquote>
<h3>Zones File</h3>
<blockquote>
<blockquote>
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
face="Courier" size="2"><br></font></pre>
</blockquote>
</blockquote>
<h3>Interfaces File: </h3>
<blockquote>
<blockquote>
<p>##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
</blockquote>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
</blockquote>
<h3>Routestopped File:</h3>
<blockquote>
<blockquote>
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
face="Courier" size="2"> </font></pre>
</blockquote>
</blockquote>
<h3>Policy File:</h3>
<blockquote>
<blockquote>
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
</blockquote>
<h3>Masq File: </h3>
<blockquote>
<blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
</blockquote>
<h3>NAT File: </h3>
<blockquote>
<blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
</blockquote>
<h3>Proxy ARP File:</h3>
<blockquote>
<blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote>
</blockquote>
<h3>Tunnels File:</h3>
<blockquote>
<blockquote>
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
</blockquote>
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
<blockquote>
<blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 
-<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
</blockquote>
<h3>Start File:</h3>
<blockquote>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
</blockquote>
</blockquote>
<h3>Stop File:</h3>
<blockquote>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
</blockquote>
</blockquote>
<h3>Init File:</h3>
<blockquote>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
</blockquote>
<p><font size="2">Last updated 7/16/2003</font>
</blockquote>
<p><font size="2">Last updated 7/16/2003</font>
<script><!--
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
//</script>
<br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
<br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep
and
Graeme Boyle</a></small><br>
</p>
<br>
<br>
</p>
<br>
<br>
</body>
</html>
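Review bot: the Policy file in this sample has `dmz loc ACCEPT` (and `dmz fw ACCEPT`), which gives every DMZ host default-allow access into the internal LAN and the firewall and so defeats the purpose of having a DMZ; the explicit `ACCEPT dmz loc:10.10.1.60 tcp 443` rules further down are redundant under that policy, which suggests the policy was meant to be DROP/REJECT with those rules opening only what is needed. The sample is also internally inconsistent in ways a reader copying it will trip over: the Masq entry `eth0 eth1 1192.0.18.126` has a first octet of 1192 and is not a valid IPv4 address (presumably 192.0.18.126); the NAT file maps the Blackberry Server external address 192.0.18.97 to 10.10.1.55, the same internal host as the Project Web Server, while the Rules file opens tcp 3101 to `loc:10.10.1.230` for the Blackberry Server, so one of the two is wrong; the Policy comment "remove the comment from the following line" precedes a `fw net ACCEPT` line that is already uncommented; and, as rendered, the `ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110` rule is followed by a lone `-` at the start of the next line, which Shorewall would read as a separate (invalid) rule rather than as the SOURCE PORT column. Suggest fixing these before the file is published as a worked example.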

View File

@ -12,17 +12,8 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall 1.4 Reference</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall 1.4 Reference<br>
</h1>
<h2 align="center">This documentation is intended primarily for
reference. Step-by-step instructions for configuring Shorewall in
common setups may be found in the <a
@ -1190,6 +1181,13 @@ header-rewriting rule.<br>
</li>
<li>LOG - Log the packet -- requires
a syslog level (see below).</li>
<li>QUEUE - Forward the packet to a user-space application. This
facility is provided to allow interfacing to <a
href="http://p2pwall.sourceforge.net">ftwall</a> for <a
href="Shorewall_and_Kazaa.html">Kazaa filtering</a>. Note: When the
protocol specified in the PROTO column is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
</ul>
<p>Beginning with Shorewall version 1.4.7, you may rate-limit the
rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
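Review bot: the new QUEUE bullet says that for TCP only connection requests (SYN packets) are passed to user space, but does not say what happens to the remaining packets of those connections; a reader using QUEUE as a filter needs to know whether the non-SYN packets are ACCEPTed by the same rule or fall through to the zone policy. It should also state the operational preconditions: the netfilter QUEUE target requires the ip_queue kernel support and a user-space process listening on the queue, and packets queued while nothing is listening are dropped, so a QUEUE rule silently blocks that traffic whenever ftwall is not running. One sentence on each would make the facility safe to deploy.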
@ -2842,7 +2840,7 @@ Validation Documentation</a>.<br>
<h2><a name="ECN"></a>/etc/shorewall/ecn (Added in Version 1.4.0)</h2>
This file is described in the <a href="ECN.html">ECN Control
Documentation</a>.<br>
<p><font size="-1"> Updated 8/21/2003 - <a href="support.htm">Tom
<p><font size="-1"> Updated 8/30/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font

View File

@ -2,90 +2,75 @@
<html>
<head>
<title>Shorewall and ECN</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td
width="100%">
<h1 align="center"><font color="#ffffff">ECN</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Explicit Congestion Notification (ECN) is described in RFC 3168 and is a
proposed internet standard. Unfortunately, not all sites support ECN and when
a TCP connection offering ECN is sent to sites that don't support it, the
<body>
<br>
<h1 style="text-align: center;">ECN<br>
</h1>
Explicit Congestion Notification (ECN) is described in RFC 3168 and is
a proposed internet standard. Unfortunately, not all sites support ECN
and when
a TCP connection offering ECN is sent to sites that don't support it,
the
result is often that the connection request is ignored.<br>
<br>
To allow ECN to be used, Shorewall allows you to enable ECN on your Linux
systems then disable it in your firewall when the destination matches a list
that you create (the /etc/shorewall/ecn file).<br>
<br>
You enable ECN by<br>
<br>
<blockquote>
<br>
To allow ECN to be used, Shorewall allows you to enable ECN on your
Linux systems then disable it in your firewall when the destination
matches a list that you create (the /etc/shorewall/ecn file).<br>
<br>
You enable ECN by<br>
<br>
<blockquote>
<pre><b><font color="#009900">echo 1 &gt; /proc/sys/net/ipv4/tcp_ecn</font></b></pre>
</blockquote>
You must arrange for that command to be executed at system boot. Most distributions
have a method for doing that -- on RedHat, you make an entry in /etc/sysctl.conf.<br>
<br>
<blockquote>
</blockquote>
You must arrange for that command to be executed at system boot. Most
distributions have a method for doing that -- on RedHat, you make an
entry in /etc/sysctl.conf.<br>
<br>
<blockquote>
<pre><b><font color="#009900">net.ipv4.tcp_ecn = 1<br><br></font></b></pre>
</blockquote>
Entries in /etc/shorewall/ecn have two columns as follows:<br>
<br>
INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
<br>
HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or subnet)
of a system or group of systems accessed through the &nbsp;interface in the
first column. You may include a comma-separated list of such addresses in
this column. <br>
<br>
Example: Your external interface is eth0 and you want to disable ECN for
tcp connections to 192.0.2.0/24:<br>
<br>
In /etc/shorewall/ecn:<br>
<br>
<blockquote>
</blockquote>
Entries in /etc/shorewall/ecn have two columns as follows:<br>
<br>
INTERFACE&nbsp;&nbsp;&nbsp; - The name of an interface on your system<br>
<br>
HOST(S)&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; - An address (host or
subnet) of a system or group of systems accessed through the
&nbsp;interface in the first column. You may include a comma-separated
list of such addresses in this column. <br>
<br>
Example: Your external interface is eth0 and you want to disable ECN
for tcp connections to 192.0.2.0/24:<br>
<br>
In /etc/shorewall/ecn:<br>
<br>
<blockquote>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>HOST(S)<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">192.0.2.0/24<br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top"><b>INTERFACE<br>
</b></td>
<td valign="top"><b>HOST(S)<br>
</b></td>
</tr>
<tr>
<td valign="top">eth0<br>
</td>
<td valign="top">192.0.2.0/24<br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</blockquote>
<font size="2">Last updated 3/28/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</p>
<br>
</body>
</html>
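Review bot: the reflowed ECN text still leaves it unclear which connections the /etc/shorewall/ecn entries affect. It says ECN is enabled on "your Linux systems" and then "disabled in your firewall when the destination matches" the list, but tcp_ecn is a per-host kernel setting and internal hosts behind the firewall have their own; the page should say whether the entries strip ECN only from connections the firewall itself originates or also from forwarded connections, since that decides whether a LAN host with tcp_ecn enabled is protected by this file. It would also help to add, after the `net.ipv4.tcp_ecn = 1` example, that the sysctl.conf entry takes effect at the next boot (or with `sysctl -p`), because the preceding `echo 1 > /proc/sys/net/ipv4/tcp_ecn` is what applies it immediately.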

View File

@ -10,20 +10,11 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall FAQs</font></h1>
</td>
</tr>
</tbody>
</table>
<h1>Looking for Step by Step Configuration Instructions? Check out the <a
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
<h1 style="text-align: center;">Shorewall FAQs<br>
</h1>
<h2>Looking for Step by Step Configuration Instructions? Check out the <a
href="shorewall_quickstart_guide.htm">QuickStart Guides</a>. <br>
</h2>
<h1>PORT FORWARDING<br>
</h1>
<p align="left"><b>1. </b><a href="#faq1"> I want to <b>forward</b>
@ -140,6 +131,9 @@ your <b>web site</b>?</a><br>
<b><br>
25. </b><a href="#faq25">How to I tell <b>which version of Shorewall</b>
I am <b>running</b>?</a><br>
<br>
<span style="font-weight: bold;">31. </span><a href="#faq31">Does
Shorewall provide protection against...</a><br>
<h1>RFC 1918<br>
</h1>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable
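Review bot: the new index entry `31. Does Shorewall provide protection against...` is inserted after item 25 and before the RFC 1918 heading with its question truncated, so a reader scanning the index cannot tell which attacks it covers; suggest spelling out the list (IP spoofing, teardrop, smurf/fraggle, land, DoS) in the index entry, matching the FAQ 31 body added further down in this file.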
@ -992,9 +986,46 @@ cause of packets being logged in the FORWARD chain.<br>
</li>
<li><b>logflags </b>- The packet is being logged because it failed
the checks implemented by the <b>tcpflags </b><a
href="Documentation.htm#Interfaces">interface option</a>.<br>
</li>
href="Documentation.htm#Interfaces">interface option</a>.</li>
</ol>
<p align="left">Here is an example:</p>
<font face="Century Gothic, Arial, Helvetica">
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
Shorewall:<span style="text-decoration: underline;">all2all:REJECT</span>:<span
style="text-decoration: underline;">IN=eth2</span> <span
style="text-decoration: underline;">OUT=eth1</span> <span
style="text-decoration: underline;">SRC=192.168.2.2</span>
<span style="text-decoration: underline;">DST=192.168.1.3</span> LEN=67
TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF <span
style="text-decoration: underline;">PROTO=UDP</span>
SPT=1803 <span style="text-decoration: underline;">DPT=53</span> LEN=47</font></p>
</font>
<p align="left">Let's look at the important parts of this message:</p>
<ul>
<li>all2all:REJECT - This packet was REJECTed out of the <span
style="font-weight: bold;">all2all</span> chain -- the packet
was rejected under the "all"-&gt;"all"
REJECT policy (number 3 above).<a
href="file:///vfat/Shorewall-docs/FAQ.htm#faq17"><br>
</a></li>
<li>IN=eth2 - the packet entered the firewall via eth2. If you see
"IN=" with no interface name, the packet originated on the firewall
itself.<br>
</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1. If you
see "OUT=" with no interface name, the packet would be processed by the
firewall itself.<br>
</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - The destination port is 53 (DNS)<br>
</li>
</ul>
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and
192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;
loc&nbsp;&nbsp;&nbsp; udp&nbsp;&nbsp;&nbsp; 53
<h4><a name="faq18"></a>18. Is there any way to use <b>aliased ip
addresses</b> with Shorewall, and maintain separate rulesets for
different IPs?</h4>
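Review bot: the `all2all:REJECT` bullet wraps its trailing `<br>` in `<a href="file:///vfat/Shorewall-docs/FAQ.htm#faq17">`, a link to the author's local filesystem that will be dead for every reader of the published page and points back at the FAQ being read; remove the anchor (the `<br>` can stay). Otherwise the worked log example is a useful addition: it would be slightly stronger if it also noted that the missing rule is inferred from SRC/DST and DPT together, since the same REJECT line would appear for any dmz-to-loc traffic with no matching rule.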
@ -1135,8 +1166,38 @@ to allow connections from the internet to your local network. In all
other cases, you use ACCEPT unless you need to hijack connections as
they go through your firewall and handle them on the firewall box
itself; in that case, you use a REDIRECT rule.<br>
<br>
<font size="2">Last updated 10/04/2003 - <a href="support.htm">Tom
<h4><a name="faq31"></a>31. Does Shorewall provide protection
against....</h4>
<ol>
<li>IP Spoofing: Sending packets over the WAN interface using an
internal LAP IP address as the source address? <span
style="font-weight: bold;">Answer: </span>Yes.</li>
<li>Tear Drop: Sending packets that contain overlapping fragments? <span
style="font-weight: bold;">Answer: </span>This is the responsibility
of the IP stack, not the Netfilter-based firewall since fragment
reassembly occurs before the stateful packet filter ever touches each
packet.</li>
<li>Smurf and Fraggle: Sending packets that use the WAN or LAN
broadcast address as the source address? <span
style="font-weight: bold;">Answer: </span>Shorewall can be configured
to do that using the <a href="blacklisting_support.htm">blacklisting</a>
facility.</li>
<li>Land Attack: Sending packets that use the same address as the
source and destination address? <span style="font-weight: bold;">Answer:
</span>Yes, if the <a href="Documentation.htm#Interfaces">routefilter
interface option</a> is selected.</li>
<li>DOS:<br>
&nbsp;&nbsp; - SYN Dos<br>
&nbsp;&nbsp; - ICMP Dos<br>
&nbsp;&nbsp; - Per-host Dos protection<br>
<span style="font-weight: bold;">Answer: </span>Shorewall has
facilities for limiting SYN and ICMP packets. Netfilter as included in
standard Linux kernels doesn't support per-remote-host limiting except
by explicit rule that specifies the host IP address; that form of
limiting is supported by Shorewall.<br>
</li>
</ol>
<font size="2">Last updated 10/28/2003 - <a href="support.htm">Tom
Eastep</a></font>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
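Review bot: several of the new FAQ 31 answers need tightening before readers rely on them. Item 3 (Smurf/Fraggle) answers "Shorewall can be configured to do that", which reads as though Shorewall can be configured to send such packets; it should say "to block that". The same item defines the attack as packets with a broadcast source address, whereas smurf and fraggle are normally described as echo requests sent to a broadcast address with the victim's address forged as the source, so the blacklisting answer covers only the source-address case and the question should say so. Item 1 answers IP spoofing with an unconditional "Yes", but a packet arriving on the WAN interface with an internal source address is rejected only by the routefilter interface option (which item 4 cites) or by explicit rules and options; the answer should state that condition as item 4 does. Also "internal LAP IP address" in item 1 should read "LAN".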

View File

@ -8,19 +8,10 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall and FTP</font></h1>
</td>
</tr>
</tbody>
</table>
<h2></h2>
<blockquote> </blockquote>
<h1 style="text-align: center;">Shorewall and FTP<br>
</h1>
<p>FTP transfers involve two TCP connections. The first <u>control</u>
connection goes from the FTP client to port 21 on the FTP server. This
connection is used for logon and to send commands and responses between

View File

@ -8,17 +8,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Generic Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Generic Tunnels<br>
</h1>
Shorewall includes built-in support for a wide range of VPN solutions.
If you have need for a tunnel type that does not have explicit support,
you can generally describe the tunneling software using "generic

View File

@ -1,341 +1,420 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h2 align="center"><font color="#ffffff">GNU Free Documentation License</font></h2>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">GNU Free Documentation License<br>
</h1>
<p>Version 1.1, March 2000 </p>
<pre>Copyright (C) 2000 Free Software Foundation, Inc.<br>59 Temple Place, Suite 330, Boston, MA 02111-1307 USA<br>Everyone is permitted to copy and distribute verbatim copies<br>of this license document, but changing it is not allowed.<br></pre>
<p><strong>0. PREAMBLE</strong> </p>
<p>The purpose of this License is to make a manual, textbook, or other written
document "free" in the sense of freedom: to assure everyone the effective
freedom to copy and redistribute it, with or without modifying it, either
commercially or noncommercially. Secondarily, this License preserves for
the author and publisher a way to get credit for their work, while not being
considered responsible for modifications made by others. </p>
<p>This License is a kind of "copyleft", which means that derivative works
of the document must themselves be free in the same sense. It complements
the GNU General Public License, which is a copyleft license designed for
<p>The purpose of this License is to make a manual, textbook, or other
written document "free" in the sense of freedom: to assure everyone the
effective freedom to copy and redistribute it, with or without
modifying it, either commercially or noncommercially. Secondarily, this
License preserves for
the author and publisher a way to get credit for their work, while not
being considered responsible for modifications made by others. </p>
<p>This License is a kind of "copyleft", which means that derivative
works
of the document must themselves be free in the same sense. It
complements
the GNU General Public License, which is a copyleft license designed
for
free software. </p>
<p>We have designed this License in order to use it for manuals for free software,
because free software needs free documentation: a free program should come
with manuals providing the same freedoms that the software does. But this
License is not limited to software manuals; it can be used for any textual
work, regardless of subject matter or whether it is published as a printed
book. We recommend this License principally for works whose purpose is instruction
<p>We have designed this License in order to use it for manuals for
free software,
because free software needs free documentation: a free program should
come
with manuals providing the same freedoms that the software does. But
this License is not limited to software manuals; it can be used for any
textual
work, regardless of subject matter or whether it is published as a
printed
book. We recommend this License principally for works whose purpose is
instruction
or reference. </p>
<p><strong>1. APPLICABILITY AND DEFINITIONS</strong> </p>
<p>This License applies to any manual or other work that contains a notice
placed by the copyright holder saying it can be distributed under the terms
of this License. The "Document", below, refers to any such manual or work.
<p>This License applies to any manual or other work that contains a
notice placed by the copyright holder saying it can be distributed
under the terms
of this License. The "Document", below, refers to any such manual or
work.
Any member of the public is a licensee, and is addressed as "you". </p>
<p>A "Modified Version" of the Document means any work containing the Document
or a portion of it, either copied verbatim, or with modifications and/or translated
<p>A "Modified Version" of the Document means any work containing the
Document or a portion of it, either copied verbatim, or with
modifications and/or translated
into another language. </p>
<p>A "Secondary Section" is a named appendix or a front-matter section of
the Document that deals exclusively with the relationship of the publishers
or authors of the Document to the Document's overall subject (or to related
matters) and contains nothing that could fall directly within that overall
subject. (For example, if the Document is in part a textbook of mathematics,
a Secondary Section may not explain any mathematics.) The relationship could
be a matter of historical connection with the subject or with related matters,
or of legal, commercial, philosophical, ethical or political position regarding
<p>A "Secondary Section" is a named appendix or a front-matter section
of
the Document that deals exclusively with the relationship of the
publishers
or authors of the Document to the Document's overall subject (or to
related matters) and contains nothing that could fall directly within
that overall subject. (For example, if the Document is in part a
textbook of mathematics,
a Secondary Section may not explain any mathematics.) The relationship
could
be a matter of historical connection with the subject or with related
matters,
or of legal, commercial, philosophical, ethical or political position
regarding
them. </p>
<p>The "Invariant Sections" are certain Secondary Sections whose titles are
designated, as being those of Invariant Sections, in the notice that says
<p>The "Invariant Sections" are certain Secondary Sections whose titles
are designated, as being those of Invariant Sections, in the notice
that says
that the Document is released under this License. </p>
<p>The "Cover Texts" are certain short passages of text that are listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that the
<p>The "Cover Texts" are certain short passages of text that are
listed,
as Front-Cover Texts or Back-Cover Texts, in the notice that says that
the
Document is released under this License. </p>
<p>A "Transparent" copy of the Document means a machine-readable copy, represented
in a format whose specification is available to the general public, whose
contents can be viewed and edited directly and straightforwardly with generic
text editors or (for images composed of pixels) generic paint programs or
(for drawings) some widely available drawing editor, and that is suitable
for input to text formatters or for automatic translation to a variety of
formats suitable for input to text formatters. A copy made in an otherwise
Transparent file format whose markup has been designed to thwart or discourage
subsequent modification by readers is not Transparent. A copy that is not
<p>A "Transparent" copy of the Document means a machine-readable copy,
represented
in a format whose specification is available to the general public,
whose
contents can be viewed and edited directly and straightforwardly with
generic
text editors or (for images composed of pixels) generic paint programs
or
(for drawings) some widely available drawing editor, and that is
suitable
for input to text formatters or for automatic translation to a variety
of
formats suitable for input to text formatters. A copy made in an
otherwise
Transparent file format whose markup has been designed to thwart or
discourage
subsequent modification by readers is not Transparent. A copy that is
not
"Transparent" is called "Opaque". </p>
<p>Examples of suitable formats for Transparent copies include plain ASCII
without markup, Texinfo input format, LaTeX input format, SGML or XML using
a publicly available DTD, and standard-conforming simple HTML designed for
human modification. Opaque formats include PostScript, PDF, proprietary formats
that can be read and edited only by proprietary word processors, SGML or
XML for which the DTD and/or processing tools are not generally available,
and the machine-generated HTML produced by some word processors for output
<p>Examples of suitable formats for Transparent copies include plain
ASCII without markup, Texinfo input format, LaTeX input format, SGML or
XML using
a publicly available DTD, and standard-conforming simple HTML designed
for
human modification. Opaque formats include PostScript, PDF, proprietary
formats
that can be read and edited only by proprietary word processors, SGML
or
XML for which the DTD and/or processing tools are not generally
available,
and the machine-generated HTML produced by some word processors for
output
purposes only. </p>
<p>The "Title Page" means, for a printed book, the title page itself, plus
such following pages as are needed to hold, legibly, the material this License
requires to appear in the title page. For works in formats which do not have
any title page as such, "Title Page" means the text near the most prominent
appearance of the work's title, preceding the beginning of the body of the
<p>The "Title Page" means, for a printed book, the title page itself,
plus
such following pages as are needed to hold, legibly, the material this
License requires to appear in the title page. For works in formats
which do not have
any title page as such, "Title Page" means the text near the most
prominent appearance of the work's title, preceding the beginning of
the body of the
text. </p>
<p><strong>2. VERBATIM COPYING</strong> </p>
<p>You may copy and distribute the Document in any medium, either commercially
or noncommercially, provided that this License, the copyright notices, and
the license notice saying this License applies to the Document are reproduced
in all copies, and that you add no other conditions whatsoever to those of
this License. You may not use technical measures to obstruct or control the
reading or further copying of the copies you make or distribute. However,
you may accept compensation in exchange for copies. If you distribute a large
enough number of copies you must also follow the conditions in section 3.
<p>You may copy and distribute the Document in any medium, either
commercially or noncommercially, provided that this License, the
copyright notices, and
the license notice saying this License applies to the Document are
reproduced
in all copies, and that you add no other conditions whatsoever to those
of
this License. You may not use technical measures to obstruct or control
the
reading or further copying of the copies you make or distribute.
However,
you may accept compensation in exchange for copies. If you distribute a
large
enough number of copies you must also follow the conditions in section
3.
</p>
<p>You may also lend copies, under the same conditions stated above, and
<p>You may also lend copies, under the same conditions stated above,
and
you may publicly display copies. </p>
<p><strong>3. COPYING IN QUANTITY</strong> </p>
<p>If you publish printed copies of the Document numbering more than 100,
and the Document's license notice requires Cover Texts, you must enclose
the copies in covers that carry, clearly and legibly, all these Cover Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back cover.
Both covers must also clearly and legibly identify you as the publisher of
these copies. The front cover must present the full title with all words
of the title equally prominent and visible. You may add other material on
the covers in addition. Copying with changes limited to the covers, as long
as they preserve the title of the Document and satisfy these conditions,
<p>If you publish printed copies of the Document numbering more than
100,
and the Document's license notice requires Cover Texts, you must
enclose
the copies in covers that carry, clearly and legibly, all these Cover
Texts:
Front-Cover Texts on the front cover, and Back-Cover Texts on the back
cover.
Both covers must also clearly and legibly identify you as the publisher
of
these copies. The front cover must present the full title with all
words
of the title equally prominent and visible. You may add other material
on
the covers in addition. Copying with changes limited to the covers, as
long
as they preserve the title of the Document and satisfy these
conditions,
can be treated as verbatim copying in other respects. </p>
<p>If the required texts for either cover are too voluminous to fit legibly,
you should put the first ones listed (as many as fit reasonably) on the actual
cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering more
than 100, you must either include a machine-readable Transparent copy along
with each Opaque copy, or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent copy of the Document,
free of added material, which the general network-using public has access
to download anonymously at no charge using public-standard network protocols.
If you use the latter option, you must take reasonably prudent steps, when
you begin distribution of Opaque copies in quantity, to ensure that this Transparent
copy will remain thus accessible at the stated location until at least one
year after the last time you distribute an Opaque copy (directly or through
<p>If the required texts for either cover are too voluminous to fit
legibly,
you should put the first ones listed (as many as fit reasonably) on the
actual cover, and continue the rest onto adjacent pages. </p>
<p>If you publish or distribute Opaque copies of the Document numbering
more than 100, you must either include a machine-readable Transparent
copy along
with each Opaque copy, or state in or with each Opaque copy a
publicly-accessible computer-network location containing a complete
Transparent copy of the Document,
free of added material, which the general network-using public has
access
to download anonymously at no charge using public-standard network
protocols.
If you use the latter option, you must take reasonably prudent steps,
when
you begin distribution of Opaque copies in quantity, to ensure that
this Transparent
copy will remain thus accessible at the stated location until at least
one
year after the last time you distribute an Opaque copy (directly or
through
your agents or retailers) of that edition to the public. </p>
<p>It is requested, but not required, that you contact the authors of the
Document well before redistributing any large number of copies, to give them
<p>It is requested, but not required, that you contact the authors of
the Document well before redistributing any large number of copies, to
give them
a chance to provide you with an updated version of the Document. </p>
<p><strong>4. MODIFICATIONS</strong> </p>
<p>You may copy and distribute a Modified Version of the Document under the
conditions of sections 2 and 3 above, provided that you release the Modified
Version under precisely this License, with the Modified Version filling the
role of the Document, thus licensing distribution and modification of the
Modified Version to whoever possesses a copy of it. In addition, you must
<p>You may copy and distribute a Modified Version of the Document under
the conditions of sections 2 and 3 above, provided that you release the
Modified Version under precisely this License, with the Modified
Version filling the
role of the Document, thus licensing distribution and modification of
the
Modified Version to whoever possesses a copy of it. In addition, you
must
do these things in the Modified Version: </p>
<p> </p>
<p>&nbsp;</p>
<ul>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any)
a title distinct from that of the Document, and from those of previous
versions (which should, if there were any, be listed in the History section
of the Document). You may use the same title as a previous version if the
original publisher of that version gives permission. </li>
<li><strong>B.</strong> List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in
the Modified Version, together with at least five of the principal authors
of the Document (all of its principal authors, if it has less than five).
</li>
<li><strong>C.</strong> State on the Title page the name of the publisher
of the Modified Version, as the publisher. </li>
<li><strong>D.</strong> Preserve all the copyright notices of the Document.
</li>
<li><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright notices,
a license notice giving the public permission to use the Modified Version
under the terms of this License, in the form shown in the Addendum below.
</li>
<li><strong>G.</strong> Preserve in that license notice the full lists
of Invariant Sections and required Cover Texts given in the Document's
license notice. </li>
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
<li><strong>I.</strong> Preserve the section entitled "History", and its
title, and add to it an item stating at least the title, year, new authors,
and publisher of the Modified Version as given on the Title Page. If there
is no section entitled "History" in the Document, create one stating the
title, year, authors, and publisher of the Document as given on its Title
Page, then add an item describing the Modified Version as stated in the
previous sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given in
the Document for public access to a Transparent copy of the Document, and
likewise the network locations given in the Document for previous versions
it was based on. These may be placed in the "History" section. You may
omit a network location for a work that was published at least four years
before the Document itself, or if the original publisher of the version
it refers to gives permission. </li>
<li><strong>K.</strong> In any section entitled "Acknowledgements" or
"Dedications", preserve the section's title, and preserve in the section
all the substance and tone of each of the contributor acknowledgements
and/or dedications given therein. </li>
<li><strong>L.</strong> Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the equivalent
are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled "Endorsements". Such
a section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as "Endorsements"
or to conflict in title with any Invariant Section. </li>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if
any)
a title distinct from that of the Document, and from those of previous
versions (which should, if there were any, be listed in the History
section
of the Document). You may use the same title as a previous version if
the
original publisher of that version gives permission. </li>
<li><strong>B.</strong> List on the Title Page, as authors, one or
more persons or entities responsible for authorship of the
modifications in
the Modified Version, together with at least five of the principal
authors
of the Document (all of its principal authors, if it has less than
five). </li>
<li><strong>C.</strong> State on the Title page the name of the
publisher
of the Modified Version, as the publisher. </li>
<li><strong>D.</strong> Preserve all the copyright notices of the
Document. </li>
<li><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright
notices,
a license notice giving the public permission to use the Modified
Version
under the terms of this License, in the form shown in the Addendum
below. </li>
<li><strong>G.</strong> Preserve in that license notice the full
lists
of Invariant Sections and required Cover Texts given in the Document's
license notice. </li>
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
<li><strong>I.</strong> Preserve the section entitled "History", and
its title, and add to it an item stating at least the title, year, new
authors, and publisher of the Modified Version as given on the Title
Page. If there
is no section entitled "History" in the Document, create one stating
the
title, year, authors, and publisher of the Document as given on its
Title
Page, then add an item describing the Modified Version as stated in the
previous sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given
in
the Document for public access to a Transparent copy of the Document,
and
likewise the network locations given in the Document for previous
versions
it was based on. These may be placed in the "History" section. You may
omit a network location for a work that was published at least four
years
before the Document itself, or if the original publisher of the version
it refers to gives permission. </li>
<li><strong>K.</strong> In any section entitled "Acknowledgements" or
"Dedications", preserve the section's title, and preserve in the
section
all the substance and tone of each of the contributor acknowledgements
and/or dedications given therein. </li>
<li><strong>L.</strong> Preserve all the Invariant Sections of the
Document, unaltered in their text and in their titles. Section numbers
or the equivalent are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled "Endorsements".
Such
a section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as
"Endorsements" or to conflict in title with any Invariant Section. </li>
</ul>
<p>If the Modified Version includes new front-matter sections or appendices
that qualify as Secondary Sections and contain no material copied from the
Document, you may at your option designate some or all of these sections
as invariant. To do this, add their titles to the list of Invariant Sections
in the Modified Version's license notice. These titles must be distinct from
<p>If the Modified Version includes new front-matter sections or
appendices
that qualify as Secondary Sections and contain no material copied from
the
Document, you may at your option designate some or all of these
sections
as invariant. To do this, add their titles to the list of Invariant
Sections
in the Modified Version's license notice. These titles must be distinct
from
any other section titles. </p>
<p>You may add a section entitled "Endorsements", provided it contains nothing
but endorsements of your Modified Version by various parties--for example,
statements of peer review or that the text has been approved by an organization
as the authoritative definition of a standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and a
passage of up to 25 words as a Back-Cover Text, to the end of the list of
Cover Texts in the Modified Version. Only one passage of Front-Cover Text
and one of Back-Cover Text may be added by (or through arrangements made
by) any one entity. If the Document already includes a cover text for the
same cover, previously added by you or by arrangement made by the same entity
you are acting on behalf of, you may not add another; but you may replace
the old one, on explicit permission from the previous publisher that added
<p>You may add a section entitled "Endorsements", provided it contains
nothing but endorsements of your Modified Version by various
parties--for example, statements of peer review or that the text has
been approved by an organization as the authoritative definition of a
standard. </p>
<p>You may add a passage of up to five words as a Front-Cover Text, and
a passage of up to 25 words as a Back-Cover Text, to the end of the
list of
Cover Texts in the Modified Version. Only one passage of Front-Cover
Text
and one of Back-Cover Text may be added by (or through arrangements
made
by) any one entity. If the Document already includes a cover text for
the
same cover, previously added by you or by arrangement made by the same
entity
you are acting on behalf of, you may not add another; but you may
replace
the old one, on explicit permission from the previous publisher that
added
the old one. </p>
<p>The author(s) and publisher(s) of the Document do not by this License
give permission to use their names for publicity for or to assert or imply
endorsement of any Modified Version. </p>
<p>The author(s) and publisher(s) of the Document do not by this
License
give permission to use their names for publicity for or to assert or
imply endorsement of any Modified Version. </p>
<p><strong>5. COMBINING DOCUMENTS</strong> </p>
<p>You may combine the Document with other documents released under this License,
under the terms defined in section 4 above for modified versions, provided
that you include in the combination all of the Invariant Sections of all
of the original documents, unmodified, and list them all as Invariant Sections
<p>You may combine the Document with other documents released under
this License,
under the terms defined in section 4 above for modified versions,
provided
that you include in the combination all of the Invariant Sections of
all
of the original documents, unmodified, and list them all as Invariant
Sections
of your combined work in its license notice. </p>
<p>The combined work need only contain one copy of this License, and multiple
identical Invariant Sections may be replaced with a single copy. If there
are multiple Invariant Sections with the same name but different contents,
make the title of each such section unique by adding at the end of it, in
parentheses, the name of the original author or publisher of that section
if known, or else a unique number. Make the same adjustment to the section
titles in the list of Invariant Sections in the license notice of the combined
<p>The combined work need only contain one copy of this License, and
multiple identical Invariant Sections may be replaced with a single
copy. If there
are multiple Invariant Sections with the same name but different
contents,
make the title of each such section unique by adding at the end of it,
in
parentheses, the name of the original author or publisher of that
section
if known, or else a unique number. Make the same adjustment to the
section
titles in the list of Invariant Sections in the license notice of the
combined
work. </p>
<p>In the combination, you must combine any sections entitled "History" in
the various original documents, forming one section entitled "History"; likewise
combine any sections entitled "Acknowledgements", and any sections entitled
"Dedications". You must delete all sections entitled "Endorsements." </p>
<p>In the combination, you must combine any sections entitled "History"
in
the various original documents, forming one section entitled "History";
likewise combine any sections entitled "Acknowledgements", and any
sections entitled "Dedications". You must delete all sections entitled
"Endorsements." </p>
<p><strong>6. COLLECTIONS OF DOCUMENTS</strong> </p>
<p>You may make a collection consisting of the Document and other documents
released under this License, and replace the individual copies of this License
in the various documents with a single copy that is included in the collection,
provided that you follow the rules of this License for verbatim copying of
<p>You may make a collection consisting of the Document and other
documents released under this License, and replace the individual
copies of this License in the various documents with a single copy that
is included in the collection, provided that you follow the rules of
this License for verbatim copying of
each of the documents in all other respects. </p>
<p>You may extract a single document from such a collection, and distribute
it individually under this License, provided you insert a copy of this License
into the extracted document, and follow this License in all other respects
<p>You may extract a single document from such a collection, and
distribute
it individually under this License, provided you insert a copy of this
License
into the extracted document, and follow this License in all other
respects
regarding verbatim copying of that document. </p>
<p><strong>7. AGGREGATION WITH INDEPENDENT WORKS</strong> </p>
<p>A compilation of the Document or its derivatives with other separate and
independent documents or works, in or on a volume of a storage or distribution
medium, does not as a whole count as a Modified Version of the Document, provided
no compilation copyright is claimed for the compilation. Such a compilation
is called an "aggregate", and this License does not apply to the other self-contained
works thus compiled with the Document, on account of their being thus compiled,
<p>A compilation of the Document or its derivatives with other separate
and independent documents or works, in or on a volume of a storage or
distribution medium, does not as a whole count as a Modified Version of
the Document, provided
no compilation copyright is claimed for the compilation. Such a
compilation
is called an "aggregate", and this License does not apply to the other
self-contained
works thus compiled with the Document, on account of their being thus
compiled,
if they are not themselves derivative works of the Document. </p>
<p>If the Cover Text requirement of section 3 is applicable to these copies
of the Document, then if the Document is less than one quarter of the entire
aggregate, the Document's Cover Texts may be placed on covers that surround
only the Document within the aggregate. Otherwise they must appear on covers
<p>If the Cover Text requirement of section 3 is applicable to these
copies
of the Document, then if the Document is less than one quarter of the
entire aggregate, the Document's Cover Texts may be placed on covers
that surround
only the Document within the aggregate. Otherwise they must appear on
covers
around the whole aggregate. </p>
<p><strong>8. TRANSLATION</strong> </p>
<p>Translation is considered a kind of modification, so you may distribute
translations of the Document under the terms of section 4. Replacing Invariant
Sections with translations requires special permission from their copyright
holders, but you may include translations of some or all Invariant Sections
in addition to the original versions of these Invariant Sections. You may
include a translation of this License provided that you also include the
original English version of this License. In case of a disagreement between
the translation and the original English version of this License, the original
<p>Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of section 4.
Replacing Invariant Sections with translations requires special
permission from their copyright holders, but you may include
translations of some or all Invariant Sections
in addition to the original versions of these Invariant Sections. You
may
include a translation of this License provided that you also include
the
original English version of this License. In case of a disagreement
between
the translation and the original English version of this License, the
original
English version will prevail. </p>
<p><strong>9. TERMINATION</strong> </p>
<p>You may not copy, modify, sublicense, or distribute the Document except
as expressly provided for under this License. Any other attempt to copy,
modify, sublicense or distribute the Document is void, and will automatically
terminate your rights under this License. However, parties who have received
copies, or rights, from you under this License will not have their licenses
<p>You may not copy, modify, sublicense, or distribute the Document
except
as expressly provided for under this License. Any other attempt to
copy,
modify, sublicense or distribute the Document is void, and will
automatically
terminate your rights under this License. However, parties who have
received
copies, or rights, from you under this License will not have their
licenses
terminated so long as such parties remain in full compliance. </p>
<p><strong>10. FUTURE REVISIONS OF THIS LICENSE</strong> </p>
<p>The Free Software Foundation may publish new, revised versions of the
GNU Free Documentation License from time to time. Such new versions will
be similar in spirit to the present version, but may differ in detail to
<p>The Free Software Foundation may publish new, revised versions of
the
GNU Free Documentation License from time to time. Such new versions
will
be similar in spirit to the present version, but may differ in detail
to
address new problems or concerns. See http://www.gnu.org/copyleft/. </p>
<p>Each version of the License is given a distinguishing version number.
If the Document specifies that a particular numbered version of this License
"or any later version" applies to it, you have the option of following the
terms and conditions either of that specified version or of any later version
that has been published (not as a draft) by the Free Software Foundation.
If the Document does not specify a version number of this License, you may
choose any version ever published (not as a draft) by the Free Software Foundation.
<p>Each version of the License is given a distinguishing version
number.
If the Document specifies that a particular numbered version of this
License
"or any later version" applies to it, you have the option of following
the
terms and conditions either of that specified version or of any later
version
that has been published (not as a draft) by the Free Software
Foundation.
If the Document does not specify a version number of this License, you
may
choose any version ever published (not as a draft) by the Free Software
Foundation.
</p>
<p align="left"> </p>
<br>
<p align="left">&nbsp;</p>
<br>
</body>
</html>
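Review bot: the wording of the license text is unchanged line for line across this reflow, which is what item H of section 4 ("Include an unaltered copy of this License") requires, so the hunk is whitespace-only and safe to take; the only thing worth trimming is the trailing filler before `</body>`, the empty `<p align="left"> </p>` / `<br>` / `<p align="left">&nbsp;</p>` / `<br>` sequence, which renders as blank space and carries no content.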

View File

@ -1,98 +1,71 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GRE/IPIP Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">GRE and IPIP Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are insecure
when used over the internet; use them at your own risk</h3>
<p>GRE and IPIP tunneling with Shorewall can be used to bridge two masqueraded
networks.</p>
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
Advanced Routing and Shaping HOWTO</a> work fine with Shorewall. Shorewall
also includes a tunnel script for automating tunnel configuration. If you
have installed the RPM, the tunnel script may be found in the Shorewall documentation
directory (usually /usr/share/doc/shorewall-&lt;version&gt;/).</p>
<body>
<h1 style="text-align: center;">GRE and IPIP Tunnels<br>
</h1>
<h3><font color="#ff6633">Warning: </font>GRE and IPIP Tunnels are
insecure when used over the internet; use them at your own risk</h3>
<p>GRE and IPIP tunneling with Shorewall can be used to bridge two
masqueraded networks.</p>
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux
Advanced Routing and Shaping HOWTO</a> work fine with Shorewall.
Shorewall also includes a tunnel script for automating tunnel
configuration. If you have installed the RPM, the tunnel script may be
found in the Shorewall documentation directory (usually
/usr/share/doc/shorewall-&lt;version&gt;/).</p>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"> <img border="0" src="images/TwoNets1.png" width="745"
height="427">
</p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy
file and the /etc/shorewall/tunnel script that is included with Shorewall.</p>
<p align="left">The 'tunnel' script is not installed in /etc/shorewall by
default -- If you install using the tarball, the script is included in the
tarball; if you install using the RPM, the file is in your Shorewall documentation
directory (normally /usr/share/doc/shorewall-&lt;version&gt;).</p>
<p align="left">In the /etc/shorewall/tunnel script, set the 'tunnel_type'
parameter to the type of tunnel that you want to create.</p>
<p align="center"> <img border="0" src="images/TwoNets1.png"
width="745" height="427"> </p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
able to communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file, the
/etc/shorewall/policy file and the /etc/shorewall/tunnel script that is
included with Shorewall.</p>
<p align="left">The 'tunnel' script is not installed in /etc/shorewall
by default -- If you install using the tarball, the script is included
in the tarball; if you install using the RPM, the file is in your
Shorewall documentation directory (normally
/usr/share/doc/shorewall-&lt;version&gt;).</p>
<p align="left">In the /etc/shorewall/tunnel script, set the
'tunnel_type' parameter to the type of tunnel that you want to create.</p>
<p align="left">Example:</p>
<blockquote>
<blockquote>
<p align="left">tunnel_type=gre</p>
</blockquote>
<p align="left">On each firewall, you will need to declare a zone to represent
the remote subnet. We'll assume that this zone is called 'vpn' and declare
it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
</blockquote>
<p align="left">On each firewall, you will need to declare a zone to
represent the remote subnet. We'll assume that this zone is called
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
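Review bot: the retained warning "GRE and IPIP Tunnels are insecure when used over the internet" does not say why, and readers deciding whether to accept the risk need the reason: neither GRE nor IPIP authenticates or encrypts the encapsulated packets, so anyone on the path can read or inject traffic that then arrives in the vpn zone; one sentence to that effect, with a pointer to the IPSEC page for a protected alternative, would make the heading actionable. Two smaller points in the same hunk: the location of the tunnel script ("usually /usr/share/doc/shorewall-&lt;version&gt;/") is stated in the opening paragraph and then again, nearly verbatim, in the "'tunnel' script is not installed in /etc/shorewall by default" paragraph, so one of the two can go; and the new `<h1 style="text-align: center;">GRE and IPIP Tunnels<br>` carries a stray `<br>` inside the heading that is editor residue.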
@ -102,19 +75,17 @@ In /etc/shorewall/interfaces:</p>
<td>vpn</td>
<td>tosysb</td>
<td>10.255.255.255</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
@ -124,34 +95,29 @@ In /etc/shorewall/interfaces:</p>
<td>ipip</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP
encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the
IP encapsulation protocol (4) will be accepted to/from the remote
gateway.</p>
<p>In the tunnel script on system A:</p>
<blockquote>
<blockquote>
<p>tunnel=tosysb<br>
myrealip=206.161.148.9 (for GRE tunnel only)<br>
myip=192.168.1.1<br>
hisip=10.0.0.1<br>
gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
myrealip=206.161.148.9 (for GRE tunnel only)<br>
myip=192.168.1.1<br>
hisip=10.0.0.1<br>
gateway=134.28.54.2<br>
subnet=10.0.0.0/8</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
@ -161,19 +127,16 @@ zone. In /etc/shorewall/interfaces:</p>
<td>vpn</td>
<td>tosysa</td>
<td>192.168.1.255</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
@ -183,67 +146,59 @@ zone. In /etc/shorewall/interfaces:</p>
<td>ipip</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
<td>&nbsp;</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</blockquote>
<p>And in the tunnel script on system B:</p>
<blockquote>
<blockquote>
<p>tunnel=tosysa<br>
myrealip=134.28.54.2 (for GRE tunnel only)<br>
myip=10.0.0.1<br>
hisip=192.168.1.1<br>
gateway=206.191.148.9<br>
subnet=192.168.1.0/24</p>
</blockquote>
<p>You can rename the modified tunnel scripts if you like; be sure that they
are secured so that root can execute them. </p>
<p align="left"> You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all traffic
in both directions, you can use the policy file:</p>
<blockquote>
myrealip=134.28.54.2 (for GRE tunnel only)<br>
myip=10.0.0.1<br>
hisip=192.168.1.1<br>
gateway=206.191.148.9<br>
subnet=192.168.1.0/24</p>
</blockquote>
<p>You can rename the modified tunnel scripts if you like; be sure that
they are secured so that root can execute them. </p>
<p align="left"> You will need to allow traffic between the "vpn" zone
and the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and run the modified tunnel script with
the "start" argument on each system. The systems in the two masqueraded subnetworks
</blockquote>
<p>On both systems, restart Shorewall and run the modified tunnel
script with
the "start" argument on each system. The systems in the two masqueraded
subnetworks
can now talk to each other</p>
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 2/22/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
</body>
</html>
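Review bot: the example addresses do not agree: system A's script sets `myrealip=206.161.148.9`, while system B's tunnels entry and script both use `206.191.148.9` as the GATEWAY and `gateway=` value (161 versus 191). They are meant to be the same host, system A's public address, and with the mismatch B's tunnels entry opens protocol 4 to the wrong peer and the tunnel cannot establish; pick one value and use it in all three places. "be sure that they are secured so that root can execute them" should be made precise: the script runs as root at start, so the requirement is that it be owned by root and writable only by root (anyone who can edit it runs commands as root), not merely that root can execute it. Since the policy table admits all traffic in both directions between loc and vpn, and the page's own warning says the tunnel is unauthenticated, a sentence noting that this grants the remote network the same access as the local one, and that rules can be used instead of a blanket ACCEPT, would fit here. Nits: "can now talk to each other" lacks a period, the copyright line reads "2003Thomas" without a space, and "Updated 2/22/2003" was not bumped although the page changed.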

View File

@ -8,17 +8,8 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">IPSEC Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">IPSEC Tunnels<br>
</h1>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a
href="http://www.geocities.com/jixen66/">
@ -34,10 +25,40 @@ to debug this problem so I can't say if it is a bug in the Kernel or in
FreeS/Wan.&nbsp;</p>
<p>You <b>might</b> be able to work around this problem using the
following (I haven't tried it):</p>
<p>In /etc/shorewall/init, include:</p>
<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
<p style="margin-left: 40px;">In /etc/shorewall/init, include:</p>
<div style="margin-left: 40px;"></div>
<p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec
stop</p>
<div style="margin-left: 40px;"></div>
<p style="margin-left: 40px;">In /etc/shorewall/start, include:</p>
<div style="margin-left: 40px;"></div>
<p style="margin-left: 40px;">&nbsp;&nbsp;&nbsp; qt service ipsec start<br>
</p>
<p>Also, the documentation below assumes that you have disabled
opportunistic encryption feature in FreeS/Wan 2.0 using the following
additional entries in ipsec.conf:<br>
</p>
<p style="margin-left: 40px;"><tt>conn block<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn private<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn private-or-clear<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn clear-or-private<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn clear<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
<br>
conn packetdefault<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; auto=ignore<br>
</tt></p>
For further information see <a
href="http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html">http://www.freeswan.org/freeswan_trees/freeswan-2.03/doc/policygroups.html</a>.<tt><br>
</tt>
<h2> <font color="#660066">IPSec Gateway on the Firewall System </font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
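Review bot: the new paragraph beginning "Also, the documentation below assumes that you have disabled opportunistic encryption feature in FreeS/Wan 2.0" tells the reader to put "auto=ignore" on the six policy-group conns but never says what goes wrong if they leave OE enabled, so a reader cannot judge whether the assumption applies to them; one sentence on the consequence (which traffic is affected and how it shows up at the firewall) belongs here, since the linked policygroups.html page describes the groups but not their interaction with Shorewall. The phrase also needs an article ("the opportunistic encryption feature"). Separately, the three empty '<div style="margin-left: 40px;"></div>' elements inserted between the indented "qt service ipsec stop" / "qt service ipsec start" paragraphs carry no content and should be dropped.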
@ -631,7 +652,7 @@ issue the command":<br>
<blockquote>/sbin/shorewall add ipsec0:134.28.54.2 vpn2<br>
</blockquote>
and the 'down' part will:<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn<br>
<blockquote>/sbin/shorewall delete ipsec0:134.28.54.2 vpn2<br>
<br>
</blockquote>
<h3>Limitations of Dynamic Zones</h3>
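Review bot: the "down" command now deletes from "vpn2", the same zone the "up" command adds to ("/sbin/shorewall add ipsec0:134.28.54.2 vpn2"); with the previous text the delete would have targeted zone "vpn" and the peer would have remained a member of "vpn2" after the tunnel went down, keeping whatever access that zone grants. The fix is right, and it would be worth adding a sentence saying that the add and delete in the updown script must name the same zone, because the mismatch is easy to make and fails silently.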
@ -664,7 +685,7 @@ DESTINATION<br>
<tr>
<td valign="top">DNAT<br>
</td>
<td valign="top">z:dyn<br>
<td valign="top">z!dyn<br>
</td>
<td valign="top">loc:192.168.1.3<br>
</td>
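Review bot: "z!dyn" is the exclusion form (zone z except hosts in dyn) that the paragraph below, "Dynamic changes to the zone dyn will have no effect on the above rule", depends on; the previous "z:dyn" reads as a zone followed by an address qualifier, so the corrected cell is the right one. The table would be easier to follow if that paragraph said in words that the exclusion is evaluated when the rule is generated, which is why later additions to dyn are not reflected in it.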
@ -682,7 +703,7 @@ DESTINATION<br>
</blockquote>
Dynamic changes to the zone <b>dyn</b> will have no effect on the
above rule.
<p><font size="2">Last updated 8/12//2003 - </font><font size="2"> <a
<p><font size="2">Last updated 10/292003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
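Review bot: the replacement footer "Last updated 10/292003" is missing the slash between the day and the year (the text it replaces had the opposite defect, "8/12//2003"); it should read "10/29/2003".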


@ -1,221 +1,189 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Installation and
Upgrade</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">Shorewall Installation and Upgrade<br>
</h1>
<p align="center"><b>Before upgrading, be sure to review the <a
href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge you
to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br>
</div>
</a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge
you
to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br>
</div>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<a href="#Install_Tarball">Install using tarball<br>
</a><a href="#LRP">Install the .lrp</a><br>
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
<a href="#Config_Files">Configuring Shorewall</a><br>
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at
a shell prompt, type "/sbin/iptables --version"), you must upgrade to
version 1.2.4 either from the <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat
update site</a> or from the <a href="errata.htm">Shorewall Errata page</a>
before attempting to start Shorewall.</b></p>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note1: </b>Some SuSE  users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm
(rpm -ivh --nodeps &lt;shorewall rpm&gt;.<br>
<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the installation of Shorewall to fail with the
diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.x-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
<u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE
A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note1: </b>Some SuSE&nbsp; users have encountered a problem
whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
kernel is installed. If this happens, simply use the --nodeps option to
rpm (rpm -ivh --nodeps &lt;shorewall rpm&gt;.<br>
<br>
<b>Note2: </b>Beginning with Shorewall 1.4.0, Shorewall is
dependent on the iproute package. Unfortunately, some distributions
call this package iproute2 which will cause the installation of
Shorewall to fail with the diagnostic:<br>
<br>
&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
shorewall-1.4.x-1 <br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -ivh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start"
COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START.
IF YOU ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR
SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE
A "shorewall clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li>
</ul>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
and install script: </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in
the directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-1.1.10").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your
distribution installs init scripts and type "./install.sh
&lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a>
to match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall
to be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to
match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall
to be started automatically at boot, see <a
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
</ul>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface
QuickStart Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
details.</p>
<p><a name="LRP"></a>To install my version of Shorewall on a fresh
Bering disk, simply replace the "shorwall.lrp" file on the image with
the file that you downloaded. See the <a href="two-interface.htm">two-interface
QuickStart Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM
installed and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version or
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an
entry for each interface mentioned in the hosts file. Also, there are
certain 1.2 rule forms that are no longer supported under 1.4 (you must
use the new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade
issues </a>for details.</p>
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm
(e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
is installed. If this happens, simply use the --nodeps option to rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
<b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is dependent
on the iproute package. Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;). </p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem
whereby rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4
kernel is installed. If this happens, simply use the --nodeps option to
rpm (rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
<b>Note3: </b>Beginning with Shorewall 1.4.0, Shorewall is
dependent on the iproute package. Unfortunately, some distributions
call this package iproute2 which will cause the upgrade of Shorewall to
fail with the diagnostic:<br>
<br>
&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
shorewall-1.4.0-1 <br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm
-Uvh --nodeps &lt;shorewall rpm&gt;).&nbsp;</p>
</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall
installed
and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file.  Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4
version
and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an
entry
for each interface mentioned in the hosts file.&nbsp; Also, there are
certain
1.2 rule forms that are no longer supported under 1.4 (you must use the
new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
for details. </p>
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in
the directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in "shorewall-3.0.1").</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.redhat.com">RedHat</a>, <a
href="http://www.linux-mandrake.com">Mandrake</a>, <a
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your
distribution installs init scripts and type "./install.sh
&lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
href="http://www.corel.com">Corel</a>, <a
href="http://www.slackware.com/">Slackware</a> or <a
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a>
then type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d or
/etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution
installs init scripts and type "./install.sh &lt;init script
directory&gt;</li>
<li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as
necessary.</li>
<li>Restart the firewall by typing "shorewall restart"</li>
</ul>
<a name="LRP_Upgrade"></a>If you already have a running
Bering installation and wish to upgrade to a later version of Shorewall:<br>
<br>
    <b>UNDER CONSTRUCTION...</b><br>
<a name="LRP_Upgrade"></a>If you already have a running
Bering installation and wish to upgrade to a later version of Shorewall:<br>
<br>
&nbsp;&nbsp;&nbsp; <b>UNDER CONSTRUCTION...</b><br>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<p>You will need to edit some or all of the configuration files to
match your setup. In most cases, the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
contain all of the information you need.</p>
<ul>
</ul>
<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><font size="2">Updated 4/8/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</p>
<br>
<br>
</body>
</html>
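Review bot: Note2 (install) and Note3 (upgrade) tell users to run "rpm -ivh --nodeps" or "rpm -Uvh --nodeps" when the dependency on iproute fails because the distribution names the package iproute2, but --nodeps disables the only check that the "ip" command the iproute package provides is actually present; since the same notes say Shorewall 1.4.0 and later depend on it, the text should tell the reader to confirm that "ip" is installed (for example that "/sbin/ip route" runs) before bypassing the dependency, otherwise the first "shorewall start" fails in exactly the way the red WARNING paragraph describes. Smaller points in the same hunk: the upgrade section numbers its notes Note1 and Note3 with no Note2; the tarball-upgrade steps use "shorewall-3.0.1" as the example directory while the install steps use "shorewall-1.1.10"; "(rpm -ivh --nodeps <shorewall rpm>." is missing its closing parenthesis; the page still says "Updated 4/8/2003" although its text changes in this commit; and there is an empty "<ul> </ul>" left under Configuring Shorewall.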


@ -2,123 +2,103 @@
<html>
<head>
<title>MAC Verification</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">MAC Verification</font><br>
</h1>
<br>
</td>
</tr>
</tbody>
</table>
<br>
All traffic from an interface or from a subnet on an interface
can be verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP addresses.
<br>
<br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
- module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<body>
<br>
<h1 style="text-align: center;">MAC Verification<br>
</h1>
All traffic from an interface or from a subnet on an interface can be
verified to originate from a defined set of MAC addresses. Furthermore,
each MAC address may be optionally associated with one or more IP
addresses. <br>
<br>
<b>Your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC -
module name ipt_mac.o).</b><br>
<br>
There are four components to this facility.<br>
<ol>
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
this option is specified, all traffic arriving on the interface is subjet
<li>The <b>maclist</b> interface option in <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
When
this option is specified, all traffic arriving on the interface is
subjet
to MAC verification.</li>
<li>The <b>maclist </b>option in <a
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
is specified for a subnet, all traffic from that subnet is subject to
MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL
</b>variables in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC verification.
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
requests that fail verification are to be logged. If set the the empty
value (e.g., MACLIST_LOG_LEVEL="") then failing connection requests are
not logged.<br>
</li>
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
When this option is specified for a subnet, all traffic from that
subnet is subject to
MAC verification.</li>
<li>The /etc/shorewall/maclist file. This file is used to associate
MAC addresses with interfaces and to optionally associate IP addresses
with MAC addresses.</li>
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT
and determines the disposition of connection requests that fail MAC
verification. The MACLIST_LOG_LEVEL variable gives the syslogd level at
which connection requests that fail verification are to be logged. If
set the the empty value (e.g., MACLIST_LOG_LEVEL="") then failing
connection requests are not logged.<br>
</li>
</ol>
The columns in /etc/shorewall/maclist are:<br>
The columns in /etc/shorewall/maclist are:<br>
<ul>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC
format in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses
for the device whose MAC is listed in the MAC column.</li>
<li>INTERFACE - The name of an ethernet interface on the Shorewall
system.</li>
<li>MAC - The MAC address of a device on the ethernet segment
connected by INTERFACE. It is not necessary to use the Shorewall MAC
format in this column although you may use that format if you so choose.</li>
<li>IP Address - An optional comma-separated list of IP addresses for
the device whose MAC is listed in the MAC column.</li>
</ul>
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a> for
details about my setup):</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
<h3>Example 1: Here are my files (look <a href="myfiles.htm">here</a>
for details about my setup):</h3>
<b>/etc/shorewall/shorewall.conf:<br>
</b>
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
<b>/etc/shorewall/interfaces:</b><br>
<blockquote>
<b>/etc/shorewall/interfaces:</b><br>
<blockquote>
<pre>#ZONE INTERFACE BROADCAST OPTIONS<br>net eth0 206.124.146.255 dhcp,norfc1918,routefilter,blacklist,tcpflags<br>loc eth2 192.168.1.255 dhcp<br>dmz eth1 192.168.2.255<br>WiFi eth3 192.168.3.255 dhcp,maclist<br>- texas 192.168.9.255</pre>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
<blockquote>
</blockquote>
<b>/etc/shorewall/maclist:</b><br>
<blockquote>
<pre>#INTERFACE MAC IP ADDRESSES (Optional)<br>eth3 00:A0:CC:A2:0C:A0 192.168.3.7 #Work Laptop<br>eth3 00:04:5a:fe:85:b9 192.168.3.250 #WAP11<br>eth3 00:06:25:56:33:3c 192.168.3.225,192.168.3.8 #WET11<br>eth3 00:0b:cd:C4:cc:97 192.168.3.8 #TIPPER</pre>
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves like
a wireless router with DHCP relay. When forwarding DHCP traffic, it uses the
MAC address of the host (TIPPER) but for other forwarded traffic it uses it's
own MAC address. Consequently, I list the IP addresses of both devices in
</blockquote>
As shown above, I use MAC Verification on my wireless zone.<br>
<br>
<b>Note: </b>While marketed as a wireless bridge, the WET11 behaves
like a wireless router with DHCP relay. When forwarding DHCP traffic,
it uses the
MAC address of the host (TIPPER) but for other forwarded traffic it
uses it's
own MAC address. Consequently, I list the IP addresses of both devices
in
/etc/shorewall/maclist.<br>
<h3>Example 2: Router in Wireless Zone</h3>
Suppose now that I add a second wireless segment to my wireless
zone and gateway that segment via a router with MAC address 00:06:43:45:C6:15
and IP address 192.168.3.253. Hosts in the second segment have IP addresses
in the subnet 192.168.4.0/24. I would add the following entry to my /etc/shorewall/maclist
file:<br>
Suppose now that I add a second wireless segment to my wireless zone
and gateway that segment via a router with MAC address
00:06:43:45:C6:15 and IP address 192.168.3.253. Hosts in the second
segment have IP addresses in the subnet 192.168.4.0/24. I would add the
following entry to my /etc/shorewall/maclist file:<br>
<pre> eth3 00:06:43:45:C6:15 192.168.3.253,192.168.4.0/24<br></pre>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that
all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy;
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
This entry accomodates traffic from the router itself (192.168.3.253)
and from the second wireless segment (192.168.4.0/24). Remember that
all traffic being sent to my firewall from the 192.168.4.0/24 segment
will be forwarded by the router so that traffic's MAC address will be
that of the router (00:06:43:45:C6:15) and not that of the host sending
the traffic.
<p><font size="2"> Updated 6/30/2002 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
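Review bot: the opening sentence, "All traffic from an interface or from a subnet on an interface can be verified to originate from a defined set of MAC addresses", claims more than the ipt_mac match delivers: the source MAC is whatever the sending host puts in the frame, and any station on the same segment can copy a listed address, so this restricts traffic to hosts presenting a listed MAC and does not authenticate the host. That caveat matters here because the worked example applies maclist to the wireless zone ("WiFi eth3 192.168.3.255 dhcp,maclist"), where the segment is shared with anyone in radio range; a sentence saying MAC verification is a filter against accidental or casual access, not a substitute for encryption and authentication on the wireless link, would keep readers from relying on it alone. The reflowed text also carries over several typos that should be fixed while the lines are being touched: "subjet" (subject), "If set the the empty value" (to the empty value), "it's own MAC address" (its), "accomodates" (accommodates); and the footer still says "Updated 6/30/2002" although Example 2 and the 2003 copyright postdate it.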


@ -1,119 +1,98 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Static Nat</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<br>
<br>
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<blockquote> </blockquote>
<p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918)
appear to have public IP addresses. Before you try to use this technique,
I strongly recommend that you read the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<blockquote> </blockquote>
<p>The following figure represents a static NAT environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397">
</strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the 10.1.1.*
addresses appear to be on the upper (130.252.100.*) subnet. If we assume
that the interface to the upper subnet is eth0, then the following /etc/shorewall/NAT
file would make the lower left-hand system appear to have IP address
130.252.100.18 and the right-hand one to have IP address 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth0</td>
<td>10.1.1.2</td>
<td>yes</td>
<td>yes</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth0</td>
<td>10.1.1.3</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody>
</table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is used
to specify whether access to the external IP from all firewall interfaces
should undergo NAT (Yes or yes) or if only access from the interface in
the INTERFACE column should undergo NAT. If you leave this column empty,
"Yes" is assumed. The ALL INTERFACES column was added in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).
<b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6 can only add
external addresses to an interface that is configured with a single subnetwork
-- if your external interface has addresses in more than one subnetwork,
Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
determine whether packets originating on the firewall itself and destined
for the EXTERNAL address are redirected to the internal ADDRESS. If
this column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN
also contains "Yes" or "yes") then such packets are redirected; otherwise,
such packets are not redirected. The LOCAL column was added in version
1.1.8.</p>
<h1 style="text-align: center;">Static NAT<br>
</h1>
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static
NAT. Port forwarding can be accomplished with simple entries in the <a
href="Documentation.htm#Rules">rules file</a>.</b></font></p>
<blockquote> </blockquote>
<p>Static NAT is a way to make systems behind a firewall and configured
with private IP addresses (those reserved for private use in RFC1918)
appear to have public IP addresses. Before you try to use this
technique, I strongly recommend that you read the <a
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<blockquote> </blockquote>
<p>The following figure represents a static NAT environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/staticnat.png"
width="435" height="397"> </strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
we assume that the interface to the upper subnet is eth0, then the
following /etc/shorewall/NAT file would make the lower left-hand system
appear to have IP address 130.252.100.18 and the right-hand one to have
IP address 130.252.100.19.</p>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth0</td>
<td>10.1.1.2</td>
<td>yes</td>
<td>yes</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth0</td>
<td>10.1.1.3</td>
<td>yes</td>
<td>yes</td>
</tr>
</tbody>
</table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the
above example) is (are) not included in any specification in
/etc/shorewall/masq or /etc/shorewall/proxyarp.</p>
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column is
used to specify whether access to the external IP from all firewall
interfaces should undergo NAT (Yes or yes) or if only access from the
interface in the INTERFACE column should undergo NAT. If you leave this
column empty, "Yes" is assumed.&nbsp;The ALL INTERFACES column was
added in version 1.1.6.</p>
<p>Note 2: Shorewall will automatically add the external address to the
specified interface unless you specify <a
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or
if you set it to "Yes" or "yes" then you must NOT configure your own
alias(es). <b>RESTRICTION: </b>Shorewall versions earlier than 1.4.6
can only add external addresses to an interface that is configured with
a single subnetwork -- if your external interface has addresses in more
than one subnetwork,
Shorewall 1.4.5 and earlier can only add addresses to the first one.</p>
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"
column determine whether packets originating on the firewall itself and
destined for the EXTERNAL address are redirected to the internal
ADDRESS. If this column contains "yes" or "Yes" (and the ALL INTERFACES
COLUMN
also contains "Yes" or "yes") then such packets are redirected;
otherwise,
such packets are not redirected. The LOCAL column was added in version
1.1.8.</p>
<blockquote> </blockquote>
<p><font size="2">Last updated 7/6/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
</body>
</html>
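Review bot: the empty `<blockquote> </blockquote>` elements kept in this hunk (after the IMPORTANT paragraph, after the Static NAT introduction, inside the figure block and just before the footer) carry no content; since the hunk is already reflowing the file's markup, drop them rather than carry them forward. The "Last updated 7/6/2003" footer is also carried over unchanged; if only whitespace changed here that is fine, but it is the reader's only version cue for Note 2's "earlier than 1.4.6" / "1.4.5 and earlier" restriction, so confirm that no wording changed before leaving the date.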

View File

@ -8,17 +8,239 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall News Archive</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall News Archive<br>
</h1>
<p><b>11/07/2003 - Shorewall 1.4.8<br>
<br>
</b>Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying to use
the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued, Shorewall
was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F" or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
<li>An incorrect comment concerning Debian's use of the SYBSYSLOCK
option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor the
ROUTE_FILTER parameter were working properly. This has been corrected
(thanks to Eric Bowles for his analysis and patch). The definition of
the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
coexist with the use of the 'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
address and a broadcast address then an error would occur during
startup.</li>
<li>The NONE policy's intended use is to suppress the generating of
rules that can't possibly be traversed. This means that a policy of
NONE is inappropriate where the source or destination zone is $FW or
"all". Shorewall now generates an error message if such a policy is
given in /etc/shorewall/policy. Previously such a policy caused
"shorewall start" to fail.</li>
<li>The 'routeback' option was broken for wildcard interfaces (e.g.,
"tun+"). This has been corrected so that 'routeback' now works as
expected in this case.<br>
</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf has
changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE allows
you to pass connection requests to a user-space filter such as ftwall
(http://p2pwall.sourceforge.net). The ftwall program allows for
effective filtering of p2p applications such as Kazaa. For example, to
use ftwall to filter P2P clients in the 'loc' zone, you would add the
following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
this option is set to "Yes", the blacklists (dynamic and static) are
only consulted for new connection requests. When set to "No" (the
default if the variable is not set), the blacklists are consulted on
every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may now
begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
</ol>
<p><b>10/30/2003 - Shorewall 1.4.8 RC1<br>
</b></p>
Given the small number of new features and the relatively few lines of
code that were changed, there will be no Beta for 1.4.8.<br>
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
<br>
</b>Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying to use
the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued, Shorewall
was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has been
corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F" or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
<li>An incorrect comment concerning Debian's use of the SYBSYSLOCK
option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor the
ROUTE_FILTER parameter were working properly. This has been corrected
(thanks to Eric Bowles for his analysis and patch). The definition of
the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
coexist with the use of the 'routefilter' option in the interfaces file.</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf has
changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE allows
you to pass connection requests to a user-space filter such as ftwall
(http://p2pwall.sourceforge.net). The ftwall program allows for
effective filtering of p2p applications such as Kazaa. For example, to
use ftwall to filter P2P clients in the 'loc' zone, you would add the
following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
this option is set to "Yes", the blacklists (dynamic and static) are
only consulted for new connection requests. When set to "No" (the
default if the variable is not set), the blacklists are consulted on
every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may now
begin with a digit ([0-9]) and may contain embedded dashes ("-").<br>
</li>
</ol>
<b></b>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper bag
awards </b><b><img
style="border: 0px solid ; width: 50px; height: 80px;"
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
1.4.7c released.</b></p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The 1.4.7c
script produces a ruleset that should work for everyone even if it is
not quite optimal. My apologies for this ongoing mess.<br>
</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
This is a bugfx rollup of the 1.4.7a fixes plus:<br>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result that
"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a<br>
</b></p>
<p>This is a bugfix rollup of the following problem corrections:<br>
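Review bot: the new shorewall.conf option is spelled BLACKLISTNEWNONLY (double N) in both the 1.4.8 entry (New Features item 2) and the repeated RC1 entry; given the described meaning (blacklists consulted only for NEW connection requests) the intended name appears to be BLACKLISTNEWONLY, and a reader who copies the misspelled name into shorewall.conf sets an unrecognised variable and silently keeps the documented default of "No", i.e. blacklists consulted on every packet. Please check the spelling against the variable the firewall script actually reads. Two smaller points in the same hunk: "SYBSYSLOCK" in Problems Corrected item 7 looks like a transposed option name (verify against shorewall.conf), and item 10 says a NONE policy with $FW or "all" now "generates an error message" while "previously such a policy caused 'shorewall start' to fail"; both outcomes stop the start, so say what actually improved (presumably a clear diagnostic naming the offending policy entry instead of an obscure failure) so the two sentences do not read as a contradiction.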
@ -50,7 +272,7 @@ icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<li>Previously, if the following error message was issued, Shorewall
was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes routes through
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
@ -4598,7 +4820,7 @@ deleted.</li>
an additional "gw" (gateway) zone for tunnels and it supports IPSEC
tunnels with end-points on the firewall. There is also a .lrp available
now.</b></p>
<p><font size="2">Updated 10/06/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated 11/07/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2"> Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
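Review bot: the footer date is bumped to 11/07/2003 but the copyright line two lines below still reads "2001, 2002 Thomas M. Eastep."; the other page in this commit carries "2001, 2002, 2003 Thomas M. Eastep.", so extend the year list here in the same hunk rather than leaving the two pages inconsistent.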

View File

@ -1,284 +1,232 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>OpenVPN Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">OpenVPN Tunnels</font></h1>
</td>
</tr>
</tbody>
</table>
<h3><br>
</h3>
<p>OpenVPN is a robust and highly configurable VPN (Virtual Private Network)
daemon which can be used to securely link two or more private networks using
an encrypted tunnel over the internet. OpenVPN is an Open Source project
and is <a href="http://openvpn.sourceforge.net/license.html">licensed under
the GPL</a>. OpenVPN can be downloaded from <a
<body>
<h1 style="text-align: center;">OpenVPN Tunnels<br>
</h1>
<p>OpenVPN is a robust and highly configurable VPN (Virtual Private
Network) daemon which can be used to securely link two or more private
networks using an encrypted tunnel over the internet. OpenVPN is an
Open Source project and is <a
href="http://openvpn.sourceforge.net/license.html">licensed under the
GPL</a>. OpenVPN can be downloaded from <a
href="http://openvpn.sourceforge.net/">http://openvpn.sourceforge.net/</a>.<br>
</p>
</p>
<p>OpenVPN support was added to Shorewall in version 1.3.14.<br>
</p>
</p>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"><img border="0" src="images/TwoNets1.png" width="745"
height="427">
</p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able
to communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file and the /etc/shorewall/policy
file and OpenVPN.</p>
<p align="left">While it was possible to use the Shorewall start and stop
script to start and stop OpenVPN, I decided to use the init script of OpenVPN
to start and stop it.</p>
<p align="left">On each firewall, you will need to declare a zone to represent
the remote subnet. We'll assume that this zone is called 'vpn' and declare
it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
height="427"> </p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be
able to communicate with the systems in the 10.0.0.0/8 network. This is
accomplished through use of the /etc/shorewall/tunnels file and the
/etc/shorewall/policy file and OpenVPN.</p>
<p align="left">While it was possible to use the Shorewall start and
stop script to start and stop OpenVPN, I decided to use the init script
of OpenVPN to start and stop it.</p>
<p align="left">On each firewall, you will need to declare a zone to
represent the remote subnet. We'll assume that this zone is called
'vpn' and declare it in /etc/shorewall/zones on both systems as follows.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
<tbody>
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b> zone.
</blockquote>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>vpn</b>
zone.
In /etc/shorewall/interfaces:</p>
<blockquote>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td><br>
</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td><br>
</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the
following:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels opens the firewall so that OpenVPN
traffic on the default port 5000/udp will be accepted to/from the remote
gateway. If you change the port used by OpenVPN to 7777, you can define /etc/shorewall/tunnels
like this:<br>
</p>
<blockquote>
</blockquote>
<p>This entry in /etc/shorewall/tunnels opens the firewall so that
OpenVPN traffic on the default port 5000/udp will be accepted to/from
the remote gateway. If you change the port used by OpenVPN to 7777, you
can define&nbsp;/etc/shorewall/tunnels like this:<br>
</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn:7777</td>
<td>net</td>
<td>134.28.54.2</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn:7777</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<p>This is the OpenVPN config on system A:</p>
<blockquote>
<blockquote>
<p></p>
</blockquote>
<blockquote>
</blockquote>
<blockquote>
<p>dev tun<br>
local 206.162.148.9<br>
remote 134.28.54.2<br>
ifconfig 192.168.99.1 192.168.99.2<br>
up ./route-a.up<br>
tls-server<br>
dh dh1024.pem<br>
ca ca.crt<br>
cert my-a.crt<br>
key my-a.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td>192.168.1.255</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn</td>
<td>net</td>
<td>206.191.148.9</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>And in the OpenVPN config on system B:</p>
<blockquote>
<p>dev tun<br>
local 134.28.54.2<br>
remote 206.162.148.9<br>
ifconfig 192.168.99.2 192.168.99.1<br>
up ./route-b.up<br>
tls-client<br>
ca ca.crt<br>
cert my-b.crt<br>
key my-b.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
<p align="left">You will need to allow traffic between the "vpn" zone and
the "loc" zone on both systems -- if you simply want to admit all traffic
in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td> </td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td> </td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and start OpenVPN. The systems in the
two masqueraded subnetworks can now talk to each other.</p>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<small>and Simon Mater</small><br>
local 206.162.148.9<br>
remote 134.28.54.2<br>
ifconfig 192.168.99.1 192.168.99.2<br>
up ./route-a.up<br>
tls-server<br>
dh dh1024.pem<br>
ca ca.crt<br>
cert my-a.crt<br>
key my-a.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>vpn</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>vpn</td>
<td>tun0</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td>openvpn</td>
<td>net</td>
<td>206.191.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>And in the&nbsp;OpenVPN config on system B:</p>
<blockquote>
<p>dev tun<br>
local 134.28.54.2<br>
remote 206.162.148.9<br>
ifconfig 192.168.99.2 192.168.99.1<br>
up ./route-b.up<br>
tls-client<br>
ca ca.crt<br>
cert my-b.crt<br>
key my-b.key<br>
comp-lzo<br>
verb 5<br>
</p>
</blockquote>
<p align="left">You will need to allow traffic between the "vpn" zone
and the "loc" zone on both systems -- if you simply want to admit all
traffic in both directions, you can use the policy file:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>On both systems, restart Shorewall and start OpenVPN. The systems in
the two masqueraded subnetworks can now talk to each other.</p>
<p><font size="2">Updated 2/4/2003 - <a href="support.htm">Tom Eastep</a></font>
<small>and Simon Mater</small><br>
</p>
<p><font size="2"> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
</font></a></font></p>
<br>
<br>
<br>
<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2003 Thomas M. Eastep. and Simon Mater<br>
</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>
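Review bot: the system B /etc/shorewall/tunnels entry lists GATEWAY 206.191.148.9, but system A's OpenVPN config says `local 206.162.148.9` and system B's says `remote 206.162.148.9`; one of these is a typo, and as written the tunnels entry on B would open the OpenVPN port for an address that is not the actual peer, so the example would not work if copied verbatim. Two further points in the same hunk: system B's interfaces entry gives tun0 a BROADCAST of 192.168.1.255 while system A leaves that column blank, although both tun0 endpoints are configured point-to-point (`ifconfig 192.168.99.1 192.168.99.2` and the reverse), so either explain the asymmetry or blank the column on both systems; and the copyright line reads "Thomas M. Eastep. and Simon Mater" with a stray period before "and".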

View File

@ -9,17 +9,8 @@
<title>Shorewall PPTP</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">PPTP</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">PPTP<br>
</h1>
<h4>NOTE: I am no longer attempting to maintain MPPE patches for
current
Linux kernel's and pppd. I recommend that you refer to the following

View File

@ -1,192 +1,165 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Proxy ARP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
</td>
</tr>
</tbody>
</table>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.
Before you try to use this technique, I strongly recommend that you read
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
<p>The following figure represents a Proxy ARP environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/proxyarp.png"
width="519" height="397">
</strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.  Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries
in /etc/shorewall/proxyarp:</p>
<blockquote>
<body>
<h1 style="text-align: center;">Proxy ARP<br>
</h1>
<p>Proxy ARP allows you to insert a firewall in front of a set of
servers without changing their IP addresses and without having to
re-subnet. Before you try to use this technique, I strongly recommend
that you read the <a href="shorewall_setup_guide.htm">Shorewall Setup
Guide.</a></p>
<p>The following figure represents a Proxy ARP environment.</p>
<blockquote>
<p align="center"><strong> <img src="images/proxyarp.png" width="519"
height="397"> </strong></p>
<blockquote> </blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with
addresses 130.252.100.18 and 130.252.100.19 appear to be on the upper
(130.252.100.*) subnet.&nbsp; Assuming that the upper firewall
interface is eth0 and the lower interface is eth1, this is accomplished
using the following entries in /etc/shorewall/proxyarp:</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ADDRESS</b></td>
<td><b>INTERFACE</b></td>
<td><b>EXTERNAL</b></td>
<td><b>HAVEROUTE</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>ADDRESS</b></td>
<td><b>INTERFACE</b></td>
<td><b>EXTERNAL</b></td>
<td><b>HAVEROUTE</b></td>
</tr>
<tr>
<td>130.252.100.18</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
<tr>
<td>130.252.100.19</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19 
in the above example) are not included in any specification in /etc/shorewall/masq
or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that
the Firewall system's eth0 is configured. In other words, they should
be configured just like they would be if they were parallel to the firewall
rather than behind it.<br>
</p>
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed address(es)
(130.252.100.18 and 130.252.100.19 in the above example)  to the external
interface (eth0 in this example) of the firewall.</b></font><br>
</p>
<div align="left"> </div>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it
will probably be HOURS before that system can communicate with the internet.
There are a couple of things that you can try:<br>
</p>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and
130.252.100.19&nbsp; in the above example) are not included in any
specification in /etc/shorewall/masq or /etc/shorewall/nat.</p>
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address
is irrelevant. </p>
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have
their subnet mask and default gateway configured exactly the same way
that the Firewall system's eth0 is configured. In other words, they
should be configured just like they would be if they were parallel to
the firewall rather than behind it.<br>
</p>
<p><font color="#ff0000"><b>NOTE: Do not add the Proxy ARP'ed
address(es) (130.252.100.18 and 130.252.100.19 in the above
example)&nbsp; to the external interface (eth0 in this example) of the
firewall.</b></font><br>
</p>
<div align="left"> </div>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically
configure their routers with a long ARP cache timeout. If you move a
system from parallel to your firewall to behind your firewall with
Proxy ARP, it
will probably be HOURS before that system can communicate with the
internet. There are a couple of things that you can try:<br>
</p>
<ol>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
Illustrated, Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting the
MAC address for its own IP; in addition to ensuring that the IP address
isn't a duplicate...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in its
cache for the old hardware address to update its ARP cache entry accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP (or
static NAT for that matter). Happily enough, recent versions of Redhat's
iputils package include "arping", whose "-U" flag does just that:<br>
<br>
    <font color="#009900"><b>arping -U -I <i>&lt;net if&gt; &lt;newly
proxied IP&gt;</i></b></font><br>
    <font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly to
gratuitous ARPs, but googling for "arping -U" seems to support the idea
that it works most of the time.<br>
<br>
To use arping with Proxy ARP in the above example, you would have to:<br>
<br>
<font color="#009900"><b>    shorewall clear<br>
</b></font>    <font color="#009900"><b>ip addr add 130.252.100.18
dev eth0<br>
    ip addr add 130.252.100.19 dev eth0</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.18</b></font><br>
    <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
    <b><font color="#009900">ip addr del 130.252.100.18 dev eth0<br>
    ip addr del 130.252.100.19 dev eth0<br>
    shorewall start</font></b><br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP
Illustrated, Vol 1</i> reveals that a <br>
<br>
"gratuitous" ARP packet should cause the ISP's router to refresh their
ARP cache (section 4.7). A gratuitous ARP is simply a host requesting
the MAC address for its own IP; in addition to ensuring that the IP
address
isn't a duplicate...<br>
<br>
"if the host sending the gratuitous ARP has just changed its hardware
address..., this packet causes any other host...that has an entry in
its cache for the old hardware address to update its ARP cache entry
accordingly."<br>
<br>
Which is, of course, exactly what you want to do when you switch a host
from being exposed to the Internet to behind Shorewall using proxy ARP
(or static NAT for that matter). Happily enough, recent versions of
Redhat's iputils package include "arping", whose "-U" flag does just
that:<br>
<br>
&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I <i>&lt;net
if&gt; &lt;newly proxied IP&gt;</i></b></font><br>
&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
66.58.99.83 # for example</b></font><br>
<br>
Stevens goes on to mention that not all systems respond correctly to
gratuitous ARPs, but googling for "arping -U" seems to support the idea
that it works most of the time.<br>
<br>
To use arping with Proxy ARP in the above example, you would have to:<br>
<br>
<font color="#009900"><b>&nbsp; &nbsp; shorewall clear<br>
</b></font>&nbsp; &nbsp; <font color="#009900"><b>ip addr add
130.252.100.18 dev eth0<br>
&nbsp; &nbsp; ip addr add 130.252.100.19 dev eth0</b></font><br>
&nbsp;&nbsp;&nbsp; <font color="#009900"><b>arping -U -I eth0
130.252.100.18</b></font><br>
&nbsp; &nbsp; <font color="#009900"><b>arping -U -I eth0 130.252.100.19</b></font><br>
&nbsp; &nbsp; <b><font color="#009900">ip addr del 130.252.100.18 dev
eth0<br>
&nbsp; &nbsp; ip addr del 130.252.100.19 dev eth0<br>
&nbsp; &nbsp; shorewall start</font></b><br>
<br>
</li>
<li>You can call your ISP and ask them to purge the stale ARP cache
entry but many either can't or won't purge individual entries.</li>
</ol>
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a stale
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
<div align="left">
You can determine if your ISP's gateway ARP cache is stale using ping
and tcpdump. Suppose that we suspect that the gateway router has a
stale ARP cache entry for 130.252.100.19. On the firewall, run tcpdump
as follows:</div>
<div align="left">
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
</div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
will assume is 130.252.100.254):</p>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which
we will assume is 130.252.100.254):</p>
</div>
<div align="left">
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words,
the gateway's ARP cache still associates 130.252.100.19 with the NIC
in that system rather than with the firewall's eth0.</p>
</div>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request
is different from the destination MAC address in the echo reply!! In
this case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while
0:c0:a8:50:b2:57 was the MAC address of the system on the lower left.
In other words,
the gateway's ARP cache still associates 130.252.100.19 with the NIC
in that system rather than with the firewall's eth0.</p>
</div>
<p><font size="2">Last updated 3/21/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
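Review bot: the address 130.242.100.18 in the first paragraph of this hunk does not match the 130.252.100.18 used everywhere else on the page (the red NOTE, the `ip addr add`/`ip addr del` lines and the `arping -U -I eth0 130.252.100.18` line), so it reads as a typo and should become 130.252.100.18. Two further points in the same file: the arping procedure wraps the address juggling in `shorewall clear` ... `shorewall start`, which means the firewall runs with no rules loaded for the duration, and the text should say so explicitly rather than presenting the sequence as a routine step; and in the tcpdump sample the echo reply is addressed to 130.252.100.177 while the request came from 130.252.100.19, which contradicts the explanation that follows ("the gateway's ARP cache still associates 130.252.100.19 with ...") and needs either a consistent capture or a remark that the addresses were edited.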

@ -1,53 +1,34 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Springtime in Seattle!!!</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Visit Seattle in the Springtime!!!!</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
-+
<h3><font color="#ff6633"></font></h3>
<img src="images/P1000048.jpg" alt="" width="640" height="480">
<br>
<br>
<b>March 6, 2003 - Nice day for a walk....</b><br>
<br>
<img src="images/P1000050.jpg" alt="" width="640" height="480">
<br>
<br>
<br>
<img src="images/P1000049.jpg" alt="" width="480" height="640">
<p><b>The view from my office window -- think I'll go out and enjoy the deck
(Yes -- that is snow on the deck...)</b>.<br>
</p>
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
<h1 style="text-align: center;">Visit Seattle in the Springtime!!!<br>
</h1>
<img src="images/P1000048.jpg" alt="" width="640" height="480"> <br>
<br>
<b>March 6, 2003 - Nice day for a walk....</b><br>
<br>
<img src="images/P1000050.jpg" alt="" width="640" height="480"> <br>
<br>
<br>
<img src="images/P1000049.jpg" alt="" width="480" height="640">
<p><b>The view from my office window -- think I'll go out and enjoy the
deck (Yes -- that is snow on the deck...)</b>.<br>
</p>
<p><font size="2">Updated 3/7/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

@ -2,93 +2,79 @@
<html>
<head>
<title>Shorewall Certificate Authority</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
(CA) Certificate</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Given that I develop and support Shorewall without asking for any renumeration,
I can hardly justify paying $200US+ a year to a Certificate Authority such
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
I am who I am. I have therefore established my own Certificate Authority
(CA) and sign my own X.509 certificates. I use these certificates on my list
server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
<body>
<h1 style="text-align: center;">Shorewall Certificate Authority (CA)
Certificate<br>
</h1>
Given that I develop and support Shorewall without asking for any
renumeration, I can hardly justify paying $200US+ a year to a
Certificate Authority such as Thawte (A Division of VeriSign) for an
X.509 certificate to prove that I am who I am. I have therefore
established my own Certificate Authority (CA) and sign my own X.509
certificates. I use these certificates on my list server (<a
href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
which hosts parts of this web site.<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
part of establishing an SSL session (URL https://...), your browser verifies
the X.509 certificate supplied by the HTTPS server against the set of Certificate
Authority Certificates that were shipped with your browser. It is expected
that the server's certificate was issued by one of the authorities whose
identities are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to
https://www.foo.bar you are REALLY connecting to www.foo.bar, means that
the CAs literally have a license to print money -- they are selling a string
of bits (an X.509 certificate) for $200US+ per year!!!I <br>
<br>
I wish that I had decided to become a CA rather that designing and writing
Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of the
authorities known to your browser. If you try to connect to my server using
SSL, your browser will frown and give you a dialog box asking if you want
to accept the sleezy X.509 certificate being presented by my server. <br>
<br>
There are two things that you can do:<br>
<br>
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
part of establishing an SSL session (URL https://...), your browser
verifies the X.509 certificate supplied by the HTTPS server against the
set of Certificate Authority Certificates that were shipped with your
browser. It is expected that the server's certificate was issued by one
of the authorities whose identities are known to your browser. <br>
<br>
This mechanism, while supposedly guaranteeing that when you connect to
https://www.foo.bar you are REALLY connecting to www.foo.bar, means
that the CAs literally have a license to print money -- they are
selling a string of bits (an X.509 certificate) for $200US+ per
year!!!I <br>
<br>
I wish that I had decided to become a CA rather that designing and
writing Shorewall.<br>
<br>
What does this mean to you? It means that the X.509 certificate that my
server will present to your browser will not have been signed by one of
the authorities known to your browser. If you try to connect to my
server using SSL, your browser will frown and give you a dialog box
asking if you want to accept the sleezy X.509 certificate being
presented by my server. <br>
<br>
There are two things that you can do:<br>
<ol>
<li>You can accept the mail.shorewall.net certificate when your browser
asks -- your acceptence of the certificate can be temporary (for that access
only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed) CA
certificate.</a> This will make my Certificate Authority known to your browser
so that it will accept any certificate signed by me. <br>
</li>
<li>You can accept the mail.shorewall.net certificate when your
browser asks -- your acceptence of the certificate can be temporary
(for that access only) or perminent.</li>
<li>You can download and install <a href="ca.crt">my (self-signed)
CA certificate.</a> This will make my Certificate Authority known to
your browser so that it will accept any certificate signed by me. <br>
</li>
</ol>
What are the risks?<br>
What are the risks?<br>
<ol>
<li>If you install my CA certificate then you assume that I am trustworthy
and that Shorewall running on your firewall won't redirect HTTPS requests
intented to go to your bank's server to one of my systems that will present
your browser with a bogus certificate claiming that my server is that of
<li>If you install my CA certificate then you assume that I am
trustworthy and that Shorewall running on your firewall won't redirect
HTTPS requests intented to go to your bank's server to one of my
systems that will present your browser with a bogus certificate
claiming that my server is that of
your bank.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to https://mail.shorewall.net,
the server you are connecting to might not be mine.</li>
<li>If you only accept my server's certificate when prompted then the
most that you have to loose is that when you connect to
https://mail.shorewall.net, the server you are connecting to might not
be mine.</li>
</ol>
I have my CA certificate loaded into all of my browsers but I certainly
I have my CA certificate loaded into all of my browsers but I certainly
won't be offended if you decline to load it into yours... :-)<br>
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003 Thomas M.
size="2">Copyright</font> &copy; <font size="2">2001, 2002, 2003
Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
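Review bot: the page asks readers to import a self-signed CA certificate (`ca.crt`) but publishes no fingerprint for it, so the download can be trusted only as far as the unauthenticated channel it arrives over; please put the certificate fingerprint and a one-line "verify before importing" instruction next to the link, and state plainly in the risks list that a CA trusted by the browser can issue a certificate for any host name, which is exactly the bank-impersonation scenario risk item 1 already describes. Smaller points: the intro says the certificates are used on lists.shorewall.net while both list items refer to the mail.shorewall.net certificate, so one host name should be used consistently; spelling: "renumeration" should be "remuneration", "rather that" "rather than", "sleezy" "sleazy", "acceptence" "acceptance", "perminent" "permanent", "intented" "intended", "loose" "lose", and there is a stray "I" after "year!!!".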

@ -2,56 +2,38 @@
<html>
<head>
<title>Shorewall CVS Access</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
</h1>
<br>
</td>
</tr>
</tbody>
</table>
<br>
Lots of people try to download the entire Shorewall website for off-line
browsing, including the CVS portion. In addition to being an enormous volume
of data (HTML versions of all versions of all Shorewall files), all of the
pages in Shorewall CVS access are cgi-generated which places a tremendous
load on my little server. I have therefore resorted to making CVS access
password controlled. When you are asked to log in, enter "Shorewall" (NOTE
THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
<br>
<div align="center">
<body>
<br>
<h1 style="text-align: center;">Shorewall CVS Access<br>
</h1>
Lots of people try to download the entire Shorewall website for
off-line browsing, including the CVS portion. In addition to being an
enormous volume of data (HTML versions of all versions of all Shorewall
files), all of the pages in Shorewall CVS access are cgi-generated
which places a tremendous load on my little server. I have therefore
resorted to making CVS access password controlled. When you are asked
to log in, enter "Shorewall" (NOTE THE CAPITALIZATION!!!!!) for both
the user name and the password.<br>
<br>
<div align="center">
<h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
target="_top">CVS Login</a> &nbsp;<br>
</h3>
</div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
target="_top">CVS Login</a> &nbsp;<br>
</h3>
</div>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
1/14/2002 - <a href="support.htm">Tom Eastep</a> </font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
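Review bot: the login shown here ("Shorewall" for both user name and password) is printed on the page itself, so it is a deterrent against recursive downloaders rather than access control, and the paragraph should say that explicitly so nobody mistakes the CVS area for restricted content. Also the footer still reads "Updated 1/14/2002" although the file is changed in this commit and the copyright line already runs to 2003.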

@ -9,20 +9,11 @@
<body>
<small> </small><small> </small><small> </small><small> </small><small>
</small> <small> </small>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"><small> </small>
<h1 align="center"><small><font color="#ffffff">Some things that
Shorewall <b>Cannot</b> Do</font></small></h1>
<small> </small></td>
</tr>
</tbody>
</table>
<small><br>
</small>Shorewall cannot:<br>
</small>
<h1 style="text-align: center;">Some things that Shorewall Cannot Do<br>
</h1>
Shorewall cannot:<br>
<ul>
<li>Be used to filter traffic through a Layer 2 Bridge</li>
<li>Act as a "Personal Firewall" that allows internet access by

@ -7,19 +7,22 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#3366ff">
<table cellpadding="0" cellspacing="0" border="0"
style="background-color: rgb(51, 102, 255); height: 84px; width: 100%;">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#3366ff"><a
<td valign="middle" width="33%" bgcolor="#3366ff"
style="background-color: rgb(255, 255, 255);"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4"> </a><br>
</td>
<td valign="middle" height="90" align="center" width="34%">
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
<td valign="middle" height="90" align="center" width="34%"
style="background-color: rgb(255, 255, 255);">
<h1 style="color: rgb(51, 0, 51);"><b>Using Shorewall with Squid</b></h1>
<h1> </h1>
</td>
<td valign="middle" height="90" width="33%" align="right"><a
<td valign="middle" height="90" width="33%" align="right"
style="background-color: rgb(255, 255, 255);"><a
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
alt="" width="100" height="31" hspace="4"> </a><br>
</td>
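Review bot: the first new `<td>` carries both `bgcolor="#3366ff"` and `style="background-color: rgb(255, 255, 255);"`, which contradict each other; keep one. The empty `<h1> </h1>` left under the "Using Shorewall with Squid" heading in the middle cell is leftover markup and should be removed.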

@ -1,138 +1,66 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td
width="100%" height="90" align="center">
<div align="center">
</div>
<a href="http://www.shorewall.net" target="_top"><img
border="0" src="images/ProtectedBy.png" width="200" height="42"
hspace="4" alt="(Shorewall Logo)" align="middle" vspace="4">
</a><br>
<br>
</td>
</tr>
<tr>
<td
width="100%" bgcolor="#ffffff">
<tbody>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li>
<a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing
Lists</a><a href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Things to try if it doesn't
work</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
</ul>
</li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a
href="quotes.htm">Quotes from Users</a></li>
</li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<ul>
</ul>
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
</p>
</body>
</html>
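Review bot: the reformatted navigation list still carries invalid or empty markup: an empty `<ul></ul>` inside the Mirrors `<li>`, another empty `<ul></ul>` placed directly under the outer `<ul>` after "Quotes from Users" (a `<ul>` is only valid inside an `<li>`), a stray `</li>` after "News Archive", an empty `<a href="http://lists.shorewall.net"> </a>` following the Mailing Lists link, and a closing `</p>` after the copyright paragraph's `<br>`s that has no open tag. Since this commit rewrites the file anyway, drop them rather than carry them forward.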

@ -1,120 +1,68 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
<base target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td
width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td
width="100%" bgcolor="#ffffff">
<tbody>
<tr>
<td width="100%" bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li>
<a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a>
</li>
<li><a
href="http://lists.shorewall.net">Mailing Lists</a></li>
<li><a
href="shorewall_mirrors.htm">Mirrors</a></li>
<li><a
href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="seattlefirewall_index.htm">Home</a></li>
<li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a href="download.htm">Download</a><br>
</li>
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a><br>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
Guides (HOWTOs)</a><br>
</li>
<li> <b><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a href="useful_links.html">Useful Links</a><br>
</li>
<li> <a href="troubleshoot.htm">Things to try if it doesn't
work</a></li>
<li> <a href="errata.htm">Errata</a></li>
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
</ul>
</li>
<li> <a href="News.htm">News Archive</a></li>
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a href="quotes.htm">Quotes from Users</a></li>
<ul>
</ul>
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
<li> <a href="shoreline.htm">About the Author</a></li>
<li> <a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
</p>
<br>
<br>
</body>
</html>
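Review bot: this index frame has the same markup problems as its sibling: an empty `<ul></ul>` inside the Mirrors `<li>`, a second empty `<ul></ul>` directly under the outer `<ul>` after "Quotes from Users", an empty `<a href="http://lists.shorewall.net"> </a>` after the Mailing Lists link, and a stray `</p>` following the copyright paragraph's `<br>`; please remove them so both frames ship with well-formed lists.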

@ -1,78 +1,59 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>VPN</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">VPN</font></h1>
</td>
</tr>
</tbody>
</table>
<p>It is often the case that a system behind the firewall needs to be able
to access a remote network through Virtual Private Networking (VPN). The
two most common means for doing this are IPSEC and PPTP. The basic setup
is shown in the following diagram:</p>
<body>
<h1 style="text-align: center;">VPN<br>
</h1>
<p>It is often the case that a system behind the firewall needs to be
able to access a remote network through Virtual Private Networking
(VPN). The two most common means for doing this are IPSEC and PPTP. The
basic setup is shown in the following diagram:</p>
<p align="center"><img border="0" src="images/VPN.png" width="568"
height="796">
</p>
<p align="left">A system with an RFC 1918 address needs to access a remote
network through a remote gateway. For this example, we will assume that the
local system has IP address 192.168.1.12 and that the remote gateway has
IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall requirements
beyond the default loc-&gt;net ACCEPT policy. There is one restriction however:
Only one local system at a time can be connected to a single remote gateway
unless you patch your kernel from the 'Patch-o-matic' patches available at
height="796"> </p>
<p align="left">A system with an RFC 1918 address needs to access a
remote network through a remote gateway. For this example, we will
assume that the local system has IP address 192.168.1.12 and that the
remote gateway has
IP address 192.0.2.224.</p>
<p align="left">If PPTP is being used, there are no firewall
requirements beyond the default loc-&gt;net ACCEPT policy. There is one
restriction however: Only one local system at a time can be connected
to a single remote gateway unless you patch your kernel from the
'Patch-o-matic' patches available at
<a href="http://www.netfilter.org">http://www.netfilter.org</a>. </p>
<p align="left">If IPSEC is being used then only one system may connect to
the remote gateway and there are firewall configuration requirements as follows:</p>
<blockquote>
<p align="left">If IPSEC is being used then only one system may connect
to the remote gateway and there are firewall configuration requirements
as follows:</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
bordercolor="#111111" id="AutoNumber2" height="98">
<tbody>
<tr>
<tbody>
<tr>
<td height="38"><u><b>ACTION</b></u></td>
<td height="38"><u><b>SOURCE</b></u></td>
<td height="38"><u><b>DESTINATION</b></u></td>
<td height="38"><u><b>PROTOCOL</b></u></td>
<td height="38"><u><b>PORT</b></u></td>
<td height="38"><u><b>CLIENT<br>
PORT</b></u></td>
PORT</b></u></td>
<td height="38"><u><b>ORIGINAL<br>
DEST</b></u></td>
DEST</b></u></td>
</tr>
<tr>
<td height="19">DNAT</td>
<td height="19">net:192.0.2.224</td>
<td height="19">loc:192.168.1.12</td>
<td height="19">50</td>
<td height="19"> </td>
<td height="19"> </td>
<td height="19"> </td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
</tr>
<tr>
<td height="19">DNAT</td>
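Review bot: the DNAT rows in the IPSEC table (protocol 50 and udp 500 to loc:192.168.1.12) depend on the SOURCE column, net:192.0.2.224, to keep the internal host reachable only from the named remote gateway; a sentence under the table saying so, and warning readers not to substitute plain `net` when they copy the table with their own addresses, would make the security intent of the rule explicit. Also the new `<h1>` wraps "VPN" together with a trailing `<br>` inside the heading, which is redundant.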
@ -80,27 +61,24 @@ the remote gateway and there are firewall configuration requirements as follows
<td height="19">loc:192.168.1.12</td>
<td height="19">udp</td>
<td height="19">500</td>
<td height="19"> </td>
<td height="19"> </td>
<td height="19">&nbsp;</td>
<td height="19">&nbsp;</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
<p>If you want to be able to give access to all of your local systems to the
remote network, you should consider running a VPN client on your firewall.
As starting points, see <a
href="http://www.shorewall.net/Documentation.htm#Tunnels"> http://www.shorewall.net/Documentation.htm#Tunnels</a>
or <a href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
</blockquote>
<p>If you want to be able to give access to all of your local systems
to the remote network, you should consider running a VPN client on your
firewall. As starting points, see <a
href="http://www.shorewall.net/Documentation.htm#Tunnels">
http://www.shorewall.net/Documentation.htm#Tunnels</a> or <a
href="http://www.shorewall.net/PPTP.htm">http://www.shorewall.net/PPTP.htm</a>.</p>
<p><font size="2">Last modified 12/21/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<p> </p>
<br>
<br>
<p>&nbsp;</p>
<br>
<br>
</body>
</html>
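Review bot: The "Last modified 12/21/2002" line (L4741-L4742) is carried over unchanged; that is acceptable because the hunk is a pure reflow and entity change, but the `<p>&nbsp;</p>` plus the `<br>` tags before `</body>` (L4748-L4750) are layout padding that could be dropped in the same pass instead of being re-indented.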

View File

@ -1,102 +1,77 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
</td>
</tr>
</tbody>
</table>
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
<body>
<h1 style="text-align: center;">Shorewall Blacklisting Support<br>
</h1>
<p>Shorewall supports two different forms of blacklisting; static and
dynamic.</p>
<h2>Static Blacklisting</h2>
<p>Shorewall static blacklisting support has the following configuration
<p>Shorewall static blacklisting support has the following
configuration
parameters:</p>
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged
and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in
<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL and
Port numbers/Service names in the blacklist file.<br>
</li>
<li>You specify the interfaces whose incoming packets you want checked
against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
<li>You specify whether you want packets from blacklisted hosts
dropped or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts
logged and at what syslog level using the <a
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
/etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a>
Beginning with Shorewall version 1.3.8, you may also specify PROTOCOL
and
Port numbers/Service names in the blacklist file.<br>
</li>
<li>You specify the interfaces whose incoming packets you want
checked against the blacklist using the "<a
href="Documentation.htm#Interfaces">blacklist</a>" option in
/etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the "<a
href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
</ul>
<h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic
blacklisting doesn't use any configuration parameters but is rather
controlled using /sbin/shorewall commands:</p>
<ul>
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets
from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
<li>drop <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the
listed IP addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of
packets from hosts previously blacklisted by a <i>drop</i> or <i>reject</i>
command.</li>
<li>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
<li>save - save the dynamic blacklisting configuration so that it
will be automatically restored the next time that the firewall is
restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
in /etc/shorewall/interfaces.<br>
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option
in /etc/shorewall/interfaces.<br>
<p>Example 1:</p>
<pre> <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
<p>    Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and
192.0.2.125</p>
<p>Example 2:</p>
<pre> <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
<p>    Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 7/27/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
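Review bot: The sentence "Shorewall supports two different forms of blacklisting; static and dynamic." (L4783-L4784) needs a colon rather than a semicolon before the enumeration, and "Reenables" (L4870) should be "Re-enables". Also, the line "Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in /etc/shorewall/interfaces." (L4859-L4860) sits outside any `<p>` element, and the `<br>` inside the new `<h1>` (L4781-L4882) only adds an empty line to the heading; the same `<h1 ...><br></h1>` pattern recurs in the other pages of this commit and could be cleaned up uniformly.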

View File

@ -9,17 +9,8 @@
<title>Configuration File Basics</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Configuration Files<br>
</h1>
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a
@ -254,18 +245,21 @@ that you can then use in some of the other configuration files.</p>
<p>It is suggested that variable names begin with an upper case letter<font
size="1"> </font>to distinguish them from variables used internally
within the Shorewall programs</p>
<p>Example:</p>
<p>Example:<br>
</p>
<p>&nbsp;&nbsp;&nbsp; /etc/shorewall/params<br>
</p>
<blockquote>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918</pre>
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=routefilter,norfc1918<br></pre>
</blockquote>
<p><br>
Example (/etc/shorewall/interfaces record):</p>
<p>&nbsp;&nbsp;&nbsp; /etc/shorewall/interfaces record:</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
<p>The result will be the same as if the record had been written</p>
<p>&nbsp;&nbsp;&nbsp; The result will be the same as if the record had
been written</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<pre>net eth0 130.252.100.255 routefilter,norfc1918</pre>
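Review bot: The `<font face="Century Gothic, Arial, Helvetica">` elements wrapping `<blockquote>` (L4927-L4931 and L4935-L4936) are inline elements containing block content, which is not valid in HTML 4.01 Transitional; move the `<font>` inside the `<pre>` or drop it. The new params example (L4922) also ends with a `<br>` right before `</pre>`, which renders an extra blank line inside the preformatted block compared with the old line at L4921.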

View File

@ -1,46 +1,30 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Copyright</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Copyright</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left">Copyright <font face="Trebuchet MS">©</font>  2000, 2001,
2003 Thomas M Eastep<br>
 </p>
<blockquote>
<p align="left">Permission is granted to copy, distribute and/or modify
this document under the terms of the GNU Free Documentation License, Version
1.1 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
A copy of the license is included in the section entitled "<a
href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
 </p>
</blockquote>
<br>
<br>
<body>
<h1 style="text-align: center;">Copyright<br>
</h1>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp;
2000, 2001, 2003 Thomas M Eastep<br>
&nbsp;</p>
<blockquote>
<p align="left">Permission is granted to copy, distribute and/or
modify this document under the terms of the GNU Free Documentation
License, Version 1.1 or any later version published by the Free
Software Foundation; with no Invariant Sections, with no Front-Cover,
and with no Back-Cover Texts. A copy of the license is included in the
section entitled "<a href="GnuCopyright.htm">GNU Free Documentation
License</a>".<br>
&nbsp;</p>
</blockquote>
<br>
<br>
</body>
</html>
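Review bot: "Thomas M Eastep" (L4982) is missing the period after the middle initial and is inconsistent with "Thomas M. Eastep" used in the copyright footers elsewhere in this commit (for example L4874); worth fixing while the paragraph is being reflowed.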

View File

@ -1,85 +1,65 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">DHCP</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">DHCP<br>
</h1>
<h2 align="left">If you want to Run a DHCP Server on your firewall</h2>
<ul>
<li>
<p align="left">Specify the "dhcp" option on each interface to be served
by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your firewall
system. </p>
</li>
<li>
<p align="left">When starting "dhcpd", you need to list those interfaces
on the run line. On a RedHat system, this is done by modifying /etc/sysconfig/dhcpd.
</p>
</li>
<li>
<p align="left">Specify the "dhcp" option on each interface to be
served
by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your
firewall
system. </p>
</li>
<li>
<p align="left">When starting "dhcpd", you need to list those
interfaces on the run line. On a RedHat system, this is done by
modifying /etc/sysconfig/dhcpd. </p>
</li>
</ul>
<h2 align="left">If a Firewall Interface gets its IP Address via DHCP</h2>
<ul>
<li>
<p align="left">Specify the "dhcp" option for this interface in the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. This will generate rules that will allow DHCP to and from your firewall
system. </p>
</li>
<li>
<p align="left">If you know that the dynamic address is always going to
be in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. </p>
</li>
<li>
<p align="left">If you don't know the subnet address in advance, you should
specify "detect" for the interface's subnet address in the <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p>
</li>
<li>
<p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a "shorewall refresh"
command to be executed when a new dynamic IP address gets assigned to
the interface. Check your DHCP client's documentation. </p>
</li>
<li>
<p align="left">Specify the "dhcp" option for this interface in the
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.&nbsp;This will generate rules that will allow DHCP to and from
your firewall system. </p>
</li>
<li>
<p align="left">If you know that the dynamic address is always
going to
be in the same subnet, you can specify the subnet address in the
interface's entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file. </p>
</li>
<li>
<p align="left">If you don't know the subnet address in advance,
you should specify "detect" for the interface's subnet address in the <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file
and start Shorewall after the interface has started. </p>
</li>
<li>
<p align="left">In the event that the subnet address might change
while Shorewall is started, you need to arrange for a "shorewall
refresh" command to be executed when a new dynamic IP address gets
assigned to the interface. Check your DHCP client's documentation. </p>
</li>
</ul>
<p align="left"><font size="2">Last updated 11/03/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
</body>
</html>
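Review bot: The reflowed bullet at L5083 replaces the ordinary space between sentences with `&nbsp;` ("file.&nbsp;This will generate rules"), whereas the old text (L5059) and the parallel bullet at L5044 use a normal space. A non-breaking space there prevents the line from wrapping and is inconsistent; use a plain space.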

View File

@ -9,17 +9,8 @@
<title>Download</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall Download<br>
</h1>
<p><b>I strongly urge you to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.<br>

View File

@ -10,25 +10,17 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade
Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <b><u>IMPORTANT</u></b></p>
<p align="center"> </p>
<h1 style="text-align: center;">Shorewall Errata<br>
</h1>
<p align="center"><b><u>IMPORTANT</u></b></p>
<ol>
<li>
<p align="left"> <b><u>I</u>f you use a Windows system to download
a corrected script, be sure to run the script through <u> <a
href="http://www.megaloman.com/%7Ehany/software/hd2u/"
style="text-decoration: none;"> dos2unix</a></u> after you have moved it
style="text-decoration: none;"> dos2unix</a></u> after you have moved
it
to your Linux system.</b></p>
</li>
<li>
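Review bot: The heading change from "Shorewall Errata/Upgrade Issues" (L5154-L5155) to "Shorewall Errata" (L5162) drops the "Upgrade Issues" part; if the page still documents upgrade issues, the heading and page title should keep saying so. Also, `<b><u>I</u>f you use a Windows system` (L5167) underlines only the first letter of "If", which looks like an editor artifact; either underline the whole word or remove the `<u>`.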
@ -45,7 +37,8 @@ rename the existing file before copying in the new file.</b></p>
<li>
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED
COMPONENTS ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER
BELOW. For example, do NOT install the 1.3.9a firewall script if you are
BELOW. For example, do NOT install the 1.3.9a firewall script if you
are
running 1.3.7c.</font></b><br>
</p>
</li>
@ -79,13 +72,15 @@ REJECT (also applies to 2.4.21-RC1) <img src="images/new10.gif"
<li>Using some versions of 'ash' (such as from RH8) as the
SHOREWALL_SHELL causes "shorewall [re]start" to fail with:<br>
<br>
   local: --limit: bad variable name<br>
   iptables v1.2.8: Couldn't load match
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so: <br>
   cannot open shared object file: No such file or directory<br>
   Try `iptables -h' or 'iptables --help' for more information.</li>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>When more than one ICMP type is listed in a rule and your kernel
includes multiport match support,  the firewall fails to start. </li>
includes multiport match support,&nbsp; the firewall fails to
start.&nbsp;</li>
<li>Regardless of the setting of LOGUNCLEAN, the value
LOGUNCLEAN=info was used.</li>
<li>After the following error message, Shorewall was left in an
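Review bot: The ash error output (L5192-L5199) is indented with `&nbsp;` runs inside flowing text and split across lines with `<br>`, so the exact message readers will search for is hard to copy; putting it in a `<pre>` block, as the NAT example at L5357 does, would preserve it verbatim. The reflow also introduces a stray `&nbsp;` after the comma in "multiport match support,&nbsp; the firewall" (L5202) and a trailing `start.&nbsp;` (L5203).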
@ -101,7 +96,8 @@ described above.<br>
<h3>1.4.6</h3>
<ul>
<li>If TC_ENABLED is set to yes in shorewall.conf then Shorewall
would fail to start with the error "ERROR:  Traffic Control requires
would fail to start with the error "ERROR:&nbsp; Traffic Control
requires
Mangle"; that problem has been corrected in <a
href="http://shorewall.net/pub/shorewall/errata/1.4.6/firewall">this
firewall script</a> which may be installed in
@ -111,7 +107,7 @@ corrected in bugfix release 1.4.6a.</li>
If a MAC address is used in the SOURCE column, an error occurs as
follows:<br>
<br>
     <font size="3"><tt>iptables v1.2.8: Bad mac adress
&nbsp; &nbsp; &nbsp;<font size="3"><tt>iptables v1.2.8: Bad mac adress
`00:08:B5:35:52:E7-d`</tt></font><br>
<br>
For Shorewall 1.4.6 and 1.4.6a users, this problem has been corrected
@ -122,11 +118,13 @@ versions, you will have to edit your 'firewall' script (in versions
1.4.*, it is located in /usr/share/shorewall/firewall). Locate the
function add_tcrule_() and in that function, replace this line:<br>
<br>
    <span style="font-family: monospace;">r=`mac_match $source` </span><br>
&nbsp; &nbsp; <span style="font-family: monospace;">r=`mac_match
$source`&nbsp;</span><br>
<br>
with<br>
<br>
     <span style="font-family: monospace;">r="`mac_match $source` "</span><br>
&nbsp; &nbsp; &nbsp;<span style="font-family: monospace;">r="`mac_match
$source` "</span><br>
<br>
Note that there must be a space before the ending quote!<br>
</li>
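Review bot: The whole point of this erratum is whitespace, since the fix at L5237-L5238 works by keeping the space before the closing quote so that the "-d" is no longer fused onto the MAC address (compare the error quoted at L5222-L5223). Showing the "before" line with a `&nbsp;` immediately after the closing backtick (L5232) and the "after" line with a normal space makes it unclear which whitespace is meaningful; put both lines in a `<pre>` block with literal spaces so the text "there must be a space before the ending quote" (L5240) matches what the reader sees.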
@ -137,7 +135,8 @@ Note that there must be a space before the ending quote!<br>
have an empty second column (HOSTS). This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4b/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall
as described above.</li>
<li>The INCLUDE directive doesn't work when placed in the
/etc/shorewall/zones file. This problem may be corrected by installing <a
@ -153,7 +152,8 @@ though the log level for the console is set properly according to <a
href="FAQ.htm#faq16">FAQ 16</a>. This problem may be corrected by
installing <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.4a/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall
as described above.<br>
</li>
</ul>
@ -162,7 +162,8 @@ as described above.<br>
<ul>
<li> If you have zone names that are 5 characters long, you may
experience problems starting Shorewall because the --log-prefix in a
logging rule is too long. Upgrade to Version 1.4.4a to fix this problem..</li>
logging rule is too long. Upgrade to Version 1.4.4a to fix this
problem..</li>
</ul>
<h3>1.4.3</h3>
<ul>
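Review bot: The double period in "to fix this problem.." (L5268) is carried over from the old line (L5266); fix it while the sentence is being reflowed.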
@ -171,7 +172,8 @@ to allow integration of Shorewall with Fireparse
(http://www.firewparse.com). Unfortunately, LOGMARKER only solved part
of the integration problem. I have implimented a new LOGFORMAT variable
which will replace LOGMARKER which has completely solved this problem
and is currently in production with fireparse here at shorewall.net. The
and is currently in production with fireparse here at shorewall.net.
The
updated files may be found at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/1.4.3/fireparse/</a>.
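Review bot: "implimented" (L5274) should be "implemented". In the same paragraph the URL "http://www.firewparse.com" (L5273) is spelled differently from "fireparse" used at L5276 and in the errata path at L5280-L5281; one of the two spellings is wrong and should be checked against the real project address rather than carried forward as is.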
@ -184,7 +186,8 @@ See the 0README.txt file for details.<br>
directory created in /tmp is not being removed. This problem may be
corrected by installing <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.4.2/firewall"
target="_top">this firewall script</a> in /usr/share/shorewall/firewall
target="_top">this firewall script</a> in
/usr/share/shorewall/firewall
as described above. <br>
</li>
</ul>
@ -203,7 +206,8 @@ in /etc/shorewall/common.def.<br>
<li>When a "shorewall check" command is executed, each "rule"
produces the harmless additional message:<br>
<br>
     /usr/share/shorewall/firewall: line 2174: [: =: unary operator
&nbsp; &nbsp; &nbsp;/usr/share/shorewall/firewall: line 2174: [: =:
unary operator
expected<br>
<br>
You may correct the problem by installing <a
@ -231,14 +235,17 @@ with iptables version 1.2.3</font></h3>
<blockquote>
<p align="left">There are a couple of serious bugs in iptables 1.2.3
that prevent it from working with Shorewall. Regrettably, RedHat
released this buggy iptables in RedHat 7.2. </p>
released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="left"> I have built a <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>  and I have also
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have
also
built an <a
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If you are currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u> </b>you
iptables-1.2.4 rpm which you can download here</a>. If you are
currently
running RedHat 7.1, you can install either of these RPMs <b><u>before</u>
</b>you
upgrade to RedHat 7.2.</p>
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
has released an iptables-1.2.4 RPM of their own which you can download
@ -251,7 +258,7 @@ the patches are available for download. This <a
which corrects a problem with parsing of the --log-level specification
while this <a
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the  TOS target.</p>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
@ -268,7 +275,8 @@ iptables</h3>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in
the Netfilter 'mangle' table. You can correct the problem by installing <a
the Netfilter 'mangle' table. You can correct the problem by installing
<a
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm
@ -284,7 +292,8 @@ option to rpm.</p>
MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made an incompatible
change to the syntax used to specify multiport match rules; as a
consequence, if you install iptables 1.2.7 you must be running Shorewall
consequence, if you install iptables 1.2.7 you must be running
Shorewall
1.3.7a or later or:</p>
<ul>
<li>set MULTIPORT=No in /etc/shorewall/shorewall.conf; or </li>
@ -298,7 +307,7 @@ above.</li>
/etc/shorewall/nat entries of the following form will result in
Shorewall being unable to start:<br>
<br>
<pre>#EXTERNAL       INTERFACE       INTERNAL        ALL INTERFACES          LOCAL<br>192.0.2.22    eth0    192.168.9.22   yes     yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<pre>#EXTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; INTERNAL&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ALL INTERFACES&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; LOCAL<br>192.0.2.22&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; 192.168.9.22&nbsp;&nbsp; yes&nbsp;&nbsp;&nbsp;&nbsp; yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
Error message is:<br>
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
The solution is to put "no" in the LOCAL column. Kernel support for
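Review bot: Replacing the spaces inside the `<pre>` block with `&nbsp;` entities (L5358) is unnecessary, since `<pre>` already preserves whitespace, and it is harmful: anyone who copies the example into /etc/shorewall/nat gets non-breaking spaces instead of column separators, which the whitespace-delimited configuration parser will not split on, so the line fails to parse. Keep the plain-space version from L5357 and use ordinary `<br>`-free line breaks.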
@ -306,11 +315,13 @@ LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
2.4.19 kernel contains corrected support under a new kernel
configuraiton option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
<br>
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9 and
<h3><a name="REJECT"></a><b> Problems with RH Kernels after 2.4.20-9
and
REJECT (also applies to 2.4.21-RC1)</b></h3>
Beginning with errata kernel 2.4.20-13.9, "REJECT --reject-with
tcp-reset" is broken. The symptom most commonly seen is that REJECT
rules act just like DROP rules when dealing with TCP. A kernel patch and
rules act just like DROP rules when dealing with TCP. A kernel patch
and
precompiled modules to fix this problem are available at <a
href="ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel"
target="_top">ftp://ftp1.shorewall.net/pub/shorewall/errata/kernel</a>.<br>
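Review bot: "configuraiton option" (L5364) should be "configuration option". Since the REJECT erratum that follows (L5370-L5372) describes REJECT rules silently behaving like DROP for TCP on the affected kernels, the paragraph would be more useful to administrators if it also said how to recognise the affected kernel from its version string, which L5370 already hints at ("Beginning with errata kernel 2.4.20-13.9").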

View File

@ -1,77 +1,61 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Fallback and Uninstall</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<div style="text-align: left;">
<h1 style="text-align: center;">Fallback and Uninstall<br>
</h1>
<h1><strong></strong></h1>
<h1><strong></strong></h1>
</div>
<p><strong>Shorewall includes a </strong><a href="#fallback"><strong>fallback
script</strong></a><strong> and an </strong><a href="#uninstall"><strong>uninstall
script</strong></a><strong>.</strong></p>
<h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall
using the Fallback Script</h2>
<p>If you install Shorewall and discover that it doesn't work for you, you
<h2><a name="fallback"></a>Falling Back to the Previous Version of
Shorewall using the Fallback Script</h2>
<p>If you install Shorewall and discover that it doesn't work for you,
you
can fall back to your previously installed version. To do that:</p>
<ul>
<li>cd to the distribution directory for the version of Seattle
Firewall <u>that you are currently running </u>(NOT the version
that you want to fall back to).</li>
<li>Type "./fallback.sh"</li>
<li>cd to the distribution directory for the version of Seattle
Firewall <u>that you are currently running </u>(NOT the version that
you want to fall back to).</li>
<li>Type "./fallback.sh"</li>
</ul>
<h3><strong><u>Warning:</u> The fallback script will replace /etc/shorewall/policy,
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat, /etc/shorewall/proxyarp
and /etc/shorewall/masq with the version of these files from before the current
<h3><strong><u>Warning:</u> The fallback script will replace
/etc/shorewall/policy,
/etc/shorewall/rules, /etc/shorewall/interfaces, /etc/shorewall/nat,
/etc/shorewall/proxyarp
and /etc/shorewall/masq with the version of these files from before the
current
version was installed. Any changes to any of these files will be lost.</strong></h3>
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using
rpm</h2>
<p>If your previous version of Shorewall was installed using RPM, you may
fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;" at
a root shell prompt (Example: "rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm"
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall
using rpm</h2>
<p>If your previous version of Shorewall was installed using RPM, you
may
fall back to that version by typing "rpm -Uvh --force &lt;old rpm&gt;"
at
a root shell prompt (Example: "rpm -Uvh --force
/downloads/shorewall-3.1=0noarch.rpm"
would fall back to the 3.1-0 version of Shorewall).</p>
<h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
<p>If you no longer wish to use Shorewall, you may remove it by:</p>
<ul>
<li>cd to the distribution directory for the version of Shorewall
<li>cd to the distribution directory for the version of Shorewall
that you have installed.</li>
<li>type "./uninstall.sh"</li>
<li>type "./uninstall.sh"</li>
</ul>
<p>If you installed using an rpm, at a root shell prompt type "rpm -e shorewall".</p>
<p>If you installed using an rpm, at a root shell prompt type "rpm -e
shorewall".</p>
<p><font size="2">Last updated 3/26/2001 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
</body>
</html>
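Review bot: The rpm example "/downloads/shorewall-3.1=0noarch.rpm" (L5453) does not match the version it claims to illustrate, "the 3.1-0 version" (L5454): the "=" between 3.1 and 0 and the missing separator before "noarch" mean the file name as written would not be found; correct it to the usual name-version-release.arch form. The fallback bullet also still refers to "Seattle Firewall" (L5426-L5427) while the heading and the rest of the page say Shorewall; rename it while reflowing.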

View File

@ -1,80 +1,57 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy
Way</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 align="center"> </h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4>
<body>
<h1 align="center">GNU Mailman/Postfix the Easy Way&nbsp;</h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by
Michael Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in system-wide
aliases file so that rest of mailman's mail handling processes will run
with proper uid/gid. Postfix has an ability to run a command specified in
an alias as owner of that alias, thus mailman's wrapper is not needed here.
The best method to invoke mailman's mail handling via aliases is to use
separate alias file especially for mailman, and made it owned by mailman
and group mailman. Like:<br>
<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this
may be done by executing postalias as mailman userid).<br>
<br>
Next, instead of using mailman-suggested aliases entries with wrapper,
use the following:<br>
<br>
instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br>
<br>
use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something
very similar so that no workaround is necessary. See the README.POSTFIX file
included with Mailman-2.1. </h4>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in
system-wide aliases file so that rest of mailman's mail handling
processes will run with proper uid/gid. Postfix has an ability to run a
command specified in an alias as owner of that alias, thus mailman's
wrapper is not needed here. The best method to invoke mailman's mail
handling via aliases is to use separate alias file especially for
mailman, and made it owned by mailman and group mailman. Like:<br>
<br>
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
<br>
Make sure that /var/mailman/aliases.db is owned by mailman user (this
may be done by executing postalias as mailman userid).<br>
<br>
Next, instead of using mailman-suggested aliases entries with wrapper,
use the following:<br>
<br>
instead of<br>
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
...<br>
<br>
use<br>
mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted
something very similar so that no workaround is necessary. See the
README.POSTFIX file included with Mailman-2.1.&nbsp;</h4>
<p align="left"><font size="2">Last updated 12/29/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M.
Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
</body>
</html>
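Review bot: the rewritten title and closing note carry a trailing `&nbsp;` that serves no purpose (`GNU Mailman/Postfix the Easy Way&nbsp;</h1>` and `Mailman-2.1.&nbsp;</h4>`); drop it. More useful to readers: the answer makes the ownership of /var/mailman/aliases.db the thing that decides which account Postfix uses to run the post/mailowner/mailcmd scripts, so the page should also say that the file must not be writable by anyone other than that user, because whoever can edit it chooses the commands that run as mailman.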

View File

@ -1,22 +1,19 @@
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01
Frameset//EN""http://www.w3.org/TR/html4/frameset.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<frameset cols="242,*">
<frame name="contents" target="main" src="Shorewall_index_frame.htm">
<frame name="main" src="seattlefirewall_index.htm" target="_self" scrolling="auto">
<noframes>
<body>
<p>This page uses frames, but your browser doesn't support them.</p>
</body>
</noframes>
<meta http-equiv="Content-Type" content="text/html;
charset=iso-8859-1"></head>
<frameset rows="110,*" cols="*" frameborder="yes"
border="1"framespacing="0"> <frame
src="Banner.html" name="topFrame"scrolling="NO"
noresize >
<frameset cols="242,*" frameborder="yes" border="1" framespacing="0">
<frame src="Shorewall_index_frame.htm" name="contents"> <frame src="seattlefirewall_index.htm"
name="main">
</frameset>
</html>
</frameset>
<noframes><body><p>This page uses frames, but your browser doesn't
support them.</p></body></noframes>
</html>
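Review bot: two attribute pairs in the new frameset markup lack the separating space, `border="1"framespacing="0"` on the outer `<frameset>` and `name="topFrame"scrolling="NO"` on the banner `<frame>`; browsers will parse each pair as one malformed attribute, so `framespacing="0"` and `scrolling="NO"` are likely to be ignored. The unchanged DOCTYPE has the same problem between `"-//W3C//DTD HTML 4.01 Frameset//EN"` and the system identifier URL. Keeping the `<noframes>` fallback is right.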

View File

@ -1,46 +1,28 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Kernel Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Kernel Configuration</font></h1>
</td>
</tr>
</tbody>
</table>
<p>For information regarding configuring and building GNU/Linux kernels, see
<body>
<h1 style="text-align: center;">Kernel Configuration<br>
</h1>
<p>For information regarding configuring and building GNU/Linux
kernels, see
<a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>Here's a screen shot of my Network Options Configuration:</p>
<blockquote>
<p> <img border="0" src="images/netopts.jpg" width="609" height="842">
</p>
</blockquote>
<p>While not all of the options that I've selected are required, they should
be sufficient for most applications. Here's an excerpt from the corresponding
.config file (Note: If you are running a kernel older than 2.4.17, be sure
to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote> <font size="2">
<blockquote>
<p>&nbsp;<img border="0" src="images/netopts.jpg" width="609"
height="842"> </p>
</blockquote>
<p>While not all of the options that I've selected are required, they
should be sufficient for most applications. Here's an excerpt from the
corresponding .config file (Note: If you are running a kernel older
than 2.4.17, be sure to select CONFIG_NETLINK and CONFIG_RTNETLINK):</p>
<blockquote> <font size="2">
<p>#<br>
# Networking options<br>
#<br>
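Review bot: the new heading `<h1 style="text-align: center;">Kernel Configuration<br></h1>` ends with a stray `<br>` inside the `<h1>`, which only adds an empty line under the title; drop it. The same `<br>`-inside-`<h1>` pattern appears in the other retitled pages in this commit (About My Network, ICMP Echo-request, Ports Required, Quotes, Samba/SMB). The `&nbsp;` placed before the screenshot `<img>` is likewise just spacing and can go.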
@ -70,33 +52,30 @@ CONFIG_NET_IPGRE=y<br>
CONFIG_INET_ECN=y<br>
CONFIG_SYN_COOKIES=y<br>
</p>
</font> </blockquote>
</font> </blockquote>
<p>Here's a screen shot of my Netfilter configuration:</p>
<blockquote>
<blockquote>
<p><img src="images/menuconfig1.jpg" alt="(Netfilter Options)"
width="589" height="849">
<br>
</p>
</blockquote>
<p>Note that I have built everything I need as modules. You can also build
everything into your kernel but if you want to be able to deal with FTP running
on a non-standard port then I recommend that you modularize FTP Protocol
width="589" height="849"> <br>
</p>
</blockquote>
<p>Note that I have built everything I need as modules. You can also
build
everything into your kernel but if you want to be able to deal with FTP
running
on a non-standard port then I recommend that you modularize FTP
Protocol
support.<br>
</p>
<p>Here's the corresponding part of my .config file:<br>
</p>
<blockquote>
<pre>#<br>#   IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
</blockquote>
<blockquote>
<pre>#<br>#&nbsp;&nbsp; IP: Netfilter Configuration<br>#<br>CONFIG_IP_NF_CONNTRACK=m<br>CONFIG_IP_NF_FTP=m<br>CONFIG_IP_NF_AMANDA=m<br>CONFIG_IP_NF_TFTP=m<br># CONFIG_IP_NF_IRC is not set<br># CONFIG_IP_NF_QUEUE is not set<br>CONFIG_IP_NF_IPTABLES=m<br>CONFIG_IP_NF_MATCH_LIMIT=m<br>CONFIG_IP_NF_MATCH_MAC=m<br>CONFIG_IP_NF_MATCH_PKTTYPE=m<br>CONFIG_IP_NF_MATCH_MARK=m<br>CONFIG_IP_NF_MATCH_MULTIPORT=m<br>CONFIG_IP_NF_MATCH_TOS=m<br>CONFIG_IP_NF_MATCH_ECN=m<br>CONFIG_IP_NF_MATCH_DSCP=m<br>CONFIG_IP_NF_MATCH_AH_ESP=m<br>CONFIG_IP_NF_MATCH_LENGTH=m<br># CONFIG_IP_NF_MATCH_TTL is not set<br>CONFIG_IP_NF_MATCH_TCPMSS=m<br>CONFIG_IP_NF_MATCH_HELPER=m<br>CONFIG_IP_NF_MATCH_STATE=m<br>CONFIG_IP_NF_MATCH_CONNTRACK=m<br>CONFIG_IP_NF_MATCH_UNCLEAN=m<br># CONFIG_IP_NF_MATCH_OWNER is not set<br>CONFIG_IP_NF_FILTER=m<br>CONFIG_IP_NF_TARGET_REJECT=m<br># CONFIG_IP_NF_TARGET_MIRROR is not set<br>CONFIG_IP_NF_NAT=m<br>CONFIG_IP_NF_NAT_NEEDED=y<br>CONFIG_IP_NF_TARGET_MASQUERADE=m<br>CONFIG_IP_NF_TARGET_REDIRECT=m<br>CONFIG_IP_NF_NAT_AMANDA=m<br>CONFIG_IP_NF_NAT_LOCAL=y<br># CONFIG_IP_NF_NAT_SNMP_BASIC is not set<br>CONFIG_IP_NF_NAT_FTP=m<br>CONFIG_IP_NF_NAT_TFTP=m<br>CONFIG_IP_NF_MANGLE=m<br>CONFIG_IP_NF_TARGET_TOS=m<br>CONFIG_IP_NF_TARGET_ECN=m<br>CONFIG_IP_NF_TARGET_DSCP=m<br>CONFIG_IP_NF_TARGET_MARK=m<br>CONFIG_IP_NF_TARGET_LOG=m<br>CONFIG_IP_NF_TARGET_ULOG=m<br>CONFIG_IP_NF_TARGET_TCPMSS=m<br>CONFIG_IP_NF_ARPTABLES=m<br>CONFIG_IP_NF_ARPFILTER=m<br># CONFIG_IP_NF_COMPAT_IPCHAINS is not set<br># CONFIG_IP_NF_COMPAT_IPFWADM is not set<br></pre>
</blockquote>
<p><font size="2">Last updated 7/20/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003,  Thomas M. Eastep.</font></a><br>
<br>
<a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003,&nbsp; Thomas M. Eastep.</font></a><br>
<br>
</body>
</html>
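Review bot: the Netfilter `.config` excerpt is one physical line of `<br>`-separated options inside a `<pre>`; `<pre>` already preserves newlines, so the `<br>` tags are redundant, and the single long line means every future edit to this list shows up as a whole-block change in diffs. Suggest real line breaks, one option per line. Content-wise, the text only says the selected options "should be sufficient for most applications"; a sentence telling readers which of the listed options Shorewall itself requires and which (for example `# CONFIG_IP_NF_QUEUE is not set`, `CONFIG_IP_NF_MATCH_UNCLEAN=m`) are optional would make the excerpt usable as a template rather than a snapshot.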

View File

@ -15,7 +15,8 @@
border="0">
<tbody>
<tr>
<td width="33%" valign="middle" align="left">
<td width="33%" valign="middle" align="left"
style="background-color: rgb(255, 255, 255);">
<h1 align="center"><a
href="http://www.centralcommand.com/linux_products.html"><img
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
@ -23,15 +24,18 @@
<a href="http://www.gnu.org/software/mailman/mailman.html"> <img
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
height="35" alt=""> </a>
<p align="right"><font color="#ffffff"><b>&nbsp; </b></font><a
<p align="right" style="background-color: rgb(255, 255, 255);"><font
color="#ffffff"><b>&nbsp; </b></font><a
href="http://razor.sourceforge.net/"><img src="images/razor.gif"
alt="(Razor Logo)" width="100" height="22" align="left" border="0"> </a>
</p>
</td>
<td valign="middle" width="34%" align="center">
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
<td valign="middle" width="34%" align="center"
style="color: rgb(51, 0, 51); background-color: rgb(255, 255, 255);">
<h1 align="center">Shorewall Mailing Lists</h1>
</td>
<td valign="middle" width="33%"> <a
<td valign="middle" width="33%"
style="background-color: rgb(255, 255, 255);"> <a
href="http://www.postfix.org/"> <img src="images/postfix-white.gif"
align="right" border="0" width="158" height="84" alt="(Postfix Logo)">
</a><br>
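Review bot: the cells now get `background-color: rgb(255, 255, 255)` and the heading's `<font color="#ffffff">` was rightly removed, but the `<font color="#ffffff"><b>&nbsp; </b></font>` on the right-aligned `<p>` in the first cell is still there, which is now white text on a white background. It holds only a non-breaking space, so drop the whole `<font>` element rather than keep invisible markup.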
@ -158,7 +162,9 @@ reporting guidelines</a>.<br>
</ul>
<p align="left"> To post to the list, post to <a
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.
<br>
<span style="font-weight: bold;">IMPORTANT: </span>If you are not
subscribed to the list, please say so -- otherwise, you will not be
included in any replies.<br>
</p>
<p align="left">The list archives are at <a
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
@ -230,7 +236,7 @@ to be emailed to you.</p>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with
Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 9/17/2003 - <a
<p align="left"><font size="2">Last updated 10/27/2003 - <a
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
©

View File

@ -9,18 +9,9 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote> </blockquote>
<h1 style="text-align: center;">About My Network<br>
</h1>
<a href="http://www.redhat.com"><img
style="border: 0px solid ; width: 88px; height: 31px;"
src="images/poweredby.png" title="" alt="(RedHat Logo)"> </a><a
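Review bot: the empty `<blockquote> </blockquote>` left between `<body>` and the new `<h1>` does nothing and should go along with the removed banner table; the same applies to the empty `title=""` on the RedHat logo `<img>`, where the `alt` text already carries the description.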

View File

@ -7,18 +7,9 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h1 style="text-align: center;">ICMP Echo-request (Ping)<br>
</h1>
Shorewall 'Ping' management has evolved over time with the latest
change coming in Shorewall version 1.4.0. To find out which version of
Shorewall you are running, at a shell prompt type "<font color="#009900"><b>/sbin/shorewall
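Review bot: the new title is preceded by a bare `<br>` and ends with another `<br>` inside the `<h1>`, and the paragraph that follows ("Shorewall 'Ping' management has evolved over time...") is loose text outside any `<p>`; wrap it in a `<p>` and drop both `<br>`s so the spacing comes from the elements, not from stray breaks.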

View File

@ -1,201 +1,147 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Ports required for Various
Services/Applications</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">Ports Required for Various
Services/Applications<br>
</h1>
<p>In addition to those applications described in <a
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
are some other services/applications that you may need to configure
your firewall to accommodate.</p>
href="Documentation.htm">the /etc/shorewall/rules documentation</a>,
here are some other services/applications that you may need to
configure
your firewall to accommodate.</p>
<p>NTP (Network Time Protocol)</p>
<blockquote>
<blockquote>
<p>UDP Port 123</p>
</blockquote>
</blockquote>
<p>rdate</p>
<blockquote>
<blockquote>
<p>TCP Port 37</p>
</blockquote>
</blockquote>
<p>UseNet (NNTP)</p>
<blockquote>
<blockquote>
<p>TCP Port 119</p>
</blockquote>
</blockquote>
<p>DNS</p>
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will probably
want to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if
you will return long replies to queries or if you need to enable ZONE
transfers. In the latter case, be sure that your server is properly
<blockquote>
<p>UDP Port 53. If you are configuring a DNS client, you will
probably
want to open TCP Port 53 as well.<br>
If you are configuring a server, only open TCP Port 53 if
you will return long replies to queries or if you need to enable ZONE
transfers.&nbsp;In the latter case, be sure that your server is
properly
configured.</p>
</blockquote>
<p>ICQ   </p>
<blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports which
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
</blockquote>
</blockquote>
<p>ICQ&nbsp;&nbsp;&nbsp;</p>
<blockquote>
<p>UDP Port 4000. You will also need to open a range of TCP ports
which you can specify to your ICQ client. By default, clients use
4000-4100.</p>
</blockquote>
<p>PPTP</p>
<blockquote>
<blockquote>
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
href="PPTP.htm">Lots more information here</a>).</p>
</blockquote>
href="PPTP.htm">Lots more information here</a>).</p>
</blockquote>
<p>IPSEC</p>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
500. These should be opened in both directions (Lots more information
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote>
<blockquote>
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP
Port 500. These should be opened in both directions (Lots more
information <a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
</blockquote>
<p>SMTP (Email)</p>
<blockquote>
<p> TCP Port 25.</p>
</blockquote>
<blockquote>
<p>&nbsp;TCP Port 25.</p>
</blockquote>
<p>RealPlayer<br>
</p>
<blockquote>
</p>
<blockquote>
<p>UDP Port 6790 inbound<br>
</p>
</blockquote>
<p>POP3</p>
<blockquote>
<p>TCP Port 110 (Secure = TCP Port 995)<br>
</p>
</blockquote>
<p>IMAP<br>
</p>
<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
</blockquote>
<p>TELNET</p>
<blockquote>
<p>TCP Port 23.</p>
</blockquote>
<p>SSH</p>
<blockquote>
<p>TCP Port 22.</p>
</blockquote>
<p>Auth (identd)</p>
<blockquote>
<p>TCP Port 113</p>
</blockquote>
<p>Web Access</p>
<blockquote>
<p>TCP Ports 80 and 443.</p>
</blockquote>
<p>FTP<br>
</p>
<blockquote>
<p>TCP port 21 plus <a href="FTP.html">look here for much more information</a>.<br>
</blockquote>
<p>POP3</p>
<blockquote>
<p>TCP Port 110 (Secure = TCP Port 995)<br>
</p>
</blockquote>
<p>IMAP<br>
</p>
<blockquote>TCP Port 143 (Secure = TCP Port 993)<br>
</blockquote>
<p>TELNET</p>
<blockquote>
<p>TCP Port 23.</p>
</blockquote>
<p>SSH</p>
<blockquote>
<p>TCP Port 22.</p>
</blockquote>
<p>Auth (identd)</p>
<blockquote>
<p>TCP Port 113</p>
</blockquote>
<p>Web Access</p>
<blockquote>
<p>TCP Ports 80 and 443.</p>
</blockquote>
<p>FTP<br>
</p>
<blockquote>
<p>TCP port 21 plus <a href="FTP.html">look here for much more
information</a>.<br>
</p>
</blockquote>
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
<blockquote> </blockquote>
<blockquote>
<blockquote>
<p>TCP Ports 137, 139 and 445.<br>
UDP Ports 137-139.<br>
<br>
Also, <a href="samba.htm">see this page</a>.</p>
</blockquote>
UDP Ports 137-139.<br>
<br>
Also, <a href="samba.htm">see this page</a>.</p>
</blockquote>
<p>Traceroute</p>
<blockquote>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1<br>
ICMP type 8 ('ping')<br>
</p>
</blockquote>
ICMP type 8 ('ping')<br>
</p>
</blockquote>
<p>NFS<br>
</p>
<blockquote>
<p>I personally use the following rules for opening access from zone z1
to a server with IP address a.b.c.d in zone z2:<br>
</p>
</p>
<blockquote>
<p>I personally use the following rules for opening access from zone
z1 to a server with IP address a.b.c.d in zone z2:<br>
</p>
<pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d tcp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre>
</blockquote>
<blockquote>
<p>Note that my rules only cover NFS using UDP (the normal case). There
is lots of additional information at  <a
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
</blockquote>
<blockquote>
<p>Note that my rules only cover NFS using UDP (the normal case).
There is lots of additional information at&nbsp; <a
href="http://nfs.sourceforge.net/nfs-howto/security.html">
http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>VNC<br>
</p>
<blockquote>
</p>
<blockquote>
<p>TCP port 5900 + &lt;display number&gt;</p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
file? </p>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
<p>Still looking? Try <a
href="http://www.networkice.com/advice/Exploits/Ports">
http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 7/30/2003 - </font><font size="2"> <a
href="support.htm">Tom Eastep</a></font> </p>
<a href="copyright.htm"><font size="2">Copyright</font> ©
<a href="copyright.htm"><font size="2">Copyright</font> ©
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
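Review bot: the NFS example `ACCEPT z1 z2:a.b.c.d udp 32700:` opens every UDP port from 32700 upward on the server, not a single service port, while every other entry on this page names one port or a short range; the surrounding text should say explicitly that the range is deliberately wide and why it is needed, so a reader skimming the list does not copy it without realising its scope. Minor markup: `<p>ICQ&nbsp;&nbsp;&nbsp;</p>`, `<p>&nbsp;TCP Port 25.</p>` and the empty `<blockquote> </blockquote>` under SMB/NMB are leftover spacing characters and elements that should be removed.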

View File

@ -1,153 +1,134 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</tbody>
</table>
<body>
<h1 style="text-align: center;">Quotes from Shorewall Users<br>
</h1>
<ul>
<li><font size="3">"I have fought with IPtables for untold hours. First
I tried the SuSE firewall, which worked for 80% of what I needed. Then gShield,
which also worked for 80%. Then I set out to write my own IPtables parser
in shell and awk, which was a lot of fun but never got me past the "hey, cool"
stage. Then I discovered Shorewall. After about an hour, everything just
<li><font size="3">"I have fought with IPtables for untold hours.
First
I tried the SuSE firewall, which worked for 80% of what I needed. Then
gShield, which also worked for 80%. Then I set out to write my own
IPtables parser in shell and awk, which was a lot of fun but never got
me past the "hey, cool"
stage. Then I discovered Shorewall. After about an hour, everything
just
worked. I am stunned, and very grateful"</font> -- ES, Phoenix AZ, USA.<br>
<br>
</li>
<li>"The configuration is intuitive and flexible, and much easier than
any of the other iptables-based firewall programs out there. After sifting
through many other scripts, it is obvious that yours is the most well thought-out
and complete one available." -- BC, USA<br>
<li>"The configuration is intuitive and flexible, and much easier
than
any of the other iptables-based firewall programs out there. After
sifting
through many other scripts, it is obvious that yours is the most well
thought-out and complete one available." -- BC, USA<br>
<br>
</li>
<li>"I just installed Shorewall after weeks of messing with ipchains/iptables
and I had it up and running in under 20 minutes!" -- JL, Ohio<br>
<li>"I just installed Shorewall after weeks of messing with
ipchains/iptables and I had it up and running in under 20 minutes!" --
JL, Ohio<br>
<br>
</li>
<li>"My case was almost like [the one above]. Well. instead of 'weeks'
it was 'months' for me, and I think I needed two minutes more:<br>
<li>"My case was almost like [the one above]. Well. instead of
'weeks'
it was 'months' for me, and I think I needed two minutes more:<br>
</li>
</ul>
<ul>
<ul>
<li>One to see that I had no Internet access from the firewall itself.</li>
<li>One to see that I had no Internet access from the firewall
itself.</li>
</ul>
<ul>
<li>Other to see that this was the default configuration, and it was
enough to uncomment a line in /etc/shorewall/policy.<br>
</li>
<li>Other to see that this was the default configuration, and it
was enough to uncomment a line in /etc/shorewall/policy.<br>
</li>
</ul>
</ul>
<ul>
<li> Minutes instead of months! Congratulations and thanks for such
a simple and well documented thing for something as huge as iptables." --
JV, Spain. </li>
<li> Minutes instead of months! Congratulations and thanks for such
a simple and well documented thing for something as huge as iptables."
--
JV, Spain. </li>
</ul>
<ul>
<li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
without any problems. Your documentation is great and I really appreciate
your network configuration info. That really helped me out alot. THANKS!!!"
-- MM. </li>
<li>"I downloaded Shorewall 1.2.0 and installed it on Mandrake 8.1
without any problems. Your documentation is great and I really
appreciate
your network configuration info. That really helped me out alot.
THANKS!!!" -- MM. </li>
</ul>
<ul>
<li>"[Shorewall is a] great, great project. I've used/tested may
firewall scripts but this one is till now the best." -- B.R, Netherlands
</li>
<li>"[Shorewall is a] great, great project. I've used/tested may
firewall scripts but this one is till now the best." -- B.R,
Netherlands </li>
</ul>
<ul>
<li>"Never in my +12 year career as a sys admin have I witnessed
someone so relentless in developing a secure, state of the art, safe and
useful product as the Shorewall firewall package for no cost or obligation
involved." -- Mario Kerecki, Toronto </li>
<li>"Never in my +12 year career as a sys admin have I witnessed
someone so relentless in developing a secure, state of the art, safe
and useful product as the Shorewall firewall package for no cost or
obligation involved." -- Mario Kerecki, Toronto </li>
</ul>
<ul>
<li>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions
- starting with 1.2.2 up to the new 1.2.9 and I never have encountered
<li>"one time more to report, that your great shorewall in the latest
release 1.2.9 is working fine for me with SuSE Linux 7.3! I now
have 7 machines up and running with shorewall on several versions
- starting with 1.2.2 up to the new 1.2.9 and I never have encountered
any problems!" -- SM, Germany</li>
</ul>
<ul>
<li>"You have the best support of any other package I've ever used."
-- SE, US </li>
<li>"You have the best support of any other package I've ever used."
-- SE, US </li>
</ul>
<ul>
<li>"Because our company has information which has been classified by the
national government as secret, our security doesn't stop by putting a fence
around our company. Information security is a hot issue. We also make use
of checkpoint firewalls, but not all of the internet servers are guarded
by checkpoint, some of them are running....Shorewall." -- Name withheld
by request, Europe</li>
<li>"Because our company has information which has been classified by
the national government as secret, our security doesn't stop by putting
a fence around our company. Information security is a hot issue. We
also make use of checkpoint firewalls, but not all of the internet
servers are guarded by checkpoint, some of them are
running....Shorewall." -- Name withheld by request, Europe</li>
</ul>
<ul>
<li>"thanx for all your efforts you put into shorewall - this product stands
out against a lot of commercial stuff i´ve been working with in terms of
flexibillity, quality &amp; support" -- RM, Austria</li>
<li>"thanx for all your efforts you put into shorewall - this product
stands out against a lot of commercial stuff i´ve been working with in
terms of flexibillity, quality &amp; support" -- RM, Austria</li>
</ul>
<ul>
<li>"I have never seen such a complete firewall package that is so easy
to configure. I searched the Debian package system for firewall scripts
and Shorewall won hands down." -- RG, Toronto</li>
<li>"I have never seen such a complete firewall package that is so
easy
to configure. I searched the Debian package system for firewall scripts
and Shorewall won hands down." -- RG, Toronto</li>
</ul>
<p></p>
<ul>
<li>"My respects... I've just found and installed Shorewall 1.3.3-1 and
it is a wonderful piece of software. I've just sent out an email to about
30 people recommending it. :-)<br>
<li>"My respects... I've just found and installed Shorewall 1.3.3-1
and
it is a wonderful piece of software. I've just sent out an email to
about 30 people recommending it. :-)<br>
<br>
While I had previously taken the time (maybe 40 hours) to really understand
ipchains, then spent at least an hour per server customizing and carefully
scrutinizing firewall rules, I've got shorewall running on my home firewall,
with rulesets and policies that I know make sense, in under 20 minutes."
-- RP, Guatamala<br>
While I had previously taken the time (maybe 40 hours) to really
understand ipchains, then spent at least an hour per server customizing
and carefully scrutinizing firewall rules, I've got shorewall running
on my home firewall, with rulesets and policies that I know make sense,
in under 20 minutes." -- RP, Guatamala<br>
</li>
</ul>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 7/1/2003
- <a href="support.htm">Tom Eastep</a> </font>
</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated
7/1/2003 - <a href="support.htm">Tom Eastep</a> </font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>

View File

@ -9,17 +9,8 @@
<title>Samba</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Samba</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Samba/SMB<br>
</h1>
<p>If you wish to run Samba on your firewall and access shares between
the firewall and local hosts, you need the following rules:</p>
<h4>/etc/shorewall/rules:</h4>
@ -95,7 +86,98 @@ DEST</b></td>
</tbody>
</table>
</blockquote>
<p><font size="2">Last modified 8/17/2002 - <a href="support.htm">Tom
<p>To pass traffic SMB/Samba traffic between zones Z1 and Z2:</p>
<h4>/etc/shorewall/rules:</h4>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z1<br>
</td>
<td>Z2<br>
</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z1<br>
</td>
<td>Z2<br>
</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z1<br>
</td>
<td>Z2<br>
</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z2<br>
</td>
<td>Z1<br>
</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z2<br>
</td>
<td>Z1<br>
</td>
<td>tcp</td>
<td>137,139,445</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>Z2<br>
</td>
<td>Z1<br>
</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<br>
To make network browsing ("Network Neighborhood") work properly between
Z1 and Z2 requires a Windows Domain Controller and/or a WINS server. I
run Samba on my firewall to handle browsing between two zones connected
to my firewall. Details are <a href="myfiles.htm">here</a>.<br>
<p><font size="2">Last modified 10/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
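Review bot: the two `ACCEPT ... udp 1024: 137` rows (Z1 to Z2 and Z2 to Z1) match only on SOURCE PORT 137 and DEST PORT 1024 and above, so they admit any UDP datagram sent from source port 137 to any high port in the other zone; the source port is chosen by the sender, so this is a much looser filter than the 137:139 and 137,139,445 rows above it. The page should say that these rows exist to let NetBIOS name-service replies through and that they rely on a sender-controlled field. Also: "To pass traffic SMB/Samba traffic between zones Z1 and Z2" repeats "traffic"; the `<font face="Century Gothic, Arial, Helvetica"> </font>` at the top of the blockquote is empty; and the footer is bumped to "Last modified 10/22/2002" while the mailing-list page in this same change is bumped to 10/27/2003, so check the year.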

View File

@ -7,30 +7,29 @@
<base target="_self">
</head>
<body>
<table cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#3366ff">
<tbody>
<tr>
<td width="33%" height="90" valign="middle" align="center"><a
href="http://www.cityofshoreline.com"> </a>
<div align="center"> <img src="images/Logo1.png"
alt="(Shorewall Logo)" width="430" height="90" align="middle"> </div>
</td>
</tr>
</tbody>
</table>
<div align="center">
<div align="center"> </div>
<center>
<div align="center"> </div>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
style="border-collapse: collapse; width: 100%; height: 100%;"
id="AutoNumber4">
<tbody>
<tr>
<td width="90%">
<h2>Introduction<br>
<h2>Introduction to Shorewall<br>
</h2>
<h3>This is the Shorewall 1.4 Web Site</h3>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.</li>
</ul>
<h3>Glossary<br>
</h3>
<ul>
<li><a href="http://www.netfilter.org">Netfilter</a> - the
packet filter facility built into the 2.4 and later Linux kernels.</li>
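Review bot: the banner cell keeps `href="http://www.cityofshoreline.com"> </a>`, an anchor whose only content is a space, so it links an external site from nothing visible; either wrap the `<img>` in it or remove it. The two `<div align="center"> </div>` placeholders around `<center>` are likewise empty and can go, and `id="AutoNumber4"` should be checked for uniqueness now that the same id survives on the restyled table.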
@ -42,9 +41,10 @@ compatibility mode.<br>
<li>iptables - the utility program used to configure and
control Netfilter. The term 'iptables' is often used to refer to the
combination of iptables+Netfilter (with Netfilter not in ipchains
compatibility mode).<br>
</li>
compatibility mode).</li>
</ul>
<h3>What is Shorewall?<br>
</h3>
The Shoreline Firewall, more commonly known as "Shorewall", is
high-level tool for configuring Netfilter. You describe your
firewall/gateway requirements using entries in a set of configuration
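Review bot: the sentence `The Shoreline Firewall, more commonly known as "Shorewall", is` continues with `high-level tool for configuring Netfilter` and is missing its article ("is a high-level tool"); worth fixing while this paragraph is being touched.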
@ -56,6 +56,20 @@ system. Shorewall does not use Netfilter's ipchains compatibility mode
and can thus take advantage of Netfilter's connection state tracking
capabilities.<br>
<br>
Shorewall is <span style="text-decoration: underline;">not</span> a
daemon. Once Shorewall has configured Netfilter, it's job is complete
although the <a href="starting_and_stopping_shorewall.htm">/sbin/shorewall
program can be used at any time to monitor the Netfilter firewall</a>.<br>
<h3>Getting Started with Shorewall</h3>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment and follow the step by step instructions.<br>
<h3>Looking for Information?</h3>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search in the frame
above.
<h3>License<br>
</h3>
This program is free software; you can redistribute it and/or modify it
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free
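Review bot: in the new paragraph `Once Shorewall has configured Netfilter, it's job is complete`, "it's" should be "its", and the anchor opens before `/sbin/shorewall` but only closes after `monitor the Netfilter firewall`, so the whole clause becomes link text; close it right after `/sbin/shorewall`. In the Getting Started paragraph, `that most closely match your environment` should read "matches".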
@ -70,26 +84,9 @@ You should have received a copy of the GNU General Public License along
with this program; if not, write to the Free Software Foundation, Inc.,
675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M.
Eastep</a></p>
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of
Shorewall. For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most
closely match your environment and follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your
right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
Eastep</a><br>
</p>
<h3>Running Shorewall on Mandrake with a two-interface setup?</h3>
If so, the documentation<b> </b>on this site will not apply directly
to
your setup. If you want to use the documentation that you find here,
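Review bot: `Eastep</a><br>` followed by `</p>` leaves a trailing `<br>` inside the copyright paragraph that only adds a blank line before the next heading; drop it. The line `the documentation<b> </b>on this site` wraps a lone space in `<b>` and can lose that element as well. Removing the duplicated "This is the Shorewall 1.4 Web Site", "Getting Started" and "Looking for Information?" blocks here is fine since the same text now sits above the Glossary.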
@ -98,9 +95,148 @@ setup that matches the documentation on this site. See the <a
href="two-interface.htm">Two-interface QuickStart Guide</a> for
details.<br>
<h2>News</h2>
<p><b>10/21/2003 - Shorewall 1.4.7a</b><b> <img
<p><b>11/07/2003 - Shorewall 1.4.8</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b></p>
src="images/new10.gif" alt="(New)" title=""></b><b><br>
<br>
</b>Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
<li>An incorrect comment concerning Debian's use of the
SYBSYSLOCK option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor
the
ROUTE_FILTER parameter were working properly. This has been corrected
(thanks to Eric Bowles for his analysis and patch). The definition of
the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
coexist with the use of the 'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
address and
a broadcast address then an error would occur during startup.</li>
<li>he NONE policy's intended use is to suppress the generating
of
rules that can't possibly be traversed. This means that a policy of
NONE is inappropriate where the source or destination zone is $FW or
"all". Shorewall now generates an error message if such a policy is
given in /etc/shorewall/policy. Previously such a policy caused
"shorewall start" to fail.</li>
<li>The 'routeback' option was broken for wildcard interfaces
(e.g.,
"tun+"). This has been corrected so that 'routeback' now works as
expected in this case.<br>
</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf
has changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE
allows
you to pass connection requests to a user-space filter such as ftwall
(http://p2pwall.sourceforge.net). The ftwall program
allows for effective filtering of p2p applications such as Kazaa. For
example, to use ftwall to filter P2P clients in the 'loc' zone, you
would add the following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A BLACKLISTNEWNONLY option has been added to
shorewall.conf. When this option is set to "Yes", the blacklists
(dynamic and static) are only consulted for new connection requests.
When set to "No" (the default if the variable is not set), the
blacklists are consulted on every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may
now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
</ol>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
bag awards </b><b><img
style="border: 0px solid ; width: 50px; height: 80px;"
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
1.4.7c released.</b> </p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The
1.4.7c
script produces a ruleset that should work for everyone even if it is
not
quite optimal. My apologies for this ongoing mess.<br>
</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b></p>
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
</p>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result
that
"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
<p>This is a bugfix rollup of the following problem corrections:<br>
</p>
<ol>
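Review bot: several items in the 1.4.8 notes carry spelling slips that should be fixed before release: `he NONE policy's intended use is to suppress the generating` is missing its leading "T"; `SYBSYSLOCK` and `BLACKLISTNEWNONLY` look mistyped (the latter is described as consulting the blacklists for new connection requests only, so check both names against shorewall.conf); and `bugfx rollup` under 1.4.7b. In the QUEUE example the firewall zone is written `fw` while the ICMP example above writes it `$FW`; use one form so readers do not copy the wrong one. The ROUTE_FILTER wording `enable route filtering of all interfaces brought up while Shorewall is started` is ambiguous between "during startup" and "while Shorewall is running"; say which, and say whether interfaces already up at start still need the 'routefilter' interface option, which the following sentence seems to imply.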
@ -131,7 +267,7 @@ icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes routes through
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
@ -150,271 +286,7 @@ or
Netfilter rule generated by the entry. It is now applied to all entries.<br>
</li>
</ol>
<p><b>10/06/2003 - Shorewall 1.4.7</b><b><br>
</b></p>
<b>Problems Corrected since version 1.4.6 (Those in bold font
were corrected since 1.4.7 RC2)</b><br>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of
the tcrules file. Previously, these addresses resulted in an invalid
iptables command.</li>
<li>The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
were being added to a PPP interface; the addresses were successfully
added in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are now
displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li>The 'shorewall reject' and 'shorewall drop' commands now
delete any existing rules for the subject IP address before adding a
new DROP or REJECT rule. Previously, there could be many rules for the
same IP address in the dynamic chain so that multiple 'allow' commands
were required to re-enable traffic to/from the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
entry in /etc/shorewall/masq resulted in a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li>
<li>Shorewall previously choked over IPV6 addresses configured
on interfaces in contexts where Shorewall needed to detect something
about the interface (such as when "detect" appears in the BROADCAST
column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load module files that are formed from
the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a proxy ARP host and such a
route already exists, two routes resulted previously. This has been
corrected so that the existing route is replaced if it already exists.</li>
<li>The rfc1918 file has been updated to reflect recent
allocations.</li>
<li>The documentation of the USER SET column in the rules file
has been corrected.</li>
<li>If there is no policy defined for the zones specified in a
rule, the firewall script previously encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither /etc/shorewall/common nor
/etc/shorewall/common.def existed, Shorewall would fail to start and
would not remove the lock file. Failure to remove the lock file
resulted in the following during subsequent attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing the various options has been
changed such that blacklist entries now take precedence over the 'dhcp'
interface setting.</li>
<li>The log message generated from the 'logunclean' interface
option has been changed to reflect a disposition of LOG rather than
DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group name was specified in the USER SET column and the destination
zone
was qualified with a IP address, the user and/or group name was not
being used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol>
<b>Migration Issues:</b><br>
<ol>
<li>Shorewall IP Traffic Accounting has changed since snapshot
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
details.</li>
<li>The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the <a href="UserSets.html">User Set page</a> for
details.</li>
<li>The per-interface Dynamic Blacklisting facility introduced
in the first post-1.4.6 Snapshot has been removed. The facility had too
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol>
<b>New Features:</b><br>
<ol>
<li>Thanks to Steve Herber, the 'help' command can now give
command-specific help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to
/etc/shorewall/shorewall.conf. This option has a default value of "No"
for existing users which causes Shorewall's 'stopped' state &nbsp;to
continue
as it has been; namely, in the stopped state only traffic to/from hosts
listed in /etc/shorewall/routestopped is accepted.<br>
<br>
With ADMINISABSENTMINDED=Yes (the default for new installs), in
addition to traffic to/from the hosts listed in
/etc/shorewall/routestopped, Shorewall will allow:<br>
<br>
&nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
&nbsp;&nbsp; b) All traffic that is part of or related to an
already-existing
connection.<br>
<br>
&nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.<br>
<br>
&nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
possible for people to shoot themselves in the foot.<br>
<br>
&nbsp;Example:<br>
<br>
&nbsp;/etc/shorewall/nat:<br>
<br>
&nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
<br>
&nbsp;/etc/shorewall/rules:<br>
<br>
&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
<br>
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
connection with local system 192.168.1.5. I then create a second SSH
connection from that computer to the firewall and confidently type
"shorewall stop". As part of its stop processing, Shorewall removes
eth0:0 which kills my SSH connection to 192.168.1.5!!!</li>
<li>Given the wide range of VPN software, I can never hope to
add specific support for all of it. I have therefore decided to add
"generic" tunnel support.<br>
&nbsp;<br>
Generic tunnels work pretty much like any of the other tunnel types.
You usually add a zone to represent the systems at the other end of the
tunnel and you add the appropriate rules/policies to<br>
implement your security policy regarding traffic to/from those systems.<br>
&nbsp;<br>
In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
<br>
generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
&nbsp;<br>
where:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
used by the tunnel<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
is 'udp' or 'tcp' then this is the
destination port number used by the tunnel.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
the remote tunnel gateway<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
address of the remote tunnel
gateway.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
Optional. A comma-separated list of zone
names. If specified, the remote gateway is to be considered part of
these zones.</li>
<li>An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
result that this interface will only answer ARP 'who-has' requests from
hosts that are routed out through that interface. Setting this option
facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
recommended
against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields,
the limit will apply to each pair of zones individually rather than as
a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp; where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an
&lt;interval&gt;. If not given, the default of 5 is assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit
the rule for 2 second, the burst will be fully recharged; back where we
started.<br>
</li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
details.<br>
</li>
</ol>
<p><b></b></p>
<ol>
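Review bot: this removes the whole 1.4.7 entry (problems corrected, migration issues and new features), and part of it is reference material that no remaining hunk carries: the rate-limit syntax `<rate>/<interval>[:<burst>]` with the `ACCEPT<2/sec:4>:info` example and its token-bucket explanation, the `generic:<protocol>[:<port>]` tunnels entry format, and the ADMINISABSENTMINDED caveat about "shorewall stop" removing eth0:0 and killing the administrator's own session. If that text has been moved to a news archive or to the Accounting/UserSets style documentation pages, link it from the 1.4.7a entry; otherwise keep the 1.4.7 block. The empty `<p><b></b></p>` left just before the next `<ol>` can be removed too.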
@ -430,55 +302,32 @@ You can find their work at: <a
http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
<b>Congratulations to Jacques and Eric on the recent release of
Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#3366ff" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> <strong><br>
<font color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font> <font face="Arial"
size="-1"> <input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font>
</p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p>
Bering 1.2!!! <br>
<br>
</b>
<div style="text-align: center;">
<div style="text-align: center;"><a
href="http://www.shorewall.net" target="_top"><img
src="images/ProtectedBy.png" title="" alt="(Protected by Shorewall)"
style="border: 0px solid ; width: 216px; height: 45px;"></a></div>
</div>
<h2><a name="Donations"></a>Donations</h2>
<p style="text-align: left;"><a href="http://www.starlight.org"> <img
style="border: 4px solid ; width: 57px; height: 100px;"
src="images/newlog.gif" align="left" hspace="10" alt="(Starlight Logo)"
title=""></a><br>
<big>Shorewall is free but if you try it and find it useful,
please consider making a donation to <a href="http://www.starlight.org">Starlight
Children's Foundation</a>. Thanks!</big><br>
<a href="http://www.starlight.org"> </a></p>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#3366ff">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;" valign="middle">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="(Starlight Logo)"> </a></p>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you try it and find it
useful, please consider making a donation to <a
href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
</td>
</tr>
</tbody>
</table>
<p><font size="2">Updated 10/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 11/07/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<br>
</body>
</html>
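Review bot: the donations paragraph ends with `<a href="http://www.starlight.org"> </a>`, an anchor with no content; remove it or give it the link text. With the htsearch form gone from this file, the introduction's "Quick Search in the frame above" is now the only pointer to search, so confirm the frame page still carries the form, and note that the removed form's `exclude` value `[http://lists.shorewall.net/pipermail/*]` should be carried over if the search is reinstated elsewhere.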

View File

@ -9,18 +9,10 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center"> <img border="3" src="images/Tom.jpg"
<p align="center"> </p>
<h1 style="text-align: center;">Tom Eastep<br>
</h1>
<p align="center"><img border="3" src="images/Tom.jpg"
alt="Aging Geek - June 2003" width="320" height="240"> </p>
<p align="center">"The Aging Geek" -- June 2003<br>
<br>
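Review bot: `<p align="center"> </p>` directly after `<body>` is an empty paragraph left over from the banner table removal, and `Tom Eastep<br>` followed by `</h1>` carries a trailing `<br>` inside the heading; both can be dropped.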

View File

@ -1,118 +1,89 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Extension Scripts</font></h1>
</td>
</tr>
</tbody>
</table>
<p> Extension scripts are user-provided scripts that are invoked at various
points during firewall start, restart, stop and clear. The scripts are
placed in /etc/shorewall and are processed using the Bourne shell "source"
mechanism.<br>
</p>
<body>
<h1 style="text-align: center;">Extension Scripts<br>
</h1>
<p>Extension scripts are user-provided scripts that are invoked at
various points during firewall start, restart, stop and clear. The
scripts are placed in /etc/shorewall and are processed using the Bourne
shell "source" mechanism.<br>
</p>
<p><font color="#ff0000"><b>Caution: <br>
</b></font></p>
</b></font></p>
<ol>
<li><font color="#ff0000"><b>Be sure that you actually need to use an
extension script to do what you want. Shorewall has a wide range of features
that cover most requirements.</b></font></li>
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND ON
THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT BREAK
SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT YOU ARE
<li><font color="#ff0000"><b>Be sure that you actually need to use an
extension script to do what you want. Shorewall has a wide range of
features
that cover most requirements.</b></font></li>
<li><font color="#ff0000"><b>DO NOT SIMPLY COPY RULES THAT YOU FIND
ON THE NET INTO AN EXTENSION SCRIPT AND EXPECT THEM TO WORK AND TO NOT
BREAK SHOREWALL. TO USE SHOREWALL EXTENSION SCRIPTS YOU MUST KNOW WHAT
YOU ARE
DOING WITH RESPECT TO iptables/Netfilter</b></font></li>
</ol>
<p>The following scripts can be supplied:</p>
<p>The following scripts can be supplied:</p>
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall
restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but
before the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn'
chain has been created but before any rules have been added to it.</li>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being
stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but
before the common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the
'newnotsyn' chain has been created but before any rules have been added
to it.</li>
</ul>
<p><u><b>If your version of Shorewall doesn't have the file that you want
to use from the above list, you can simply create the file yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the filter
chains in the firewall and the script will be invoked after the /etc/shorewall/rules
file has been processed but before the /etc/shorewall/policy file has
been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this file
is present, the rules that it defines will totally replace the default
rules in the common chain. These default rules are contained in the
file /etc/shorewall/common.def which may be used as a starting point
for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly, you
should use run_ip. These functions accept the same arguments as the underlying
command but cause the firewall to be stopped if an error occurs during
<p><u><b>If your version of Shorewall doesn't have the file that you
want to use from the above list, you can simply create the file
yourself.</b></u></p>
<p> You can also supply a script with the same name as any of the
filter chains in the firewall and the script will be invoked after the
/etc/shorewall/rules file has been processed but before the
/etc/shorewall/policy file has been processed.</p>
<p>The /etc/shorewall/common file receives special treatment. If this
file is present, the rules that it defines will totally replace the
default rules in the common chain. These default rules are contained in
the file /etc/shorewall/common.def which may be used as a starting
point for making your own customized file.</p>
<p> Rather than running iptables directly, you should run it using the
function run_iptables. Similarly, rather than running "ip" directly,
you should use run_ip. These functions accept the same arguments as the
underlying command but cause the firewall to be stopped if an error
occurs during
processing of the command.</p>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<p> If you decide to create /etc/shorewall/common it is a good idea to
use the following technique</p>
<p> /etc/shorewall/common:</p>
<blockquote>
<pre>. /etc/shorewall/common.def<br>&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can
add the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only applied
if the applicable policy is DROP or REJECT. These rules are NOT applied
if the policy is ACCEPT or CONTINUE<br>
</p>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you
can add the superceding rule before the '.' command. Using this
technique allows you to add new rules while still getting the benefit
of the latest common.def file.</p>
<p>Remember that /etc/shorewall/common defines rules that are only
applied if the applicable policy is DROP or REJECT. These rules are NOT
applied if the policy is ACCEPT or CONTINUE<br>
</p>
<p> </p>
<p align="left"><font size="2">Last updated 6/30/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
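Review bot: `<body>` appears twice in this hunk, once before the removed banner table and again immediately before the new `<h1>`; a rendered diff cannot distinguish a re-indented line from a duplicated one, so confirm the resulting file has a single `<body>` tag. Two smaller points: the "Last updated 6/30/2003" line is removed with no replacement while the Copyright line is kept (other pages in this commit keep their date stamp and bump it), and "supercede"/"superceding" in the reflowed paragraph should be "supersede"/"superseding". The reflow otherwise preserves the run_iptables/run_ip advice and the caution against pasting rules from the net unchanged, which is the part readers most need.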

View File

@ -9,28 +9,19 @@
<title>Shorewall Features</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall Features<br>
</h1>
<ul>
<li>Uses Netfilter's connection tracking facilities for stateful
packet filtering.</li>
packet filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway
applications</b>.
<ul>
<li>Completely customizable using configuration files.</li>
<li>No limit on the number of network interfaces.</li>
<li>Allows you to partitions the network into <i><a
href="Documentation.htm#Zones">zones</a></i> and gives you complete
control over the connections permitted between each pair of
href="Documentation.htm#Zones">zones</a></i> and gives you complete
control over the connections permitted between each pair of
zones.</li>
<li>Multiple interfaces per zone and multiple zones per interface
permitted.</li>
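Review bot: the grammar error in the context line "Allows you to partitions the network" survives this reflow; since the surrounding lines of the zones bullet are being re-indented anyway, fold the fix to "partition" into the same change. The banner table to `<h1>` swap otherwise mirrors the other pages in this commit.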
@ -38,7 +29,7 @@ permitted.</li>
</ul>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides
(HOWTOs)</a> to help get your first firewall up and running quickly</li>
(HOWTOs)</a> to help get your first firewall up and running quickly</li>
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
href="http://www.webmin.com">http://www.webmin.com</a>)<br>
</li>
@ -46,7 +37,7 @@ permitted.</li>
href="shorewall_quickstart_guide.htm#Documentation">documentation</a> </b>
included in the .tgz and .rpm downloads.</li>
<li><b>Flexible address management/routing support</b> (and you can
use all types in the same firewall):
use all types in the same firewall):
<ul>
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
@ -61,14 +52,15 @@ individual IP addresses and subnetworks is supported.</li>
support</a></b>:
<ul>
<li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring with an audible
alarm when an "interesting" packet is detected.</li>
<li>Supports status monitoring with an audible
alarm when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li>
</ul>
</li>
<li><b>VPN Support</b>
<ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE,  IPIP and
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE,&nbsp; IPIP
and
OpenVPN Tunnels</a>.</li>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
</ul>
@ -76,13 +68,13 @@ OpenVPN Tunnels</a>.</li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic
Control/Shaping</b></a> integration.</li>
<li>Wide support for different <b>GNU/Linux Distributions</b>.
<ul>
<ul>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
href="http://idea.sec.dico.unimi.it/%7Elorenzo/index.html#Debian"><b>Debian</b></a>
packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install,
upgrade, fallback and uninstall facilities</b></a> for users
who can't use or choose not to use the RPM or Debian packages.</li>
upgrade, fallback and uninstall facilities</b></a> for users
who can't use or choose not to use the RPM or Debian packages.</li>
<li>Included as a standard part of<b> <a
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
on a floppy, CD or compact flash).</li>
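Review bot: the Debian package link moves from security.dsi.unimi.it to idea.sec.dico.unimi.it; check whether the old host is referenced on other pages (Install.htm is linked from the neighbouring bullets) so that every package download pointer changes together. The two "automated install" lines are indentation-only churn that makes the real change harder to spot; leave them as unchanged context where possible.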
@ -94,7 +86,7 @@ Address <b>Verification</b></a></li>
</a><br>
</li>
</ul>
<p><font size="2">Last updated 10/12/2003 - <a href="support.htm">Tom
<p><font size="2">Last updated 10/29/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>

View File

@ -7,18 +7,37 @@
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Logging</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h1 style="text-align: center;">Logging</h1>
<h2>How to Log Traffic through a Shorewall Firewall</h2>
The disposition of packets entering a Shorewall firewall&nbsp; is
determined by one of a number of Shorewall facilities. Only some of
these facilities permit logging.<br>
<ol>
<li>The packet is part of an established connection. The packet is
accepted and cannot be logged.</li>
<li>The packet represents a connection request that is related to an
established connection (such as a <a href="FTP.html">data connection
associated with an FTP control connection</a>).&nbsp; These packets
also cannot be logged.</li>
<li>The packet is rejected because of an option in <a
href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a> or <a
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
These packets can be logged by setting the appropriate logging-related
option in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a></li>
<li>The packet matches a rule in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.
By including a syslog level (see below) in the ACTION column of a rule
(e.g., "ACCEPT<span
style="font-weight: bold; text-decoration: underline;">:info</span>
net fw tcp 22"), the connection attempt will be logged at that level.</li>
<li>The packet doesn't match a rule so is handled by a policy defined
in <a href="Documentation.htm#Policy">/etc/shorewall/policy</a>. These
may be logged by specifying a syslog level in the LOG LEVEL column of
the policy entry (e.g., "loc net ACCEPT <span
style="font-weight: bold; text-decoration: underline;">info</span>"<br>
</li>
</ol>
<h2>Where the Traffic is logged and how to Change the Destination<br>
</h2>
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
classifies log messages by a <i>facility</i> and a <i>priority</i>
(using the notation <i>facility.priority</i>). <br>
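Review bot: the example in item 5 of the new list is missing its closing punctuation: `(e.g., "loc net ACCEPT info"<br>` opens a parenthesis that is never closed and should read `(e.g., "loc net ACCEPT <b>info</b>")`. Items 1 and 2 make the security-relevant statement that packets belonging to established and related connections are accepted without any logging; it is worth adding one sentence saying that this is why a log level on a rule (item 4) or on a policy (item 5) records only the connection attempt and never later traffic on that connection, since readers looking for per-packet audit logs will otherwise expect more than they get.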
@ -149,7 +168,8 @@ and
<a
href="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</a>
is a post describing configuring syslog-ng to work with Shorewall.<br>
<p><font size="2"> Updated 9/29/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="2"> Updated 10/30/2003 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> &copy; <font
size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>

View File

@ -9,20 +9,12 @@
<title>Shorewall Mirrors</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Mirrors</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall Mirrors<br>
</h1>
<p align="left"><b>Remember that updates to the mirrors are often
delayed for 6-12 hours after an update to the primary rsync site. For
HTML content, the main web site (<a href="http://shorewall.sf.net">http://shorewall.sf.net</a>)
HTML content, the main web site (<a href="http://shorewall.sf.net"
target="_top">http://shorewall.sf.net</a>)
is updated at the same time as the rsync site.</b></p>
<p align="left">The main Shorewall Web Site is <a
href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>

View File

@ -1,86 +1,56 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Requirements</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
Shorewall Requires:<br>
<body>
<h1 style="text-align: center;">Shorewall Requirements</h1>
Shorewall Requires:<br>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 -
2.4.20. With current releases of Shorewall, Traffic Shaping/Control requires
at least 2.4.18.  <a href="kernel.htm"> Check here for kernel configuration
information.</a> If you are looking for a firewall for use with
2.2 kernels, <a href="http://seawall.sf.net"> see the Seattle
Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the
<a href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING:
</b></font>The buggy iptables version 1.2.3 is included in RedHat
7.2 and you should upgrade to iptables 1.2.4 prior to installing Shorewall.
Version 1.2.4 is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included
with most distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. This shell
must have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>Your shell must produce a sensible result when a number n (128 &lt;=
n &lt;= 255) is left shifted by 24 bits. You can check this at a shell prompt
by:</li>
<li>A kernel that supports netfilter. I've tested with 2.4.2 -
2.4.20. With current releases of Shorewall, Traffic Shaping/Control
requires at least 2.4.18.&nbsp; <a href="kernel.htm"> Check here for
kernel configuration information.</a> If you are looking for a firewall
for use with 2.2 kernels, <a href="http://seawall.sf.net"> see the
Seattle
Firewall site</a> .</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a
href="errata.htm">Errata</a>. <font color="#ff0000"><b>WARNING: </b></font>The
buggy iptables version 1.2.3 is included in RedHat 7.2 and you should
upgrade to iptables 1.2.4 prior to installing Shorewall. Version 1.2.4
is available <a
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from
RedHat</a> and in the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Iproute ("ip" utility). The iproute package is included with most
distributions but may not be installed by default. The official
download site is <a href="ftp://ftp.inr.ac.ru/ip-routing"
target="_blank"> <font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. This shell must
have correct support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>Your shell must produce a sensible result when a number n (128
&lt;= n &lt;= 255) is left shifted by 24 bits. You can check this at a
shell prompt by:</li>
<ul>
<li>echo $((128 &lt;&lt; 24))<br>
</li>
<li>The result must be either 2147483648 or -2147483648.<br>
</li>
<li>echo $((128 &lt;&lt; 24))<br>
</li>
<li>The result must be either 2147483648 or -2147483648.<br>
</li>
</ul>
<li>The firewall monitoring display is greatly improved if you
have awk (gawk) installed.</li>
<li>The firewall monitoring display is greatly improved if you have
awk (gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 7/8/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep.</font></a></font></p>
</body>
</html>
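Review bot: same `<body>` duplication pattern as the extension scripts page (one `<body>` before the removed banner, one before the new `<h1>`); confirm the output file contains only one. Also, the nested `<ul>` holding the `echo $((128 << 24))` check is a direct child of the outer `<ul>` rather than sitting inside the preceding `<li>`, which is invalid HTML and is carried through unchanged by the reflow; moving that `</li>` to after the nested `</ul>` fixes it. The "Last updated 7/8/2003" stamp is dropped here without a replacement, while the iptables 1.2.3 warning, the most important item on the page, is preserved intact.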

View File

@ -10,19 +10,8 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart
Guides (HOWTO's)<br>
</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Shorewall QuickStart Guides (HOWTOs)<br>
</h1>
<p align="center">With thanks to Richard who reminded me once again
that we must all first walk before we can run.<br>
The French Translations of the single-IP guides are courtesy of Patrice
@ -49,7 +38,8 @@ acting as a firewall/router for a small local network and a DMZ. (<a
<p>The above guides are designed to get your first firewall up and
running quickly in the three most common Shorewall configurations. If
you want to learn more about Shorewall than is explained in the above
simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup
simple guides,&nbsp; the <a href="shorewall_setup_guide.htm">Shorewall
Setup
Guide</a> (See Index Below) is for you.</p>
</blockquote>
<p>If you have <font color="#ff0000"><big><big><b>more than one public
@ -57,7 +47,8 @@ IP address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup
Guide</a> (See Index Below) outlines the steps necessary to set up a
firewall where there are multiple public IP addresses involved or if you
firewall where there are multiple public IP addresses involved or if
you
want to learn more about Shorewall than is explained in the
single-address guides above (<a href="shorewall_setup_guide_fr.htm">Version
Française</a>).</blockquote>
@ -83,7 +74,7 @@ Interfaces (e.g., eth0:0)</a><br>
<li><a href="starting_and_stopping_shorewall.htm">Commands</a>
(Description of all /sbin/shorewall commands)</li>
<li><a href="configuration_file_basics.htm">Common configuration file
features</a> </li>
features</a>&nbsp;</li>
<ul>
<li><a href="configuration_file_basics.htm#Comments">Comments in
configuration files</a></li>
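Review bot: the only change in this hunk is `</a> </li>` to `</a>&nbsp;</li>`; the `<ul>` that follows is again a direct child of the enclosing `<ul>` instead of living inside the "Common configuration file features" `<li>`, so since this line is being touched anyway, move the `</li>` past the nested list rather than just swapping the space for an entity.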
@ -138,7 +129,8 @@ in Shorewall</a> </li>
</li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension
Scripts</a></font> (How to extend Shorewall without modifying Shorewall
code through the use of files in /etc/shorewall -- /etc/shorewall/start,
code through the use of files in /etc/shorewall --
/etc/shorewall/start,
/etc/shorewall/stopped, etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="FAQ.htm">FAQs</a><br>
@ -155,6 +147,8 @@ code through the use of files in /etc/shorewall -- /etc/shorewall/start,
</ul>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><a href="Shorewall_and_Kazaa.html">Kazaa Filtering</a><br>
</li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
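Review bot: the new "Kazaa Filtering" entry links to Shorewall_and_Kazaa.html; confirm that file is part of this commit, and note the .html extension where most siblings in this index use .htm (shorewall_logging.html is the other exception), so a mistyped extension here produces a dead link. This entry pairs with the QUEUE/ftwall feature announced on the index page; a short parenthetical like the other entries carry (for example, what the QUEUE action does) would help readers find it.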
@ -262,9 +256,9 @@ firewall to a remote network.</li>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 10/11/2003 - <a href="support.htm">Tom
<p>If you use one of these guides and have a suggestion for improvement
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 10/30/2003 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas
M. Eastep</font></a><br>

View File

@ -10,18 +10,8 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Setup Guide</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h1 style="text-align: center;">Shorewall Setup Guide<br>
</h1>
<p><a href="#Introduction">1.0 Introduction</a><br>
<a href="#Concepts">2.0 Shorewall Concepts</a><br>
<a href="#Interfaces">3.0 Network Interfaces</a><br>
@ -1230,12 +1220,13 @@ your public IP addresses (<b>A)</b> and is assigned the same netmask <b>(M)
<p align="left">When <b>H</b> issues an ARP "who has" request for
an address in the subnetwork defined by <b>A</b> and <b>M</b>, the
firewall will
respond (with the MAC if the firewall interface to <b>H</b>). </p>
respond (with the MAC if the firewall interface) to <b>H</b>. </p>
</li>
</ul>
</div>
<div align="left">
<p align="left">Let suppose that we decide to use Proxy ARP on the DMZ
<p align="left">Let us suppose that we decide to use Proxy ARP on the
DMZ
in our example network.</p>
</div>
<div align="left">

View File

@ -7,20 +7,8 @@
<title>Shorewall Setup Guide</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Guide de Configuration
de Shorewall<br>
</font></h1>
</td>
</tr>
</tbody>
</table>
<br>
<h1 style="text-align: center;">Guide de Configuration de Shorewall<br>
</h1>
Note du traducteur : <br>
Je remercie <font size="2">l'équipe Shorewall,&nbsp; pour ce firewall
formidable et l'aide personnelle que m'a donné </font><font size="2">Tom

View File

@ -7,18 +7,6 @@
<base target="_self">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#3366ff">
<tbody>
<tr>
<td width="33%" height="90" valign="middle" align="center"><a
href="http://www.cityofshoreline.com"> </a><img src="images/Logo1.png"
alt="(Shorewall Logo)" width="430" height="90"> <br>
</td>
</tr>
</tbody>
</table>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0"
@ -84,8 +72,8 @@ New to Shorewall? Start by selecting the <a
closely match your environment and follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your
right.
Index</a> is a good place to start as is the Quick Search in the frame
above.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will not apply directly
to
@ -96,9 +84,141 @@ setup that matches the documentation on this site. See the <a
details.
<h2></h2>
<h2><b>News</b></h2>
<p><b>10/21/2003 - Shorewall 1.4.7a</b><b> <img
<p><b>11/01/2003 - Shorewall 1.4.8 RC2</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="file:///vfat/Shorewall-docs/images/new10.gif" alt="(New)" title=""></b><b>
</b></p>
Given the small number of new features and the relatively few lines of
code that were changed, there will be no Beta for 1.4.8.<br>
<p><b><a href="http://shorewall.net/pub/shorewall/Beta">http://shorewall.net/pub/shorewall/Beta</a><br>
<a href="ftp://shorewall.net/pub/shorewall/Beta" target="_top">ftp://shorewall.net/pub/shorewall/Beta</a><br>
<br>
</b>Problems Corrected since version 1.4.7:<br>
</p>
<ol>
<li>Tuomo Soini has supplied a correction to a problem that
occurs
using some versions of 'ash'. The symptom is that "shorewall start"
fails with:<br>
&nbsp;<br>
&nbsp;&nbsp; local: --limit: bad variable name<br>
&nbsp;&nbsp; iptables v1.2.8: Couldn't load match
`-j':/lib/iptables/libipt_-j.so:<br>
&nbsp;&nbsp; cannot open shared object file: No such file or directory<br>
&nbsp;&nbsp; Try `iptables -h' or 'iptables --help' for more
information.</li>
<li>Andres Zhoglo has supplied a correction that avoids trying
to use the multiport match iptables facility on ICMP rules.<br>
&nbsp;<br>
&nbsp;&nbsp; Example of rule that previously caused "shorewall start"
to fail:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; loc&nbsp; $FW&nbsp;
icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<br>
</li>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes through interface xxx<br>
<br>
</li>
<li>Handling of the LOGUNCLEAN option in shorewall.conf has
been corrected.</li>
<li>In Shorewall 1.4.2, an optimization was added. This
optimization
involved creating a chain named "&lt;zone&gt;_frwd" for most zones
defined using the /etc/shorewall/hosts file. It has since been
discovered that in many cases these new chains contain redundant rules
and that the "optimization" turns out to be less than optimal. The
implementation has now been corrected.</li>
<li>When the MARK value in a tcrules entry is followed by ":F"
or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
<li>An incorrect comment concerning Debian's use of the
SYBSYSLOCK option has been removed from shorewall.conf.</li>
<li>Previously, neither the 'routefilter' interface option nor
the
ROUTE_FILTER parameter were working properly. This has been corrected
(thanks to Eric Bowles for his analysis and patch). The definition of
the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces brought
up while Shorewall is started. As a consequence, ROUTE_FILTER=Yes can
coexist with the use of the 'routefilter' option in the interfaces file.</li>
<li>If MAC verification was enabled on an interface with a /32
address and
a broadcast address then an error would occur during startup.</li>
</ol>
Migration Issues:<br>
<ol>
<li>The definition of the ROUTE_FILTER option in shorewall.conf
has changed as described in item 8) above.<br>
</li>
</ol>
New Features:<br>
<ol>
<li>A new QUEUE action has been introduced for rules. QUEUE
allows
you to pass connection requests to a user-space filter such as ftwall
(http://p2pwall.sourceforge.net). The ftwall program
allows for effective filtering of p2p applications such as Kazaa. For
example, to use ftwall to filter P2P clients in the 'loc' zone, you
would add the following rules:<br>
<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; tcp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp; udp<br>
&nbsp;&nbsp; QUEUE&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
&nbsp;&nbsp;&nbsp;&nbsp; fw&nbsp;&nbsp;&nbsp;&nbsp; udp<br>
<br>
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc-&gt;net udp or tcp.<br>
<br>
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.</li>
<li>A
BLACKLISTNEWNONLY option has been added to shorewall.conf. When this
option is set to "Yes", the blacklists (dynamic and static) are only
consulted for new connection requests. When set to "No" (the default if
the variable is not set), the blacklists are consulted on every packet.<br>
<br>
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.</li>
<li>Chain names used in the /etc/shorewall/accounting file may
now begin with a digit ([0-9]) and may contain embedded dashes ("-").</li>
</ol>
<p><b>10/26/2003 - Shorewall 1.4.7a and 1.4.7b win brown paper
bag awards </b><b><img
style="border: 0px solid ; width: 50px; height: 80px;"
src="images/j0233056.gif" align="middle" title="" alt="">Shorewall
1.4.7c released.</b> </p>
<ol>
<li>The saga with "&lt;zone&gt;_frwd" chains continues. The
1.4.7c script
produces a ruleset that should work for everyone even if it is not
quite optimal. My apologies for this ongoing mess.</li>
</ol>
<p><b>10/24/2003 - Shorewall 1.4.7b</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b></p>
<p>This is a bugfx rollup of the 1.4.7a fixes plus:<br>
</p>
<ol>
<li>The fix for problem 5 in 1.4.7a was wrong with the result
that
"&lt;zone&gt;_frwd" chains might contain too few rules. That wrong code
is corrected in this release.<br>
</li>
</ol>
<p><b>10/21/2003 - Shorewall 1.4.7a</b></p>
<p>This is a bugfix rollup of the following problem corrections:<br>
</p>
<ol>
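Review bot: the (New) icon on the 1.4.8 RC2 entry uses `src="file:///vfat/Shorewall-docs/images/new10.gif"`, a path on the author's machine that renders as a broken image for every reader; the 1.4.7b entry further down uses `src="images/new10.gif"`, which is the form to use. Other points in the same block: "BLACKLISTNEWNONLY" has a stray N (the prose describes consulting blacklists only for new connections, so BLACKLISTNEWONLY is the intended name; check it against shorewall.conf), "SYBSYSLOCK" looks like a typo for the SUBSYSLOCK option, and "bugfx" should be "bugfix". On the ROUTE_FILTER change, the migration note correctly points at item 8, but neither place states the default value, so an administrator cannot tell from this page whether route filtering is on unless they set the option explicitly; state the default. On the QUEUE feature, the ordering advice "place those three rules BEFORE any ACCEPT rules for loc->net udp or tcp" omits the third rule's loc->fw udp case, and the text should say what happens to queued packets when ftwall is not running, since the page currently leaves that unspecified.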
@ -129,7 +249,7 @@ icmp&nbsp;&nbsp;&nbsp; 0,8,11,12<br>
<li>Previously, if the following error message was issued,
Shorewall was left in an inconsistent state.<br>
&nbsp;<br>
&nbsp;&nbsp; Error: Unable to determine the routes routes through
&nbsp;&nbsp; Error: Unable to determine the routes through
interface xxx<br>
<br>
</li>
@ -146,283 +266,6 @@ implementation has now been corrected.</li>
or
":P", the ":F" or ":P" was previously only applied to the first
Netfilter rule generated by the entry. It is now applied to all entries.</li>
</ol>
<b>10/06/2003 - Shorewall 1.4.7</b><b> <img
style="border: 0px solid ; width: 28px; height: 12px;"
src="images/new10.gif" alt="(New)" title=""></b><br>
<b><br>
Problems Corrected since version 1.4.6 (Those in bold font were
corrected since 1.4.7 RC2).</b><br>
<ol>
<li>Corrected problem in 1.4.6 where the MANGLE_ENABLED
variable was being tested before it was set.</li>
<li>Corrected handling of MAC addresses in the SOURCE column of
the tcrules file. Previously, these addresses resulted in an invalid
iptables command.</li>
<li>The "shorewall stop" command is now disabled when
/etc/shorewall/startup_disabled exists. This prevents people from
shooting themselves in the foot prior to having configured Shorewall.</li>
<li>A change introduced in version 1.4.6 caused error messages
during "shorewall [re]start" when ADD_IP_ALIASES=Yes and ip addresses
were being added to a PPP interface; the addresses were successfully
added in spite of the messages.<br>
&nbsp;&nbsp;&nbsp; <br>
The firewall script has been modified to eliminate the error messages</li>
<li>Interface-specific dynamic blacklisting chains are now
displayed by "shorewall monitor" on the "Dynamic Chains" page
(previously named "Dynamic Chain").</li>
<li>Thanks to Henry Yang, LOGRATE and LOGBURST now work again.</li>
<li value="7">The 'shorewall reject' and 'shorewall drop'
commands now delete any existing rules for the subject IP address
before adding a new DROP or REJECT rule. Previously, there could be
many rules for the same IP address in the dynamic chain so that
multiple 'allow' commands were required to re-enable traffic to/from
the address.</li>
<li>When ADD_SNAT_ALIASES=Yes in shorewall.conf, the following
entry in /etc/shorewall/masq resulted in a startup error:<br>
&nbsp;<br>
&nbsp;&nbsp; eth0 eth1&nbsp;&nbsp;&nbsp;&nbsp;
206.124.146.20-206.124.146.24<br>
<br>
</li>
<li>Shorewall previously choked over IPV6 addresses configured
on interfaces in contexts where Shorewall needed to detect something
about the interface (such as when "detect" appears in the BROADCAST
column of the /etc/shorewall/interfaces file).</li>
<li>Shorewall will now load module files that are formed from
the module name by appending ".o.gz".</li>
<li>When Shorewall adds a route to a proxy ARP host and such a
route already exists, two routes resulted previously. This has been
corrected so that the existing route is replaced if it already exists.</li>
<li>The rfc1918 file has been updated to reflect recent
allocations.</li>
<li>The documentation of the USER SET column in the rules file
has been corrected.</li>
<li>If there is no policy defined for the zones specified in a
rule, the firewall script previously encountered a shell syntax error:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; [: NONE: unexpected operator<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
Now, the absence of a policy generates an error message and the
firewall is stopped:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; No policy defined from zone
&lt;source&gt; to zone &lt;dest&gt;<br>
<br>
</li>
<li>Previously, if neither /etc/shorewall/common nor
/etc/shorewall/common.def existed, Shorewall would fail to start and
would not remove the lock file. Failure to remove the lock file
resulted in the following during subsequent attempts to start:<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<br>
&nbsp;&nbsp;&nbsp; Loading /usr/share/shorewall/functions...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/params ...<br>
&nbsp;&nbsp;&nbsp; Processing /etc/shorewall/shorewall.conf...<br>
&nbsp;&nbsp;&nbsp; Giving up on lock file /var/lib/shorewall/lock<br>
&nbsp;&nbsp;&nbsp; Shorewall Not Started<br>
<br>
Shorewall now reports a fatal error if neither of these two files exist
and correctly removes the lock fille.</li>
<li>The order of processing the various options has been
changed such that blacklist entries now take precedence over the 'dhcp'
interface setting.</li>
<li>The log message generated from the 'logunclean' interface
option has been changed to reflect a disposition of LOG rather than
DROP.</li>
<li><span style="font-weight: bold;">When a user name and/or a
group name was specified in the USER SET column and the destination
zone
was qualified with a IP address, the user and/or group name was not
being used to qualify the rule.<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; Example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp; ACCEPT fw&nbsp; net:192.0.2.12 tcp 23 - - - vladimir:<br>
<br>
</span></li>
<li><span style="font-weight: bold;">The /etc/shorewall/masq
file has had the spurious "/" character at the front removed.</span></li>
</ol>
<b>Migration Issues:</b><br>
<ol>
<li>Shorewall IP Traffic Accounting has changed since snapshot
20030813 -- see the <a href="Accounting.html">Accounting Page</a> for
details.</li>
<li>The Uset Set capability introduced in SnapShot 20030821 has
changed -- see the <a href="UserSets.html">User Set page</a> for
details.</li>
<li>The per-interface Dynamic Blacklisting facility introduced
in the first post-1.4.6 Snapshot has been removed. The facility had too
many idiosyncrasies for dial-up users to be a viable part of Shorewall.<br>
</li>
</ol>
<b></b><b>New Features:</b><br>
<ol>
<li>Shorewall now creates a dynamic blacklisting chain for each
interface defined in /etc/shorewall/interfaces. The 'drop' and 'reject'
commands use the routing table to determine which of these chains is to
be used for blacklisting the specified IP address(es).<br>
<br>
Two new commands ('dropall' and 'rejectall') have been introduced that
do what 'drop' and 'reject' used to do; namely, when an address is
blacklisted using these new commands, it will be blacklisted on all of
your firewall's interfaces.</li>
<li>Thanks to Steve Herber, the 'help' command can now give
command-specific help (e.g., shorewall help &lt;command&gt;).</li>
<li>A new option "ADMINISABSENTMINDED" has been added to
/etc/shorewall/shorewall.conf. This option has a default value of "No"
for existing users which causes Shorewall's 'stopped' state &nbsp;to
continue
as it has been; namely, in the stopped state only traffic to/from hosts
listed in /etc/shorewall/routestopped is accepted.<br>
<br>
With ADMINISABSENTMINDED=Yes (the default for new installs), in
addition to traffic to/from the hosts listed in
/etc/shorewall/routestopped, Shorewall will allow:<br>
<br>
&nbsp;&nbsp; a) All traffic originating from the firewall itself; and<br>
&nbsp;&nbsp; b) All traffic that is part of or related to an
already-existing
connection.<br>
<br>
&nbsp;In particular, with ADMINISABSENTMINDED=Yes, a "shorewall stop"
entered through an ssh session will not kill the session.<br>
<br>
&nbsp;Note though that even with ADMINISABSENTMINDED=Yes, it is still
possible for people to shoot themselves in the foot.<br>
<br>
&nbsp;Example:<br>
<br>
&nbsp;/etc/shorewall/nat:<br>
<br>
&nbsp; &nbsp; &nbsp;206.124.146.178&nbsp;&nbsp;&nbsp;
eth0:0&nbsp;&nbsp;&nbsp; 192.168.1.5&nbsp;&nbsp;&nbsp; <br>
<br>
&nbsp;/etc/shorewall/rules:<br>
<br>
&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; net&nbsp;&nbsp;&nbsp;
loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; loc&nbsp;&nbsp;&nbsp;
fw&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; 22<br>
<br>
From a remote system, I ssh to 206.124.146.178 which establishes an SSH
connection with local system 192.168.1.5. I then create a second SSH
connection from that computer to the firewall and confidently type
"shorewall stop". As part of its stop processing, Shorewall removes
eth0:0 which kills my SSH connection to 192.168.1.5!!!</li>
<li>Given the wide range of VPN software, I can never hope to
add specific support for all of it. I have therefore decided to add
"generic" tunnel support.<br>
&nbsp;<br>
Generic tunnels work pretty much like any of the other tunnel types.
You usually add a zone to represent the systems at the other end of the
tunnel and you add the appropriate rules/policies to<br>
implement your security policy regarding traffic to/from those systems.<br>
&nbsp;<br>
In the /etc/shorewall/tunnels file, you can have entries of the form:<br>
<br>
generic:&lt;protocol&gt;[:&lt;port&gt;]&nbsp; &lt;zone&gt;&nbsp; &lt;ip
address&gt;&nbsp;&nbsp;&nbsp; &lt;gateway zones&gt;<br>
&nbsp;<br>
where:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;protocol&gt; is the protocol
used by the tunnel<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;port&gt;&nbsp; if the protocol
is 'udp' or 'tcp' then this is the
destination port number used by the tunnel.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;zone&gt;&nbsp; is the zone of
the remote tunnel gateway<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;ip address&gt; is the IP
address of the remote tunnel
gateway.<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;gateway zone&gt;&nbsp;&nbsp;
Optional. A comma-separated list of zone
names. If specified, the remote gateway is to be considered part of
these zones.</li>
<li>An 'arp_filter' option has been added to the
/etc/shorewall/interfaces file. This option causes
/proc/sys/net/ipv4/conf/&lt;interface&gt;/arp_filter to be set with the
result that this interface will only answer ARP 'who-has' requests from
hosts that are routed out through that interface. Setting this option
facilitates testing of your firewall where multiple firewall interfaces
are connected to the same HUB/Switch (all interfaces connected to the
single HUB/Switch should have this option specified). Note that using
such a configuration in a production environment is strongly
recommended
against.</li>
<li>The ADDRESS column in /etc/shorewall/masq may now include a
comma-separated list of addresses and/or address ranges. Netfilter will
use all listed addresses/ranges in round-robin fashion. \</li>
<li>An /etc/shorewall/accounting file has been added to allow
for traffic accounting.&nbsp; See the <a href="Accounting.html">accounting
documentation</a> for a description of this facility.</li>
<li>Bridge interfaces (br[0-9]) may now be used in
/etc/shorewall/maclist.</li>
<li>ACCEPT, DNAT[-], REDIRECT[-] and LOG rules defined in
/etc/shorewall/rules may now be rate-limited. For DNAT and REDIRECT
rules, rate limiting occurs in the nat table DNAT rule; the
corresponding ACCEPT rule in the filter table is not rate limited. If
you want to limit the filter table rule, you will need o create two
rules; a DNAT- rule and an ACCEPT rule which can be rate-limited
separately.<br>
&nbsp;<br>
<span style="font-weight: bold;">Warning: </span>When rate
limiting is specified on a rule with "all" in the SOURCE or DEST
fields,
the limit will apply to each pair of zones individually rather than as
a single limit for all pairs of covered by the rule.<br>
&nbsp;<br>
To specify a rate limit, <br>
<br>
a) Follow ACCEPT, DNAT[-], REDIRECT[-] or LOG with<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;] &gt;<br>
&nbsp;<br>
&nbsp; where<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;rate&gt; is the sustained rate per
&lt;interval&gt;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;interval&gt; is "sec" or "min"<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; &lt;burst&gt; is the largest burst
accepted within an
&lt;interval&gt;. If not given, the default of 5 is assumed.<br>
&nbsp;<br>
There may be no white space between the ACTION and "&lt;" nor there may
be any white space within the burst specification. If you want to
specify logging of a rate-limited rule, the ":" and log level comes
after the "&gt;" (e.g., ACCEPT&lt;2/sec:4&gt;:info ).<br>
<br>
b) A new RATE LIMIT column has been added to the /etc/shorewall/rules
file. You may specify the rate limit there in the format:<br>
<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;rate&gt;/&lt;interval&gt;[:&lt;burst&gt;]<br>
&nbsp;<br>
Let's take an example:<br>
&nbsp;<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
ACCEPT&lt;2/sec:4&gt;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
net&nbsp;&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp;&nbsp;
tcp&nbsp;&nbsp;&nbsp;&nbsp; 80<br>
&nbsp;&nbsp;&nbsp; <br>
The first time this rule is reached, the packet will be accepted; in
fact, since the burst is 4, the first four packets will be accepted.
After this, it will be 500ms (1 second divided by the rate<br>
of 2) before a packet will be accepted from this rule, regardless of
how many packets reach it. Also, every 500ms which passes without
matching a packet, one of the bursts will be regained; if no packets
hit
the rule for 2 second, the burst will be fully recharged; back where we
started.<br>
</li>
<li>Multiple chains may now be displayed in one "shorewall
show" command (e.g., shorewall show INPUT FORWARD OUTPUT).</li>
<li>Output rules (those with $FW as the SOURCE) may now be
limited to a set of local users and/or groups. See <a
href="UserSets.html">http://shorewall.net/UserSets.html</a> for
details.</li>
</ol>
<p><b><a href="News.htm">More News</a></b></p>
<b> </b>
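Review bot: per the hunk header this region replaces 283 lines of index.htm with 6, dropping the complete 1.4.7 release notes ("Problems Corrected since version 1.4.6", "Migration Issues" and "New Features") and leaving only the ":F"/":P" item and the "More News" link; before merging, confirm the removed material has been carried into News.htm, since it is the only documentation on this page of behaviour changes that matter to operators, such as ADMINISABSENTMINDED defaulting to Yes for new installs (which changes what the stopped firewall accepts), the arp_filter interface option and rate-limited rules. If the text is being moved rather than deleted, take the typo fixes along with it: "lock fille" should be "lock file", "Uset Set" should be "User Set", and "you will need o create two rules" should be "you will need to create two rules".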
@ -449,40 +292,17 @@ Bering 1.2!!! </b><br>
<b> </b>
<h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td>
<td width="88" bgcolor="#3366ff" valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong> <font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
&nbsp;</p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" name="words"
size="15"></font><font size="-1"> </font><font face="Arial" size="-1">
<input type="hidden" name="format" value="long"> <input
type="hidden" name="method" value="and"> <input type="hidden"
name="config" value="htdig"> <input type="submit" value="Search"></font>
</p>
<font face="Arial"> <input type="hidden" name="exclude"
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
<p><font color="#ffffff"><b> <a
href="http://lists.shorewall.net/htdig/search.html"> <font
color="#ffffff">Extended Search</font></a></b></font></p>
<a target="_top" href="1.3/index.html"><font color="#ffffff"> </font></a><a
target="_top" href="http://www1.shorewall.net/1.2/index.htm"><font
color="#ffffff"><small><small><small></small></small></small></font></a><br>
</td>
</tr>
</tbody>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#3366ff">
style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"
id="AutoNumber2">
<tbody>
<tr>
<td width="100%" style="margin-top: 1px;">
<td style="width: 100%; margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> </a></p>
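Review bot: the `<h2>` Donations heading is bracketed by empty `<b> </b>` elements on the lines around it, which render nothing and should be dropped now that the heading already carries its own `<b>`; likewise the starlight.org logo `<img>` in the centred paragraph has no alt attribute, unlike the other images on the page (e.g. alt="(New)"), so add one naming the linked site. The table tag conversion itself is consistent: the new `style="border-collapse: collapse; width: 100%; background-color: rgb(51, 102, 255);"` carries everything the removed `width="100%"` and `bgcolor="#3366ff"` attributes did, and the `<td>` gets the same treatment.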
@ -495,7 +315,7 @@ Children's Foundation.</font></a> Thanks!</font></font></p>
</tr>
</tbody>
</table>
<p><font size="2">Updated 10/21/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 11/01/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>

View File

@ -9,17 +9,8 @@
<title>Standalone Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Standalone Firewall<br>
</h1>
<p align="left">Setting up Shorewall on a standalone Linux system is
very easy if you understand the basics and follow the documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features
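Review bot: the replacement heading `<h1 style="text-align: center;">Standalone Firewall<br>` `</h1>` keeps a stray `<br>` inside the `<h1>`, which adds an empty line under the title; the French version of the same page in this commit uses `<h1 style="text-align: center;">Standalone Firewall</h1>` with no line break, and this file should match it. Converting the blue banner table to a plain heading is otherwise a clean simplification.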
@ -365,9 +356,15 @@ to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
</p>
<h2>Additional Recommended Reading</h2>
I highly recommend that you review the <a
href="configuration_file_basics.htm">Common Configuration File
Features page</a> -- it contains helpful tips about Shorewall features
than make administering your firewall easier.<br>
</div>
<p align="left"><font size="2">Last updated 2/08/2003 - <a
<p align="left"><font size="2">Last updated 10/29/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a></p>
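Review bot: the new "Additional Recommended Reading" section has a typo in its sentence, "helpful tips about Shorewall features than make administering your firewall easier" should read "that make"; the sentence is also placed as bare text between the `<h2>` and `</div>` rather than inside a `<p>` like the rest of the page, so wrap it in `<p> ... </p>` and drop the trailing `<br>`. The `<br>` added before `</p>` in the "shorewall try" paragraph above is likewise an editor artifact and can be removed.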

View File

@ -1,471 +1,426 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber6" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h2 align="center">Version 2.0.1 Française</h2>
<body>
<h1 style="text-align: center;">Standalone Firewall</h1>
<p align="left"><small><i><u>Notes du traducteur</u> :<br>
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à une
traduction exacte du texte, mais plutôt à en faire une version française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les retrouver
dans le reste des documentations ainsi que dans les fichiers de configuration.
Je ne prétends pas être un vrai traducteur dans le sens ou mon travail
n'est pas des plus précis (loin de là...). Je ne me suis pas attaché à
une traduction exacte du texte, mais plutôt à en faire une version
française intelligible
par tous (et par moi). Les termes techniques sont la plupart du temps
conservés
sous leur forme originale et mis entre parenthèses car vous pouvez les
retrouver
dans le reste des documentations ainsi que dans les fichiers de
configuration.
N?hésitez pas à me contacter afin d?améliorer ce document <a
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP pour
href="mailto:vetsel.patrice@wanadoo.fr">VETSEL Patrice</a> (merci à
JMM
pour sa relecture et ses commentaires pertinents, ainsi qu'à Tom EASTEP
pour
son formidable outil et sa disponibilité)</i><i>.</i></small></p>
<p align="left">Mettre en place un système Linux en tant que firewall (écluse)
pour un petit réseau est une chose assez simple, si vous comprenez les bases
et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall. Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans son
<p align="left">Mettre en place un système Linux en tant que firewall
(écluse) pour un petit réseau est une chose assez simple, si vous
comprenez les bases et suivez la documentation.</p>
<p>Ce guide ne veut pas vous apprendre tous les rouages de Shorewall.
Il
se focalise sur ce qui est nécessaire pour configurer Shorewall, dans
son
utilisation la plus courante :</p>
<ul>
<li>Un système Linux</li>
<li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame Relay,
rtc...</li>
<li>Un système Linux</li>
<li>Une seule adresse IP externe</li>
<li>Une connexion passant par un modem câble, ADSL, ISDN, Frame
Relay, rtc...</li>
</ul>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2 d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du programme
ip sur votre système de firewall. Sous root, utilisez la commande 'which'
pour rechercher le programme :</p>
<p>Ce guide suppose que vous avez le paquet iproute/iproute2
d'installé.
Vous pouvez voir si le paquet est installé en vérifiant la présence du
programme ip sur votre système de firewall. Sous root, utilisez la
commande 'which' pour rechercher le programme :</p>
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
<p>Je vous recommande dans un premier temps de parcourir tout le guide pour
vous familiariser avec ce qu'il va se passer, et de revenir au début en
effectuant le changements dans votre configuration. Les points, où les changements
dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13">
.</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
Si vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte cette
option sinon vous devez les faire passer par dos2unix avant d'essayer de les
utiliser. De la même manière, si vous copiez un fichier de configuration depuis
votre disque dur Windows vers une disquette, vous devez lancer dos2unix sur
<p>Je vous recommande dans un premier temps de parcourir tout le guide
pour vous familiariser avec ce qu'il va se passer, et de revenir au
début en
effectuant le changements dans votre configuration. Les points, où les
changements
dans la configuration sont recommandées, sont signalés par une <img
border="0" src="images/BD21298_.gif" width="13" height="13"> .</p>
<p><img border="0" src="images/j0213519.gif" width="60" height="60"> Si
vous éditez vos fichiers de configuration sur un système Windows, vous
devez les sauver comme des fichiers Unix si votre éditeur supporte
cette option sinon vous devez les faire passer par dos2unix avant
d'essayer de les
utiliser. De la même manière, si vous copiez un fichier de
configuration depuis
votre disque dur Windows vers une disquette, vous devez lancer dos2unix
sur
la copie avant de l'utiliser avec Shorewall.</p>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
of dos2unix</a></li>
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
Version of dos2unix</a></li>
</ul>
<h2 align="left">Les Concepts de Shorewall</h2>
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
alt="">
Les fichiers de configuration pour Shorewall sont situés dans le répertoire
/etc/shorewall -- pour de simples paramétrages, vous n'avez à faire qu'avec
quelques un d'entre eux comme décris dans ce guide. Après avoir <a
href="Install.htm">installé Shorewall</a>, <b>téléchargez le <a
href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface sample</a>,
un-tarez le (tar -zxvf one-interface.tgz) et copiez les fichiers vers /etc/shorewall
(Ils remplaceront les fichiers de même nom déjà existant dans /etc/shorewall
installés lors de l'installation de Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à ceux
physiquement présents sur votre système -- chacun des fichiers contient
des instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble de
<i>zones.</i> Dans les fichiers de configuration fournis pour une unique
alt=""> Les fichiers de configuration pour Shorewall sont situés dans
le répertoire /etc/shorewall -- pour de simples paramétrages, vous
n'avez à faire qu'avec quelques un d'entre eux comme décris dans ce
guide. Après avoir <a href="Install.htm">installé Shorewall</a>, <b>téléchargez
le <a href="http://www1.shorewall.net/pub/shorewall/Samples/">one-interface
sample</a>, un-tarez le (tar -zxvf one-interface.tgz) et copiez les
fichiers vers /etc/shorewall (Ils remplaceront les fichiers de même nom
déjà existant dans /etc/shorewall installés lors de l'installation de
Shorewall)</b>.</p>
<p>Parallèlement à la description, je vous suggère de jeter un oeil à
ceux physiquement présents sur votre système -- chacun des fichiers
contient
des instructions de configuration détaillées et des entrées par défaut.</p>
<p>Shorewall voit le réseau où il tourne comme composé par un ensemble
de <i>zones.</i> Dans les fichiers de configuration fournis pour une
unique
interface, une seule zone est définie :</p>
<table border="0" style="border-collapse: collapse;" cellpadding="3"
cellspacing="0" id="AutoNumber2">
<tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</tbody>
</table>
<p>Les zones de Shorewall sont définies dans <a
href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre zone
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont exprimées
en utilisant les termes de zones.</p>
<p>Shorewall reconnaît aussi le système de firewall comme sa propre
zone
- par défaut, le firewall lui-même est connu en tant que <b>fw</b>.</p>
<p>Les règles concernant le trafic à autoriser ou à interdire sont
exprimées en utilisant les termes de zones.</p>
<ul>
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy"> /etc/shorewall/policy
</a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par défaut
dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
<li>Vous exprimez les politiques par défaut pour les connexions d'une
zone à une autre dans le fichier<a href="Documentation.htm#Policy">
/etc/shorewall/policy </a>.</li>
<li>Vous définissez les exceptions à ces règles de politiques par
défaut dans le fichier <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
</ul>
<p>Pour chacune des demandes de connexion entrantes dans le firewall, les
demandes sont en premier lieu comparées par rapport au fichier /etc/shorewall/rules.
Si aucune des règles dans ce fichier ne correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si cette
politique est REJECT ou DROP la requête est alors comparée par rapport aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous fournit
<p>Pour chacune des demandes de connexion entrantes dans le firewall,
les demandes sont en premier lieu comparées par rapport au fichier
/etc/shorewall/rules. Si aucune des règles dans ce fichier ne
correspondent, alors la première
politique dans /etc/shorewall/policy qui y correspond est appliquée. Si
cette
politique est REJECT ou DROP la requête est alors comparée par rapport
aux
règles contenues dans /etc/shorewall/common (l'archive d'exemple vous
fournit
ce fichier).</p>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive one-interface
a les politiques suivantes :</p>
<blockquote>
<p>Le fichier /etc/shorewall/policy d'exemple contenu dans l'archive
one-interface a les politiques suivantes :</p>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber3">
<tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
<tr>
<td>net</td>
<td>all<br>
</td>
<td>DROP</td>
<td>info</td>
<td> <br>
</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> <br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
<tr>
<td>net</td>
<td>all<br>
</td>
<td>DROP</td>
<td>info</td>
<td> <br>
</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<pre> </pre>
Ces politiques vont :
Ces politiques vont :
<ol>
<li>permettre toutes demandes de connexion depuis le firewall vers l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à besoin
de cette politique).</li>
<li>permettre toutes demandes de connexion depuis le firewall vers
l'Internet</li>
<li>drop (ignorer) toutes les demandes de connexion depuis l'Internet
vers votre firewall</li>
<li>rejeter toutes les autres requêtes de connexion (Shorewall à
besoin de cette politique).</li>
</ol>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les changements
que vous désirez.</p>
<p>A ce point, éditez votre /etc/shorewall/policy et faites y les
changements que vous désirez.</p>
<h2 align="left">Interface Externe</h2>
<p align="left">Le firewall possède une seule interface réseau. Lorsque la
connexion Internet passe par un modem câble ou par un routeur ADSL (pas
un simple modem), l'<i>External Interface</i> (interface externe) sera l'adaptateur
ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u> vous vous connectiez
par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol over <u>E</u>thernet</i>
(PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous connectez
par un simple modem (RTC), votre interface externe sera aussi <b>ppp0</b>.
Si vous vous connectez en utilisant l'ISDN (numéris), votre interface externe
sera<b> ippp0.</b></p>
<p align="left">Le firewall possède une seule interface réseau. Lorsque
la connexion Internet passe par un modem câble ou par un routeur ADSL
(pas
un simple modem), l'<i>External Interface</i> (interface externe) sera
l'adaptateur ethernet (<b>eth0</b>) qui y est connecté <u>à moins que</u>
vous vous connectiez par <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
over <u>E</u>thernet</i> (PPPoE) ou <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling<u>P</u>rotocol</i>(PPTP)
dans ce cas l'interface externe sera <b>ppp0</b>. Si vous vous
connectez par un simple modem (RTC), votre interface externe sera aussi
<b>ppp0</b>. Si vous vous connectez en utilisant l'ISDN (numéris),
votre interface externe sera<b> ippp0.</b></p>
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
L'exemple de configuration de Shorewall pour une interface suppose que
votre interface externe est <b>eth0</b>. Si votre configuration est différente,
vous devrez modifier le fichier d'exemple /etc/shorewall/interfaces en conséquence.
Puisque vous y êtes, vous pourriez parcourir la liste d'options qui sont
spécifiées pour l'interface. Quelques astuces :</p>
height="13"> L'exemple de configuration de Shorewall pour une
interface suppose que votre interface externe est <b>eth0</b>. Si
votre configuration est différente, vous devrez modifier le fichier
d'exemple /etc/shorewall/interfaces en conséquence. Puisque vous y
êtes, vous pourriez parcourir la liste d'options qui sont spécifiées
pour l'interface. Quelques astuces :</p>
<ul>
<li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un "-".
</p>
</li>
<li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le "dhcp"
de la liste d'option. </p>
</li>
<li>
<p align="left">Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>,
vous pouvez remplacer le "detect" dans la seconde colonne par un "-". </p>
</li>
<li>
<p align="left"> Si votre interface externe est <b>ppp0</b> ou <b>ippp0</b>
ou bien si vous avez une adresse IP statique, vous pouvez enlever le
"dhcp" de la liste d'option. </p>
</li>
</ul>
<div align="left">
<div align="left">
<h2 align="left">Adresse IP</h2>
</div>
<div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP privée
</div>
<div align="left">
<p align="left">La RFC 1918 définie plusieurs plage d'adresses IP
privée
(<i>Private</i>IP) pour l'utilisation dans des réseaux privés :</p>
<div align="left">
<div align="left">
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
</div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les paquets
dont les adresses de destinations sont définies dans la RFC 1918. Dans certains
cas, les fournisseurs (provider ou ISP) utilisent ces adresses et utilisent
le <i>Network Address Translation </i>afin de récrire les entêtes des paquets
lorsqu'ils les font circuler depuis ou vers l'Internet.</p>
</div>
<p align="left">Ces adresses sont parfois désignées comme étant <i>non-routables</i>
car les routeurs sur les backbones Internet ne font pas passer les
paquets dont les adresses de destinations sont définies dans la RFC
1918. Dans certains cas, les fournisseurs (provider ou ISP) utilisent
ces adresses et utilisent le <i>Network Address Translation </i>afin
de récrire les entêtes des paquets lorsqu'ils les font circuler depuis
ou vers l'Internet.</p>
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
width="13" height="13">
Avant de lancer Shorewall, vous devriez regarder l'adresse de votre interface
externe et si elle est comprise dans une des plages précédentes, vous devriez
enlever l'option 'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
width="13" height="13"> Avant de lancer Shorewall, vous devriez
regarder l'adresse de votre interface externe et si elle est comprise
dans une des plages précédentes, vous devriez enlever l'option
'norfc1918' dans le fichier /etc/shorewall/interfaces.</p>
</div>
<div align="left">
<h2 align="left">Permettre d'autres connexions</h2>
</div>
<div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis l'Internet
vers votre firewall, le format général est :</p>
</div>
<div align="left">
<blockquote>
</div>
<div align="left">
<p align="left">Si vous désirez autoriser d'autres connexions depuis
l'Internet vers votre firewall, le format général est :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et un
</blockquote>
</div>
<div align="left">
<p align="left">Exemple - Vous voulez faire tourner un serveur Web et
un
serveur POP3 sur votre système de firewall :</p>
</div>
<div align="left">
<blockquote>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber5">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une application
particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas d'autoriser le
telnet depuis ou vers l'Internet car il utilise du texte en clair (même
pour le login et le mot de passe !). Si vous voulez avoir un accès au shell
de votre firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
<blockquote>
</blockquote>
</div>
<div align="left">
<p align="left">Si vous ne savez pas quel port ou protocole une
application particulière utilise, regardez <a href="ports.htm">ici</a>.</p>
</div>
<div align="left">
<p align="left"><b>Important: </b>Je ne vous recommande pas
d'autoriser le telnet depuis ou vers l'Internet car il utilise du texte
en clair (même
pour le login et le mot de passe !). Si vous voulez avoir un accès au
shell
de votre firewall depuis Internet, utilisez SSH :</p>
</div>
<div align="left">
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;"
id="AutoNumber4">
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</div>
<div align="left">
</blockquote>
</div>
<div align="left">
<pre> ACCEPT net fw tcp 22</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
height="13">
A ce point, éditez /etc/shorewall/rules pour rajouter les autres connexions
désirées.</p>
</div>
<div align="left">
height="13"> A ce point, éditez /etc/shorewall/rules pour rajouter les
autres connexions désirées.</p>
</div>
<div align="left">
<h2 align="left">Lancer et Arrêter son Firewall</h2>
</div>
<div align="left">
</div>
<div align="left">
<p align="left"> <img border="0" src="images/BD21298_2.gif" width="13"
height="13" alt="Arrow">
La <a href="Install.htm">procédure d'installation </a> configure votre
système pour lancer Shorewall au boot du système, mais au début avec la version
1.3.9 de Shorewall le lancement est désactivé, n'essayer pas de lancer Shorewall
avec que la configuration soit finie. Une fois que vous en aurez fini avec
la configuration du firewall, vous pouvez permettre le lancement de Shorewall
en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre 'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande "shorewall
start" et arrêté avec "shorewall stop". Lorsque le firewall est stoppé,
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. Un
firewall qui tourne peut être relancé en utilisant la commande "shorewall
restart". Si vous voulez enlever toutes traces de Shorewall sur votre
configuration de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de laquelle
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall restart";
il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div>
height="13" alt="Arrow"> La <a href="Install.htm">procédure
d'installation </a> configure votre système pour lancer Shorewall au
boot du système, mais au début avec la version 1.3.9 de Shorewall le
lancement est désactivé, n'essayer pas de lancer Shorewall avec que la
configuration soit finie. Une fois que vous en aurez fini avec la
configuration du firewall, vous pouvez permettre le lancement de
Shorewall en supprimant le fichier /etc/shorewall/startup_disabled.<br>
</p>
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Les
utilisateurs
des paquets .deb doivent éditer /etc/default/shorewall et mettre
'startup=1'.</font><br>
</p>
</div>
<div align="left">
<p align="left">Le firewall est activé en utilisant la commande
"shorewall start" et arrêté avec "shorewall stop". Lorsque le firewall
est stoppé,
le routage est autorisé sur les hôtes qui possèdent une entrée dans <a
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
Un firewall qui tourne peut être relancé en utilisant la commande
"shorewall restart". Si vous voulez enlever toutes traces de Shorewall
sur votre
configuration de Netfilter, utilisez "shorewall clear".</p>
</div>
<div align="left">
<p align="left"><b>ATTENTION: </b>Si vous êtes connecté à votre
firewall
depuis Internet, n'essayez pas une commande "shorewall stop" tant que
vous
n'avez pas ajouté une entrée pour votre adresse IP (celle à partir de
laquelle
vous êtes connectée) dans <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
De la même manière, je ne vous recommande pas d'utiliser "shorewall
restart"; il est plus intéressant de créer une <i><a
href="configuration_file_basics.htm#Configs">configuration alternative</a></i>
et de la tester en utilisant la commande <a
href="starting_and_stopping_shorewall.htm">"shorewall try"</a>.</p>
</div>
<p align="left"><font size="2">Last updated 12/9/2002 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002
Thomas M. Eastep</font></a></p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
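Review bot: this is a whitespace-only reflow of the French one-interface page, so the wording errors in the old lines are carried into the new ones unchanged: "n'essayer pas de lancer Shorewall avec que la configuration soit finie" should read "n'essayez pas de lancer Shorewall avant que la configuration soit finie", "La RFC 1918 définie plusieurs plage d'adresses IP privée" needs "définit", "plages" and "privées", and "Shorewall à besoin de cette politique" needs "a besoin". The `Last updated 12/9/2002` line is left untouched although the whole page is rewritten (the English pages in this commit bump their dates), and the empty `<pre> </pre>` after the policy table is leftover markup that should go.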

View File

@ -9,19 +9,12 @@
<title>Starting and Stopping Shorewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Starting/Stopping and
Monitoring the Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<p> If you have a permanent internet connection such as DSL or Cable, I
<div style="text-align: center;">
<h1>Starting/Stopping and Monitoring the Firewall<br>
</h1>
</div>
<p><br>
If you have a permanent internet connection such as DSL or Cable, I
recommend that you start the firewall automatically at boot. Once you
have installed "firewall" in your init.d directory, simply type
"chkconfig --add firewall". This will start the firewall in run levels
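Review bot: the new `<h1>Starting/Stopping and Monitoring the Firewall<br>` carries a `<br>` inside the heading, and the following `<p><br>` opens the first paragraph with a forced blank line; both look like artifacts of converting the banner table and should be dropped so heading and paragraph render with normal spacing. The same trailing `<br>` inside the new `<h1>` recurs in the other converted pages in this commit (Three-Interface Firewall, Traffic Shaping/Control, Basic Two-Interface Firewall, Upgrade Issues).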

View File

@ -7,19 +7,11 @@
<title>Shorewall Support Guide</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Support Guide<img
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
Support Guide <font><font color="#ffffff"><img
src="images/obrasinf.gif" alt=""
style="width: 90px; height: 90px; color: rgb(51, 0, 51);"
align="middle" title=""></font></font></h1>
<h2>Before Reporting a Problem or Asking a Question<br>
</h2>
There are a number of sources of Shorewall information. Please try
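Review bot: the replacement `<h1>` keeps a `<font color="#ffffff">` (white) wrapper around the image even though the blue banner it was written for is removed and the heading now sits on a white background (`style="background-color: rgb(255, 255, 255);"`); the nested empty `<font><font ...>` pair and the `color: rgb(51, 0, 51);` on the `<img>` are leftovers and should be stripped down to a plain `<h1>Shorewall Support Guide <img src="images/obrasinf.gif" ...></h1>`.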
@ -143,7 +135,11 @@ problem is that some type of connection to/from or through your
firewall
isn't working then please perform the following four steps:<br>
<br>
1. <b><font color="#009900">/sbin/shorewall reset</font></b><br>
1. <b><font color="#009900"><span style="color: rgb(0, 0, 0);">If
shorewall isn't running then </span></font></b><font color="#009900"
style="font-weight: bold; color: rgb(0, 153, 0);">/sbin/shorewall/start</font><b><font
color="#009900"><span style="color: rgb(0, 0, 0);">. Otherwise</span>
/sbin/shorewall reset<span style="color: rgb(0, 0, 0);">.</span></font></b><br>
<br>
2. Try making the connection that is failing.<br>
<br>
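Review bot: the new step 1 reads `/sbin/shorewall/start`, which is a path rather than a command; it should be `/sbin/shorewall start` to match `/sbin/shorewall reset` on the same line. The markup alternates `<b><font color="#009900"><span style="color: rgb(0, 0, 0);">` segments to get black prose around green commands; it is simpler to leave the prose unstyled and wrap only the two commands in the bold green font.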
@ -232,7 +228,10 @@ you can post non MNF-specific Shorewall questions to the </b><a
mailing list</a>. <b>Do not expect to get free MNF support on the list</b>
<p>Otherwise, please post your question or problem to the <a
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users
mailing list.</a> </p>
mailing list.</a><span style="font-weight: bold;"> IMPORTANT: </span>If
you are not subscribed to the list, please say so -- otherwise, you
will not be included in any replies.<br>
</p>
</blockquote>
<h2>Subscribing to the Users Mailing List<br>
</h2>
@ -245,7 +244,7 @@ mailing list.</a> </p>
<p>For information on other Shorewall mailing lists, go to <a
href="http://lists.shorewall.net">http://lists.shorewall.net</a><br>
</p>
<p align="left"><font size="2">Last Updated 9/17/2003 - Tom Eastep</font></p>
<p align="left"><font size="2">Last Updated 10/29/2003 - Tom Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M.
Eastep.</font></a></font><br>

View File

@ -9,17 +9,8 @@
<title>Three-Interface Firewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber5" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Three-Interface Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Three-Interface Firewall<br>
</h1>
<p align="left">Setting up a Linux system as a firewall for a small
network with DMZ is a fairly straight-forward task if you understand
the basics and follow the documentation.</p>
@ -1064,9 +1055,15 @@ from to <a href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>
Also, I don't recommend using "shorewall restart"; it is better to
create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
</p>
<h2>Additional Recommended Reading</h2>
I highly recommend that you review the <a
href="configuration_file_basics.htm">Common Configuration File
Features page</a> -- it contains helpful tips about Shorewall features
than make administering your firewall easier.
</div>
<p align="left"><font size="2">Last updated 8/8/2003 - <a
<p align="left"><font size="2">Last updated 10/29/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a><br>
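Review bot: the added "Additional Recommended Reading" text has a typo, "Shorewall features than make administering your firewall easier" should be "that make". The sentence is also bare text directly after the `<h2>`, whereas the rest of this page wraps body text in `<p align="left">`; wrap it the same way.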

File diff suppressed because it is too large

View File

@ -9,17 +9,8 @@
<title>Traffic Shaping</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Traffic Shaping/Control<br>
</h1>
<p align="left">Shorewall has limited support for traffic
shaping/control. In order to use traffic shaping under Shorewall, it is
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux

View File

@ -8,19 +8,10 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
src="images/obrasinf.gif" alt="Beating head on table" width="90"
height="90" align="middle"> </font></h1>
</td>
</tr>
</tbody>
</table>
<h1 align="center" style="background-color: rgb(255, 255, 255);">Shorewall
Troubleshooting <img src="images/obrasinf.gif"
alt="Beating head on table" style="width: 90px; height: 90px;"
align="middle" title=""></h1>
<h3 style="text-align: center;"><span style="font-style: italic;">"If
you think you can you can; if you think you can't you're right.<br>
If you don't believe that you can, why should someone else?" -- Gunnar
@ -145,8 +136,8 @@ sending the packets or the destination host isn't in any zone (using an
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
are you?); or</li>
<li>the source and destination hosts are both connected to the
same interface and you don't have a policy or rule for the
source zone to or from the destination zone.</li>
same interface and you haven't specified the 'routeback' option on that
interface.</li>
</ol>
</li>
<li>Remember that Shorewall doesn't automatically allow ICMP type 8
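Review bot: the corrected list item now refers to the 'routeback' option without a link, while the preceding item links its file (`<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>`); link 'routeback' to the interfaces entry in Documentation.htm (`Documentation.htm#Interfaces` is already used on the Upgrade Issues page in this commit) so readers can find where the option is set.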
@ -199,7 +190,7 @@ in /etc/shorewall/shorewall.conf.</li>
<font face="Century Gothic, Arial, Helvetica">
<blockquote> </blockquote>
</font>
<p><font size="2">Last updated 8/29/2003 - Tom Eastep</font> </p>
<p><font size="2">Last updated 11/1/2003 - Tom Eastep</font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
</p>
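Review bot: the 'Last updated' date moves to 11/1/2003 but the unchanged copyright line still reads "2001, 2002 Thomas M. Eastep"; the Support Guide in this same commit shows "2001, 2002, 2003", so this page should be brought in line.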

View File

@ -10,18 +10,8 @@
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber5"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Basic Two-Interface
Firewall</font></h1>
</td>
</tr>
</tbody>
</table>
<h1 style="text-align: center;">Basic Two-Interface Firewall<br>
</h1>
<p align="left">Setting up a Linux system as a firewall for a small
network is a fairly straight-forward task if you understand the basics
and follow the documentation.</p>
@ -946,9 +936,15 @@ have added an entry for the IP address that you are connected from to <a
Also, I don't recommend using "shorewall restart"; it is better
to create an <i><a href="configuration_file_basics.htm#Configs">alternate
configuration</a></i> and test it using the <a
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.</p>
href="starting_and_stopping_shorewall.htm">"shorewall try" command</a>.<br>
</p>
<h2>Additional Recommended Reading</h2>
I highly recommend that you review the <a
href="configuration_file_basics.htm">Common Configuration File
Features page</a> -- it contains helpful tips about Shorewall features
than make administering your firewall easier.
</div>
<p align="left"><font size="2">Last updated 8/8/2003 - <a
<p align="left"><font size="2">Last updated 10/29/2003 - <a
href="support.htm">Tom Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002,
2003 Thomas M. Eastep</font></a><br>
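Review bot: same typo as in the Three-Interface page's added paragraph, "features than make" should be "features that make".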

File diff suppressed because it is too large

View File

@ -1,471 +1,378 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Upgrade Issues</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
</td>
</tr>
</tbody>
</table>
<p>For upgrade instructions see the <a
href="Install.htm">Install/Upgrade page</a>.<br>
</p>
<p>It is important that you read all of the sections on this page where the
version number mentioned in the section title is later than what you
are currently running.<br>
</p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<body>
<h1 style="text-align: center;">Upgrade Issues<br>
</h1>
<p>For upgrade instructions see the <a href="Install.htm">Install/Upgrade
page</a>.<br>
</p>
<p>It is important that you read all of the sections on this page where
the version number mentioned in the section title is later than what
you are currently running.<br>
</p>
<p> In the descriptions that follows, the term <b><i>group </i></b>refers
to a particular network or subnetwork (which may be 0.0.0.0/0 or it may
be a host address) accessed through a particular interface.<br>
</p>
<p>Examples:<br>
    <br>
    eth0:0.0.0.0/0<br>
    eth2:192.168.1.0/24<br>
    eth3:192.0.2.123<br>
</p>
<p> You can use the "shorewall check" command to see the groups associated
with each of your zones.<br>
</p>
&nbsp;&nbsp;&nbsp; <br>
&nbsp;&nbsp;&nbsp; eth0:0.0.0.0/0<br>
&nbsp;&nbsp;&nbsp; eth2:192.168.1.0/24<br>
&nbsp;&nbsp;&nbsp; eth3:192.0.2.123<br>
</p>
<p> You can use the "shorewall check" command to see the groups
associated with each of your zones.<br>
</p>
<h3> </h3>
<h3>Version &gt;= 1.4.8</h3>
<ul>
<li>The meaning of ROUTE_FILTER=Yes has changed. Previously this
setting was documented as causing route filtering to occur on all
network interfaces; this didn't work. Beginning with this release,
ROUTE_FILTER=Yes causes route filtering to occur on all interfaces
brought up while Shorewall is running. This means that it may be
appropriate to set ROUTE_FILTER=Yes <span
style="text-decoration: underline;">and</span> use the routefilter
option in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
entries.<br>
</li>
</ul>
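Review bot: the new "Version >= 1.4.8" entry says ROUTE_FILTER=Yes now applies to interfaces "brought up while Shorewall is running" and then advises also using the routefilter option, but leaves the reason implicit: on that reading, an interface that is already up when Shorewall starts is not covered by the global setting and needs the per-interface option. Spell that out, so nobody assumes ROUTE_FILTER=Yes alone protects an existing interface. The reflowed text around it also carries the old typos forward ("descriptions that follows" above; "fix this problem..", "such a setups are ridiculous" and "a implicit policy" below).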
<h3>Version &gt;= 1.4.6</h3>
<ul>
<li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been removed
from shorewall.conf. These capabilities are now automatically detected by
Shorewall.</li>
<li>An undocumented <i>feature</i> previously allowed entries in the host
file as follows:<br>
<br>
<i>zone</i>    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to allow
entries of the following format:<br>
<br>
<i>zone</i>   eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ul>
<h3>Version &gt;= 1.4.4</h3>
If you are upgrading from 1.4.3 and have set the LOGMARKER variable
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>, then
you must set the new LOGFORMAT variable appropriately and remove your setting
of LOGMARKER<br>
<li> The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have been
removed from shorewall.conf. These capabilities are now automatically
detected by Shorewall.</li>
<li>An undocumented <i>feature</i> previously allowed entries in the
host file as follows:<br>
<br>
<i>zone</i> &nbsp; &nbsp;eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to
allow entries of the following format:<br>
<br>
<i>zone</i> &nbsp; eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ul>
<h3>Version &gt;= 1.4.4</h3>
If you are upgrading from 1.4.3 and have set the LOGMARKER variable
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>,
then you must set the new LOGFORMAT variable appropriately and remove
your setting of LOGMARKER<br>
<br>
<h3>Version 1.4.4<br>
</h3>
If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule
is too long. Upgrade to Version 1.4.4a to fix this problem..<br>
</h3>
If you have zone names that are 5 characters long, you may experience
problems starting Shorewall because the --log-prefix in a logging rule
is too long. Upgrade to Version 1.4.4a to fix this problem..<br>
<h3>Version &gt;= 1.4.2</h3>
There are some cases where you may want to handle traffic from a particular
group to itself. While I personally think that such a setups are ridiculous,
there are two cases covered in this documentation where it can occur:<br>
There are some cases where you may want to handle traffic from a
particular group to itself. While I personally think that such a setups
are ridiculous, there are two cases covered in this documentation where
it can occur:<br>
<ol>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a
transparent proxy in your local zone.</a></li>
<li><a href="FAQ.htm#faq2">In FAQ #2</a>.</li>
<li><a href="Shorewall_Squid_Usage.html">When running Squid as a
transparent proxy in your local zone.</a></li>
</ol>
If you have either of these cases, you will want to review the current
documentation and change your configuration accordingly.<br>
If you have either of these cases, you will want to review the current
documentation and change your configuration accordingly.<br>
<h3>Version &gt;= 1.4.1</h3>
<ul>
<li>Beginning with Version 1.4.1, traffic between groups in
the same zone is accepted by default. Previously, traffic from a zone
to itself was treated just like any other traffic; any matching rules
were applied followed by enforcement of the appropriate policy. With 1.4.1
and later versions, unless you have explicit rules for traffic from Z
to Z or you have an explicit Z to Z policy (where "Z" is some zone) then
traffic between the groups in zone Z will be accepted. If you do have one
or more explicit rules for Z to Z or if you have an explicit Z to Z policy
then the behavior is as it was in prior versions.</li>
<li>Beginning with Version 1.4.1, traffic between groups in
the same zone is accepted by default. Previously, traffic from a zone
to itself was treated just like any other traffic; any matching rules
were applied followed by enforcement of the appropriate policy. With
1.4.1
and later versions, unless you have explicit rules for traffic from Z
to Z or you have an explicit Z to Z policy (where "Z" is some zone)
then
traffic between the groups in zone Z will be accepted. If you do have
one
or more explicit rules for Z to Z or if you have an explicit Z to Z
policy
then the behavior is as it was in prior versions.</li>
</ul>
<blockquote>
<blockquote>
<ol>
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed
and traffic between the interfaces will traverse fewer rules than previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have
Z-&gt;Z rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one
that has "all" in either the SOURCE or DESTINATION column) to prevent
traffic between two interfaces to a zone Z and you have no rules for
Z-&gt;Z then you should add an explicit DROP or REJECT policy for Z to
<li>If you have a Z Z ACCEPT policy for a zone to allow traffic
between two interfaces to the same zone, that policy can be removed
and traffic between the interfaces will traverse fewer rules than
previously.</li>
<li>If you have a Z Z DROP or Z Z REJECT policy or you have Z-&gt;Z
rules then your configuration should not require any change.</li>
<li>If you are currently relying on a implicit policy (one
that has "all" in either the SOURCE or DESTINATION column) to prevent
traffic between two interfaces to a zone Z and you have no rules for
Z-&gt;Z then you should add an explicit DROP or REJECT policy for Z to
Z.<br>
</li>
</li>
</ol>
</blockquote>
</blockquote>
<ul>
<li> Sometimes, you want two separate zones on one interface but
you don't want Shorewall to set up any infrastructure to handle traffic
between them. </li>
<li> Sometimes, you want two separate zones on one interface but you
don't want Shorewall to set up any infrastructure to handle traffic
between them. </li>
</ul>
<blockquote>Example:<br>
<blockquote>
<blockquote>
<pre>/etc/shorewall/zones<br><br>z1 Zone1 The first Zone<br>z2 Zone2 The secont Zone<br><br>/etc/shorewall/interfaces<br><br>z2 eth1 192.168.1.255<br><br>/etc/shorewall/hosts<br><br>z1 eth1:192.168.1.3<br></pre>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going
to be involved in any traffic between these two zones. Beginning with
Shorewall 1.4.1, you can prevent Shorewall from setting up any infrastructure
to handle traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
</blockquote>
Here, zone z1 is nested in zone z2 and the firewall is not going to be
involved in any traffic between these two zones. Beginning with
Shorewall 1.4.1, you can prevent Shorewall from setting up any
infrastructure
to handle traffic between z1 and z2 by using the new NONE policy:<br>
<blockquote>
<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>
</blockquote>
Note that NONE policies are generally used in pairs unless there
is asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other direction. </blockquote>
</blockquote>
Note that NONE policies are generally used in pairs unless there is
asymetric routing where only the traffic on one direction flows through
the firewall and you are using a NONE polciy in the other
direction.&nbsp;</blockquote>
<h3>Version 1.4.1<br>
</h3>
</h3>
<ul>
<li>In Version 1.4.1, Shorewall will never create rules to
deal with traffic from a given group back to itself. The <i>multi</i>
interface option is no longer available so if you want to route traffic
between two subnetworks on the same interface then I recommend that you
upgrade to Version 1.4.2 and use the 'routeback' interface or host option. </li>
<li>In Version 1.4.1, Shorewall will never create rules to deal with
traffic from a given group back to itself. The <i>multi</i> interface
option is no longer available so if you want to route traffic between
two subnetworks on the same interface then I recommend that you upgrade
to Version 1.4.2 and use the 'routeback' interface or host option.&nbsp;</li>
</ul>
<h3>Version &gt;= 1.4.0</h3>
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the
iproute package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the
<b>IMPORTANT: Shorewall &gt;=1.4.0 </b><b>requires</b> <b>the iproute
package ('ip' utility).</b><br>
<br>
<b>Note: </b>Unfortunately, some distributions call this package
iproute2 which will cause the upgrade of Shorewall to fail with the
diagnostic:<br>
<br>
     error: failed dependencies:iproute is needed by shorewall-1.4.0-1
<br>
<br>
This may be worked around by using the --nodeps option of rpm
(rpm -Uvh --nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<br>
&nbsp; &nbsp; &nbsp;error: failed dependencies:iproute is needed by
shorewall-1.4.0-1 <br>
<br>
This may be worked around by using the --nodeps option of rpm (rpm -Uvh
--nodeps &lt;shorewall rpm&gt;).<br>
<br>
If you are upgrading from a version &lt; 1.4.0, then:<br>
<ul>
<li>The <b>noping </b>and <b>forwardping</b> interface
options are no longer supported nor is the <b>FORWARDPING </b>option
in shorewall.conf. ICMP echo-request (ping) packets are treated just
like any other connection request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt;
in /etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when
there are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces
and hosts file has been eliminated; use entries in the routestopped
file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules
is no longer accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf
is no longer supported. Shorewall 1.4 behavior is the same as 1.3
with ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped
by default; there is no need for your own /etc/shorewall/common file
simply to avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version'
file have been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you
include it from /etc/shorewall/icmpdef, you will need to modify that
file.</li>
<li>The <b>noping </b>and <b>forwardping</b> interface options are
no longer supported nor is the <b>FORWARDPING </b>option in
shorewall.conf. ICMP echo-request (ping) packets are treated just like
any other connection request and are subject to rules and policies.</li>
<li>Interface names of the form &lt;device&gt;:&lt;integer&gt; in
/etc/shorewall/interfaces now generate a Shorewall error at startup
(they always have produced warnings in iptables).</li>
<li>The MERGE_HOSTS variable has been removed from shorewall.conf.
Shorewall 1.4 behaves like 1.3 did when MERGE_HOSTS=Yes; that is zone
contents are determined by BOTH the interfaces and hosts files when
there are entries for the zone in both files.</li>
<li>The <b>routestopped</b> option in the interfaces
and hosts file has been eliminated; use entries in the routestopped
file instead.</li>
<li>The Shorewall 1.2 syntax for DNAT and REDIRECT rules is no longer
accepted; you must convert to using the new syntax.</li>
<li value="6">The ALLOWRELATED variable in shorewall.conf is no
longer supported. Shorewall 1.4 behavior is the same as 1.3 with
ALLOWRELATED=Yes.</li>
<li value="6">Late-arriving DNS replies are now dropped by default;
there is no need for your own /etc/shorewall/common file simply to
avoid logging these packets.</li>
<li value="6">The 'firewall', 'functions' and 'version' file have
been moved to /usr/share/shorewall.</li>
<li value="6">The icmp.def file has been removed. If you include it
from /etc/shorewall/icmpdef, you will need to modify that file.</li>
<ul>
</ul>
<li>If you followed the advice in FAQ #2 and call find_interface_address
in /etc/shorewall/params, that code should be moved to /etc/shorewall/init.<br>
</li>
<li>If you followed the advice in FAQ #2 and call
find_interface_address in /etc/shorewall/params, that code should be
moved to /etc/shorewall/init.<br>
</li>
</ul>
<ul>
</ul>
<h3>Version 1.4.0</h3>
<ul>
<li value="8">The 'multi' interface option is no longer supported.
 Shorewall will generate rules for sending packets back out the same
interface that they arrived on in two cases:</li>
<li value="8">The 'multi' interface option is no longer supported.
&nbsp;Shorewall will generate rules for sending packets back out the
same interface that they arrived on in two cases:</li>
</ul>
<blockquote>
<blockquote>
<ul>
<li>There is an <u>explicit</u> policy for the source zone
to or from the destination zone. An explicit policy names both zones
and does not use the 'all' reserved word.</li>
<li>There is an <u>explicit</u> policy for the source zone to or
from the destination zone. An explicit policy names both zones and does
not use the 'all' reserved word.</li>
</ul>
<ul>
<li>There are one or more rules for traffic for the source
zone to or from the destination zone including rules that use the 'all'
reserved word. Exception: if the source zone and destination zone are
the same then the rule must be explicit - it must name the zone in both
the SOURCE and DESTINATION columns.</li>
<li>There are one or more rules for traffic for the source zone to
or from the destination zone including rules that use the 'all'
reserved word. Exception: if the source zone and destination zone are
the same then the rule must be explicit - it must name the zone in both
the SOURCE and DESTINATION columns.</li>
</ul>
</blockquote>
</blockquote>
<h3>Version &gt;= 1.3.14</h3>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
     Beginning in version 1.3.14, Shorewall treats entries
in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp; &nbsp; Beginning in version 1.3.14, Shorewall treats
entries in <a href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently.
The change involves entries with an <b>interface name</b> in the <b>SUBNET</b>
(second) <b>column</b>:<br>
<ul>
<li>Prior to 1.3.14, Shorewall would detect the FIRST
subnet on the interface (as shown by "ip addr show <i>interface</i>")
and would masquerade traffic from that subnet. Any other subnets that
routed through eth1 needed their own entry in /etc/shorewall/masq to
be masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses
the firewall's routing table to determine ALL subnets routed through
the named interface. Traffic originating in ANY of those subnets is
masqueraded or has SNAT applied.</li>
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the
interface (as shown by "ip addr show <i>interface</i>") and would
masquerade traffic from that subnet. Any other subnets that routed
through eth1 needed their own entry in /etc/shorewall/masq to be
masqueraded or to have SNAT applied.</li>
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's
routing table to determine ALL subnets routed through the named
interface. Traffic originating in ANY of those subnets is
masqueraded or has SNAT applied.</li>
</ul>
You will need to make a change to your configuration
You will need to make a change to your configuration
if:<br>
<ol>
<li>You have one or more entries in /etc/shorewall/masq
with an interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
<li>You have one or more entries in /etc/shorewall/masq with an
interface name in the SUBNET (second) column; and</li>
<li>That interface connects to more than one subnetwork.</li>
</ol>
Two examples:<br>
<br>
 <b>Example 1</b> -- Suppose that your current config
is as follows:<br>
   <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE              SUBNET                  ADDRESS<br> eth0                    eth2                    206.124.146.176<br> eth0                    192.168.10.0/24         206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration
is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    eth2                    206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24  scope link<br> 192.168.10.0/24  proto kernel  scope link  src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
to:<br>
</blockquote>
<pre> #INTERFACE              SUBNET                  ADDRESS <br> eth0                    192.168.1.0/24          206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13"
height="13">
    Version 1.3.14 also introduced simplified ICMP echo-request
(ping) handling. The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf
is used to specify that the old (pre-1.3.14) ping handling is to
be used (If the option is not set in your /etc/shorewall/shorewall.conf
then OLD_PING_HANDLING=Yes is assumed). I don't plan on supporting
the old handling indefinitely so I urge current users to migrate to using
the new handling as soon as possible. See the <a href="ping.html">'Ping'
handling documentation</a> for details.<br>
Two examples:<br>
<br>
&nbsp;<b>Example 1</b> -- Suppose that your current config is as
follows:<br>
&nbsp;&nbsp; <br>
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS<br> eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br> eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.10.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24&nbsp; scope link<br> 192.168.10.0/24&nbsp; proto kernel&nbsp; scope link&nbsp; src 192.168.10.254<br> [root@gateway test]#</pre>
<blockquote>In this case, the second entry in /etc/shorewall/masq is no
longer required.<br>
</blockquote>
<b>Example 2</b>-- What if your current configuration is like this?<br>
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS <br> eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; eth2&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24&nbsp; scope link<br> 192.168.10.0/24&nbsp; proto kernel&nbsp; scope link&nbsp; src 192.168.10.254 <br> [root@gateway test]#</pre>
<blockquote>In this case, you would want to change the entry in
/etc/shorewall/masq to:<br>
</blockquote>
<pre> #INTERFACE&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; SUBNET&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; ADDRESS <br> eth0&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 192.168.1.0/24&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
&nbsp;&nbsp;&nbsp; Version 1.3.14 also introduced simplified ICMP
echo-request (ping) handling. The option OLD_PING_HANDLING=Yes in
/etc/shorewall/shorewall.conf is used to specify that the old
(pre-1.3.14) ping handling is to be used (If the option is not set in
your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes is
assumed). I don't plan on supporting the old handling indefinitely so I
urge current users to migrate to using the new handling as soon as
possible. See the <a href="ping.html">'Ping' handling documentation</a>
for details.<br>
<h3>Version 1.3.10</h3>
If you have installed the 1.3.10 Beta 1 RPM and are
now upgrading to version 1.3.10, you will need to use the '--force'
If you have installed the 1.3.10 Beta 1 RPM and are
now upgrading to version 1.3.10, you will need to use the '--force'
option:<br>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
</blockquote>
<br>
<blockquote>
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm&nbsp;</pre>
</blockquote>
<h3>Version &gt;= 1.3.9</h3>
The 'functions' file has moved to /usr/lib/shorewall/functions.
If you have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br>
The 'functions' file has moved to /usr/lib/shorewall/functions. If you
have an application that uses functions from that file, your
application will need to be changed to reflect this change of location.<br>
<h3>Version &gt;= 1.3.8</h3>
<p>If you have a pair of firewall systems configured for failover
or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall
versions &gt;= 1.3.8. Beginning with version 1.3.8,
you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<p>If you have a pair of firewall systems configured for failover or if
you have asymmetric routing, you will need to modify your firewall
setup slightly under Shorewall versions &gt;= 1.3.8. Beginning with
version 1.3.8, you must set NEWNOTSYN=Yes in your
/etc/shorewall/shorewall.conf file.</p>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
will need to include the following
rules in their /etc/shorewall/icmpdef file (creating this
file if necessary):</p>
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf will need to
include the following rules in their /etc/shorewall/icmpdef file
(creating this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
command from that file since the icmp.def file is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<p>Users having an /etc/shorewall/icmpdef file may remove the ".
/etc/shorewall/icmp.def" command from that file since the icmp.def file
is now empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version 1.3.3 and later:</p>
<ol>
<li>Be sure you
have a backup -- you will need
to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the
shorwall.lrp package provided on
the Bering floppy with the later one. If you did
not obtain the later version from Jacques's site,
see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall
entry if present. Then do not
forget to backup root.lrp !</li>
<li>Be sure you have a backup -- you will need to transcribe any
Shorewall configuration changes that you have made to the new
configuration.</li>
<li>Replace the shorwall.lrp package provided on the Bering floppy
with the later one. If you did not obtain the later version from
Jacques's site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list file and remove the
/var/lib/shorewall entry if present. Then do not forget to backup
root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a
href="two-interface.htm">instructions for setting up a two-interface
firewall</a> plus you also need to add the following two Bering-specific
rules to /etc/shorewall/rules:</p>
<blockquote>
<p>The .lrp that I release isn't set up for a two-interface firewall
like Jacques's. You need to follow the <a href="two-interface.htm">instructions
for setting up a two-interface firewall</a> plus you also need to add
the following two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
</blockquote>
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
<p align="left">If you have a pair of firewall systems configured for
failover or if you have asymmetric routing, you will need to modify
your firewall setup slightly under Shorewall versions
1.3.6 and 1.3.7</p>
<ol>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A
newnotsyn -j RETURN # So that the connection tracking
table can be rebuilt<br>
                                   
# from non-SYN packets after takeover.<br>
 </font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A
common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
#Accept Acks to rebuild connection<br>
                                                                   
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
<li>
<p align="left">Create the file /etc/shorewall/newnotsyn and in it
add the following rule<br>
<br>
<font face="Courier">run_iptables -A
newnotsyn -j RETURN # So that the connection tracking
table can be rebuilt<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# from non-SYN packets after takeover.<br>
&nbsp;</font> </p>
</li>
<li>
<p align="left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A
common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT
#Accept Acks to rebuild connection<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
#tracking table. <br>
. /etc/shorewall/common.def</font> </p>
</li>
</ol>
<h3 align="left">Versions &gt;= 1.3.5</h3>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
supported. </p>
<p align="left">Some forms of pre-1.3.0 rules file syntax are no longer
supported. </p>
<p align="left">Example 1:</p>
<div align="left">
<div align="left">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
</div>
<p align="left">Must be replaced with:</p>
<div align="left">
<div align="left">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Example 2:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
</div>
<div align="left">
<p align="left">Must be replaced with:</p>
</div>
<div align="left">
</div>
<div align="left">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
</div>
<h3 align="left">Version &gt;= 1.3.2</h3>
<p align="left">The functions and versions files together with the 'firewall'
symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
If you have applications that access these files, those
applications should be modified accordingly.</p>
<p><font size="2"> Last updated 6/29/2003 - <a href="support.htm">Tom
<p align="left">The functions and versions files together with the
'firewall' symbolic link have moved from /etc/shorewall to
/var/lib/shorewall. If you have applications that access these files,
those applications should be modified accordingly.</p>
<p><font size="2"> Last updated 10/30/2003 - <a href="support.htm">Tom
Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
</p>
<br>
<br>
<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a></font><br>
</p>
</body>
</html>
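Review bot: the rewrap of upgrade_issues.htm rewrites the affected lines but carries their typos over unchanged: "The secont Zone" in the zones example, "such a setups are ridiculous", "asymetric routing" and "a NONE polciy in the other direction", and the doubled full stop in "Upgrade to Version 1.4.4a to fix this problem.."; fix them while these lines are being touched. The policy example is invalid HTML in both the old and the new text, `<pre>/etc/shorewall/policy<br><pre>z1 z2 NONE<br>z2 z1 NONE</pre></pre>`, since `<pre>` cannot nest; collapse it to a single `<pre>` block with the file name on its first line. Two empty `<ul></ul>` pairs (one inside the 1.4.0 list right after the icmpdef item, one after that list closes) and four consecutive `<li value="6">` items inside an unordered list are editor leftovers that the rewrap should have dropped, and the "Last updated" date is bumped to 10/30/2003 although no sentence changed. On substance, the 1.3.6/1.3.7 failover recipe `run_iptables -A common -p tcp --tcp-flags ACK,FIN,RST ACK -j ACCEPT` accepts every TCP packet with ACK set and FIN/RST clear that reaches the common chain, i.e. packets that a DROP or REJECT policy would otherwise discard, and the 1.3.8 NEWNOTSYN=Yes advice likewise stops dropping TCP packets for which conntrack has seen no SYN; the page should say plainly that both weaken stateful filtering (ACK-only probes and stray segments reach the protected hosts and are then governed only by the rules and policies) so readers enable them only for the failover and asymmetric-routing cases they are meant for.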

View File

@ -2,65 +2,39 @@
<html>
<head>
<title>Useful Links</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Useful Links</font><br>
</h1>
<br>
</td>
</tr>
</tbody>
</table>
&nbsp;&nbsp; &nbsp;<br>
<body>
<h1 style="text-align: center;">Useful Links &nbsp; &nbsp;</h1>
<h3>NetFilter Site: <a href="http://www.netfilter.org">http://www.netfilter.org<img
src="images/netfilterlogo.png" alt="Netfilter Logo" width="94"
height="33" hspace="4" align="middle" border="0">
</a></h3>
height="33" hspace="4" align="middle" border="0"> </a></h3>
<h3>Linux Advanced Routing and Traffic Control Howto: <a
href="http://ds9a.nl/lartc">http://ds9a.nl/lartc</a></h3>
<h3>Iproute Downloads: <a href="ftp://ftp.inr.ac.ru/ip-routing">ftp://ftp.inr.ac.ru/ip-routing</a></h3>
<h3>LEAF Site: <a href="http://leaf-project.org">http://leaf-project.org<img
src="images/leaflogo.jpg" alt="Leaf Logo" width="64" height="48"
align="middle" hspace="4" border="0">
</a></h3>
align="middle" hspace="4" border="0"> </a></h3>
<h3>Bering LEAF Distribution: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></h3>
href="http://leaf.sourceforge.net/devel/jnilo">
http://leaf.sourceforge.net/devel/jnilo</a></h3>
<h3>Debian apt-get sources for Shorewall: <a
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html<img
src="images/openlogo-nd-50.png" alt="Open Logo" width="25" height="30"
align="middle" hspace="4" border="0">
<img src="images/debian.jpg" alt="Debian Logo" width="88" height="30"
align="middle" border="0">
</a><br>
</h3>
<br>
<font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
align="middle" hspace="4" border="0"> <img src="images/debian.jpg"
alt="Debian Logo" width="88" height="30" align="middle" border="0"> </a><br>
</h3>
<br>
<font size="2">Last updated 9/16/2002 - <a href="support.htm">Tom
Eastep</a></font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
<br>
<br>
</body>
</html>
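Review bot: the replacement heading `<h1 style="text-align: center;">Useful Links &nbsp; &nbsp;</h1>` keeps the trailing `&nbsp; &nbsp;` that only padded the old banner table; with the table gone it just skews the centred title, so drop it. The footer still reads "Last updated 9/16/2002" with a copyright ending in 2002 even though the page is being edited in this commit (the upgrade-issues page in the previous hunk was bumped to 10/30/2003). The "Debian apt-get sources for Shorewall" entry points readers at an individual's page (`~lorenzo`) for packages of a firewall tool; the line should say how those packages are to be verified (where the repository's signing key or checksums are published) before anyone adds the source to sources.list, rather than being an unqualified pointer to third-party builds.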

View File

@ -1,309 +1,267 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Whitelisting under Shorewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
id="AutoNumber1" bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Whitelisting under Shorewall</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="left">For a brief time, the 1.2 version of Shorewall supported
an /etc/shorewall/whitelist file. This file was intended to contain a list
of IP addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist
file was implemented as a stop-gap measure until the facilities necessary
for implementing white lists using zones was in place. As of Version 1.3
RC1, those facilities were available.</p>
<p align="left">White lists are most often used to give special privileges
to a set  of hosts within an organization. Let us suppose that we have the
following environment:</p>
<body>
<h1 style="text-align: center;">Whitelisting under Shorewall<br>
</h1>
<p align="left">For a brief time, the 1.2 version of Shorewall
supported
an /etc/shorewall/whitelist file. This file was intended to contain a
list
of IP addresses of hosts whose POLICY to all zones was ACCEPT. The
whitelist file was implemented as a stop-gap measure until the
facilities necessary for implementing white lists using zones was in
place. As of Version 1.3 RC1, those facilities were available.</p>
<p align="left">White lists are most often used to give special
privileges to a set&nbsp; of hosts within an organization. Let us
suppose that we have the following environment:</p>
<ul>
<li>A firewall with three interfaces -- one to the internet, one
to a local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised
of the class B network 10.10.0.0/16 (Note: While this example uses an RFC
1918 local network, the technique described here in no way depends on
that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
<li>A firewall with three interfaces -- one to the internet, one to a
local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised of
the class B network 10.10.0.0/16 (Note: While this example uses an RFC
1918 local network, the technique described here in no way depends on
that or on SNAT. It may be used with Proxy ARP, Subnet Routing, Static
NAT, etc.).</li>
<li>The network operations staff have workstations with IP addresses
<li>The network operations staff have workstations with IP addresses
in the class C network 10.10.10.0/24</li>
<li>We want the network operations staff to have full access to all
<li>We want the network operations staff to have full access to all
other hosts.</li>
<li>We want the network operations staff to bypass the transparent
<li>We want the network operations staff to bypass the transparent
HTTP proxy running on our firewall.</li>
</ul>
<p align="left">The basic approach will be that we will place the operations
staff's class C in its own zone called <b>ops</b>. Here are the appropriate
configuration files:</p>
<p align="left">The basic approach will be that we will place the
operations staff's class C in its own zone called <b>ops</b>. Here are
the appropriate configuration files:</p>
<h2 align="left">Zone File</h2>
<blockquote>
<blockquote>
<table border="2">
<tbody>
<tr>
<td><b> ZONE</b></td>
<td><b> DISPLAY</b></td>
<td><b> COMMENTS</b></td>
</tr>
<tr>
<td>net</td>
<td>Net</td>
<td>Internet</td>
</tr>
<tr>
<td>ops</td>
<td>Operations</td>
<td>Operations Staff's Class C</td>
</tr>
<tr>
<td>loc</td>
<td>Local</td>
<td>Local Class B</td>
</tr>
<tr>
<td>dmz</td>
<td>DMZ</td>
<td>Demilitarized zone</td>
</tr>
</tbody>
<tbody>
<tr>
<td><b> ZONE</b></td>
<td><b> DISPLAY</b></td>
<td><b> COMMENTS</b></td>
</tr>
<tr>
<td>net</td>
<td>Net</td>
<td>Internet</td>
</tr>
<tr>
<td>ops</td>
<td>Operations</td>
<td>Operations Staff's Class C</td>
</tr>
<tr>
<td>loc</td>
<td>Local</td>
<td>Local Class B</td>
</tr>
<tr>
<td>dmz</td>
<td>DMZ</td>
<td>Demilitarized zone</td>
</tr>
</tbody>
</table>
</blockquote>
<p>The <b>ops </b>zone has been added to the standard 3-zone zones file --
since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
</blockquote>
<p>The <b>ops </b>zone has been added to the standard 3-zone zones
file -- since <b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u>
<b>loc</b>.</p>
<h2>Interfaces File</h2>
<blockquote>
<blockquote>
<table border="2">
<tbody>
<tr>
<td><b> ZONE</b></td>
<td><b> INTERFACE</b></td>
<td><b> BROADCAST</b></td>
<td><b> OPTIONS</b></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>&lt;whatever&gt;</td>
<td>&lt;options&gt;</td>
</tr>
<tr>
<td>dmz</td>
<td>eth1</td>
<td>&lt;whatever&gt;</td>
<td><br>
</td>
</tr>
<tr>
<td>-</td>
<td>eth2</td>
<td>10.10.255.255</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><b> ZONE</b></td>
<td><b> INTERFACE</b></td>
<td><b> BROADCAST</b></td>
<td><b> OPTIONS</b></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>&lt;whatever&gt;</td>
<td>&lt;options&gt;</td>
</tr>
<tr>
<td>dmz</td>
<td>eth1</td>
<td>&lt;whatever&gt;</td>
<td><br>
</td>
</tr>
<tr>
<td>-</td>
<td>eth2</td>
<td>10.10.255.255</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
we don't specify a zone for it here.</p>
</blockquote>
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>,
we don't specify a zone for it here.</p>
<h2>Hosts File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2">
<tbody>
<tr>
<td><b> ZONE</b></td>
<td><b> HOST(S)</b></td>
<td><b> OPTIONS</b></td>
</tr>
<tr>
<td>ops</td>
<td>eth2:10.10.10.0/24</td>
<td><br>
</td>
</tr>
<tr>
<td>loc</td>
<td>eth2:0.0.0.0/0</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><b> ZONE</b></td>
<td><b> HOST(S)</b></td>
<td><b> OPTIONS</b></td>
</tr>
<tr>
<td>ops</td>
<td>eth2:10.10.10.0/24</td>
<td><br>
</td>
</tr>
<tr>
<td>loc</td>
<td>eth2:0.0.0.0/0</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is stopped,
only the hosts in the <b>ops</b> zone will be allowed to access the firewall
and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than 10.10.0.0/16
so that the limited broadcast address (255.255.255.255) falls into that
zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
that special address.</p>
</blockquote>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall
is stopped,
only the hosts in the <b>ops</b> zone will be allowed to access the
firewall
and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than
10.10.0.0/16
so that the limited broadcast address (255.255.255.255) falls into that
zone. If I used 10.10.0.0/16 then I would have to have a separate entry
for that special address.</p>
<h2>Policy File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica">
</font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2">
<tbody>
<tr>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> POLICY</b></td>
<td><b> LOG LEVEL</b></td>
<td><b>LIMIT:BURST</b></td>
</tr>
<tr>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ACCEPT</font></td>
<td> </td>
<td> </td>
</tr>
<tr>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">CONTINUE</font></td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>loc</td>
<td>net</td>
<td>ACCEPT</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>net</td>
<td>all</td>
<td>DROP</td>
<td>info</td>
<td> </td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> POLICY</b></td>
<td><b> LOG LEVEL</b></td>
<td><b>LIMIT:BURST</b></td>
</tr>
<tr>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ACCEPT</font></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><font color="#0000ff">all</font></td>
<td><font color="#0000ff">ops</font></td>
<td><font color="#0000ff">CONTINUE</font></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>loc</td>
<td>net</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>net</td>
<td>all</td>
<td>DROP</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy
file.<font color="#ff0000"><b></b></font></p>
</blockquote>
<p>Two entries for <b>ops</b> have been added to the standard 3-zone
policy file.<font color="#ff0000"><b></b></font></p>
<h2>Rules File</h2>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<blockquote> <font face="Century Gothic, Arial, Helvetica"> </font>
<table border="2">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc!ops</td>
<td>3128</td>
<td>tcp</td>
<td>http</td>
<td> </td>
<td> </td>
</tr>
<tr>
<td>...</td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
<td> </td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc!ops</td>
<td>3128</td>
<td>tcp</td>
<td>http</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>...</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table>
</blockquote>
<p>This is the rule that transparently redirects web traffic to the transparent
proxy running on the firewall. The SOURCE column explicitly excludes the
<b>ops</b> zone from the rule.</p>
</blockquote>
<p>This is the rule that transparently redirects web traffic to the
transparent proxy running on the firewall. The SOURCE column explicitly
excludes the <b>ops</b> zone from the rule.</p>
<h2>Routestopped File</h2>
<blockquote>
<blockquote>
<table border="2">
<tbody>
<tr>
<td><b>INTERFACE</b><br>
</td>
<td><b> HOST(S)</b></td>
</tr>
<tr>
<td valign="top">eth1<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>eth2<br>
</td>
<td>10.10.10.0/24</td>
</tr>
</tbody>
<tbody>
<tr>
<td><b>INTERFACE</b><br>
</td>
<td><b> HOST(S)</b></td>
</tr>
<tr>
<td valign="top">eth1<br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td>eth2<br>
</td>
<td>10.10.10.0/24</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</blockquote>
<p><font size="2"> Updated 2/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002, 2003Thomas M. Eastep.</font></a></font></p>
<br>
<br>
<br>
</body>
</html>
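Review bot: The copyright line, present unchanged in both the old and the new version of this page as "© <font size="2">2002, 2003Thomas M. Eastep.</font>", is missing the space between "2003" and "Thomas", and the "Updated 2/18/2003" stamp was not bumped even though the page is rewritten in this commit. Two smaller points: the empty `<font color="#ff0000"><b></b></font>` after "policy file." is dead markup and can be dropped, and since membership in the ops zone is decided purely by source address ("eth2:10.10.10.0/24" in the hosts file) while "ops all ACCEPT" plus the routestopped entry give those addresses unrestricted access to the firewall and the DMZ even when Shorewall is stopped, a sentence pointing readers at MAC verification (the maclist facility) for tying those privileged addresses to known hosts would make the whitelisting advice more robust.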

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.7b
VERSION=1.4.8
usage() # $1 = exit status
{

View File

@ -58,18 +58,18 @@ list_search() # $1 = element to search for , $2-$n = list
#
# Functions to count list elements
# - - - - - - - - - - - - - - - -
# Whitespace-separated list
#
list_count() {
arg_count() {
echo $#
}
arg_count `separate_list $@`
}
list_count1() {
echo $#
}
#
# Comma-separated list
#
list_count() {
list_count1 `separate_list $1`
}
#
# Mutual exclusion -- These functions are jackets for the mutual exclusion
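Review bot: The new `list_count` passes only `$1` to `separate_list`, where the old body passed `$@`; any caller that hands it an unquoted, already-split list now counts only the first word, so confirm that every call site quotes its argument or passes a single comma-separated token. Minor: `list_count1` relies on the caller expanding its argument unquoted so that word splitting happens, which is worth a one-line comment because it reads like a bug at first glance.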
@ -229,11 +229,13 @@ run_tc() {
#
# If the chain isn't one of the common chains then add a rule to the chain
# allowing packets that are part of an established connection. Create a
# variable ${1}_exists and set its value to Yes to indicate that the chain now
# variable exists_${1} and set its value to Yes to indicate that the chain now
# exists.
#
createchain() # $1 = chain name, $2 = If "yes", create default rules
{
local c=`chain_base $1`
run_iptables -N $1
if [ $2 = yes ]; then
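Review bot: The comment above `createchain` still says the function sets "variable exists_${1}", but the body sets "eval exists_${c}=Yes" with `c` derived from "chain_base $1", so the variable is keyed by the sanitized chain name, not the raw one; reword the comment so that someone grepping for the variable is not misled. Also, "if [ $2 = yes ]; then" produces a test syntax error when `$2` is empty; quote it as "[ "$2" = yes ]".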
@ -242,11 +244,13 @@ createchain() # $1 = chain name, $2 = If "yes", create default rules
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi
eval ${1}_exists=Yes
eval exists_${c}=Yes
}
createchain2() # $1 = chain name, $2 = If "yes", create default rules
{
local c=`chain_base $1`
if iptables -N $1; then
if [ $2 = yes ]; then
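Review bot: `createchain2` is now a verbatim copy of `createchain` differing only in "if iptables -N $1; then" versus "run_iptables -N $1", and the sanitized-name logic just added to both has to be kept in sync by hand; consider moving the shared body (the default rules and "eval exists_${c}=Yes") into one helper that both functions call, so the next rename is not made twice.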
@ -255,20 +259,22 @@ createchain2() # $1 = chain name, $2 = If "yes", create default rules
run_iptables -A $1 -m state --state NEW -p tcp ! --syn -j newnotsyn
fi
eval ${1}_exists=Yes
eval exists_${c}=Yes
fi
}
#
# Determine if a chain exists
#
# When we create a chain "chain", we create a variable named chain_exists and
# set its value to Yes. This function tests for the "_exists" variable
# When we create a chain "chain", we create a variable named exists_chain and
# set its value to Yes. This function tests for the "exists_" variable
# corresponding to the passed chain having the value of "Yes".
#
havechain() # $1 = name of chain
{
eval test \"\$${1}_exists\" = Yes
local c=`chain_base $1`
eval test \"\$exists_${c}\" = Yes
}
#
@ -307,26 +313,26 @@ addrule() # $1 = chain name, remainder of arguments specify the rule
#
# Create a nat chain
#
# Create a variable ${1}_nat_exists and set its value to Yes to indicate that
# Create a variable exists_nat_${1} and set its value to Yes to indicate that
# the chain now exists.
#
createnatchain() # $1 = chain name
{
run_iptables -t nat -N $1
eval ${1}_nat_exists=Yes
eval exists_nat_${1}=Yes
}
#
# Determine if a nat chain exists
#
# When we create a chain "chain", we create a variable named chain_nat_exists
# and set its value to Yes. This function tests for the "_exists" variable
# When we create a chain "chain", we create a variable named exists_nat_chain
# and set its value to Yes. This function tests for the "exists_" variable
# corresponding to the passed chain having the value of "Yes".
#
havenatchain() # $1 = name of chain
{
eval test \"\$${1}_nat_exists\" = Yes
eval test \"\$exists_nat_${1}\" = Yes
}
#
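Review bot: `createnatchain` and `havenatchain` still use the raw chain name in "eval exists_nat_${1}=Yes" and "eval test \"\$exists_nat_${1}\" = Yes", while `createchain`/`havechain` now go through `chain_base`; a nat chain whose name contains a dot or a dash (exactly the cases `chain_base` exists for) would turn the `eval` into a shell syntax error. Either add "local c=`chain_base $1`" here as well, or state in the comment why nat chain names are guaranteed to be plain identifiers.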
@ -630,11 +636,11 @@ validate_interfaces_file() {
all_interfaces="$all_interfaces $interface"
options=`separate_list $options`
interface=`chain_base $interface`
iface=`chain_base $interface`
eval ${interface}_broadcast="$subnet"
eval ${interface}_zone="$z"
eval ${interface}_options=\"$options\"
eval ${iface}_broadcast="$subnet"
eval ${iface}_zone="$z"
eval ${iface}_options=\"$options\"
for option in $options; do
case $option in
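Review bot: Keeping `$interface` as the real device name and using `iface` only for the `${iface}_broadcast`, `${iface}_zone` and `${iface}_options` variables is the right split, but `all_interfaces` is still populated with the raw name; every later loop over `$all_interfaces` that reads these variables must apply `chain_base` first, so a short comment at the assignments saying that they are keyed by the sanitized name would prevent a lookup on the raw name from silently returning empty.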
@ -757,7 +763,14 @@ validate_policy()
esac
case $policy in
ACCEPT|REJECT|DROP|CONTINUE|NONE)
ACCEPT|REJECT|DROP|CONTINUE)
;;
NONE)
[ "$client" = "$FW" -o "$server" = "$FW" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed to/from the $FW zone"
[ -n "$clientwild" -o -n "$serverwild" ] && \
startup_error " $client $server $policy $loglevel $synparams: NONE policy not allowed with \"all\""
;;
*)
startup_error "Invalid policy $policy"
@ -775,8 +788,6 @@ validate_policy()
[ "x$loglevel" = "x-" ] && loglevel=
chain=${client}2${server}
[ $policy = NONE ] || all_policy_chains="$all_policy_chains $chain"
eval ${chain}_is_policy=Yes
@ -1456,28 +1467,19 @@ setup_mac_lists() {
#
for interface in $maclist_interfaces; do
chain=`mac_chain $interface`
blob=`ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;'`
blob=`ip link show $interface 2> /dev/null`
[ -z "$blob" ] && \
fatal_error "Interface $interface must be up before Shorewall can start"
set -- $blob
while [ $# -gt 0 ]; do
address=${1%/*}
case $1 in
*/32)
;;
*)
run_iptables -A $chain -s $address -d $2 -j RETURN
shift
;;
esac
ip -f inet addr show $interface 2> /dev/null | grep inet | sed 's/inet //; s/brd //; s/scope.*//;' | while read address broadcast; do
if [ -n "$broadcast" ]; then
run_iptables -A $chain -s ${address%/*} -d $broadcast -j RETURN
fi
run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN
run_iptables -A $chain -s $address -d 224.0.0.0/4 -j RETURN
shift
done
if [ -n "$MACLIST_LOG_LEVEL" ]; then
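Review bot: In the rewritten loop `address` still carries the prefix length (the sed keeps tokens of the form 10.1.1.1/24), so "run_iptables -A $chain -s $address -d 255.255.255.255 -j RETURN" and the 224.0.0.0/4 rule now match the whole attached subnet as source, whereas the old code stripped the prefix ("address=${1%/*}") and matched only the interface's own address; use `${address%/*}` in those two rules as the broadcast rule already does, or, if widening to the subnet is intended, say so in a comment. Separately, replacing the address-based probe with "blob=`ip link show $interface 2> /dev/null`" weakens the "must be up" check: `ip link show` succeeds for a device that exists but is down or has no IPv4 address, so `fatal_error` now fires only for an unknown interface and the `while read` loop quietly adds no rules in the other cases.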
@ -2396,6 +2398,7 @@ add_a_rule()
case $proto in
tcp|TCP|6)
do_ports
[ "$target" = QUEUE ] && proto="$proto --syn"
;;
udp|UDP|17)
do_ports
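Review bot: "[ "$target" = QUEUE ] && proto="$proto --syn"" smuggles an iptables match option into the `proto` variable, which only works because `$proto` is expanded unquoted at the point of use and will break the first time that variable is quoted, logged or compared against a protocol name; carry the extra match in its own variable alongside what `do_ports` produces, and add a comment that the SYN-only restriction is deliberate for ftwall compatibility, as the release notes state.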
@ -2885,7 +2888,7 @@ process_rules()
while read xtarget xclients xservers xprotocol xports xcports xaddress xratelimit xuserset; do
temp="${xtarget%:*}"
case "${temp%<*}" in
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE)
ACCEPT|DROP|REJECT|DNAT|DNAT-|REDIRECT|REDIRECT-|LOG|CONTINUE|QUEUE)
expandv xclients xservers xprotocol xports xcports xaddress xratelimit xuserset
if [ "x$xclients" = xall ]; then
@ -3594,9 +3597,11 @@ setup_blacklist() {
createchain blacklst no
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
for interface in $interfaces; do
for chain in `first_chains $interface`; do
run_iptables -A $chain -j blacklst
run_iptables -A $chain $state -j blacklst
done
echo " Blacklisting enabled on $interface"
@ -3915,13 +3920,15 @@ initialize_netfilter () {
fi
fi
[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=
echo "Creating Interface Chains..."
for interface in $all_interfaces; do
createchain `forward_chain $interface` no
run_iptables -A `forward_chain $interface` -j dynamic
run_iptables -A `forward_chain $interface` $state -j dynamic
createchain `input_chain $interface` no
run_iptables -A `input_chain $interface` -j dynamic
run_iptables -A `input_chain $interface` $state -j dynamic
done
}
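Review bot: The line "[ -n "$BLACKLISTNEWONLY" ] && state="-m state --state NEW" || state=" is now computed identically here and in `setup_blacklist`; derive it once in `do_initialize` next to where `BLACKLISTNEWONLY` is read (a `BLACKLIST_STATE` variable, say) so the two jump points into `blacklst` and `dynamic` cannot drift apart, and note at that single place that `$state` is intentionally expanded unquoted so an empty value contributes no argument.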
@ -4191,6 +4198,7 @@ add_common_rules() {
if [ -n "$interfaces" ]; then
echo "Setting up ARP Filtering..."
for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/arp_filter
if [ -f $file ]; then
@ -4204,28 +4212,28 @@ add_common_rules() {
#
# Route Filtering
#
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
interfaces="`find_interfaces_by_option routefilter`"
if [ -n "$interfaces" -o -n "$ROUTE_FILTER" ]; then
echo "Setting up Kernel Route Filtering..."
if [ -n "$ROUTE_FILTER" ]; then
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
else
for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/rp_filter
if [ -f $file ]; then
echo 1 > $file
else
error_message \
"Warning: Cannot set route filtering on $interface"
fi
done
fi
for f in /proc/sys/net/ipv4/conf/*/rp_filter; do
echo 0 > $f
done
for interface in $interfaces; do
file=/proc/sys/net/ipv4/conf/$interface/rp_filter
if [ -f $file ]; then
echo 1 > $file
else
error_message \
"Warning: Cannot set route filtering on $interface"
fi
done
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
[ -n "$ROUTE_FILTER" ] && echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
run_ip route flush cache
fi
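Review bot: Two behaviour changes here deserve a comment in the code. First, "echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter" is now written unconditionally inside the `if`, which is what makes a per-interface `routefilter` take effect on kernels where the effective setting is conf/all AND the per-interface value (2.4 and early 2.6); that is the fix, but it also means the first interface with `routefilter` flips the global knob, so document it. Second, the "echo 0 > $f" reset loop moved inside the `if`, so once an admin removes the last `routefilter` option with ROUTE_FILTER=No, the previous 1 values stay in /proc until reboot, whereas the old code cleared them on every start; move the reset back out of the `if` (or clear in an `else` branch) to keep restarts idempotent.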
#
# IP Forwarding
@ -4422,7 +4430,13 @@ activate_rules()
for host1 in $dest_hosts; do
interface1=${host1%:*}
subnet1=${host1#*:}
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
if [ `list_count1 $source_hosts` -eq 1 -a "$source_hosts" = "$host1" ]; then
if list_search $host1 $routeback; then
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
fi
else
run_iptables -A $frwd_chain -o $interface1 -d $subnet1 -j $chain
fi
done
else
for host in $source_hosts; do
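Review bot: In "if [ `list_count1 $source_hosts` -eq 1 -a "$source_hosts" = "$host1" ]; then" the count test is redundant: `$host1` is a single whitespace-free token, so the string comparison can only be true when the list has exactly one element. Dropping it removes a backtick subshell per destination host, and the duplicated `run_iptables` line could then collapse to a single "if [ "$source_hosts" != "$host1" ] || list_search $host1 $routeback; then ... fi". The intent (only add the intra-interface rule for a wildcard interface when `routeback` was requested) deserves a one-line comment, since the release notes are currently the only place it is explained.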
@ -5042,6 +5056,7 @@ do_initialize() {
LOGFORMAT=
LOGRULENUMBERS=
ADMINISABSENTMINDED=
BLACKLISTNEWONLY=
stopping=
have_mutex=
@ -5191,6 +5206,7 @@ do_initialize() {
LOGFORMAT="Shorewall:%s:%s:"
fi
ADMINISABSENTMINDED=`added_param_value_no ADMINISABSENTMINDED $ADMINISABSENTMINDED`
BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`
#
# Strip the files that we use often
#

View File

@ -425,6 +425,9 @@ chain_base() #$1 = interface
*.*)
c="${c%.*}_${c##*.}"
;;
*-*)
c="${c%-*}_${c##*-}"
;;
*)
echo ${c:=common}
return
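Review bot: With the new "*-*)" arm, `chain_base` folds both "." and "-" to "_", so two distinct names such as eth0.1 and eth0-1 map to the same base and therefore to the same `exists_eth0_1` variable and the same `${iface}_zone`/`${iface}_options` variables; since accounting chain names may now contain dashes, such a collision would make `havechain` report a chain as existing when only its twin was created. Either reject colliding names during validation or document that `chain_base` is not one-to-one and that the admin is responsible for avoiding such pairs.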

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.7b
VERSION=1.4.8
usage() # $1 = exit status
{

View File

@ -43,7 +43,9 @@
# with this SOURCE and DEST in the
# /etc/shorewall/rules file. If such a
# packet _is_ received, the result is
# undefined.
# undefined. NONE may not be used if the
# SOURCE or DEST columns contain the
# firewall zone ($FW) or "all".
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no

View File

@ -1,6 +1,6 @@
This is a bugfix release of Shorewall.
This is a minor release of Shorewall.
Problems Corrected since version 1.4.6:
Problems Corrected since version 1.4.7:
1) Tuomo Soini has supplied a correction to a problem that occurs using
some versions of 'ash'. The symptom is that "shorewall start" fails
@ -39,12 +39,77 @@ Problems Corrected since version 1.4.6:
7) The original fix for item 5) above contained a bug which caused the
"<zone>_frwd" chain to have too few rules. That has been corrected
(twice).
(twice).
8) An incorrect comment concerning Debian's use of the SYBSYSLOCK
option has been removed from shorewall.conf.
9) Previously, neither the 'routefilter' interface option nor the
ROUTE_FILTER parameter were working properly. This has been
corrected (thanks to Eric Bowles for his patch). The definition
of the ROUTE_FILTER option has changed however. Previously,
ROUTE_FILTER=Yes was documented as enabling route filtering on all
interfaces (which didn't work). Beginning with this release, setting
ROUTE_FILTER=Yes will enable route filtering of all interfaces
brought up while Shorewall is started. As a consequence,
ROUTE_FILTER=Yes can coexist with the use of the 'routefilter'
option in the interfaces file.
10) If MAC verification was enabled on an interface that had a /32
address with a broadcast address then an error would occur during
startup.
11) The NONE policy's intended use is to suppress the generating of
rules that can't possibly be traversed. This means that a policy of
NONE is inappropriate where the source or destination zone is
$FW. Shorewall now generates an error message if such a policy is
given in /etc/shorewall/policy. Previously such a policy caused
"shorewall start" to fail.
12) The 'routeback' option was broken for wildcard interfaces (e.g.,
"tun+"). This has been corrected so that 'routeback' now works as
expected in this case.
Migration Issues:
None.
1. The definition of the ROUTE_FILTER option in shorewall.conf has
changed as described in item 9) above.
New Features:
None.
1. A new QUEUE action has been introduced for rules. QUEUE allows you
to pass connection requests to a user-space filter such as ftwall
(http://p2pwall.sourceforge.net). The ftwall program allows for
effective filtering of p2p applications such as Kazaa.
For example, to use ftwall to filter P2P clients in your 'loc' zone,
you would add the following rules:
QUEUE loc net tcp
QUEUE loc net udp
QUEUE loc fw udp
You would normally want to place those three rules BEFORE any ACCEPT
rules for loc->net or loc->fw udp or tcp.
Note: When the protocol specified is TCP ("tcp", "TCP" or "6"),
Shorewall will only pass connection requests (SYN packets) to user
space. This is for compatibility with ftwall.
2. A BLACKLISTNEWNONLY option has been added to shorewall.conf. When
this option is set to "Yes", the blacklists (dynamic and static)
are only consulted for new connection requests. When set to "No"
(the default if the variable is not set), the blacklists are
consulted on every packet.
Setting this option to "No" allows blacklisting to stop existing
connections from a newly blacklisted host but is more expensive in
terms of packet processing time. This is especially true if the
blacklists contain a large number of entries.
3. Chain names used in the /etc/shorewall/accounting file may now begin
with a digit ([0-9]) and may contain embedded dashes ("-").
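Review bot: Item 2 under New Features names the option "BLACKLISTNEWNONLY", but the code ("BLACKLISTNEWONLY=`added_param_value_no BLACKLISTNEWONLY $BLACKLISTNEWONLY`") and shorewall.conf spell it BLACKLISTNEWONLY; a user who copies the release-notes spelling into shorewall.conf silently gets the default instead of the feature. Item 11 documents only the $FW restriction on the NONE policy, while `validate_policy` and the policy-file comment also reject NONE when SOURCE or DEST is "all"; add that second case. Finally, "Previously such a policy caused "shorewall start" to fail" reads as though it no longer fails; say instead that the failure is now an explicit `startup_error` naming the offending policy line.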

View File

@ -46,6 +46,8 @@
# to the rules defined for that
# (those) zone(s).
# LOG -- Simply log the packet and continue.
# QUEUE -- Queue the packet to a user-space
# application such as p2pwall.
#
# You may rate-limit the rule by optionally
# following ACCEPT, DNAT[-], REDIRECT[-] or LOG with
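Review bot: The new "QUEUE -- Queue the packet to a user-space application such as p2pwall." entry is immediately followed by "You may rate-limit the rule by optionally following ACCEPT, DNAT[-], REDIRECT[-] or LOG", which now leaves QUEUE unmentioned even though `process_rules` strips a "<...>" suffix before matching the target; state explicitly whether QUEUE<...> is supported. Also settle on one name for the example filter: the release notes call the program ftwall (from p2pwall.sourceforge.net) while this comment says p2pwall.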

View File

@ -202,9 +202,8 @@ SHOREWALL_SHELL=/bin/sh
# SUBSYSTEM LOCK FILE
#
# Set this to the name of the lock file expected by your init scripts. For
# RedHat, this should be /var/lock/subsys/shorewall. On Debian, it
# should be /var/state/shorewall. If your init scripts don't use lock files,
# set this to "".
# RedHat, this should be /var/lock/subsys/shorewall. If your init scripts don't
# use lock files, set this to "".
#
SUBSYSLOCK=/var/lock/subsys/shorewall
@ -350,11 +349,12 @@ CLAMPMSS=No
# ROUTE FILTERING
#
# Set this variable to "Yes" or "yes" if you want kernel route filtering on all
# interfaces (anti-spoofing measure).
# interfaces started while Shorewall is started (anti-spoofing measure).
#
# If this variable is not set or is set to the empty value, "No" is assumed.
# In that case, you can still enable route filtering on individual interfaces
# in the /etc/shorewall/interfaces file.
# Regardless of the setting of ROUTE_FILTER, you can still enable route filtering
# on individual interfaces using the 'routefilter' option in the
# /etc/shorewall/interfaces file.
ROUTE_FILTER=No
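Review bot: "interfaces started while Shorewall is started" is ambiguous; what the code does is write 1 to /proc/sys/net/ipv4/conf/default/rp_filter, which only affects interfaces created after that point, while interfaces that already exist keep their per-interface value (reset to 0 unless they carry 'routefilter'). Say that directly: with ROUTE_FILTER=Yes, interfaces brought up after Shorewall starts are filtered; interfaces present at start time still need the 'routefilter' option in /etc/shorewall/interfaces.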
@ -463,6 +463,28 @@ NEWNOTSYN=No
#
ADMINISABSENTMINDED=Yes
#
# BLACKLIST Behavior
#
# Shorewall offers two types of blacklisting:
#
# - static blacklisting through the /etc/shorewall/blacklist file together
# with the 'blacklist' interface option.
# - dynamic blacklisting using the 'drop', 'reject' and 'allow' commands.
#
# The following variable determines whether the blacklist is checked for each
# packet or for each new connection.
#
# BLACKLISTNEWONLY=Yes Only consult blacklists for new connection
# requests
#
# BLACKLISTNEWONLY=No Consult blacklists for all packets.
#
# If the BLACKLISTNEWONLY option is not set or is set to the empty value then
# BLACKLISTNEWONLY=No is assumed.
#
BLACKLISTNEWONLY=Yes
################################################################################
# P A C K E T D I S P O S I T I O N
################################################################################
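Review bot: The shipped value "BLACKLISTNEWONLY=Yes" differs from the documented fallback ("If the BLACKLISTNEWONLY option is not set or is set to the empty value then BLACKLISTNEWONLY=No is assumed"), so a fresh install and an upgrade that keeps its old shorewall.conf behave differently; either ship No to match the fallback or state here that Yes is the recommended setting. The comment should also carry the trade-off the release notes spell out: with Yes, "shorewall drop" or "reject" against a host that already has an established connection does not cut that connection, only new ones.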

View File

@ -1,5 +1,5 @@
%define name shorewall
%define version 1.4.7b
%define version 1.4.8
%define release 1
%define prefix /usr
@ -108,10 +108,12 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Fri Oct 24 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7b-1
* Tue Oct 21 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7a-1
* Fri Nov 07 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.8
* Sat Nov 01 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.8-0RC2
* Thu Oct 30 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.8-0RC1
* Sat Oct 04 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.7-1
- Removed conflict with 2.2 Kernels

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.7b
VERSION=1.4.8
usage() # $1 = exit status
{