extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-22 13:39:06 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.4.6

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-07-19 15:07:31 +00:00
parent afd7840558
commit e80d8ca732
15 changed files with 4816 additions and 4538 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

462
Shorewall-docs/CorpNetwork.htm
View File

@ -1,293 +1,281 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
<title>Corporate Shorewall Configuration</title>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Corporate Shorewall Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Graeme Boyle">
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
<meta content="FrontPage.Editor.Document" name="ProgId">
<meta content="none" name="Microsoft Theme">
<meta content="Graeme Boyle" name="author">
</head>
<body>
<script><!--
function PrivoxyWindowOpen(){return(null);}
//--></script>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
//--></script>
<table id="AutoNumber1" style="border-collapse: collapse;" height="90"
cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
border="0">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and
Internal Servers</font></h1>
</td>
</tr>
</tbody>
Internal Servers</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote> </blockquote>
<blockquote></blockquote>
<h1>Corporate Network</h1>
<p><font size="4" color="#ff0000"><b>Notes</b></font><big><font
<p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
color="#ff0000"><b>:</b></font></big></p>
<blockquote>
<blockquote>
<ul>
<li><b>This configuration is used on a corporate network that
has a Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</b></li>
<li><b>Make sure you know what public IP addresses are currently
being used and verify these </b><i>before</i><b> starting.</b></li>
<li><b>Verify you DNS settings </b><i>before</i><b> starting any
Shorewall configuration especially if you have split DNS.</b></li>
<li><b>System names and Internet IP addresses have been changed
to protect the innocent.</b></li>
<li><b>This configuration is used on a corporate network that has a
Linux (RedHat 8.0) server with three interfaces, running Shorewall 1.4.5
release,</b> </li>
<li><b>Make sure you know what public IP addresses are currently being
used and verify these </b><i>before</i><b> starting.</b> </li>
<li><b>Verify your DNS settings </b><i>before</i><b> starting any Shorewall
configuration especially if you have split DNS.</b> </li>
<li><b>System names and Internet IP addresses have been changed to protect
the innocent.</b> </li>
</ul>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This configuration
uses a combination of Static NAT and Proxy ARP. This is generally not
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see
here won't apply to your setup so beware of copying parts of this
configuration and expecting them to work for you. What you copy may
or may not work in your configuration.<br>
</small></b></big><br>
</p>
<p> I have a T1 with 64 static IP addresses (63.123.106.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
have an IPSec tunnel connecting our offices in Germany to our offices
in the US. I host two Microsoft Exchange servers for two different companies
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
configuration uses a combination of Static NAT and Proxy ARP. This is
generally not relevant to a simple configuration with a single public IP
address.</small></b></big><big><b><small> If you have just a single public
IP address, most of what you see here won't apply to your setup so beware
of copying parts of this configuration and expecting them to work for
you. What you copy may or may not work in your configuration.<br>
</small></b></big><br>
</p>
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
an IPSec tunnel connecting our offices in Germany to our offices in the
US. I host two Microsoft Exchange servers for two different companies
behind the firewall hence, the two Exchange servers in the diagram below.</p>
<p> Summary:<br>
</p>
<p>Summary:<br>
</p>
<ul>
<li>SNAT for all systems connected to the LAN
- Internal addresses 10.10.x.x to external address 63.123.106.127.</li>
<li>Static NAT for <i>Polaris</i> (Exchange Server
#2). Internal address 10.10.1.8 and external address 63.123.106.70.</li>
<li>Static NAT for <i>Sims</i> (Inventory Management server).
Internal address 10.10.1.56 and external address 63.123.106.75.<br>
</li>
<li>Static NAT for <i>Project</i> (Project Web
Server). Internal address 10.10.1.55 and external
address 63.123.106.84.</li>
<li>Static NAT for <i>Fortress</i> (Exchange
Server). Internal address 10.10.1.252 and external
address 63.123.106.93.</li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server).
Internal address 10.10.1.230 and external address
63.123.106.97.</li>
<li>Static NAT for <i>Intweb</i> (Intranet Web
Server). Internal address 10.10.1.60 and external
address 63.123.106.115.</li>
<li>SNAT for all systems connected to the LAN - Internal addresses 10.10.x.x
to external address 192.0.18.127. </li>
<li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address
10.10.1.8 and external address 192.0.18.70. </li>
<li>Static NAT for <i>Sims</i> (Inventory Management server). Internal
address 10.10.1.56 and external address 192.0.18.75.<br>
</li>
<li>Static NAT for <i>Project</i> (Project Web Server). Internal address
10.10.1.55 and external address 192.0.18.84. </li>
<li>Static NAT for <i>Fortress</i> (Exchange Server). Internal address
10.10.1.252 and external address 192.0.18.93. </li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal address
10.10.1.230 and external address 192.0.18.97. </li>
<li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address
10.10.1.60 and external address 192.0.18.115. </li>
</ul>
<p> The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
RH8.0.</p>
<p> The Firewall is also a proxy server running Privoxy 3.0.</p>
<p> The single system in the DMZ (address 63.123.106.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0).
That server is managed through Proxy ARP.</p>
<p> All administration and publishing is done using ssh/scp. I have X installed
on the firewall and the system in the DMZ. X applications tunnel
through SSH to Hummingbird Exceed running on a PC located in the LAN.
Access to the firewall using SSH is restricted to systems in the LAN, DMZ
or the system Kaos which is on the Internet and managed by me.</p>
<p align="center"> <img border="0"
src="images/CorpNetwork.gif" width="770" height="1000"
alt="(Corporate Network Diagram)">
</p>
<p> </p>
<p>The Ethernet 0 interface in the Server is configured with IP
address 63.123.106.68, netmask 255.255.255.192. The server's default
gateway is 63.123.106.65, the Router connected to my network and
the ISP. This is the same default gateway used by the firewall
itself. On the firewall, Shorewall automatically
adds a host route to 63.123.106.80 through Ethernet
2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
RH8.0.</p>
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail, imap,
pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). That
server is managed through Proxy ARP.</p>
<p>All administration and publishing is done using ssh/scp. I have X installed
on the firewall and the system in the DMZ. X applications tunnel through
SSH to Hummingbird Exceed running on a PC located in the LAN. Access to
the firewall using SSH is restricted to systems in the LAN, DMZ or the
system Kaos which is on the Internet and managed by me.</p>
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
src="images/CorpNetwork.gif" width="770" border="0">
</p>
<p></p>
<p>The Ethernet 0 interface in the Server is configured with IP address
192.0.18.68, netmask 255.255.255.192. The server's default gateway is
192.0.18.65, the Router connected to my network and the ISP. This is the
same default gateway used by the firewall itself. On the firewall, Shorewall
automatically adds a host route to 192.0.18.80 through Ethernet 2 (192.168.21.1)
because of the entry in /etc/shorewall/proxyarp (see below). I modified
the start, stop and init scripts to include the fixes suggested when having
an IPSec tunnel.</p>
<p><b>Some Mistakes I Made:</b></p>
<p>Yes, believe it or not, I made some really basic mistakes when building
this firewall. Firstly, I had the new firewall setup in parallel with
this firewall. Firstly, I had the new firewall setup in parallel with
the old firewall so that there was no interruption of service to my users.
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the
outside, these would fail and I could not understand why. Eventually,
I changed the default route on the internal system I was trying to access,
to point to the new firewall and "bingo", everything worked as expected.
This oversight delayed my deployment by a couple of days not to mention
level of frustration it produced. </p>
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the
outside, these would fail and I could not understand why. Eventually,
I changed the default route on the internal system I was trying to access,
to point to the new firewall and "bingo", everything worked as expected.
This oversight delayed my deployment by a couple of days not to mention
level of frustration it produced. </p>
<p>Another problem that I encountered was in setting up the Proxyarp system
in the DMZ. Initially I forgot to remove the entry for the eth2 from
the /etc/shorewall/masq file. Once my file settings were correct, I started
verifying that the ARP caches on the firewall, as well as the outside
system "kaos", were showing the correct Ethernet MAC address. However,
in testing remote access, I could access the system in the DMZ only from
the firewall and LAN but not from the Internet. The message I received
was "connection denied" on all protocols. What I did not realize was that
a "helpful" administrator that had turned on an old system and assigned
the same address as the one I was using for Proxyarp without notifying
me. How did I work this out. I shutdown the system in the DMZ, rebooted
the router and flushed the ARP cache on the firewall and kaos. Then, from
kaos, I started pinging that IP address and checked the updated ARP cache
and lo-and-behold a different MAC address showed up. High levels of frustration
etc., etc. The administrator will <i>not</i> be doing that again! :-)</p>
in the DMZ. Initially I forgot to remove the entry for the eth2 from the
/etc/shorewall/masq file. Once my file settings were correct, I started
verifying that the ARP caches on the firewall, as well as the outside
system "kaos", were showing the correct Ethernet MAC address. However,
in testing remote access, I could access the system in the DMZ only from
the firewall and LAN but not from the Internet. The message I received
was "connection denied" on all protocols. What I did not realize was that
a "helpful" administrator that had turned on an old system and assigned
the same address as the one I was using for Proxyarp without notifying
me. How did I work this out. I shutdown the system in the DMZ, rebooted
the router and flushed the ARP cache on the firewall and kaos. Then, from
kaos, I started pinging that IP address and checked the updated ARP cache
and lo-and-behold a different MAC address showed up. High levels of frustration
etc., etc. The administrator will <i>not</i> be doing that again! :-)</p>
<p><b>Lessons Learned:</b></p>
<ul>
<li>Read the documentation.</li>
<li>Draw your network topology before starting.</li>
<li>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note
of these port numbers.</li>
<li>Try to get quiet time to build the firewall - you need to focus
on the job at hand.</li>
<li>When asking for assistance, be honest and include as much detail
as requested. Don't try and hide IP addresses etc., you will probably
screw up the logs and make receiving assistance harder.</li>
<li>Read the documentation.</li>
<li>Read the documentation. </li>
<li>Draw your network topology before starting. </li>
<li>Understand what services you are going to allow in and out of the
firewall, whether they are TCP or UDP packets and make a note of these
port numbers. </li>
<li>Try to get quiet time to build the firewall - you need to focus on
the job at hand. </li>
<li>When asking for assistance, be honest and include as much detail
as requested. Don't try and hide IP addresses etc., you will probably
screw up the logs and make receiving assistance harder. </li>
<li>Read the documentation. </li>
</ul>
<p><b>Futures:</b></p>
<p>This is by no means the final configuration. In the near future, I will
be moving more systems from the LAN to the DMZ. I will also be watching
the logs for port scan programs etc. but, this should be standard security
maintenance.</p>
be moving more systems from the LAN to the DMZ. I will also be watching
the logs for port scan programs etc. but, this should be standard security
maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal
documentation for the purpose of this space however, my system still has
the original files with all the comments and I highly recommend you do
the same.</p>
</blockquote>
the same.</p>
</blockquote>
<h3>Shorewall.conf</h3>
<blockquote>
<blockquote>
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
</blockquote>
</blockquote>
<h3>Zones File</h3>
<blockquote>
<blockquote>
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
face="Courier" size="2"><br></font></pre>
</blockquote>
</blockquote>
<h3>Interfaces File: </h3>
<blockquote>
<p> ##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</p>
</blockquote>
<blockquote>
<p>##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
</blockquote>
<h3>Routestopped File:</h3>
<blockquote>
<blockquote>
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
face="Courier" size="2"> </font></pre>
</blockquote>
</blockquote>
<h3>Policy File:</h3>
<blockquote>
<blockquote>
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
</blockquote>
<h3>Masq File: </h3>
<blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 163.123.106.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>NAT File: </h3>
<blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>63.123.106.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>63.123.106.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>63.123.106.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>63.123.106.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>63.123.106.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>63.123.106.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>Proxy ARP File:</h3>
<blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>63.123.106.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote>
<blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote>
<h3>Tunnels File:</h3>
<blockquote>
<blockquote>
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
<blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:63.123.106.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
</blockquote>
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
<blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<h3>Start File:</h3>
<blockquote>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
</blockquote>
</blockquote>
<h3>Stop File:</h3>
<blockquote>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
</blockquote>
</blockquote>
<h3>Init File:</h3>
<blockquote>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
</blockquote>
<p><font size="2">Last updated 7/16/2003</font>
</blockquote>
<p><font size="2">Last updated 7/16/2003</font>
<script><!--
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
//</script><br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
Graeme Boyle</a></small><br>
</p>
<br>
//</script>
<br>
</p>
<p><small><a
href="file:///C:/Documents%20and%20Settings/Graeme%20Boyle/Local%20Settings/Temporary%20Internet%20Files/OLKD/GnuCopyright.htm">Copyright
2003 Thomas M. Eastep and Graeme Boyle</a></small><br>
</p>
<br>
</body>
</html>

5468
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

922
Shorewall-docs/Shorewall_Squid_Usage.html
View File

@ -2,411 +2,372 @@
<html>
<head>
<title>Shorewall Squid Usage</title>
<meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep">
</head>
<body>
<table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#3366ff">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#3366ff"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td>
<td valign="middle" height="90" align="center"
width="34%">
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
<h1> </h1>
</td>
<td valign="middle" height="90" width="33%"
align="right"><a href="http://www.squid-cache.org/"><img
src="images/cache_now.gif" alt="" width="100" height="31" hspace="4">
</a><br>
</td>
</tr>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<br>
<img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the
files /etc/shorewall/start and /etc/shorewall/init -- if you don't have
those files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
zone or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP
addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
your Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on port
3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case,
you must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to
a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on
port 3128. Your local interface is eth1. There may also be a web server
running on 192.168.1.3. It is assumed that web access is already enabled
from the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
<td valign="middle" width="33%" bgcolor="#3366ff"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
<td valign="middle" height="90" align="center"
width="34%">
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
<h1> </h1>
</td>
<td valign="middle" height="90" width="33%"
align="right"><a href="http://www.squid-cache.org/"><img
src="images/cache_now.gif" alt="" width="100" height="31" hspace="4">
</a><br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<br>
<img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the
files /etc/shorewall/start and /etc/shorewall/init -- if you don't have
those files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
zone or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets
being routed to the Squid server still have their original destination
IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
your Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your
own http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on
port 3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests
to a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on
port 3128. Your local interface is eth1. There may also be a web server
running on 192.168.1.3. It is assumed that web access is already enabled
from the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/rules:<br>
<br>
<br>
</li>
<li>In /etc/shorewall/rules:<br>
<br>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>ACCEPT<br>
</td>
<td>loc</td>
<td>loc<br>
</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td><br>
</td>
</tr>
</tbody>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have
the following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have
the following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote>
</blockquote>
<ul>
<li>On 192.168.1.3, arrange for the following command to
<li>On 192.168.1.3, arrange for the following command to
be executed after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote>
<blockquote>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command
above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.<br>
You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote>
</blockquote>
<ul>
<li>&nbsp;Do<b> one </b>of the following:<br>
<br>
A) In /etc/shorewall/start add<br>
</li>
<li>&nbsp;Do<b> one </b>of the following:<br>
<br>
A) In /etc/shorewall/start add<br>
</li>
</ul>
<blockquote>
<blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in
/etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
</blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
@ -424,7 +385,7 @@ Your DMZ interface is eth1 and your local interface is eth2.<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
@ -437,106 +398,147 @@ Your DMZ interface is eth1 and your local interface is eth2.<br>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</tbody>
</table>
</blockquote>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in
/etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<ul>
<li>In /etc/shorewall/rules, you will need:</li>
<li>In /etc/shorewall/rules, you will need:</li>
</ul>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
<tbody>
<tr>
<td valign="top">ACTION<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DEST<br>
</td>
<td valign="top">PROTO<br>
</td>
<td valign="top">DEST<br>
PORT(S)<br>
</td>
<td valign="top">CLIENT<br>
PORT(2)<br>
</td>
<td valign="top">ORIGINAL<br>
DEST<br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
<tr>
<td valign="top">ACCEPT<br>
</td>
<td valign="top">dmz<br>
</td>
<td valign="top">net<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for
the following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
<br>
</blockquote>
<blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for
the following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command
above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
</blockquote>
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<p><font size="-1"> Updated 6/27/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<p><font size="-1"> Updated 7/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
<a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
<br>
</body>
</html>

166
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -1,153 +1,147 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td
width="100%" height="90">
<tbody>
<tr>
<td
width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td
width="100%" bgcolor="#ffffff">
</td>
</tr>
<tr>
<td
width="100%" bgcolor="#ffffff">
<ul>
<li> <a
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
<li>
<a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
<li> <a
href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="1.3"
target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
</li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a
<li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a
<li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a
<li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl"
<li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net"
<li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br"
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br>
</li>
<li><a
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</li>
</ul>
</li>
</li>
</ul>
<ul>
<li> <a
<li> <a
href="News.htm">News Archive</a></li>
<li> <a
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li>GSLUG Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</p>
</body>
</html>

179
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -1,151 +1,144 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base
target="main">
<base
target="main">
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"
height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<tbody>
<tr>
<td
width="100%" height="90">
<li> <b><a
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td
width="100%" bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
<li> <a href="FAQ.htm">FAQs</a></li>
<li><a
href="useful_links.html">Useful Links</a><br>
</li>
<li> <a
</li>
<li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a
<li> <a
href="errata.htm">Errata</a></li>
<li> <a
<li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a
href="support.htm">Getting help or Answers to Questions</a>
</li>
<li><a
<li> <a
href="support.htm">Getting help or Answers to Questions</a>
</li>
<li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
</li>
<li><a
href="shorewall_mirrors.htm">Mirrors</a>
<ul>
<li><a
<li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a
<li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a
<li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top"
<li><a target="_top"
href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl"
<li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com"
<li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net"
<li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br"
<li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br>
</li>
<li><a
</li>
<li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li>
</li>
</ul>
</li>
</li>
</ul>
<ul>
<li> <a
<li> <a
href="News.htm">News Archive</a></li>
<li> <a
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li>GSLUG Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li> <a
<li> <a
href="shoreline.htm">About the Author</a></li>
<li> <a
<li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</tbody>
</td>
</tr>
</tbody>
</table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</p>
</body>
</html>

BIN
Shorewall-docs/images/CorpNetwork.gif
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 48 KiB

After

Width:  |  Height:  |  Size: 48 KiB

BIN
Shorewall-docs/images/Logo1.png
View File

Binary file not shown.

BIN
Shorewall-docs/images/Thumbs.db
View File

Binary file not shown.

770
Shorewall-docs/seattlefirewall_index.htm
View File

@ -3,91 +3,93 @@
<head>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self">
<base target="_self">
</head>
<body>
<table cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#3366ff">
<tbody>
<tbody>
<tr>
<tr>
<td width="33%" height="90"
<td width="33%" height="90"
valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0">
</a></td>
<td valign="middle" width="34%" align="center"
bgcolor="#ffffff">
</a></td>
<td valign="middle" width="34%" align="center"
bgcolor="#3366ff">
<div align="center">
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="341" height="80">
</div>
</td>
<td valign="middle" width="33%">
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
</div>
</td>
<td valign="middle" width="33%">
<h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1>
<br>
</td>
</tr>
</a></h1>
<br>
</td>
</tr>
</tbody>
</tbody>
</table>
<div align="center">
<div align="center">
<div align="center"> </div>
<center>
<center>
<div align="center"> </div>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody>
<tbody>
<tr>
<tr>
<td width="90%">
<td width="90%">
<div align="center">
<br>
</div>
</div>
<h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
@ -96,37 +98,39 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
Foundation.<br>
<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
This program is distributed
in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more
details.<br>
<br>
<br>
You should have received a copy
of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
You should have received a
copy of the GNU General Public License
along with this program; if not,
write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -137,449 +141,479 @@ General Public License</a> as published by the Free Software
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
<li>The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
</li>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely match your environment and follow the step
by step instructions.<br>
New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely match your environment and follow the
step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will
not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
for details.<br>
If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider uninstalling
what you have and installing a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<h2>News</h2>
<ol>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.<br>
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<blockquote><b><a
href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
ftp://shorewall.net/pub/shorewall/testing</a><br>
</b></blockquote>
<br>
</b></p>
<blockquote> </blockquote>
<p><b>Problems Corrected:</b><br>
</p>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in
the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have
been removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br>
</p>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than
the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has
been added. This extension is available in recent kernel/iptables releases
and allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
<li>A 'newnotsyn' interface option has been added. This
option may be specified in /etc/shorewall/interfaces and overrides the
setting NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
is enabled for address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other
than the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br>
Example:<br>
<br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension
has been added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in netfilter's
connection tracking table. Shorewall automatically detects the availability
of this extension and reports its availability in the output of the start,
restart and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
   Packet Mangling: Available<br>
   Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
<br>
Examples:<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>
      192.168.1.8/29<br>
      192.168.1.16/28<br>
      192.168.1.32/27<br>
      192.168.1.64/26<br>
      192.168.1.128/25<br>
      192.168.2.0/23<br>
      192.168.4.0/22<br>
      192.168.8.0/22<br>
      192.168.12.0/29<br>
      192.168.12.8/31<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones
file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
<li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
<br>
Examples:<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to construct
an efficient set of rules that accept connections from a range of network
addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash
or dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>
      192.168.1.8/29<br>
      192.168.1.16/28<br>
      192.168.1.32/27<br>
      192.168.1.64/26<br>
      192.168.1.128/25<br>
      192.168.2.0/23<br>
      192.168.4.0/22<br>
      192.168.8.0/22<br>
      192.168.12.0/29<br>
      192.168.12.8/31<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.<br>
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet is
REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
</li>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>New Features:<br>
</p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the
zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
</li>
</ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with
"!' then the rule will take effect only if the original destination
address in the connection request does not match any of the addresses
listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p>
</b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p>
version 1.4.4.</p>
<p><b></b></p>
<ol>
</ol>
<p><a href="News.htm">More News</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
</a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution
called <i>Bering</i> that
features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p>
</a></p>
<b>Congratulations to Jacques and Eric on
the recent release of Bering 1.2!!! </b><br>
<b>Congratulations to Jacques and Eric
on the recent release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#3366ff"
</td>
<td width="88" bgcolor="#3366ff"
valign="top" align="center">
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
<font
<font
color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong>
<strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text"
<font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p>
<font face="Arial"> <input type="hidden"
<font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form>
</form>
<p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p>
<br>
</td>
<br>
</td>
</tr>
</tr>
</tbody>
</tbody>
</table>
</center>
</center>
</div>
</div>
<table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#3366ff">
<tbody>
<tbody>
<tr>
<tr>
<td width="100%" style="margin-top: 1px;"
valign="middle">
<td width="100%"
style="margin-top: 1px;" valign="middle">
<p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="(Starlight Logo)">
</a></p>
</a></p>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you
try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
<font size="+2"> Shorewall is free but if
you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a>
Thanks!</font></font></p>
</td>
</td>
</tr>
</tr>
</tbody>
</tbody>
</table>
<p><font size="2">Updated 7/16/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>
</html>

521
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -1,332 +1,357 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br>
</font></h1>
</td>
</tr>
</tbody>
(HOWTO's)<br>
</font></h1>
</td>
</tr>
</tbody>
</table>
<p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
The French Translations are courtesy of Patrice Vetsel<br>
</p>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
in common firewall setups.</p>
<p>If you have a <font color="#ff0000"><big><big><b>single public IP address</b></big></big></font>:</p>
<blockquote>
<ul>
<li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local
network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.
If you want to learn more about Shorewall than is explained in the above
simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) is for you.</p>
</blockquote>
<p>If you have <font color="#ff0000"><big><big><b>more than one public IP
address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) outlines the steps necessary to set up
a firewall where there are <small><small><big><big>multiple
public IP addresses</big></big></small></small> involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote>
<ul>
<li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local
network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
Index Below) outlines the steps necessary to set up a firewall
where <b>there are multiple public IP addresses involved
or if you want to learn more about Shorewall than is explained
in the single-address guides above.</b></p>
<ul>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<h2><b><a name="Documentation"></a></b>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart
the <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a> described above</b>. Please review the appropriate
guide before trying to use this documentation directly.</p>
<ul>
<li><a
<li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
(e.g., eth0:0)</a><br>
</li>
<li><a href="blacklisting_support.htm">Blacklisting</a>
<ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a
</li>
<li><a
href="configuration_file_basics.htm">Common configuration file
features</a>
features</a>
<ul>
<li><a
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li>
<li><a
files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br>
</li>
<li><a
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE
Directive</a><br>
</li>
<li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a
<li><a
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a
<li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a
<li><a
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li>
<li><a
</li>
<li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li>
<li><a
or Subnet</a></li>
<li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
a test configuration)</a></li>
<li><a
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration
File Reference Manual</a>
</li>
<li><a href="Documentation.htm">Configuration
File Reference Manual</a>
<ul>
<li> <a
<li> <a
href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li>
<li><a
<li><a
href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a
<li><a
href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a
<li><a
href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a>
</li>
<li><a
<li><a
href="Documentation.htm#TOS">tos</a> </li>
<li><a
href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a
<li><a
href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a
<li><a
href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="CorpNetwork.htm">Corporate
Network Example</a> (Contributed by a Graeme Boyle)<br>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by
host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li>
<li><a href="CorpNetwork.htm">Corporate
Network Example</a> (Contributed by a Graeme Boyle)<br>
</li>
<li><font color="#000099"><a
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling
by host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code through the
use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="FAQ.htm">FAQs</a><br>
</li>
<li><a href="shorewall_features.htm">Features</a><br>
</li>
<li><a
use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="FAQ.htm">FAQs</a><br>
</li>
<li><a href="shorewall_features.htm">Features</a><br>
</li>
<li><a
href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><a href="support.htm">Getting help or answers to questions</a></li>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><font color="#000099"><a
<li><a href="support.htm">Getting help or answers to questions</a></li>
<li>Greater Seattle Linux Users Group Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a></li>
</ul>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><font color="#000099"><a
href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC
Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall
Configuration (How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC
Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li>
<li><a href="myfiles.htm">My
Shorewall Configuration (How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
<li><a href="ports.htm">Port Information</a>
<ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
</li>
<li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
</li>
<li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration
change<br>
</li>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0
Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1
IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2
Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration
change<br>
</li>
</ul>
<li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a></li>
<li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it doesn't
work)</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
<li>VPN
<li><a href="Shorewall_Squid_Usage.html">Squid as a
Transparent Proxy with Shorewall</a></li>
<li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
doesn't work)</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
<li>VPN
<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br>
</li>
<li><a href="VPN.htm">IPSEC/PPTP</a>
from a system behind your firewall to a remote network.</li>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br>
</li>
<li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br>
</li>
<li><a href="VPN.htm">IPSEC/PPTP</a>
from a system behind your firewall to a remote network.</li>
</ul>
</li>
<li><a
</li>
<li><a
href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 7/16/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 7/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
<br>
Eastep</font></a><br>
</p>
<br>
</body>
</html>

856
Shorewall-docs/sourceforge_index.htm
View File

File diff suppressed because it is too large Load Diff

2
Shorewall/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.6RC1
VERSION=1.4.6
usage() # $1 = exit status
{

2
Shorewall/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.6RC1
VERSION=1.4.6
usage() # $1 = exit status
{

4
Shorewall/shorewall.spec
View File

@ -1,6 +1,6 @@
%define name shorewall
%define version 1.4.6
%define release 0RC1
%define release 1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-1
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0RC1
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6RC1
VERSION=1.4.6
usage() # $1 = exit status
{