extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-19 17:28:35 +02:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall-1.4.6

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@667 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-07-19 15:07:31 +00:00
parent afd7840558
commit e80d8ca732
15 changed files with 4816 additions and 4538 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

248
Shorewall-docs/CorpNetwork.htm
View File

@ -1,143 +1,133 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<!-- saved from url=(0118)file://C:\Documents%20and%20Settings\Graeme%20Boyle\Local%20Settings\Temporary%20Internet%20Files\OLKD\CorpNetwork.htm -->
<title>Corporate Shorewall Configuration</title>
<meta http-equiv="Content-Type"
content="text/html; charset=windows-1252">
<title>Corporate Shorewall Configuration</title>
<meta content="Microsoft FrontPage 5.0" name="GENERATOR">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta content="FrontPage.Editor.Document" name="ProgId">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta content="none" name="Microsoft Theme">
<meta name="Microsoft Theme" content="none">
<meta name="author" content="Graeme Boyle">
<meta content="Graeme Boyle" name="author">
</head>
<body>
<script><!--
function PrivoxyWindowOpen(){return(null);}
//--></script>
<table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
bgcolor="#3366ff" height="90">
<table id="AutoNumber1" style="border-collapse: collapse;" height="90"
cellspacing="0" cellpadding="0" width="100%" bgcolor="#3366ff"
border="0">
<tbody>
<tr>
<td width="100%">
<h1 align="center"><font color="#ffffff">Multiple IPs with DMZ and
Internal Servers</font></h1>
Internal Servers</font></h1>
</td>
</tr>
</tbody>
</table>
<blockquote> </blockquote>
<blockquote></blockquote>
<h1>Corporate Network</h1>
<p><font size="4" color="#ff0000"><b>Notes</b></font><big><font
<p><font color="#ff0000" size="4"><b>Notes</b></font><big><font
color="#ff0000"><b>:</b></font></big></p>
<blockquote>
<ul>
<li><b>This configuration is used on a corporate network that
has a Linux (RedHat 8.0) server with three interfaces, running Shorewall
1.4.5 release,</b></li>
<li><b>Make sure you know what public IP addresses are currently
being used and verify these </b><i>before</i><b> starting.</b></li>
<li><b>Verify you DNS settings </b><i>before</i><b> starting any
Shorewall configuration especially if you have split DNS.</b></li>
<li><b>System names and Internet IP addresses have been changed
to protect the innocent.</b></li>
<li><b>This configuration is used on a corporate network that has a
Linux (RedHat 8.0) server with three interfaces, running Shorewall 1.4.5
release,</b> </li>
<li><b>Make sure you know what public IP addresses are currently being
used and verify these </b><i>before</i><b> starting.</b> </li>
<li><b>Verify your DNS settings </b><i>before</i><b> starting any Shorewall
configuration especially if you have split DNS.</b> </li>
<li><b>System names and Internet IP addresses have been changed to protect
the innocent.</b> </li>
</ul>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This configuration
uses a combination of Static NAT and Proxy ARP. This is generally not
relevant to a simple configuration with a single public IP address.</small></b></big><big><b><small>
If you have just a single public IP address, most of what you see
here won't apply to your setup so beware of copying parts of this
configuration and expecting them to work for you. What you copy may
or may not work in your configuration.<br>
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>This
configuration uses a combination of Static NAT and Proxy ARP. This is
generally not relevant to a simple configuration with a single public IP
address.</small></b></big><big><b><small> If you have just a single public
IP address, most of what you see here won't apply to your setup so beware
of copying parts of this configuration and expecting them to work for
you. What you copy may or may not work in your configuration.<br>
</small></b></big><br>
</p>
<p> I have a T1 with 64 static IP addresses (63.123.106.65-127/26). The
<p>I have a T1 with 64 static IP addresses (192.0.18.65-127/26). The
internet is connected to eth0. The local network is connected via eth1
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I
have an IPSec tunnel connecting our offices in Germany to our offices
in the US. I host two Microsoft Exchange servers for two different companies
(10.10.0.0/22) and the DMZ is connected to eth2 (192.168.21.0/24). I have
an IPSec tunnel connecting our offices in Germany to our offices in the
US. I host two Microsoft Exchange servers for two different companies
behind the firewall hence, the two Exchange servers in the diagram below.</p>
<p> Summary:<br>
<p>Summary:<br>
</p>
<ul>
<li>SNAT for all systems connected to the LAN
- Internal addresses 10.10.x.x to external address 63.123.106.127.</li>
<li>Static NAT for <i>Polaris</i> (Exchange Server
#2). Internal address 10.10.1.8 and external address 63.123.106.70.</li>
<li>Static NAT for <i>Sims</i> (Inventory Management server).
Internal address 10.10.1.56 and external address 63.123.106.75.<br>
<li>SNAT for all systems connected to the LAN - Internal addresses 10.10.x.x
to external address 192.0.18.127. </li>
<li>Static NAT for <i>Polaris</i> (Exchange Server #2). Internal address
10.10.1.8 and external address 192.0.18.70. </li>
<li>Static NAT for <i>Sims</i> (Inventory Management server). Internal
address 10.10.1.56 and external address 192.0.18.75.<br>
</li>
<li>Static NAT for <i>Project</i> (Project Web
Server). Internal address 10.10.1.55 and external
address 63.123.106.84.</li>
<li>Static NAT for <i>Fortress</i> (Exchange
Server). Internal address 10.10.1.252 and external
address 63.123.106.93.</li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server).
Internal address 10.10.1.230 and external address
63.123.106.97.</li>
<li>Static NAT for <i>Intweb</i> (Intranet Web
Server). Internal address 10.10.1.60 and external
address 63.123.106.115.</li>
<li>Static NAT for <i>Project</i> (Project Web Server). Internal address
10.10.1.55 and external address 192.0.18.84. </li>
<li>Static NAT for <i>Fortress</i> (Exchange Server). Internal address
10.10.1.252 and external address 192.0.18.93. </li>
<li>Static NAT for <i>BBSRV</i> (Blackberry Server). Internal address
10.10.1.230 and external address 192.0.18.97. </li>
<li>Static NAT for <i>Intweb</i> (Intranet Web Server). Internal address
10.10.1.60 and external address 192.0.18.115. </li>
</ul>
<p> The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
<p>The firewall runs on a 2Gb, Dual PIV/2.8GHz, Intel motherboard with
RH8.0.</p>
<p> The Firewall is also a proxy server running Privoxy 3.0.</p>
<p>The Firewall is also a proxy server running Privoxy 3.0.</p>
<p> The single system in the DMZ (address 63.123.106.80) runs sendmail,
imap, pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0).
That server is managed through Proxy ARP.</p>
<p>The single system in the DMZ (address 192.0.18.80) runs sendmail, imap,
pop3, DNS, a Web server (Apache) and an FTP server (vsFTPd 1.1.0). That
server is managed through Proxy ARP.</p>
<p> All administration and publishing is done using ssh/scp. I have X installed
on the firewall and the system in the DMZ. X applications tunnel
through SSH to Hummingbird Exceed running on a PC located in the LAN.
Access to the firewall using SSH is restricted to systems in the LAN, DMZ
or the system Kaos which is on the Internet and managed by me.</p>
<p>All administration and publishing is done using ssh/scp. I have X installed
on the firewall and the system in the DMZ. X applications tunnel through
SSH to Hummingbird Exceed running on a PC located in the LAN. Access to
the firewall using SSH is restricted to systems in the LAN, DMZ or the
system Kaos which is on the Internet and managed by me.</p>
<p align="center"> <img border="0"
src="images/CorpNetwork.gif" width="770" height="1000"
alt="(Corporate Network Diagram)">
<p align="center"><img height="1000" alt="(Corporate Network Diagram)"
src="images/CorpNetwork.gif" width="770" border="0">
</p>
<p> </p>
<p></p>
<p>The Ethernet 0 interface in the Server is configured with IP
address 63.123.106.68, netmask 255.255.255.192. The server's default
gateway is 63.123.106.65, the Router connected to my network and
the ISP. This is the same default gateway used by the firewall
itself. On the firewall, Shorewall automatically
adds a host route to 63.123.106.80 through Ethernet
2 (192.168.21.1) because of the entry in
/etc/shorewall/proxyarp (see below). I modified the start, stop and
init scripts to include the fixes suggested when having an IPSec tunnel.</p>
<p>The Ethernet 0 interface in the Server is configured with IP address
192.0.18.68, netmask 255.255.255.192. The server's default gateway is
192.0.18.65, the Router connected to my network and the ISP. This is the
same default gateway used by the firewall itself. On the firewall, Shorewall
automatically adds a host route to 192.0.18.80 through Ethernet 2 (192.168.21.1)
because of the entry in /etc/shorewall/proxyarp (see below). I modified
the start, stop and init scripts to include the fixes suggested when having
an IPSec tunnel.</p>
<p><b>Some Mistakes I Made:</b></p>
<p>Yes, believe it or not, I made some really basic mistakes when building
this firewall. Firstly, I had the new firewall setup in parallel with
the old firewall so that there was no interruption of service to my users.
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the
During my out-bound testing, I set up systems on the LAN to utilize the
firewall which worked fine. When testing my NAT connections, from the
outside, these would fail and I could not understand why. Eventually,
I changed the default route on the internal system I was trying to access,
to point to the new firewall and "bingo", everything worked as expected.
@ -145,8 +135,8 @@ This oversight delayed my deployment by a couple of days not to mention
level of frustration it produced. </p>
<p>Another problem that I encountered was in setting up the Proxyarp system
in the DMZ. Initially I forgot to remove the entry for the eth2 from
the /etc/shorewall/masq file. Once my file settings were correct, I started
in the DMZ. Initially I forgot to remove the entry for the eth2 from the
/etc/shorewall/masq file. Once my file settings were correct, I started
verifying that the ARP caches on the firewall, as well as the outside
system "kaos", were showing the correct Ethernet MAC address. However,
in testing remote access, I could access the system in the DMZ only from
@ -163,131 +153,129 @@ etc., etc. The administrator will <i>not</i> be doing that again! :-)</p>
<p><b>Lessons Learned:</b></p>
<ul>
<li>Read the documentation.</li>
<li>Draw your network topology before starting.</li>
<li>Understand what services you are going to allow in and out of
the firewall, whether they are TCP or UDP packets and make a note
of these port numbers.</li>
<li>Try to get quiet time to build the firewall - you need to focus
on the job at hand.</li>
<li>Read the documentation. </li>
<li>Draw your network topology before starting. </li>
<li>Understand what services you are going to allow in and out of the
firewall, whether they are TCP or UDP packets and make a note of these
port numbers. </li>
<li>Try to get quiet time to build the firewall - you need to focus on
the job at hand. </li>
<li>When asking for assistance, be honest and include as much detail
as requested. Don't try and hide IP addresses etc., you will probably
screw up the logs and make receiving assistance harder.</li>
<li>Read the documentation.</li>
as requested. Don't try and hide IP addresses etc., you will probably
screw up the logs and make receiving assistance harder. </li>
<li>Read the documentation. </li>
</ul>
<p><b>Futures:</b></p>
<p>This is by no means the final configuration. In the near future, I will
be moving more systems from the LAN to the DMZ. I will also be watching
the logs for port scan programs etc. but, this should be standard security
be moving more systems from the LAN to the DMZ. I will also be watching
the logs for port scan programs etc. but, this should be standard security
maintenance.</p>
<p>Here are copies of my files. I have removed most of the internal
documentation for the purpose of this space however, my system still has
the original files with all the comments and I highly recommend you do
the same.</p>
</blockquote>
</blockquote>
<h3>Shorewall.conf</h3>
<blockquote>
<pre>##############################################################################<br># /etc/shorewall/shorewall.conf V1.4 - Change the following variables to<br># match your setup<br>#<br># This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]<br>#<br># This file should be placed in /etc/shorewall<br>#<br># (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)<br>##############################################################################<br># L O G G I N G<br>##############################################################################<br>LOGFILE=/var/log/messages<br>LOGFORMAT="Shorewall:%s:%s:"<br>LOGRATE=<br>LOGBURST=<br>LOGUNCLEAN=info<br>BLACKLIST_LOGLEVEL=<br>LOGNEWNOTSYN=<br>MACLIST_LOG_LEVEL=info<br>TCP_FLAGS_LOG_LEVEL=debug<br>RFC1918_LOG_LEVEL=debug<br>PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin<br>SUBSYSLOCK=/var/lock/subsys/shorewall<br>STATEDIR=/var/lib/shorewall<br>MODULESDIR=<br>FW=fw<br>NAT_ENABLED=Yes<br>MANGLE_ENABLED=Yes<br>IP_FORWARDING=On<br>ADD_IP_ALIASES=Yes<br>ADD_SNAT_ALIASES=Yes<br>TC_ENABLED=Yes<br>CLEAR_TC=No<br>MARK_IN_FORWARD_CHAIN=No<br>CLAMPMSS=No<br>ROUTE_FILTER=Yes<br>NAT_BEFORE_RULES=No<br>MULTIPORT=Yes<br>DETECT_DNAT_IPADDRS=Yes<br>MUTEX_TIMEOUT=60<br>NEWNOTSYN=Yes<br>BLACKLIST_DISPOSITION=DROP<br>MACLIST_DISPOSITION=REJECT<br>TCP_FLAGS_DISPOSITION=DROP<br>#LAST LINE -- DO NOT REMOVE<br><br></pre>
</blockquote>
</blockquote>
<h3>Zones File</h3>
<blockquote>
<pre><font face="Courier">#<br># Shorewall 1.4 -- Sample Zone File For Two Interfaces<br># /etc/shorewall/zones<br>#<br># This file determines your network zones. Columns are:<br>#<br># ZONE Short name of the zone<br># DISPLAY Display name of the zone<br># COMMENTS Comments about the zone<br>#<br>#ZONE DISPLAY COMMENTS<br>net Net Internet<br>loc Local Local Networks<br>dmz DMZ Demilitarized Zone<br>vpn1 VPN1 VPN to Germany<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font><font
face="Courier" size="2"><br></font></pre>
</blockquote>
</blockquote>
<h3>Interfaces File: </h3>
<blockquote>
<p> ##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
</p>
</blockquote>
<p>##############################################################################<br>
#ZONE INTERFACE BROADCAST OPTIONS<br>
net eth0 62.123.106.127 routefilter,norfc1918,blacklist,tcpflags<br>
loc eth1 detect dhcp,routefilter<br>
dmz eth2 detect<br>
vpn1 ipsec0<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </p>
</blockquote>
<h3>Routestopped File:</h3>
<blockquote>
<pre><font face="Courier">#INTERFACE HOST(S)<br>eth1 -<br>eth2 -<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font><font
face="Courier" size="2"> </font></pre>
</blockquote>
</blockquote>
<h3>Policy File:</h3>
<blockquote>
<pre>###############################################################################<br>#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST<br>loc net ACCEPT<br>loc fw ACCEPT<br>loc dmz ACCEPT<br># If you want open access to the Internet from your Firewall <br># remove the comment from the following line.<br>fw net ACCEPT<br>fw loc ACCEPT<br>fw dmz ACCEPT<br>dmz fw ACCEPT<br>dmz loc ACCEPT<br>dmz net ACCEPT<br># <br># Adding VPN Access<br>loc vpn1 ACCEPT<br>dmz vpn1 ACCEPT<br>fw vpn1 ACCEPT<br>vpn1 loc ACCEPT<br>vpn1 dmz ACCEPT<br>vpn1 fw ACCEPT<br>#<br>net all DROP info<br>all all REJECT info<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
</blockquote>
<h3>Masq File: </h3>
<blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 163.123.106.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<pre>#INTERFACE SUBNET ADDRESS<br>eth0 eth1 1192.0.18.126<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>NAT File: </h3>
<blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>63.123.106.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>63.123.106.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>63.123.106.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>63.123.106.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>63.123.106.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>63.123.106.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>#<br># Intranet Web Server<br>192.0.18.115 eth0:0 10.10.1.60 No No<br>#<br># Project Web Server<br>192.0.18.84 eth0:1 10.10.1.55 No No<br>#<br># Blackberry Server<br>192.0.18.97 eth0:2 10.10.1.55 No No<br>#<br># Corporate Mail Server<br>192.0.18.93 eth0:3 10.10.1.252 No No<br>#<br># Second Corp Mail Server<br>192.0.18.70 eth0:4 10.10.1.8 No No<br>#<br># Sims Server<br>192.0.18.75 eth0:5 10.10.1.56 No No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br></pre>
</blockquote>
<h3>Proxy ARP File:</h3>
<blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>63.123.106.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote>
<pre><font face="Courier" size="2">#ADDRESS INTERFACE EXTERNAL HAVEROUTE<br>#<br># The Corporate email server in the DMZ<br>192.0.18.80 eth2 eth0 No<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE </font></pre>
</blockquote>
<h3>Tunnels File:</h3>
<blockquote>
<pre># TYPE ZONE GATEWAY GATEWAY ZONE PORT<br>ipsec net 134.147.129.82<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
</blockquote>
<h3>Rules File (The shell variables are set in /etc/shorewall/params):</h3>
<blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:63.123.106.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<pre>##############################################################################<br>#ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br># PORT PORT(S) DEST<br>#<br># Accept DNS connections from the firewall to the network<br>#<br>ACCEPT fw net tcp 53<br>ACCEPT fw net udp 53<br>#<br># Accept SSH from internet interface from kaos only<br>#<br>ACCEPT net:192.0.18.98 fw tcp 22<br>#<br># Accept connections from the local network for administration <br>#<br>ACCEPT loc fw tcp 20:22<br>ACCEPT loc net tcp 22<br>ACCEPT loc fw tcp 53<br>ACCEPT loc fw udp 53<br>ACCEPT loc net tcp 53<br>ACCEPT loc net udp 53<br>#<br># Allow Ping To And From Firewall<br>#<br>ACCEPT loc fw icmp 8<br>ACCEPT loc dmz icmp 8<br>ACCEPT loc net icmp 8<br>ACCEPT dmz fw icmp 8<br>ACCEPT dmz loc icmp 8<br>ACCEPT dmz net icmp 8<br>DROP net fw icmp 8<br>DROP net loc icmp 8<br>DROP net dmz icmp 8<br>ACCEPT fw loc icmp 8<br>ACCEPT fw dmz icmp 8<br>DROP fw net icmp 8<br>#<br># Accept proxy web connections from the inside<br>#<br>ACCEPT loc fw tcp 8118<br>#<br># Forward PcAnywhere, Oracle and Web traffic from outside to the Demo systems<br># From a specific IP Address on the Internet.<br># <br># ACCEPT net:207.65.110.10 loc:10.10.3.151 tcp 1521,http<br># ACCEPT net:207.65.110.10 loc:10.10.2.32 tcp 5631:5632<br>#<br># Intranet web server<br>ACCEPT net loc:10.10.1.60 tcp 443<br>ACCEPT dmz loc:10.10.1.60 tcp 443<br>#<br># Projects web server<br>ACCEPT net loc:10.10.1.55 tcp 80<br>ACCEPT dmz loc:10.10.1.55 tcp 80<br># <br># Blackberry Server<br>ACCEPT net loc:10.10.1.230 tcp 3101<br>#<br># Corporate Email Server<br>ACCEPT net loc:10.10.1.252 tcp 25,53,110,143,443<br>#<br># Corporate #2 Email Server<br>ACCEPT net loc:10.10.1.8 tcp 25,80,110,443<br>#<br># Sims Server<br>ACCEPT net loc:10.10.1.56 tcp 80,443<br>ACCEPT net loc:10.10.1.56 tcp 7001:7002<br>ACCEPT net:63.83.198.0/24 loc:10.10.1.56 tcp 5631:5632<br>#<br># Access to DMZ<br>ACCEPT loc dmz udp 53,177<br>ACCEPT loc dmz tcp 80,25,53,22,143,443,993,20,110 -<br>ACCEPT net dmz udp 53<br>ACCEPT net dmz tcp 25,53,22,21,123<br>ACCEPT dmz net tcp 25,53,80,123,443,21,22<br>ACCEPT dmz net udp 53<br>#<br>#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</pre>
</blockquote>
<h3>Start File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/start<br>#<br># Add commands below that you want to be executed after shorewall has<br># been started or restarted.<br>#<br>qt service ipsec start<br></pre>
</blockquote>
</blockquote>
<h3>Stop File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/stop<br>#<br># Add commands below that you want to be executed at the beginning of a<br># "shorewall stop" command.<br>#<br>qt service ipsec stop</pre>
</blockquote>
</blockquote>
<h3>Init File:</h3>
<blockquote>
<pre>############################################################################<br># Shorewall 1.4 -- /etc/shorewall/init<br>#<br># Add commands below that you want to be executed at the beginning of<br># a "shorewall start" or "shorewall restart" command.<br>#<br>qt service ipsec stop<br></pre>
</blockquote>
</blockquote>
<p><font size="2">Last updated 7/16/2003</font>
<script><!--
function PrivoxyWindowOpen(a, b, c){return(window.open(a, b, c));}
//</script><br>
</p>
<p><small><a href="GnuCopyright.htm">Copyright 2003 Thomas M. Eastep and
Graeme Boyle</a></small><br>
</p>
//</script>
<br>
</p>
<p><small><a
href="file:///C:/Documents%20and%20Settings/Graeme%20Boyle/Local%20Settings/Temporary%20Internet%20Files/OLKD/GnuCopyright.htm">Copyright
2003 Thomas M. Eastep and Graeme Boyle</a></small><br>
</p>
<br>
</body>
</html>

1274
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

50
Shorewall-docs/Shorewall_Squid_Usage.html
View File

@ -60,9 +60,9 @@
height="13">
</b>&nbsp;&nbsp;&nbsp; When the Squid server is in the DMZ
zone or in the local zone, that zone must be defined ONLY by its interface
-- no /etc/shorewall/hosts file entries. That is because the packets being
routed to the Squid server still have their original destination IP
addresses.<br>
-- no /etc/shorewall/hosts file entries. That is because the packets
being routed to the Squid server still have their original destination
IP addresses.<br>
<br>
<b><img src="images/BD21298_3.gif" alt="" width="13"
height="13">
@ -88,17 +88,17 @@ your Squid server.<br>
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running
in the local network</a></li>
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running
in the DMZ</a></li>
in the DMZ</a></li>
</ol>
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
You want to redirect all local www connection requests EXCEPT
those to your own
http server (206.124.146.177)
those to your
own http server (206.124.146.177)
to a Squid
transparent proxy running on the firewall and listening on port
3128. Squid will of course require access to remote web servers.<br>
transparent proxy running on the firewall and listening on
port 3128. Squid will of course require access to remote web servers.<br>
<br>
In /etc/shorewall/rules:<br>
<br>
@ -146,8 +146,8 @@ in the DMZ</a></li>
</blockquote>
There may be a requirement to exclude additional destination hosts
or networks from being redirected. For example, you might also want requests
destined for 130.252.100.0/24 to not be routed to Squid. In that case,
you must add a manual rule in /etc/shorewall/start:<br>
destined for 130.252.100.0/24 to not be routed to Squid. In that case, you
must add a manual rule in /etc/shorewall/start:<br>
<blockquote>
<pre>run_iptables -t nat -I loc_dnat -p tcp --dport www -d 130.252.100.0/24 -j RETURN<br></pre>
@ -156,8 +156,8 @@ you must add a manual rule in /etc/shorewall/start:<br>
rules.<br>
<h2><a name="Local"></a>Squid Running in the local network</h2>
You want to redirect all local www connection requests to
a Squid transparent
You want to redirect all local www connection requests
to a Squid transparent
proxy running in your local zone at 192.168.1.3 and listening on
port 3128. Your local interface is eth1. There may also be a web server
running on 192.168.1.3. It is assumed that web access is already enabled
@ -165,8 +165,8 @@ from the local zone to the internet.<br>
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
other aspects of your gateway including but not limited to traffic
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
shaping and route redirection. For that reason, <b>I don't recommend
it</b>.<br>
</p>
<ul>
@ -312,22 +312,23 @@ be executed after networking has come up<br>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
the following commands after you have typed the iptables command
above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
You have a single Linux system in your DMZ with IP address
192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.<br>
192.0.2.177. You want to run both a web server and Squid on that system.
Your DMZ interface is eth1 and your local interface is eth2.<br>
<ul>
<li>On your firewall system, issue the following command<br>
@ -402,7 +403,7 @@ Your DMZ interface is eth1 and your local interface is eth2.<br>
</table>
</blockquote>
C) Run Shorewall 1.3.14 or later and add the following entry in
/etc/shorewall/tcrules:<br>
/etc/shorewall/tcrules:<br>
</blockquote>
<blockquote>
@ -518,25 +519,26 @@ the following command to be executed after networking has come up<br>
</ul>
<blockquote> If you are running RedHat on the server, you can simply execute
the following commands after you have typed the iptables command above:<br>
the following commands after you have typed the iptables command
above:<br>
</blockquote>
<blockquote>
<blockquote> </blockquote>
<pre><font color="#009900"><b>iptables-save &gt; /etc/sysconfig/iptables</b></font><font
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
color="#009900"><b><br>chkconfig --level 35 iptables on<br></b></font></pre>
</blockquote>
<blockquote> </blockquote>
<p><font size="-1"> Updated 6/27/2003 - <a href="support.htm">Tom Eastep</a>
<p><font size="-1"> Updated 7/18/2003 - <a href="support.htm">Tom Eastep</a>
</font></p>
<a href="copyright.htm"><font size="2">Copyright</font>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
&copy; <font size="2">2003 Thomas M. Eastep.</font></a><br>
<br>
<br>
<br>
</body>
</html>

24
Shorewall-docs/Shorewall_index_frame.htm
View File

@ -38,8 +38,8 @@
<ul>
<li> <a
href="seattlefirewall_index.htm">Home</a></li>
<li> <a
href="shorewall_features.htm">Features</a></li>
<li>
<a href="shorewall_features.htm">Features</a></li>
<li><a href="Shorewall_Doesnt.html">What it Cannot Do</a><br>
</li>
<li> <a
@ -74,11 +74,7 @@
<li><a href="http://lists.shorewall.net">Mailing Lists</a><a
href="http://lists.shorewall.net"> </a><br>
</li>
<li><a href="1.3"
target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall 1.2
Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
@ -108,13 +104,16 @@ Site</a></li>
</ul>
</li>
</ul>
<ul>
<li> <a
href="News.htm">News Archive</a></li>
@ -122,12 +121,9 @@ Site</a></li>
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li> <a
href="quotes.htm">Quotes from Users</a></li>
<li>GSLUG Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a
@ -136,6 +132,7 @@ Site</a></li>
href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
@ -145,9 +142,6 @@ Site</a></li>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</p>
</body>
</html>

25
Shorewall-docs/Shorewall_sfindex_frame.htm
View File

@ -23,15 +23,17 @@
bgcolor="#3366ff" height="90">
<tbody>
<tr>
<td width="100%"
height="90">
<td
width="100%" height="90">
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%"
bgcolor="#ffffff">
<td
width="100%" bgcolor="#ffffff">
<ul>
<li> <a
@ -73,11 +75,8 @@
<li><a
href="http://lists.shorewall.net">Mailing Lists</a> <br>
</li>
<li><a href="1.3" target="_top">Shorewall 1.3 Site</a></li>
<li><a
href="http://www1.shorewall.net/1.2/index.htm" target="_top">Shorewall
1.2 Site</a></li>
<li><a href="shorewall_mirrors.htm">Mirrors</a>
href="shorewall_mirrors.htm">Mirrors</a>
@ -118,12 +117,9 @@
href="News.htm">News Archive</a></li>
<li> <a
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
<li>GSLUG Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a><br>
</li>
</ul>
<li> <a
@ -143,9 +139,6 @@
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001-2003 Thomas M. Eastep.</font></a><br>
</p>
<br>
<br>
<br>
</p>
</body>
</html>

BIN
Shorewall-docs/images/CorpNetwork.gif
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 48 KiB

After

Width:  |  Height:  |  Size: 48 KiB

BIN
Shorewall-docs/images/Logo1.png
View File

Binary file not shown.

BIN
Shorewall-docs/images/Thumbs.db
View File

Binary file not shown.

234
Shorewall-docs/seattlefirewall_index.htm
View File

@ -9,8 +9,8 @@
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self">
<base target="_self">
</head>
<body>
@ -29,7 +29,8 @@
border="0">
</a></td>
<td valign="middle" width="34%" align="center"
bgcolor="#ffffff">
bgcolor="#3366ff">
@ -39,7 +40,7 @@
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="341" height="80">
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
</div>
</td>
<td valign="middle" width="33%">
@ -74,6 +75,7 @@
<tr>
<td width="90%">
<div align="center">
@ -108,19 +110,21 @@ General Public License</a> as published by the Free Software
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more
details.<br>
<br>
You should have received a copy
of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
You should have received a
copy of the GNU General Public License
along with this program; if not,
write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
@ -139,12 +143,12 @@ General Public License</a> as published by the Free Software
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
target="_top">here.</a></li>
<li>The 1.3 site is <a
href="http://www.shorewall.net/1.3" target="_top">here.</a></li>
<li>The 1.2 site is <a href="http://shorewall.net/1.2/"
target="_top">here</a>.<br>
</li>
@ -153,21 +157,23 @@ For older versions:<br>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely match your environment and follow the step
by step instructions.<br>
the <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a>
that most closely match your environment and follow the
step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will
not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
for details.<br>
If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the
documentation that you find here, you will want to consider uninstalling
what you have and installing a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface
QuickStart Guide</a> for details.<br>
<h2>News</h2>
@ -182,30 +188,19 @@ by step instructions.<br>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.<br>
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
<blockquote><b><a
href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
ftp://shorewall.net/pub/shorewall/testing</a><br>
</b></blockquote>
<blockquote> </blockquote>
<p><b>Problems Corrected:</b><br>
</p>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
@ -213,40 +208,45 @@ by step instructions.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in
the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
of a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules
in the nat table (one for each element in the list). Shorewall now correctly
creates a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.<br>
</li>
</ol>
<p><b>Migration Issues:</b><br>
</p>
<ol>
<li>In earlier versions, an undocumented feature allowed entries
in the host file as follows:<br>
<li>In earlier versions, an undocumented feature allowed
entries in the host file as follows:<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have
been removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
@ -254,19 +254,20 @@ now automatically detected by Shorewall (see below).<br>
<p><b>New Features:</b><br>
</p>
<ol>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<li>A 'newnotsyn' interface option has been added. This
option may be specified in /etc/shorewall/interfaces and overrides the
setting NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
address ranges.<br>
<li>The means for specifying a range of IP addresses in
/etc/shorewall/masq to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes
is enabled for address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than
the first one on an interface.<br>
<li>Shorewall can now add IP addresses to subnets other
than the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
@ -280,9 +281,9 @@ the first one on an interface.<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -291,12 +292,12 @@ outcome:<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has
been added. This extension is available in recent kernel/iptables releases
and allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
<li>Support for the Connection Tracking Match Extension
has been added. This extension is available in recent kernel/iptables
releases and allows for rules which match against elements in netfilter's
connection tracking table. Shorewall automatically detects the availability
of this extension and reports its availability in the output of the start,
restart and check commands.<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -306,20 +307,22 @@ and allows for rules which match against elements in netfilter's connection
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
</ul>
<li>The shell used to interpret the firewall script (/usr/share/shorewall/firewall)
may now be specified using the SHOREWALL_SHELL parameter in shorewall.conf.<br>
@ -349,9 +352,9 @@ specified (or defaulted to) in the DNAT rule.<br>
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall.
@ -359,12 +362,13 @@ for all valid IP addresses.<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
This command decomposes a range of IP addressses into a list of network
and host addresses. The command can be useful if you need to construct an
efficient set of rules that accept connections from a range of network addresses.<br>
This command decomposes a range of IP addressses into a list of
network and host addresses. The command can be useful if you need to construct
an efficient set of rules that accept connections from a range of network
addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.<br>
Note: If your shell only supports 32-bit signed arithmetic (ash
or dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
@ -384,15 +388,37 @@ dash) then the range may not span 128.0.0.0.<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The "shorewall check" command now includes the chain name when
printing the applicable policy for each pair of zones.<br>
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet is
REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
</li>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
@ -403,10 +429,10 @@ in /etc/shorewall/hosts.<br>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones
file; previously, INCLUDE in that file was ignored.</li>
<li>The INCLUDE directive now works properly in the
zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
second column are no longer ignored.<br>
</li>
@ -419,9 +445,10 @@ second column are no longer ignored.<br>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
rule may now contain a list of addresses. If the list begins with
"!' then the rule will take effect only if the original destination
address in the connection request does not match any of the addresses
listed.</li>
</ol>
@ -432,8 +459,8 @@ second column are no longer ignored.<br>
<p>The firewall at shorewall.net has been upgraded to the 2.4.21 kernel
and iptables 1.2.8 (using the "official" RPM from netfilter.org). No
problems have been encountered with this set of software. The Shorewall
and iptables 1.2.8 (using the "official" RPM from netfilter.org).
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.<br>
</p>
@ -462,6 +489,7 @@ second column are no longer ignored.<br>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)">
@ -477,12 +505,14 @@ second column are no longer ignored.<br>
</a></p>
<b>Congratulations to Jacques and Eric on
the recent release of Bering 1.2!!! </b><br>
<b>Congratulations to Jacques and Eric
on the recent release of Bering 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2>
</td>
<td width="88" bgcolor="#3366ff"
@ -490,6 +520,7 @@ the recent release of Bering 1.2!!! </b><br>
<form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br>
@ -518,6 +549,7 @@ the recent release of Bering 1.2!!! </b><br>
<p><font color="#ffffff"><b><a
href="http://lists.shorewall.net/htdig/search.html"><font
color="#ffffff">Extended Search</font></a></b></font></p>
@ -544,8 +576,9 @@ the recent release of Bering 1.2!!! </b><br>
<tr>
<td width="100%" style="margin-top: 1px;"
valign="middle">
<td width="100%"
style="margin-top: 1px;" valign="middle">
@ -562,11 +595,12 @@ the recent release of Bering 1.2!!! </b><br>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2"> Shorewall is free but if you
try it and find it useful, please consider making a donation
<font size="+2"> Shorewall is free but if
you try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
<a href="http://www.starlight.org"><font
color="#ffffff">Starlight Children's Foundation.</font></a>
Thanks!</font></font></p>
</td>
@ -578,7 +612,7 @@ try it and find it useful, please consider making a donation
</table>
<p><font size="2">Updated 7/16/2003 - <a href="support.htm">Tom Eastep</a></font>
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>

95
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -12,6 +12,7 @@
content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="none">
</head>
<body>
@ -42,9 +43,10 @@ we must all first walk before we can run.<br>
<p>These guides provide step-by-step instructions for configuring Shorewall
in common firewall setups.</p>
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
<p>If you have a <font color="#ff0000"><big><big><b>single public IP address</b></big></big></font>:</p>
<ul>
<blockquote>
<ul>
<li><a href="standalone.htm">Standalone</a>
Linux System (<a href="standalone_fr.html">Version Française</a>)</li>
<li><a href="two-interface.htm">Two-interface</a>
@ -54,22 +56,29 @@ we must all first walk before we can run.<br>
Linux System acting as a firewall/router for a small local
network and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
</ul>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.
If you want to learn more about Shorewall than is explained in the above
simple guides,  the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) is for you.</p>
</blockquote>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> (See
Index Below) outlines the steps necessary to set up a firewall
where <b>there are multiple public IP addresses involved
or if you want to learn more about Shorewall than is explained
in the single-address guides above.</b></p>
<p>If you have <font color="#ff0000"><big><big><b>more than one public IP
address</b></big></big></font>:<br>
</p>
<blockquote>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a>
(See Index Below) outlines the steps necessary to set up
a firewall where there are <small><small><big><big>multiple
public IP addresses</big></big></small></small> involved or if you
want to learn more about Shorewall than is explained in the
single-address guides above.</blockquote>
<ul>
</ul>
<h2><a name="Documentation"></a>Documentation Index</h2>
<h2><b><a name="Documentation"></a></b>Documentation Index</h2>
<p>The following documentation covers a variety of topics and <b>supplements
the <a href="shorewall_quickstart_guide.htm">QuickStart
@ -92,13 +101,15 @@ guide before trying to use this documentation directly.</p>
<li><a
href="configuration_file_basics.htm">Common configuration file
features</a>
<ul>
<li><a
href="configuration_file_basics.htm#Comments">Comments in configuration
files</a></li>
<li><a
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE Directive</a><br>
<li><a href="configuration_file_basics.htm#INCLUDE">INCLUDE
Directive</a><br>
</li>
<li><a
href="configuration_file_basics.htm#Ports">Port Numbers/Service Names</a></li>
@ -118,6 +129,7 @@ a test configuration)</a></li>
<li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration
@ -152,8 +164,8 @@ a test configuration)</a></li>
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a
href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a>
</li>
<li><a
href="Documentation.htm#TOS">tos</a> </li>
<li><a
href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a
@ -164,11 +176,11 @@ a test configuration)</a></li>
</ul>
</li>
<li><a href="CorpNetwork.htm">Corporate
Network Example</a> (Contributed by a Graeme Boyle)<br>
Network Example</a> (Contributed by a Graeme Boyle)<br>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><a href="ECN.html">ECN Disabling by
host or subnet</a></li>
<li><a href="ECN.html">ECN Disabling
by host or subnet</a></li>
<li><a href="errata.htm">Errata</a><br>
</li>
<li><font color="#000099"><a
@ -184,6 +196,13 @@ Network Example</a> (Contributed by a Graeme Boyle)<br>
<li><a
href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><a href="support.htm">Getting help or answers to questions</a></li>
<li>Greater Seattle Linux Users Group Presentation</li>
<ul>
<li><a href="GSLUG.htm">HTML</a></li>
<li><a href="GSLUG.ppt">PowerPoint</a></li>
</ul>
<li><a href="Install.htm">Installation/Upgrade</a><br>
</li>
<li><font color="#000099"><a
@ -191,11 +210,11 @@ Network Example</a> (Contributed by a Graeme Boyle)<br>
<li><a href="shorewall_logging.html">Logging</a><br>
</li>
<li><a href="MAC_Validation.html">MAC
Verification</a></li>
Verification</a></li>
<li><a href="http://lists.shorewall.net">Mailing Lists</a><br>
</li>
<li><a href="myfiles.htm">My Shorewall
Configuration (How I personally use Shorewall)</a><br>
<li><a href="myfiles.htm">My
Shorewall Configuration (How I personally use Shorewall)</a><br>
</li>
<li><a href="ping.html">'Ping' Management</a><br>
</li>
@ -215,7 +234,8 @@ Verification</a></li>
</li>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0
Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
@ -224,13 +244,14 @@ Verification</a></li>
Subnets and Routing</a>
<ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1
IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
Resolution Protocol (ARP)</a></li>
</ul>
@ -238,6 +259,7 @@ Verification</a></li>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
@ -246,11 +268,13 @@ Verification</a></li>
<ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2
Non-routed</a>
<ul>
@ -261,7 +285,7 @@ Verification</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
Static NAT</a></li>
Static NAT</a></li>
</ul>
@ -270,11 +294,13 @@ Static NAT</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0
Starting and Stopping the Firewall</a></li>
<li><a
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting
and Stopping the Firewall</a></li>
</ul>
<li><font color="#000099"><a
@ -289,12 +315,12 @@ Static NAT</a></li>
</ul>
<li><font color="#000099"><a
href="NAT.htm">Static NAT</a></font></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent
Proxy with Shorewall</a></li>
<li><a href="Shorewall_Squid_Usage.html">Squid as a
Transparent Proxy with Shorewall</a></li>
<li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it doesn't
work)</a><br>
<li><a href="troubleshoot.htm">Troubleshooting (Things to try if it
doesn't work)</a><br>
</li>
<li><a href="upgrade_issues.htm">Upgrade Issues</a><br>
</li>
@ -309,7 +335,7 @@ Static NAT</a></li>
<li><a href="6to4.htm">6t04</a><br>
</li>
<li><a href="VPN.htm">IPSEC/PPTP</a>
from a system behind your firewall to a remote network.</li>
from a system behind your firewall to a remote network.</li>
</ul>
</li>
@ -321,12 +347,11 @@ from a system behind your firewall to a remote network.</li>
<p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 7/16/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><font size="2">Last modified 7/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br>
</p>
<br>
<br>
</body>
</html>

212
Shorewall-docs/sourceforge_index.htm
View File

@ -9,8 +9,8 @@
<title>Shoreline Firewall (Shorewall) 1.4</title>
<base
target="_self">
<base target="_self">
</head>
<body>
@ -29,9 +29,9 @@
border="0">
</a></td>
<td valign="middle"
bgcolor="#ffffff" width="34%" align="center">
bgcolor="#3366ff" width="34%" align="center">
<img
src="images/Logo1.png" alt="(Shorewall Logo)" width="341" height="80">
src="images/Logo1.png" alt="(Shorewall Logo)" width="430" height="90">
</td>
<td valign="top" width="33"><br>
</td>
@ -64,6 +64,7 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
a <a
href="http://www.netfilter.org">Netfilter</a> (iptables)
@ -75,29 +76,32 @@
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
General Public License</a> as published by the Free Software
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the
GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed
in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even
the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.<br>
in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without
even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br>
<br>
You should have received a copy
of the GNU General Public License
along with this program; if not, write
to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
You should have received a
copy of the GNU General Public License
along with this program; if not,
write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139,
USA</p>
@ -111,8 +115,8 @@ General Public License</a> as published by the Free Software
<h2>This is the Shorewall 1.4 Web Site</h2>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
The information on this site applies only to 1.4.x releases of Shorewall.
For older versions:<br>
<ul>
<li>The 1.3 site is <a href="http://www.shorewall.net/1.3"
@ -124,23 +128,24 @@ For older versions:<br>
</ul>
<h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the
<a
New to Shorewall? Start by selecting
the <a
href="file:///vfat/Shorewall-docs/shorewall_quickstart_guide.htm">QuickStart
Guide</a> that most closely match your environment and follow
the step by step instructions.<br>
Guide</a> that most closely match your environment and
follow the step by step instructions.<br>
<h2>Looking for Information?</h2>
The <a href="shorewall_quickstart_guide.htm#Documentation">Documentation
Index</a> is a good place to start as is the Quick Search to your right.
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, the documentation<b> </b>on this site will
not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you have
and installing a setup that matches the documentation on this site.
See the <a href="two-interface.htm">Two-interface QuickStart Guide</a>
for details.
If so, the documentation<b> </b>on this site
will not apply directly to your setup. If you want to use the documentation
that you find here, you will want to consider uninstalling what you
have and installing a setup that matches the documentation on
this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.
<h2></h2>
@ -148,22 +153,12 @@ For older versions:<br>
<h2><b>News</b></h2>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>.
<p><b>7/15/2003 - Shorewall-1.4.6 RC 1</b><b> <img border="0"
<p><b>7/20/2003 - Shorewall-1.4.6</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b> </p>
<blockquote><b><a
href="http://shorewall.net/pub/shorewall/testing">http://shorewall.net/pub/shorewall/testing</a></b><b><a
href="ftp://shorewall.net/pub/shorewall/testing" target="_top"><br>
ftp://shorewall.net/pub/shorewall/testing</a></b></blockquote>
<p><b>Problems Corrected:</b><br>
</p>
@ -171,24 +166,26 @@ For older versions:<br>
<ol>
<li>A problem seen on RH7.3 systems where Shorewall encountered
start errors when started using the "service" mechanism has been worked
around.<br>
around.<br>
<br>
</li>
<li>Where a list of IP addresses appears in the DEST column of
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the
a DNAT[-] rule, Shorewall incorrectly created multiple DNAT rules in the
nat table (one for each element in the list). Shorewall now correctly creates
a single DNAT rule with multiple "--to-destination" clauses.<br>
<br>
</li>
<li>Corrected a problem in Beta 1 where DNS names containing
a "-" were mis-handled when they appeared in the DEST column of a rule.<br>
<li>Corrected a problem in Beta 1 where DNS names containing a
"-" were mis-handled when they appeared in the DEST column of a rule.<br>
<br>
</li>
<li value="4">A number of problems with rule parsing have been
corrected. Corrections involve the handling of "z1!z2" in the SOURCE column
as well as lists in the ORIGINAL DESTINATION column.<br>
<li>A number of problems with rule parsing have been corrected.
Corrections involve the handling of "z1!z2" in the SOURCE column as well
as lists in the ORIGINAL DESTINATION column.<br>
<br>
</li>
<li>The message "Adding rules for DHCP" is now suppressed if there
are no DHCP rules to add.</li>
</ol>
<p><b>Migration Issues:</b><br>
@ -200,15 +197,15 @@ as well as lists in the ORIGINAL DESTINATION column.<br>
<br>
    z    eth1:192.168.1.0/24,eth2:192.168.2.0/24<br>
<br>
This capability was never documented and has been removed in 1.4.6 to
allow entries of the following format:<br>
This capability was never documented and has been removed in 1.4.6
to allow entries of the following format:<br>
<br>
    z   eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options have
been removed from /etc/shorewall/shorewall.conf. These capabilities are
now automatically detected by Shorewall (see below).<br>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT options
have been removed from /etc/shorewall/shorewall.conf. These capabilities
are now automatically detected by Shorewall (see below).<br>
</li>
</ol>
@ -219,16 +216,16 @@ now automatically detected by Shorewall (see below).<br>
<ol>
<li>A 'newnotsyn' interface option has been added. This option
may be specified in /etc/shorewall/interfaces and overrides the setting
NEWNOTSYN=No for packets arriving on the associated interface.<br>
NEWNOTSYN=No for packets arriving on the associated interface.<br>
<br>
</li>
<li>The means for specifying a range of IP addresses in /etc/shorewall/masq
to use for SNAT is now documented. ADD_SNAT_ALIASES=Yes is enabled for
address ranges.<br>
address ranges.<br>
<br>
</li>
<li>Shorewall can now add IP addresses to subnets other than
the first one on an interface.<br>
the first one on an interface.<br>
<br>
</li>
<li>DNAT[-] rules may now be used to load balance (round-robin)
@ -241,9 +238,10 @@ the first one on an interface.<br>
<br>
</li>
<li>The NAT_ENABLED, MANGLE_ENABLED and MULTIPORT configuration
options have been removed and have been replaced by code that detects whether
these capabilities are present in the current kernel. The output of the
start, restart and check commands have been enhanced to report the outcome:<br>
options have been removed and have been replaced by code that detects
whether these capabilities are present in the current kernel. The output
of the start, restart and check commands have been enhanced to report the
outcome:<br>
<br>
Shorewall has detected the following iptables/netfilter capabilities:<br>
   NAT: Available<br>
@ -252,9 +250,9 @@ start, restart and check commands have been enhanced to report the outcome:<br>
Verifying Configuration...<br>
<br>
</li>
<li>Support for the Connection Tracking Match Extension has been
added. This extension is available in recent kernel/iptables releases
and allows for rules which match against elements in netfilter's connection
<li>Support for the Connection Tracking Match Extension has
been added. This extension is available in recent kernel/iptables releases
and allows for rules which match against elements in netfilter's connection
tracking table. Shorewall automatically detects the availability of this
extension and reports its availability in the output of the start, restart
and check commands.<br>
@ -267,17 +265,17 @@ and allows for rules which match against elements in netfilter's connection
Verifying Configuration...<br>
<br>
If this extension is available, the ruleset generated by Shorewall
is changed in the following ways:</li>
is changed in the following ways:</li>
<ul>
<li>To handle 'norfc1918' filtering, Shorewall will not create
chains in the mangle table but will rather do all 'norfc1918' filtering
in the filter table (rfc1918 chain).</li>
<li>To handle 'norfc1918' filtering, Shorewall will not
create chains in the mangle table but will rather do all 'norfc1918'
filtering in the filter table (rfc1918 chain).</li>
<li>Recall that Shorewall DNAT rules generate two netfilter
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is extended
to check that the original destination address was the same as specified
(or defaulted to) in the DNAT rule.<br>
rules; one in the nat table and one in the filter table. If the Connection
Tracking Match Extension is available, the rule in the filter table is
extended to check that the original destination address was the same as
specified (or defaulted to) in the DNAT rule.<br>
<br>
</li>
@ -310,12 +308,13 @@ to check that the original destination address was the same as specified
Warning:<br>
<br>
If your shell only supports 32-bit signed arithmatic (ash or dash),
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
then the ipcalc command produces incorrect information for IP addresses
128.0.0.0-1 and for /1 networks. Bash should produce correct information
for all valid IP addresses.<br>
<br>
</li>
<li>An 'iprange' command has been added to /sbin/shorewall. <br>
<li>An 'iprange' command has been added to /sbin/shorewall.
<br>
<br>
      iprange &lt;address&gt;-&lt;address&gt;<br>
<br>
@ -324,8 +323,8 @@ for all valid IP addresses.<br>
an efficient set of rules that accept connections from a range of network
addresses.<br>
<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or dash)
then the range may not span 128.0.0.0.<br>
Note: If your shell only supports 32-bit signed arithmetic (ash or
dash) then the range may not span 128.0.0.0.<br>
<br>
Example:<br>
<br>
@ -344,19 +343,45 @@ addresses.<br>
      [root@gateway root]#<br>
<br>
</li>
<li>A list of host/net addresses is now allowed in an entry in
/etc/shorewall/hosts.<br>
<li>A list of host/net addresses is now allowed in an entry
in /etc/shorewall/hosts.<br>
<br>
Example:<br>
<br>
    foo    eth1:192.168.1.0/24,192.168.2.0/24</li>
    foo    eth1:192.168.1.0/24,192.168.2.0/24<br>
<br>
</li>
<li value="11">The "shorewall check" command now includes the chain
name when printing the applicable policy for each pair of zones.<br>
 <br>
    Example:<br>
 <br>
        Policy for dmz to net is REJECT using chain all2all<br>
 <br>
This means that the policy for connections from the dmz to the internet
is REJECT and the applicable entry in the /etc/shorewall/policy was the all-&gt;all
policy.<br>
<br>
</li>
<li>Support for the 2.6 Kernel series has been added.<br>
</li>
</ol>
<b> </b>
<ol>
</ol>
<p><b>7/15/2003 - New Mirror in Brazil</b><b> <img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)">
<br>
</b></p>
Thanks to the folks at securityopensource.org.br, there is now a <a
href="http://shorewall.securityopensource.org.br" target="_top">Shorewall
mirror in Brazil</a>
<p><b>6/17/2003 - Shorewall-1.4.5</b><b> </b></p>
@ -367,10 +392,10 @@ addresses.<br>
<ol>
<li>The command "shorewall debug try &lt;directory&gt;"
now correctly traces the attempt.</li>
<li>The INCLUDE directive now works properly in the zones
file; previously, INCLUDE in that file was ignored.</li>
<li>The INCLUDE directive now works properly in the
zones file; previously, INCLUDE in that file was ignored.</li>
<li>/etc/shorewall/routestopped records with an empty
second column are no longer ignored.<br>
second column are no longer ignored.<br>
</li>
@ -384,8 +409,8 @@ second column are no longer ignored.<br>
<ol>
<li>The ORIGINAL DEST column in a DNAT[-] or REDIRECT[-]
rule may now contain a list of addresses. If the list begins with "!'
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
then the rule will take effect only if the original destination address
in the connection request does not match any of the addresses listed.</li>
</ol>
@ -398,6 +423,7 @@ in the connection request does not match any of the addresses listed.</li>
No problems have been encountered with this set of software. The Shorewall
version is 1.4.4b plus the accumulated changes for 1.4.5.
<p><b>6/8/2003 - Updated Samples</b><b> </b></p>
@ -407,6 +433,7 @@ in the connection request does not match any of the addresses listed.</li>
<p><b></b></p>
<ol>
@ -482,6 +509,7 @@ in the connection request does not match any of the addresses listed.</li>
<h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -524,14 +552,15 @@ in the connection request does not match any of the addresses listed.</li>
<p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily
0200-0330 GMT.</font><br>
<font color="#ffffff"><b>Note:
</b></font></strong> <font
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br>
 </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1">
<input type="text" name="words" size="15"></font><font
@ -595,8 +624,8 @@ in the connection request does not match any of the addresses listed.</li>
<p align="center"><font size="4" color="#ffffff"><br>
<font size="+2">Shorewall is free but if you try
it and find it useful, please consider making a donation
<font size="+2">Shorewall is free but if you
try it and find it useful, please consider making a donation
to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></font></p>
@ -611,9 +640,8 @@ in the connection request does not match any of the addresses listed.</li>
</table>
<p><font size="2">Updated 7/15/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
<p><font size="2">Updated 7/19/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
</p>
</body>
</html>

2
Shorewall/fallback.sh
View File

@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.4.6RC1
VERSION=1.4.6
usage() # $1 = exit status
{

2
Shorewall/install.sh
View File

@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.4.6RC1
VERSION=1.4.6
usage() # $1 = exit status
{

4
Shorewall/shorewall.spec
View File

@ -1,6 +1,6 @@
%define name shorewall
%define version 1.4.6
%define release 0RC1
%define release 1
%define prefix /usr
Summary: Shoreline Firewall is an iptables-based firewall for Linux systems.
@ -105,6 +105,8 @@ fi
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Sat Jul 19 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-1
* Mon Jul 14 2003 Tom Eastep <tom@shorewall.net>
- Changed version to 1.4.6-0RC1
* Mon Jul 07 2003 Tom Eastep <tom@shorewall.net>

2
Shorewall/uninstall.sh
View File

@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.4.6RC1
VERSION=1.4.6
usage() # $1 = exit status
{