Shorewall-1.4.6

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2003-07-19 15:07:31 +00:00
parent afd7840558
commit e80d8ca732
15 changed files with 4816 additions and 4538 deletions


@ -1,293 +1,281 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html> <html>
<head> <head>
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
<title>Corporate Shorewall Configuration</title>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Corporate Shorewall Configuration</title>
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta content="FrontPage.Editor.Document" name="ProgId">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta content="none" name="Microsoft Theme">
<meta name="Microsoft Theme" content="none"> <meta content="Graeme Boyle" name="author">
<meta name="author" content="Graeme Boyle">
</head> </head>
<body> <body>
<script><!-- <script><!--
function PrivoxyWindowOpen(){return(null);} function PrivoxyWindowOpen(){return(null);}
//--></script> //--></script>
<table id="AutoNumber1" style="border-collapse: collapse;" height="90"
<table border="0" cellpadding="0" cellspacing="0" cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" border="0">
bgcolor="#3366ff" height="90"> <tbody>
<tbody> <tr>
<tr> <td width="100%">
<td width="100%">
<h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and <h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and
Internal Servers</font></h1> Internal Servers</font></h1>
</td> </td>
</tr> </tr>
</tbody>
</tbody>
</table> </table>
<blockquote> </blockquote> <blockquote></blockquote>
<h1>Corporate Network</h1> <h1>Corporate Network</h1>
<p><font size="4" color="#ff0000"><b>Notes</b></font><big><font <p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
color="#ff0000"><b>:</b></font></big></p> color="#ff0000"><b>:</b></font></big></p>
<blockquote> <blockquote>
<ul> <ul>
<li><b>This configuration is used on a corporate network that <li><b>This configuration is used on a corporate network that has a
has a Linux (RedHat 8.0) server with three interfaces, running Shorewall Linux (RedHat 8.0) server with three interfaces, running Shorewall 1.4.5
1.4.5 release,</b></li> release,</b> </li>
<li><b>Make sure you know what public IP addresses are currently <li><b>Make sure you know what public IP addresses are currently being
being used and verify these </b><i>before</i><b> starting.</b></li> used and verify these </b><i>before</i><b> starting.</b> </li>
<li><b>Verify you DNS settings </b><i>before</i><b> starting any <li><b>Verify your DNS settings </b><i>before</i><b> starting any Shorewall
Shorewall configuration especially if you have split DNS.</b></li> configuration especially if you have split DNS.</b> </li>
<li><b>System names and Internet IP addresses have been changed <li><b>System names and Internet IP addresses have been changed to protect
to protect the innocent.</b></li> the innocent.</b> </li>
</ul> </ul>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This configuration <p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
uses a combination of Static NAT and Proxy ARP. This is generally not configuration uses a combination of Static NAT and Proxy ARP. This is
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small> generally not relevant to a simple configuration with a single public IP
If you have just a single public IP address, most of what you see address.</small></b></big><big><b><small> If you have just a single public
here won't apply to your setup so beware of copying parts of this IP address, most of what you see here won't apply to your setup so beware
configuration and expecting them to work for you. What you copy may of copying parts of this configuration and expecting them to work for
or may not work in your configuration.<br> you. What you copy may or may not work in your configuration.<br>
</small></b></big><br> </small></b></big><br>
</p> </p>
<p> I have a T1 with 64 static IP addresses (63.123.106.65-127/26). The <p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1 internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I (10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
have an IPSec tunnel connecting our offices in Germany to our offices an IPSec tunnel connecting our offices in Germany to our offices in the
in the US. I host two Microsoft Exchange servers for two different companies US. I host two Microsoft Exchange servers for two different companies
behind the firewall hence, the two Exchange servers in the diagram below.</p> behind the firewall hence, the two Exchange servers in the diagram below.</p>
<p> Summary:<br> <p>Summary:<br>
</p> </p>
<ul> <ul>
<li>SNAT for all systems connected to the LAN <li>SNAT for all systems connected to the LAN - Internal addresses 10.10.x.x
- Internal addresses 10.10.x.x to external address 63.123.106.127.</li> to external address 192.0.18.127. </li>
<li>Static NAT for <i>Polaris</i> (Exchange Server <li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address
#2). Internal address 10.10.1.8 and external address 63.123.106.70.</li> 10.10.1.8 and external address 192.0.18.70. </li>
<li>Static NAT for <i>Sims</i> (Inventory Management server). <li>Static NAT for <i>Sims</i> (Inventory Management server). Internal
Internal address 10.10.1.56 and external address 63.123.106.75.<br> address 10.10.1.56 and external address 192.0.18.75.<br>
</li> </li>
<li>Static NAT for <i>Project</i> (Project Web <li>Static NAT for <i>Project</i> (Project Web Server). Internal address
Server). Internal address 10.10.1.55 and external 10.10.1.55 and external address 192.0.18.84. </li>
address 63.123.106.84.</li> <li>Static NAT for <i>Fortress</i> (Exchange Server). Internal address
<li>Static NAT for <i>Fortress</i> (Exchange 10.10.1.252 and external address 192.0.18.93. </li>
Server). Internal address 10.10.1.252 and external <li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal address
address 63.123.106.93.</li> 10.10.1.230 and external address 192.0.18.97. </li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). <li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address
Internal address 10.10.1.230 and external address 10.10.1.60 and external address 192.0.18.115. </li>
63.123.106.97.</li>
<li>Static NAT for <i>Intweb</i> (Intranet Web
Server). Internal address 10.10.1.60 and external
address 63.123.106.115.</li>
</ul> </ul>
<p> The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with <p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
RH8.0.</p> RH8.0.</p>
<p> The Firewall is also a proxy server running Privoxy 3.0.</p> <p>The Firewall is also a proxy server running Privoxy 3.0.</p>
<p> The single system in the DMZ (address 63.123.106.80) runs sendmail, <p>The single system in the DMZ (address 192.0.18.80) runs sendmail, imap,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). That
That server is managed through Proxy ARP.</p> server is managed through Proxy ARP.</p>
<p> All administration and publishing is done using ssh/scp. I have X installed <p>All administration and publishing is done using ssh/scp. I have X installed
on the firewall and the system in the DMZ. X applications tunnel on the firewall and the system in the DMZ. X applications tunnel through
through SSH to Hummingbird Exceed running on a PC located in the LAN. SSH to Hummingbird Exceed running on a PC located in the LAN. Access to
Access to the firewall using SSH is restricted to systems in the LAN, DMZ the firewall using SSH is restricted to systems in the LAN, DMZ or the
or the system Kaos which is on the Internet and managed by me.</p> system Kaos which is on the Internet and managed by me.</p>
<p align="center"> <img border="0" <p align="center"><img height="1000" alt="(Corporate Network Diagram)"
src="images/CorpNetwork.gif" width="770" height="1000" src="images/CorpNetwork.gif" width="770" border="0">
alt="(Corporate Network Diagram)"> </p>
</p>
<p></p>
<p> </p>
<p>The Ethernet 0 interface in the Server is configured with IP address
<p>The Ethernet 0 interface in the Server is configured with IP 192.0.18.68, netmask 255.255.255.192. The server's default gateway is
address 63.123.106.68, netmask 255.255.255.192. The server's default 192.0.18.65, the Router connected to my network and the ISP. This is the
gateway is 63.123.106.65, the Router connected to my network and same default gateway used by the firewall itself. On the firewall, Shorewall
the ISP. This is the same default gateway used by the firewall automatically adds a host route to 192.0.18.80 through Ethernet 2 (192.168.21.1)
itself. On the firewall, Shorewall automatically because of the entry in /etc/shorewall/proxyarp (see below). I modified
adds a host route to 63.123.106.80 through Ethernet the start, stop and init scripts to include the fixes suggested when having
2 (192.168.21.1) because of the entry in an IPSec tunnel.</p>
/etc/shorewall/proxyarp (see below). I modified the start, stop and
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
<p><b>Some Mistakes I Made:</b></p> <p><b>Some Mistakes I Made:</b></p>
<p>Yes, believe it or not, I made some really basic mistakes when building <p>Yes, believe it or not, I made some really basic mistakes when building
this firewall. Firstly, I had the new firewall setup in parallel with this firewall. Firstly, I had the new firewall setup in parallel with
the old firewall so that there was no interruption of service to my users. the old firewall so that there was no interruption of service to my users.
During my out-bound testing, I set up systems on the LAN to utilize the During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the firewall which worked fine. When testing my NAT connections, from the
outside, these would fail and I could not understand why. Eventually, outside, these would fail and I could not understand why. Eventually,
I changed the default route on the internal system I was trying to access, I changed the default route on the internal system I was trying to access,
to point to the new firewall and "bingo", everything worked as expected. to point to the new firewall and "bingo", everything worked as expected.
This oversight delayed my deployment by a couple of days not to mention This oversight delayed my deployment by a couple of days not to mention
level of frustration it produced. </p> level of frustration it produced. </p>
<p>Another problem that I encountered was in setting up the Proxyarp system <p>Another problem that I encountered was in setting up the Proxyarp system
in the DMZ. Initially I forgot to remove the entry for the eth2 from in the DMZ. Initially I forgot to remove the entry for the eth2 from the
the /etc/shorewall/masq file. Once my file settings were correct, I started /etc/shorewall/masq file. Once my file settings were correct, I started
verifying that the ARP caches on the firewall, as well as the outside verifying that the ARP caches on the firewall, as well as the outside
system "kaos", were showing the correct Ethernet MAC address. However, system "kaos", were showing the correct Ethernet MAC address. However,
in testing remote access, I could access the system in the DMZ only from in testing remote access, I could access the system in the DMZ only from
the firewall and LAN but not from the Internet. The message I received the firewall and LAN but not from the Internet. The message I received
was "connection denied" on all protocols. What I did not realize was that was "connection denied" on all protocols. What I did not realize was that
a "helpful" administrator that had turned on an old system and assigned a "helpful" administrator that had turned on an old system and assigned
the same address as the one I was using for Proxyarp without notifying the same address as the one I was using for Proxyarp without notifying
me. How did I work this out. I shutdown the system in the DMZ, rebooted me. How did I work this out. I shutdown the system in the DMZ, rebooted
the router and flushed the ARP cache on the firewall and kaos. Then, from the router and flushed the ARP cache on the firewall and kaos. Then, from
kaos, I started pinging that IP address and checked the updated ARP cache kaos, I started pinging that IP address and checked the updated ARP cache
and lo-and-behold a different MAC address showed up. High levels of frustration and lo-and-behold a different MAC address showed up. High levels of frustration
etc., etc. The administrator will <i>not</i> be doing that again! :-)</p> etc., etc. The administrator will <i>not</i> be doing that again! :-)</p>
<p><b>Lessons Learned:</b></p> <p><b>Lessons Learned:</b></p>
<ul> <ul>
<li>Read the documentation.</li> <li>Read the documentation. </li>
<li>Draw your network topology before starting.</li> <li>Draw your network topology before starting. </li>
<li>Understand what services you are going to allow in and out of <li>Understand what services you are going to allow in and out of the
the firewall, whether they are TCP or UDP packets and make a note firewall, whether they are TCP or UDP packets and make a note of these
of these port numbers.</li> port numbers. </li>
<li>Try to get quiet time to build the firewall - you need to focus <li>Try to get quiet time to build the firewall - you need to focus on
on the job at hand.</li> the job at hand. </li>
<li>When asking for assistance, be honest and include as much detail <li>When asking for assistance, be honest and include as much detail
as requested. Don't try and hide IP addresses etc., you will probably as requested. Don't try and hide IP addresses etc., you will probably
screw up the logs and make receiving assistance harder.</li> screw up the logs and make receiving assistance harder. </li>
<li>Read the documentation.</li> <li>Read the documentation. </li>
</ul> </ul>
<p><b>Futures:</b></p> <p><b>Futures:</b></p>
<p>This is by no means the final configuration. In the near future, I will <p>This is by no means the final configuration. In the near future, I will
be moving more systems from the LAN to the DMZ. I will also be watching be moving more systems from the LAN to the DMZ. I will also be watching
the logs for port scan programs etc. but, this should be standard security the logs for port scan programs etc. but, this should be standard security
maintenance.</p> maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal <p>Here are copies of my files. I have removed most of the internal
documentation for the purpose of this space however, my system still has documentation for the purpose of this space however, my system still has
the original files with all the comments and I highly recommend you do the original files with all the comments and I highly recommend you do
the same.</p> the same.</p>
</blockquote>
</blockquote>
<h3>Shorewall.conf</h3> <h3>Shorewall.conf</h3>
<blockquote> <blockquote>
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre> <pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N 
G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
</blockquote> </blockquote>
<h3>Zones File</h3> <h3>Zones File</h3>
<blockquote> <blockquote>
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font <pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
face="Courier" size="2"><br></font></pre> face="Courier" size="2"><br></font></pre>
</blockquote> </blockquote>
<h3>Interfaces File: </h3> <h3>Interfaces File: </h3>
<blockquote> <blockquote>
<p> ##############################################################################<br> <p>##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br> #ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br> net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br> loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br> dmz eth2 detect<br>
vpn1 ipsec0<br> vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
</p> </blockquote>
</blockquote>
<h3>Routestopped File:</h3> <h3>Routestopped File:</h3>
<blockquote> <blockquote>
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font <pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
face="Courier" size="2"> </font></pre> face="Courier" size="2"> </font></pre>
</blockquote> </blockquote>
<h3>Policy File:</h3> <h3>Policy File:</h3>
<blockquote> <blockquote>
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre> <pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote> </blockquote>
<h3>Masq File: </h3> <h3>Masq File: </h3>
<blockquote> <blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 163.123.106.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre> <pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote> </blockquote>
<h3>NAT File: </h3> <h3>NAT File: </h3>
<blockquote> <blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>63.123.106.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>63.123.106.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>63.123.106.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>63.123.106.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>63.123.106.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>63.123.106.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre> <pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote> </blockquote>
<h3>Proxy ARP File:</h3> <h3>Proxy ARP File:</h3>
<blockquote> <blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>63.123.106.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre> <pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote> </blockquote>
<h3>Tunnels File:</h3> <h3>Tunnels File:</h3>
<blockquote> <blockquote>
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre> <pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote> </blockquote>
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3> <h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
<blockquote> <blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:63.123.106.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 
-<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre> <pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 
80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote> </blockquote>
<h3>Start File:</h3> <h3>Start File:</h3>
<blockquote> <blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre> <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
</blockquote> </blockquote>
<h3>Stop File:</h3> <h3>Stop File:</h3>
<blockquote> <blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre> <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
</blockquote> </blockquote>
<h3>Init File:</h3> <h3>Init File:</h3>
<blockquote> <blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre> <pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
</blockquote> </blockquote>
<p><font size="2">Last updated 7/16/2003</font> <p><font size="2">Last updated 7/16/2003</font>
<script><!-- <script><!--
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));} function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
//</script><br> //</script>
</p> <br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
Graeme Boyle</a></small><br>
</p>
<br>
<p><small><a
href="file:///C:/Documents%20and%20Settings/Graeme%20Boyle/Local%20Settings/Temporary%20Internet%20Files/OLKD/GnuCopyright.htm">Copyright
2003 Thomas M. Eastep and Graeme Boyle</a></small><br>
</p>
<br>
</body> </body>
</html> </html>
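Review bot: The copyright link at the end of this hunk has an href beginning file:///C:/Documents%20and%20Settings/Graeme%20Boyle/Local%20Settings/Temporary%20Internet%20Files/, which is a path on the contributor's workstation. It will not resolve for any reader and it publishes a local user name and directory layout. Keep only the paragraph that uses the relative href GnuCopyright.htm and drop the duplicate. The PrivoxyWindowOpen script block just above it looks like filtering-proxy residue from a saved copy rather than page content and should be removed from the committed file as well.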

File diff suppressed because it is too large


@ -2,411 +2,372 @@
<html> <html>
<head> <head>
<title>Shorewall Squid Usage</title> <title>Shorewall Squid Usage</title>
<meta http-equiv="content-type" <meta http-equiv="content-type"
content="text/html; charset=ISO-8859-1"> content="text/html; charset=ISO-8859-1">
<meta name="author" content="Tom Eastep"> <meta name="author" content="Tom Eastep">
</head> </head>
<body> <body>
<table cellpadding="0" cellspacing="0" border="0" width="100%" <table cellpadding="0" cellspacing="0" border="0" width="100%"
bgcolor="#3366ff"> bgcolor="#3366ff">
<tbody>
<tr>
<td valign="middle" width="33%" bgcolor="#3366ff"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td>
<td valign="middle" height="90" align="center"
width="34%">
<h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
<h1> </h1>
</td>
<td valign="middle" height="90" width="33%"
align="right"><a href="http://www.squid-cache.org/"><img
src="images/cache_now.gif" alt="" width="100" height="31" hspace="4">
</a><br>
</td>
</tr>
</tbody>
</table>
<br>
This page covers Shorewall configuration to use with <a
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
Proxy</b></u>. If you are running Shorewall 1.3, please see <a
href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
<br>
<img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
&nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the
files /etc/shorewall/start and /etc/shorewall/init -- if you don't have
those files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
zone or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP
addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
your Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on port
3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case,
you must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to
a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on
port 3128. Your local interface is eth1. There may also be a web server
running on 192.168.1.3. It is assumed that web access is already enabled
from the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ZONE<br> <td valign="middle" width="33%" bgcolor="#3366ff"><a
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
alt="" width="88" height="31" hspace="4">
</a><br>
</td> </td>
<td valign="top">INTERFACE<br> <td valign="middle" height="90" align="center"
</td> width="34%">
<td valign="top">BROADCAST<br> <h1><font color="#ffffff"><b>Using Shorewall with Squid</b></font></h1>
</td>
<td valign="top">OPTIONS<br> <h1> </h1>
</td>
<td valign="middle" height="90" width="33%"
align="right"><a href="http://www.squid-cache.org/"><img
src="images/cache_now.gif" alt="" width="100" height="31" hspace="4">
</a><br>
</td> </td>
</tr> </tr>
<tr>
<td valign="top">loc<br> </tbody>
</td> </table>
<td valign="top">eth1<br> <br>
</td> This page covers Shorewall configuration to use with <a
<td valign="top">detect<br> href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
</td> Proxy</b></u>. If you are running Shorewall 1.3, please see <a
<td valign="top"><b>routeback</b><br> href="1.3/Shorewall_Squid_Usage.html">this documentation</a>.<br>
</td> <br>
</tr> <img border="0" src="images/j0213519.gif" width="60"
height="60" alt="Caution" align="middle">
</tbody> &nbsp;&nbsp;&nbsp; Please observe the following general requirements:<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>In all cases, Squid should be configured
to run as a transparent proxy as described at <a
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
<b><br>
</b><b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
&nbsp;&nbsp;&nbsp; </b>The following instructions mention the
files /etc/shorewall/start and /etc/shorewall/init -- if you don't have
those files, siimply create them.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
zone or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets
being routed to the Squid server still have their original destination
IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; You must have iptables installed on
your Squid server.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
</b>&nbsp;&nbsp;&nbsp; If you run a Shorewall version earlier
than 1.4.6, you must have NAT and MANGLE enabled in your /etc/shorewall/conf
file<br>
<br>
&nbsp;&nbsp;&nbsp; <b><font color="#009900">&nbsp;&nbsp;&nbsp;
NAT_ENABLED=Yes<br>
</font></b>&nbsp;&nbsp;&nbsp; &nbsp;&nbsp;&nbsp; <font
color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
<br>
Three different configurations are covered:<br>
<ol>
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running
on the Firewall.</a></li>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your
own http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on
port 3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
<blockquote>
<table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody>
<tr>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b> PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc</td>
<td>3128</td>
<td>tcp</td>
<td>www</td>
<td> -<br>
</td>
<td>!206.124.146.177</td>
</tr>
<tr>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>www</td>
<td> <br>
</td>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
</blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
</blockquote>
&nbsp;To exclude additional hosts or networks, just add additional similar
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests
to a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on
port 3128. Your local interface is eth1. There may also be a web server
running on 192.168.1.3. It is assumed that web access is already enabled
from the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p>
<ul>
<li>On your firewall system, issue the following command<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</font></b><br></pre>
</blockquote>
<ul>
<li>In /etc/shorewall/init, put:<br>
</li>
</ul>
<blockquote>
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 &gt; /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
</blockquote>
<ul>
<li>If you are running Shorewall 1.4.1 or Shorewall 1.4.1a,
please upgrade to Shorewall 1.4.2 or later.<br>
<br>
</li>
<li>If you are running Shorewall 1.4.2 or later, then in /etc/shorewall/interfaces:<br>
<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top">ZONE<br>
</td>
<td valign="top">INTERFACE<br>
</td>
<td valign="top">BROADCAST<br>
</td>
<td valign="top">OPTIONS<br>
</td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">eth1<br>
</td>
<td valign="top">detect<br>
</td>
<td valign="top"><b>routeback</b><br>
</td>
</tr>
</tbody>
</table> </table>
<br> <br>
</li> </li>
<li>In /etc/shorewall/rules:<br> <li>In /etc/shorewall/rules:<br>
<br> <br>
<table border="1" cellpadding="2" style="border-collapse: collapse;"> <table border="1" cellpadding="2" style="border-collapse: collapse;">
<tbody> <tbody>
<tr> <tr>
<td><b>ACTION</b></td> <td><b>ACTION</b></td>
<td><b>SOURCE</b></td> <td><b>SOURCE</b></td>
<td><b>DEST</b></td> <td><b>DEST</b></td>
<td><b> PROTO</b></td> <td><b> PROTO</b></td>
<td><b>DEST<br> <td><b>DEST<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>SOURCE<br> <td><b>SOURCE<br>
PORT(S)</b></td> PORT(S)</b></td>
<td><b>ORIGINAL<br> <td><b>ORIGINAL<br>
DEST</b></td> DEST</b></td>
</tr> </tr>
<tr> <tr>
<td>ACCEPT<br> <td>ACCEPT<br>
</td> </td>
<td>loc</td> <td>loc</td>
<td>loc<br> <td>loc<br>
</td> </td>
<td>tcp</td> <td>tcp</td>
<td>www</td> <td>www</td>
<td> <br> <td> <br>
</td> </td>
<td><br> <td><br>
</td> </td>
</tr> </tr>
</tbody>
</table>
</li>
<br>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have
the following policy in place of the above rule:<br>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody> </tbody>
</table> </table>
</li> <br>
<br> </li>
<li>Alternativfely, if you are running Shorewall 1.4.0 you can have <li>In /etc/shorewall/start add:<br>
the following policy in place of the above rule:<br> </li>
<table cellpadding="2" cellspacing="0" border="1">
<tbody>
<tr>
<td valign="top"><b>SOURCE<br>
</b></td>
<td valign="top"><b>DESTINATION<br>
</b></td>
<td valign="top"><b>POLICY<br>
</b></td>
<td valign="top"><b>LOG LEVEL<br>
</b></td>
<td valign="top"><b>BURST PARAMETERS<br>
</b></td>
</tr>
<tr>
<td valign="top">loc<br>
</td>
<td valign="top">loc<br>
</td>
<td valign="top">ACCEPT<br>
</td>
<td valign="top"><br>
</td>
<td valign="top"><br>
</td>
</tr>
</tbody>
</table>
<br>
</li>
<li>In /etc/shorewall/start add:<br>
</li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre> <pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>On 192.168.1.3, arrange for the following command to <li>On 192.168.1.3, arrange for the following command to
be executed after networking has come up<br> be executed after networking has come up<br>
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre> <pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
</li> </li>
</ul> </ul>
<blockquote> If you are running RedHat on the server, you can simply execute <blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br> the following commands after you have typed the iptables command
</blockquote> above:<br>
</blockquote>
<blockquote>
<blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2> <h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system. 192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.<br> Your DMZ interface is eth1 and your local interface is eth2.<br>
<ul> <ul>
<li>On your firewall system, issue the following command<br> <li>On your firewall system, issue the following command<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre> <pre><font color="#009900"><b>echo 202 www.out &gt;&gt; /etc/iproute2/rt_tables</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>In /etc/shorewall/init, put:<br> <li>In /etc/shorewall/init, put:<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre> <pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
</blockquote> </blockquote>
<ul> <ul>
<li>&nbsp;Do<b> one </b>of the following:<br> <li>&nbsp;Do<b> one </b>of the following:<br>
<br> <br>
A) In /etc/shorewall/start add<br> A) In /etc/shorewall/start add<br>
</li> </li>
</ul> </ul>
<blockquote> <blockquote>
<pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre> <pre><b><font color="#009900"> iptables -t mangle -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
</blockquote> </blockquote>
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf <blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
and add the following entry in /etc/shorewall/tcrules:<br> and add the following entry in /etc/shorewall/tcrules:<br>
</blockquote> </blockquote>
<blockquote> <blockquote>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in
/etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
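Review bot: The general requirements item still reads "siimply create them" and the local-network list still reads "Alternativfely"; both paragraphs are re-indented in this hunk, so fix the spelling here. The NAT_ENABLED/MANGLE_ENABLED item names the file /etc/shorewall/conf while option B in the DMZ section names /etc/shorewall/shorewall.conf; use one name for the same file so readers edit the right one. The /etc/shorewall/start snippets are also inconsistent: the exclusion rule is written with run_iptables and the two MARK rules call iptables directly. Pick one form and use it throughout. The chkconfig change from "iptables start" to "iptables on" is correct.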
@ -424,7 +385,7 @@ Your DMZ interface is eth1 and your local interface is eth2.<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">202:P<br> <td valign="top">202<br>
</td> </td>
<td valign="top">eth2<br> <td valign="top">eth2<br>
</td> </td>
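Review bot: Confirm that the MARK cell going from 202:P to 202 here is only realignment from the re-indent and not a change to option C. The next hunk shows an option C table with 202:P, so the final file should still have 202 under option B (with MARK_IN_FORWARD_CHAIN=No) and 202:P under option C. A reader copying the wrong value into tcrules would end up with a mark that is not applied where the routing rule expects it, so it is worth checking the rendered page after this commit.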
@ -437,106 +398,147 @@ Your DMZ interface is eth1 and your local interface is eth2.<br>
<td valign="top">-<br> <td valign="top">-<br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</blockquote> </blockquote>
</blockquote> C) Run Shorewall 1.3.14 or later and add the following entry in
/etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
<blockquote>
<table cellpadding="2" border="1" cellspacing="0">
<tbody>
<tr>
<td valign="top">MARK<br>
</td>
<td valign="top">SOURCE<br>
</td>
<td valign="top">DESTINATION<br>
</td>
<td valign="top">PROTOCOL<br>
</td>
<td valign="top">PORT<br>
</td>
<td valign="top">CLIENT PORT<br>
</td>
</tr>
<tr>
<td valign="top">202:P<br>
</td>
<td valign="top">eth2<br>
</td>
<td valign="top">0.0.0.0/0<br>
</td>
<td valign="top">tcp<br>
</td>
<td valign="top">80<br>
</td>
<td valign="top">-<br>
</td>
</tr>
</tbody>
</table>
</blockquote>
</blockquote>
<ul> <ul>
<li>In /etc/shorewall/rules, you will need:</li> <li>In /etc/shorewall/rules, you will need:</li>
</ul> </ul>
<blockquote> <blockquote>
<table cellpadding="2" border="1" cellspacing="0"> <table cellpadding="2" border="1" cellspacing="0">
<tbody> <tbody>
<tr> <tr>
<td valign="top">ACTION<br> <td valign="top">ACTION<br>
</td> </td>
<td valign="top">SOURCE<br> <td valign="top">SOURCE<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
</td> </td>
<td valign="top">PROTO<br> <td valign="top">PROTO<br>
</td> </td>
<td valign="top">DEST<br> <td valign="top">DEST<br>
PORT(S)<br> PORT(S)<br>
</td> </td>
<td valign="top">CLIENT<br> <td valign="top">CLIENT<br>
PORT(2)<br> PORT(2)<br>
</td> </td>
<td valign="top">ORIGINAL<br> <td valign="top">ORIGINAL<br>
DEST<br> DEST<br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">loc<br> <td valign="top">loc<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
<tr> <tr>
<td valign="top">ACCEPT<br> <td valign="top">ACCEPT<br>
</td> </td>
<td valign="top">dmz<br> <td valign="top">dmz<br>
</td> </td>
<td valign="top">net<br> <td valign="top">net<br>
</td> </td>
<td valign="top">tcp<br> <td valign="top">tcp<br>
</td> </td>
<td valign="top">80<br> <td valign="top">80<br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
<td valign="top"><br> <td valign="top"><br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<br> <br>
</blockquote>
<ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for
the following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
</blockquote> </blockquote>
<blockquote> <ul>
<li>On 192.0.2.177 (your Web/Squid server), arrange for
the following command to be executed after networking has come up<br>
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
</li>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command
above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font <pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre> color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote> </blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><font size="-1"> Updated 6/27/2003 - <a href="support.htm">Tom Eastep</a> <p><font size="-1"> Updated 7/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p> </font></p>
<a href="copyright.htm"><font size="2">Copyright</font> <a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a><br> &copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br> <br>
<br>
</body> </body>
</html> </html>
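Review bot: In the /etc/shorewall/rules table of this hunk, the second row (ACCEPT dmz net tcp 80) opens outbound web access for the whole dmz zone, while the section text says the only DMZ host is the Web/Squid server at 192.0.2.177. Consider writing the source as dmz:192.0.2.177 so the documented example grants only what Squid needs and stays tight if more hosts are added to the DMZ later. The header cell "CLIENT PORT(2)" in the same table looks like a typo for PORT(S); the other rules tables on the page label that column "SOURCE PORT(S)".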


@ -1,153 +1,147 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base <base
target="main"> target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td <td
width="100%" height="90"> width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3> <h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td> </td>
</tr> </tr>
<tr> <tr>
<td <td
width="100%" bgcolor="#ffffff"> width="100%" bgcolor="#ffffff">
<ul> <ul>
<li> <a <li> <a
href="seattlefirewall_index.htm">Home</a></li> href="seattlefirewall_index.htm">Home</a></li>
<li> <a <li>
href="shorewall_features.htm">Features</a></li> <a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br> <li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li> </li>
<li> <a <li> <a
href="shorewall_prerequisites.htm">Requirements</a></li> href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a <li> <a
href="download.htm">Download</a><br> href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li> </li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a <li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li> href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a <li> <a
href="errata.htm">Errata</a></li> href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a <li> <a
href="support.htm">Getting help or Answers to Questions</a></li> href="support.htm">Getting help or Answers to Questions</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a <li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br> href="http://lists.shorewall.net"> </a><br>
</li> </li>
<li><a href="1.3"
target="_top">Shorewall 1.3 Site</a></li> <li><a href="shorewall_mirrors.htm">Mirrors</a>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a <li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li> target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a <li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li> target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a <li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li> target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl" <li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li> target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" <li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li> target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" <li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li> target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br" <li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br> target="_top">Brazil</a><br>
</li> </li>
<li><a <li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a <li> <a
href="News.htm">News Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a <li> <a
href="quotes.htm">Quotes from Users</a></li> href="quotes.htm">Quotes from Users</a></li>
<li>GSLUG Presentation</li>
<ul> <ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul> </ul>
<li> <a <li> <a
href="shoreline.htm">About the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br> size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>
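Review bot: After the "GSLUG Presentation" item and its HTML/PowerPoint links are removed, the empty <ul> </ul> pair that wrapped them is left behind between "Quotes from Users" and "About the Author". Delete the empty list along with its contents. The same hunk drops the "Shorewall 1.3 Site" and "Shorewall 1.2 Site" entries, and the Squid page in this commit still points Shorewall 1.3 users at 1.3/Shorewall_Squid_Usage.html, so please confirm that path stays published.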


@ -1,151 +1,144 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title> <title>Shorewall Index</title>
<base <base
target="main"> target="main">
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%" <td
height="90"> width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td
width="100%" bgcolor="#ffffff">
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
href="shorewall_prerequisites.htm">Requirements</a></li>
<li> <a
href="download.htm">Download</a><br>
</li>
<li> <a
href="Install.htm">Installation/Upgrade/</a><br>
<a
href="Install.htm">Configuration</a><br>
</li>
<li> <a
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
</li>
<li> <b><a
href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li> href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></b></li>
<li> <a href="FAQ.htm">FAQs</a></li> <li> <a href="FAQ.htm">FAQs</a></li>
<li><a <li><a
href="useful_links.html">Useful Links</a><br> href="useful_links.html">Useful Links</a><br>
</li> </li>
<li> <a <li> <a
href="troubleshoot.htm">Things to try if it doesn't work</a></li> href="troubleshoot.htm">Things to try if it doesn't work</a></li>
<li> <a <li> <a
href="errata.htm">Errata</a></li> href="errata.htm">Errata</a></li>
<li> <a <li> <a
href="upgrade_issues.htm">Upgrade Issues</a></li> href="upgrade_issues.htm">Upgrade Issues</a></li>
<li> <a <li> <a
href="support.htm">Getting help or Answers to Questions</a> href="support.htm">Getting help or Answers to Questions</a>
</li> </li>
<li><a <li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br> href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li> </li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li> <li><a
<li><a href="shorewall_mirrors.htm">Mirrors</a>
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
<ul> <ul>
<li><a <li><a
target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li> target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a <li><a
target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li> target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a <li><a
target="_top" href="http://germany.shorewall.net">Germany</a></li> target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" <li><a target="_top"
href="http://france.shorewall.net">France</a></li> href="http://france.shorewall.net">France</a></li>
<li><a href="http://shorewall.syachile.cl" <li><a href="http://shorewall.syachile.cl"
target="_top">Chile</a></li> target="_top">Chile</a></li>
<li><a href="http://shorewall.greshko.com" <li><a href="http://shorewall.greshko.com"
target="_top">Taiwan</a></li> target="_top">Taiwan</a></li>
<li><a href="http://argentina.shorewall.net" <li><a href="http://argentina.shorewall.net"
target="_top">Argentina</a></li> target="_top">Argentina</a></li>
<li><a href="http://shorewall.securityopensource.org.br" <li><a href="http://shorewall.securityopensource.org.br"
target="_top">Brazil</a><br> target="_top">Brazil</a><br>
</li> </li>
<li><a <li><a
href="http://www.shorewall.net" target="_top">Washington State, USA</a><br> href="http://www.shorewall.net" target="_top">Washington State, USA</a><br>
</li> </li>
</ul> </ul>
</li> </li>
</ul> </ul>
<ul> <ul>
<li> <a <li> <a
href="News.htm">News Archive</a></li> href="News.htm">News Archive</a></li>
<li> <a <li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li> href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li>GSLUG Presentation</li>
<ul> <ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul> </ul>
<li> <a <li> <a
href="quotes.htm">Quotes from Users</a></li> href="quotes.htm">Quotes from Users</a></li>
<li> <a <li> <a
href="shoreline.htm">About the Author</a></li> href="shoreline.htm">About the Author</a></li>
<li> <a <li> <a
href="seattlefirewall_index.htm#Donations">Donations</a></li> href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul> </ul>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br> size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p> </p>
<br>
<br>
<br>
</body> </body>
</html> </html>
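Review bot: the substantive edits in this hunk are hard to pick out because they sit among editor re-wrapping. At the `Mailing Lists` / `Mirrors` entries the `Shorewall 1.3 Site` and `Shorewall 1.2 Site` links leave the navigation list, and the `GSLUG Presentation` entry also changes, but the block from `<h3 align="center">` down to the `Documentation` item is removed and re-added with identical text and the `<td width="100%"` attributes are only re-split across lines. Consider normalising the HTML editor's line wrapping before committing, or committing the whitespace changes separately, so that link removals in the site index can be reviewed on their own. The commit message should also say that dropping the 1.3 and 1.2 links from the index is intentional.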

Binary file not shown.

Binary file not shown.

Binary file not shown.

View File

@ -3,91 +3,93 @@
<head> <head>
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shoreline Firewall (Shorewall) 1.4</title> <title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self"> <base target="_self">
</head> </head>
<body> <body>
<table cellpadding="0" cellspacing="4" <table cellpadding="0" cellspacing="4"
style="border-collapse: collapse;" width="100%" id="AutoNumber3" style="border-collapse: collapse;" width="100%" id="AutoNumber3"
bgcolor="#3366ff"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="33%" height="90" <td width="33%" height="90"
valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img valign="middle" align="left"><a href="http://www.cityofshoreline.com"><img
src="images/washington.jpg" alt="" width="97" height="80" hspace="4" src="images/washington.jpg" alt="" width="97" height="80" hspace="4"
border="0"> border="0">
</a></td> </a></td>
<td valign="middle" width="34%" align="center" <td valign="middle" width="34%" align="center"
bgcolor="#ffffff"> bgcolor="#3366ff">
<div align="center"> <div align="center">
<img <img
src="images/Logo1.png" alt="(Shorewall Logo)" width="341" height="80"> src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
</div> </div>
</td> </td>
<td valign="middle" width="33%"> <td valign="middle" width="33%">
<h1 align="center"><a href="http://www.shorewall.net" <h1 align="center"><a href="http://www.shorewall.net"
target="_top"><img border="0" src="images/shorewall.jpg" width="119" target="_top"><img border="0" src="images/shorewall.jpg" width="119"
height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4"> height="38" hspace="4" alt="(Shorewall Logo)" align="right" vspace="4">
</a></h1> </a></h1>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<div align="center"> <div align="center">
<div align="center"> </div> <div align="center"> </div>
<center> <center>
<div align="center"> </div> <div align="center"> </div>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
<td width="90%"> <td width="90%">
<div align="center"> <div align="center">
<br> <br>
</div> </div>
<h2 align="left">What is it?</h2> <h2 align="left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function that can be used on a dedicated firewall system, a multi-function
@ -96,37 +98,39 @@
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it under the terms of <a it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This program is distributed This program is distributed
in the hope that it will be useful, but in the hope that it will be useful,
WITHOUT ANY WARRANTY; without even but WITHOUT ANY WARRANTY; without
the implied warranty of MERCHANTABILITY even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the or FITNESS FOR A PARTICULAR PURPOSE.
GNU General Public License for more details.<br> See the GNU General Public License for more
details.<br>
<br> <br>
You should have received a copy You should have received a
of the GNU General Public License copy of the GNU General Public License
along with this program; if not, write along with this program; if not,
to the Free Software Foundation, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p> Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p> <p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
@ -137,449 +141,479 @@ General Public License</a> as published by the Free Software
<h2>This is the Shorewall 1.4 Web Site</h2> <h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall. The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br> For older versions:<br>
<ul> <ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3" <li>The 1.3 site is <a
target="_top">here.</a></li> href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/" <li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br> target="_top">here</a>.<br>
</li> </li>
</ul> </ul>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely match your environment and follow the step that most closely match your environment and follow the
by step instructions.<br> step by step instructions.<br>
<h2>Looking for Information?</h2> <h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right. Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will If so, the documentation<b> </b>on this site
not apply directly to your setup. If you want to use the documentation will not apply directly to your setup. If you want to use the
that you find here, you will want to consider uninstalling what you have documentation that you find here, you will want to consider uninstalling
and installing a setup that matches the documentation on this site. what you have and installing a setup that matches the documentation
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a> on this site. See the <a href="two-interface.htm">Two-interface
for details.<br> QuickStart Guide</a> for details.<br>
<h2>News</h2> <h2>News</h2>
<ol> <ol>
</ol> </ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.<br>
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0" <p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
<br> <br>
</b></p> </b></p>
<blockquote><b><a
href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
ftp://shorewall.net/pub/shorewall/testing</a><br>
</b></blockquote>
<blockquote> </blockquote> <blockquote> </blockquote>
<p><b>Problems Corrected:</b><br> <p><b>Problems Corrected:</b><br>
</p> </p>
<ol> <ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered <li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked start errors when started using the "service" mechanism has been worked
around.<br> around.<br>
<br> <br>
</li> </li>
<li>Where a list of IP addresses appears in the DEST column <li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
the nat table (one for each element in the list). Shorewall now correctly in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br> creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<br> <br>
</li> </li>
<li>Corrected a problem in Beta 1 where DNS names containing <li>The message "Adding rules for DHCP" is now suppressed if there
a "-" were mis-handled when they appeared in the DEST column of a rule.<br> are no DHCP rules to add.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br> <br>
</li> </li>
<li>A number of problems with rule parsing have been corrected. <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
Corrections involve the handling of "z1!z2" in the SOURCE column as well have been removed from /etc/shorewall/shorewall.conf. These capabilities
as lists in the ORIGINAL DESTINATION column.<br> are now automatically detected by Shorewall (see below).<br>
</li> </li>
</ol> </ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have
been removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).<br>
</li>
</ol>
<p><b>New Features:</b><br> <p><b>New Features:</b><br>
</p> </p>
<ol> <ol>
<li>A 'newnotsyn' interface option has been added. This option <li>A 'newnotsyn' interface option has been added. This
may be specified in /etc/shorewall/interfaces and overrides the setting option may be specified in /etc/shorewall/interfaces and overrides the
NEWNOTSYN=No for packets arriving on the associated interface.<br> setting NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br> <br>
</li> </li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq <li>The means for specifying a range of IP addresses in
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for /etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
address ranges.<br> is enabled for address ranges.<br>
<br> <br>
</li> </li>
<li>Shorewall can now add IP addresses to subnets other than <li>Shorewall can now add IP addresses to subnets other
the first one on an interface.<br> than the first one on an interface.<br>
<br> <br>
</li> </li>
<li>DNAT[-] rules may now be used to load balance (round-robin) <li>DNAT[-] rules may now be used to load balance (round-robin)
over a set of servers. Servers may be specified in a range of addresses over a set of servers. Servers may be specified in a range of addresses
given as &lt;first address&gt;-&lt;last address&gt;.<br> given as &lt;first address&gt;-&lt;last address&gt;.<br>
<br> <br>
Example:<br> Example:<br>
<br> <br>
    DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>     DNAT net loc:192.168.10.2-192.168.10.5 tcp 80<br>
<br> <br>
</li> </li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration <li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the of the start, restart and check commands have been enhanced to report the
outcome:<br> outcome:<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
</li> </li>
<li>Support for the Connection Tracking Match Extension has <li>Support for the Connection Tracking Match Extension
been added. This extension is available in recent kernel/iptables releases has been added. This extension is available in recent kernel/iptables
and allows for rules which match against elements in netfilter's connection releases and allows for rules which match against elements in netfilter's
tracking table. Shorewall automatically detects the availability of this connection tracking table. Shorewall automatically detects the availability
extension and reports its availability in the output of the start, restart of this extension and reports its availability in the output of the start,
and check commands.<br> restart and check commands.<br>
<br> <br>
Shorewall has detected the following iptables/netfilter capabilities:<br> Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>    NAT: Available<br>
   Packet Mangling: Available<br>    Packet Mangling: Available<br>
   Multi-port Match: Available<br>    Multi-port Match: Available<br>
   Connection Tracking Match: Available<br>    Connection Tracking Match: Available<br>
Verifying Configuration...<br> Verifying Configuration...<br>
<br> <br>
If this extension is available, the ruleset generated by Shorewall If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li> is changed in the following ways:</li>
<ul> <ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create <li>To handle 'norfc1918' filtering, Shorewall will not
chains in the mangle table but will rather do all 'norfc1918' filtering create chains in the mangle table but will rather do all 'norfc1918'
in the filter table (rfc1918 chain).</li> filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter <li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br> specified (or defaulted to) in the DNAT rule.<br>
<br> <br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
<br>
Examples:<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>
      192.168.1.8/29<br>
      192.168.1.16/28<br>
      192.168.1.32/27<br>
      192.168.1.64/26<br>
      192.168.1.128/25<br>
      192.168.2.0/23<br>
      192.168.4.0/22<br>
      192.168.8.0/22<br>
      192.168.12.0/29<br>
      192.168.12.8/31<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
</li>
</ol>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>Problems Corrected:<br>
</p>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones
file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
</li> </li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
<br>
</li>
<li>An 'ipcalc' command has been added to /sbin/shorewall.<br>
<br>
      ipcalc [ &lt;address&gt; &lt;netmask&gt; | &lt;address&gt;/&lt;vlsm&gt;
]<br>
<br>
Examples:<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0/24<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
      [root@wookie root]# shorewall ipcalc 192.168.1.0 255.255.255.0<br>
         CIDR=192.168.1.0/24<br>
         NETMASK=255.255.255.0<br>
         NETWORK=192.168.1.0<br>
         BROADCAST=192.168.1.255<br>
      [root@wookie root]#<br>
<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to construct
an efficient set of rules that accept connections from a range of network
addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash
or dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
      [root@gateway root]# shorewall iprange 192.168.1.4-192.168.12.9<br>
      192.168.1.4/30<br>
      192.168.1.8/29<br>
      192.168.1.16/28<br>
      192.168.1.32/27<br>
      192.168.1.64/26<br>
      192.168.1.128/25<br>
      192.168.2.0/23<br>
      192.168.4.0/22<br>
      192.168.8.0/22<br>
      192.168.12.0/29<br>
      192.168.12.8/31<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.<br>
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet is
REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
</li>
</ol> </ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
<p>New Features:<br> <p>Problems Corrected:<br>
</p> </p>
<ol> <ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-] <li>The command "shorewall debug try &lt;directory&gt;"
rule may now contain a list of addresses. If the list begins with "!' now correctly traces the attempt.</li>
then the rule will take effect only if the original destination address <li>The INCLUDE directive now works properly in the
in the connection request does not match any of the addresses listed.</li> zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
</li>
</ol> </ol>
<p>New Features:<br>
</p>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with
"!' then the rule will take effect only if the original destination
address in the connection request does not match any of the addresses
listed.</li>
</ol>
<p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b> <p><b>6/15/2003 - Shorewall, Kernel 2.4.21 and iptables 1.2.8</b><b>
</b></p> </b></p>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel <p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No and iptables 1.2.8 (using the "official" RPM from netfilter.org).
problems have been encountered with this set of software. The Shorewall No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.<br> version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p> </p>
<p><b>6/8/2003 - Updated Samples</b><b> </b></p> <p><b>6/8/2003 - Updated Samples</b><b> </b></p>
<p>Thanks to Francesca Smith, the samples have been updated to Shorewall <p>Thanks to Francesca Smith, the samples have been updated to Shorewall
version 1.4.4.</p> version 1.4.4.</p>
<p><b></b></p> <p><b></b></p>
<ol> <ol>
</ol> </ol>
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques Nilo and Eric </a>Jacques Nilo and Eric
Wolzak have a LEAF (router/firewall/gateway Wolzak have a LEAF (router/firewall/gateway
on a floppy, CD or compact flash) distribution on a floppy, CD or compact flash) distribution
called <i>Bering</i> that called <i>Bering</i> that
features Shorewall-1.4.2 and Kernel-2.4.20. features Shorewall-1.4.2 and Kernel-2.4.20.
You can find their work at: You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br> <a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
</a></p> </a></p>
<b>Congratulations to Jacques and Eric on <b>Congratulations to Jacques and Eric
the recent release of Bering 1.2!!! </b><br> on the recent release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#3366ff" </td>
<td width="88" bgcolor="#3366ff"
valign="top" align="center"> valign="top" align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<font <font
color="#ffffff"><b>Note: </b></font></strong><font color="#ffffff"><b>Note: </b></font></strong><font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br> color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
<strong></strong> <strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" <font face="Arial" size="-1"> <input type="text"
name="words" size="15"></font><font size="-1"> </font> <font name="words" size="15"></font><font size="-1"> </font> <font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> <input value="long"> <input type="hidden" name="method" value="and"> <input
type="hidden" name="config" value="htdig"> <input type="submit" type="hidden" name="config" value="htdig"> <input type="submit"
value="Search"></font> </p> value="Search"></font> </p>
<font face="Arial"> <input type="hidden" <font face="Arial"> <input type="hidden"
name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font> name="exclude" value="[http://lists.shorewall.net/pipermail/*]"> </font>
</form> </form>
<p><font color="#ffffff"><b><a <p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<br> <br>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
</center> </center>
</div> </div>
<table border="0" cellpadding="5" cellspacing="0" <table border="0" cellpadding="5" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber2" style="border-collapse: collapse;" width="100%" id="AutoNumber2"
bgcolor="#3366ff"> bgcolor="#3366ff">
<tbody> <tbody>
<tr> <tr>
<td width="100%" style="margin-top: 1px;" <td width="100%"
valign="middle"> style="margin-top: 1px;" valign="middle">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10" alt="(Starlight Logo)"> hspace="10" alt="(Starlight Logo)">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff"><br> <p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you <font size="+2"> Shorewall is free but if
try it and find it useful, please consider making a donation you try it and find it useful, please consider making a donation
to to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight <a href="http://www.starlight.org"><font
Children's Foundation.</font></a> Thanks!</font></font></p> color="#ffffff">Starlight Children's Foundation.</font></a>
Thanks!</font></font></p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 7/16/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
</body> </body>
</html> </html>
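Review bot: Almost every line in this part of the hunk differs only in indentation or line wrapping (the search form and the Starlight donation paragraph, for example), which buries the one content change visible here: the "Updated" date moving from 7/16/2003 to 7/19/2003. Normalise the HTML editor's whitespace before committing, or commit the re-wrap separately, so that changes to the published firewall documentation can actually be reviewed line by line.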

View File

@ -1,332 +1,357 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html> <html>
<head> <head>
<meta http-equiv="Content-Language" content="en-us"> <meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0"> <meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document"> <meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" <meta http-equiv="Content-Type"
content="text/html; charset=windows-1252"> content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title> <title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none"> <meta name="Microsoft Theme" content="none">
</head> </head>
<body> <body>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1" style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90"> bgcolor="#3366ff" height="90">
<tbody> <tbody>
<tr> <tr>
<td width="100%"> <td width="100%">
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides <h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
(HOWTO's)<br> (HOWTO's)<br>
</font></h1> </font></h1>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that <p align="center">With thanks to Richard who reminded me once again that
we must all first walk before we can run.<br> we must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations are courtesy of Patrice Vetsel<br>
</p> </p>
<h2>The Guides</h2> <h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall <p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p> in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p> <p>If you have a <font color="#ff0000"><big><big><b>single public IP address</b></big></big></font>:</p>
<blockquote>
<ul>
<li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local
network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.
If you want to learn more about Shorewall than is explained in the above
simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) is for you.</p>
</blockquote>
<p>If you have <font color="#ff0000"><big><big><b>more than one public IP
address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) outlines the steps necessary to set up
a firewall where there are <small><small><big><big>multiple
public IP addresses</big></big></small></small> involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote>
<ul> <ul>
<li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
Linux System acting as a firewall/router for a small local
network (<a href="two-interface_fr.html">Version Française</a>)</li>
<li><a href="three-interface.htm">Three-interface</a>
Linux System acting as a firewall/router for a small local
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul> </ul>
<p>The above guides are designed to get your first firewall up and running <h2><b><a name="Documentation"></a></b>Documentation Index</h2>
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
Index Below) outlines the steps necessary to set up a firewall
where <b>there are multiple public IP addresses involved
or if you want to learn more about Shorewall than is explained
in the single-address guides above.</b></p>
<ul>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements <p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart the <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a> described above</b>. Please review the appropriate Guides</a> described above</b>. Please review the appropriate
guide before trying to use this documentation directly.</p> guide before trying to use this documentation directly.</p>
<ul> <ul>
<li><a <li><a
href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces href="Shorewall_and_Aliased_Interfaces.html">Aliased (virtual) Interfaces
(e.g., eth0:0)</a><br> (e.g., eth0:0)</a><br>
</li> </li>
<li><a href="blacklisting_support.htm">Blacklisting</a> <li><a href="blacklisting_support.htm">Blacklisting</a>
<ul> <ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li> <li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li> <li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul> </ul>
</li> </li>
<li><a <li><a
href="configuration_file_basics.htm">Common configuration file href="configuration_file_basics.htm">Common configuration file
features</a> features</a>
<ul> <ul>
<li><a <li><a
href="configuration_file_basics.htm#Comments">Comments in configuration href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li> files</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li> href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br> <li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE
</li> Directive</a><br>
<li><a </li>
<li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li> href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Ranges">Port Ranges</a></li> href="configuration_file_basics.htm#Ranges">Port Ranges</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li> href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
<li><a <li><a
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br> href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
</li> </li>
<li><a <li><a
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making href="configuration_file_basics.htm#Configs">Shorewall Configurations (making
a test configuration)</a></li> a test configuration)</a></li>
<li><a <li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul> </ul>
</li> </li>
<li><a href="Documentation.htm">Configuration <li><a href="Documentation.htm">Configuration
File Reference Manual</a> File Reference Manual</a>
<ul> <ul>
<li> <a <li> <a
href="Documentation.htm#Variables">params</a></li> href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Zones">zones</a></font></li> href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Interfaces">interfaces</a></font></li> href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Hosts">hosts</a></font></li> href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Policy">policy</a></font></li> href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Rules">rules</a></font></li> href="Documentation.htm#Rules">rules</a></font></li>
<li><a <li><a
href="Documentation.htm#Common">common</a></li> href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Masq">masq</a></font></li> href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#ProxyArp">proxyarp</a></font></li> href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#NAT">nat</a></font></li> href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Tunnels">tunnels</a></font></li> href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a <li><a
href="traffic_shaping.htm#tcrules">tcrules</a></li> href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a <li><a
href="Documentation.htm#modules">modules</a></li> href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> <li><a
</li> href="Documentation.htm#TOS">tos</a> </li>
<li><a <li><a
href="Documentation.htm#Blacklist">blacklist</a></li> href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a <li><a
href="Documentation.htm#rfc1918">rfc1918</a></li> href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a <li><a
href="Documentation.htm#Routestopped">routestopped</a></li> href="Documentation.htm#Routestopped">routestopped</a></li>
</ul> </ul>
</li> </li>
<li><a href="CorpNetwork.htm">Corporate <li><a href="CorpNetwork.htm">Corporate
Network Example</a> (Contributed by a Graeme Boyle)<br> Network Example</a> (Contributed by a Graeme Boyle)<br>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by
host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li> </li>
<li><font color="#000099"><a <li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling
by host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li>
<li><font color="#000099"><a
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code through the (How to extend Shorewall without modifying Shorewall code through the
use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped, use of files in /etc/shorewall -- /etc/shorewall/start, /etc/shorewall/stopped,
etc.)</li> etc.)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li> <li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="FAQ.htm">FAQs</a><br> <li><a href="FAQ.htm">FAQs</a><br>
</li> </li>
<li><a href="shorewall_features.htm">Features</a><br> <li><a href="shorewall_features.htm">Features</a><br>
</li> </li>
<li><a <li><a
href="shorewall_firewall_structure.htm">Firewall Structure</a></li> href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><a href="support.htm">Getting help or answers to questions</a></li> <li><a href="support.htm">Getting help or answers to questions</a></li>
<li><a href="Install.htm">Installation/Upgrade</a><br> <li>Greater Seattle Linux Users Group Presentation</li>
</li>
<li><font color="#000099"><a <ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a></li>
</ul>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><font color="#000099"><a
href="kernel.htm">Kernel Configuration</a></font></li> href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="shorewall_logging.html">Logging</a><br> <li><a href="shorewall_logging.html">Logging</a><br>
</li> </li>
<li><a href="MAC_Validation.html">MAC <li><a href="MAC_Validation.html">MAC
Verification</a></li> Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br> <li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li> </li>
<li><a href="myfiles.htm">My Shorewall <li><a href="myfiles.htm">My
Configuration (How I personally use Shorewall)</a><br> Shorewall Configuration (How I personally use Shorewall)</a><br>
</li> </li>
<li><a href="ping.html">'Ping' Management</a><br> <li><a href="ping.html">'Ping' Management</a><br>
</li> </li>
<li><a href="ports.htm">Port Information</a> <li><a href="ports.htm">Port Information</a>
<ul> <ul>
<li>Which applications use which ports</li> <li>Which applications use which ports</li>
<li>Ports used by Trojans</li> <li>Ports used by Trojans</li>
</ul> </ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="shorewall_prerequisites.htm">Requirements</a><br>
</li>
<li><a href="samba.htm">Samba</a></li>
<li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li> </li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li> <li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 <li><a href="shorewall_prerequisites.htm">Requirements</a><br>
Odds and Ends</a></li> </li>
<li><a href="samba.htm">Samba</a></li>
</ul> <li><a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a><br>
</li> </li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul> <ul>
<li>Description of all /sbin/shorewall commands</li> <li><a href="shorewall_setup_guide.htm#Introduction">1.0
<li>How to safely test a Shorewall configuration Introduction</a></li>
change<br> <li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
</li> Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1
IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
up your Network</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2
Non-routed</a>
<ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul> </ul>
<li><font color="#000099"><a <li><font color="#000099"><a
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<ul>
<li>Description of all /sbin/shorewall commands</li>
<li>How to safely test a Shorewall configuration
change<br>
</li>
</ul>
<li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li> href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent <li><a href="Shorewall_Squid_Usage.html">Squid as a
Proxy with Shorewall</a></li> Transparent Proxy with Shorewall</a></li>
<li><a href="traffic_shaping.htm">Traffic <li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li> Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it doesn't <li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
work)</a><br> doesn't work)</a><br>
</li> </li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br> <li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li> </li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br> <li><a href="OPENVPN.html">OpenVPN</a><br>
</li> </li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br> <li><a href="6to4.htm">6t04</a><br>
</li> </li>
<li><a href="VPN.htm">IPSEC/PPTP</a> <li><a href="VPN.htm">IPSEC/PPTP</a>
from a system behind your firewall to a remote network.</li> from a system behind your firewall to a remote network.</li>
</ul> </ul>
</li> </li>
<li><a <li><a
href="whitelisting_under_shorewall.htm">White List Creation</a></li> href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul> </ul>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 7/16/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 7/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
</p> </p>
<br>
<br> <br>
</body> </body>
</html> </html>
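Review bot: The new "Greater Seattle Linux Users Group Presentation" entry closes its `<li>` before the nested `<ul>` holding the HTML and PowerPoint links, so that sub-list becomes a direct child of the outer `<ul>`, which is invalid HTML 4.01; move the `</li>` to after the nested `</ul>`. Two smaller leftovers on the new side are worth cleaning up in the same pass: the "more than one public IP address" blockquote wraps "multiple public IP addresses" in `<small><small><big><big>`, which cancels out to nothing, and an empty `<ul> </ul>` pair now sits just before the Documentation Index heading where the three guide links used to be.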

File diff suppressed because it is too large

View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of # shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall. # Shoreline Firewall.
VERSION=1.4.6RC1 VERSION=1.4.6
usage() # $1 = exit status usage() # $1 = exit status
{ {
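Review bot: `VERSION=1.4.6` is hardcoded here and changed identically in the two other script hunks of this commit, alongside the separate `%define version` and `%define release` lines in the spec file, so four places must be edited in step for every release. The header comment says the script only reverts "the version shown below", so a missed bump in one file would make it act on the wrong release; consider generating these values from a single source at packaging time, or adding a release check that compares them.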

View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall. # /etc/rc.d/rc.local file is modified to start the firewall.
# #
VERSION=1.4.6RC1 VERSION=1.4.6
usage() # $1 = exit status usage() # $1 = exit status
{ {

View File

@ -1,6 +1,6 @@
%define name shorewall %define name shorewall
%define version 1.4.6 %define version 1.4.6
%define release 0RC1 %define release 1
%define prefix /usr %define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems. Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel %doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog %changelog
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-1
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net> * Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0RC1 - Changed version to 1.4.6-0RC1
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net> * Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>

View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version # You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall # shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6RC1 VERSION=1.4.6
usage() # $1 = exit status usage() # $1 = exit status
{ {
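Review bot: The header comment in this hunk still reads "Simply run this script to remove Seattle Firewall", while the fallback script's comment and the spec file's Summary both call the product "Shoreline Firewall". Since the adjacent `VERSION` line is being touched anyway, update the comment to the current name so the uninstall script does not appear to belong to a different package.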