More 2.0 Documentation Updates

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1864 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2004-12-28 17:25:25 +00:00
parent 3f3cb340c9
commit eaf1a17cfe
4 changed files with 159 additions and 143 deletions

View File

@ -166,7 +166,7 @@
<title>Shorewall.conf</title>
<blockquote>
<programlisting>LOGFILE=/var/log/messages
<programlisting>LOGFILE=/var/log/ulog/syslogemu.log
LOGFORMAT="Shorewall:%s:%s "
LOGRATE=
LOGBURST=
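Review bot: LOGFILE now points at the file ulogd writes (/var/log/ulog/syslogemu.log), which only makes sense together with the LOG=ULOG change in params and the new /etc/ulogd.conf section added further down in this file, but the shorewall.conf excerpt doesn't say so. A reader who copies this block while still logging through syslog ends up with "shorewall show log" and "logwatch" reading a file nothing writes. Suggest a one-line comment above LOGFILE= pointing at the ulogd section, or a sentence in the surrounding text stating that this value must match the syslogfile setting in /etc/ulogd.conf.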
@ -216,7 +216,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
<para><programlisting>MIRRORS=&lt;list of shorewall mirror ip addresses&gt;
NTPSERVERS=&lt;list of the NTP servers I sync with&gt;
TEXAS=&lt;ip address of gateway in Plano&gt;
LOG=info
LOG=ULOGD
EXT_IF=eth1
INT_IF=eth2
DMZ_IF=eth0</programlisting></para>
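Review bot: switching params to LOG=ULOG is the right way to flip every $LOG reference in policy, rules and shorewall.conf at once, but the example should repeat the requirement from the logging document that the value must be written exactly ULOG in capitals; nothing here tells the reader that "ulog" would not select the ULOG target. A short comment on the LOG= line would do.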
@ -665,6 +665,20 @@ iface eth2 inet static
</programlisting>
</blockquote>
</section>
<section>
<title>/etc/ulogd.conf</title>
<para>This is the default /etc/ulogd.conf from the Debian package. Only
the relevant entries are shown.</para>
<blockquote>
<programlisting># where to write to
syslogfile /var/log/ulog/syslogemu.log
# do we want to fflush() the file after each write?
syslogsync 1</programlisting>
</blockquote>
</section>
</section>
<section>
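Review bot: the new /etc/ulogd.conf section shows where ulogd writes but says nothing about who may read that file. Because ULOG bypasses syslog entirely, the ownership and mode of /var/log/ulog/syslogemu.log are whatever ulogd (or whoever created the file) set, not something /etc/syslog.conf controls, and the file records the addresses and ports of every dropped or rejected connection. Suggest one sentence saying the file should be root-owned and not world-readable. It would also help to say what "syslogsync 1" buys: the fflush() after each write that the comment mentions means the last lines survive a crash, at the cost of a write per logged packet, which matters once policies log at rate limits like 10/sec:40.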
@ -839,7 +853,7 @@ remote 192.168.3.8
verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
encryption_algorithm blowfish ;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
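Review bot: the phase 1 proposal moves from 3des to blowfish without the text saying why. Both are 64-bit block ciphers, so this is a lateral move rather than a strengthening, and the old phase 2 line in the next hunk shows that rijndael (AES) is already available to this racoon; if the goal is a stronger cipher, rijndael is the one to name, and if the goal is matching a specific peer, say so in the surrounding prose so readers don't copy the choice blindly. No keylen is given for blowfish, so racoon's default applies; stating it explicitly would make the example self-describing.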
@ -850,7 +864,7 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
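Review bot: narrowing the phase 2 list from "3des, blowfish, des, rijndael" to "blowfish" correctly stops offering single DES, but it also drops rijndael, the only 128-bit block cipher in the original list; "rijndael, blowfish" (or rijndael alone) would keep the strongest option on the table. The unchanged line "authentication_algorithm hmac_sha1, hmac_md5 ;" is the natural place to tighten at the same time by dropping hmac_md5. Both peers must offer at least one common algorithm; the matching edit to the other peer's sainfo block appears later in this file, so the two sides stay consistent.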
@ -986,7 +1000,7 @@ remote 192.168.3.254
verify_identifier on ;
lifetime time 24 hour ;
proposal {
encryption_algorithm 3des;
encryption_algorithm blowfish ;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
@ -997,7 +1011,7 @@ sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
{
pfs_group 2;
lifetime time 12 hour ;
encryption_algorithm 3des, blowfish, des, rijndael ;
encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}</programlisting>
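Review bot: this sainfo block now mirrors the gateway's phase 2 proposal exactly, which racoon needs for the SA to negotiate; whatever cipher list is finally chosen for the gateway side (see the comment on the earlier hunk about keeping rijndael and dropping hmac_md5), apply the same change here so the two blocks remain identical.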

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-07-15</pubdate>
<pubdate>2004-12-27</pubdate>
<copyright>
<year>2001 - 2004</year>
@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
License</ulink></quote>.</para>
</legalnotice>
</articleinfo>
@ -56,9 +57,11 @@
<listitem>
<para>The packet is rejected because of an option in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink> or
<ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
<ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
These packets can be logged by setting the appropriate logging-related
option in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
option in <ulink
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
</listitem>
<listitem>
@ -66,25 +69,29 @@
url="Documentation.htm#Rules">/etc/shorewall/rules</ulink>. By
including a syslog level (see below) in the ACTION column of a rule
(e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net fw tcp
22</quote>), the connection attempt will be logged at that level.</para>
22</quote>), the connection attempt will be logged at that
level.</para>
</listitem>
<listitem>
<para>The packet doesn&#39;t match a rule so it is handled by a policy
defined in <ulink url="Documentation.htm#Policy">/etc/shorewall/policy</ulink>.
These may be logged by specifying a syslog level in the LOG LEVEL
column of the policy&#39;s entry (e.g., <quote>loc net ACCEPT
<emphasis role="bold">info</emphasis></quote>).</para>
<para>The packet doesn't match a rule so it is handled by a policy
defined in <ulink
url="Documentation.htm#Policy">/etc/shorewall/policy</ulink>. These
may be logged by specifying a syslog level in the LOG LEVEL column of
the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
role="bold">info</emphasis></quote>).</para>
</listitem>
</orderedlist>
</section>
<section>
<title>Where the Traffic is Logged and How to Change the Destination</title>
<title>Where the Traffic is Logged and How to Change the
Destination</title>
<para>By default, Shorewall directs NetFilter to log using syslog (8).
Syslog classifies log messages by a <emphasis>facility</emphasis> and a
<emphasis>priority</emphasis> (using the notation <emphasis>facility.priority</emphasis>).</para>
<emphasis>priority</emphasis> (using the notation
<emphasis>facility.priority</emphasis>).</para>
<para>The facilities defined by syslog are <emphasis>auth, authpriv, cron,
daemon, kern, lpr, mail, mark, news, syslog, user, uucp</emphasis> and
@ -108,7 +115,8 @@
<member>7 - <emphasis role="bold">debug</emphasis> (Debug-level
messages)</member>
<member>6 - <emphasis role="bold">info</emphasis> (Informational)</member>
<member>6 - <emphasis role="bold">info</emphasis>
(Informational)</member>
<member>5 - <emphasis role="bold">notice</emphasis> (Normal but
significant Condition)</member>
@ -116,7 +124,8 @@
<member>4 - <emphasis role="bold">warning</emphasis> (Warning
Condition)</member>
<member>3 - <emphasis role="bold">err</emphasis> (Error Condition)</member>
<member>3 - <emphasis role="bold">err</emphasis> (Error
Condition)</member>
<member>2 - <emphasis role="bold">crit</emphasis> (Critical
Conditions)</member>
@ -139,6 +148,10 @@
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take
effect.</para>
<para>Syslog may also write to your system console. See <ulink
url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
Shorewall messages written to the console.</para>
</section>
<section>
@ -148,9 +161,9 @@
<orderedlist>
<listitem>
<para>If you give, for example, kern.info it&#39;s own log
destination then that destination will also receive all kernel
messages of levels 5 (notice) through 0 (emerg).</para>
<para>If you give, for example, kern.info it's own log destination
then that destination will also receive all kernel messages of
levels 5 (notice) through 0 (emerg).</para>
</listitem>
<listitem>
@ -164,67 +177,28 @@
specify a log level of ULOG (must be all caps). When ULOG is used,
Shorewall will direct netfilter to log the related messages via the ULOG
target which will send them to a process called <quote>ulogd</quote>.
The ulogd program is available from <ulink
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>
and can be configured to log all Shorewall message to their own log
The ulogd program is included in most distributions and is also
available from <ulink
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>.
Ulogd can be configured to log all Shorewall messages to their own log
file.</para>
<note>
<para>The ULOG logging mechanism is <emphasis role="underline">completely
separate</emphasis> from syslog. Once you switch to ULOG, the settings
in /etc/syslog.conf have absolutely no effect on your Shorewall
logging (except for Shorewall status messages which still go to
syslog).</para>
<para>The ULOG logging mechanism is <emphasis
role="underline">completely separate</emphasis> from syslog. Once you
switch to ULOG, the settings in /etc/syslog.conf have absolutely no
effect on your Shorewall logging (except for Shorewall status messages
which still go to syslog).</para>
</note>
<para>You will need to have the kernel source available to compile
ulogd.</para>
<para>Download the ulog tar file and:</para>
<para>Once you have installed ulogd, edit /etc/ulogd.conf
(<filename>/usr/local/etc/ulogd.conf</filename> if you built ulogd
yourself) and set:</para>
<orderedlist>
<listitem>
<para>Be sure that /usr/src/linux is linked to your kernel source
tree</para>
</listitem>
<listitem>
<para>cd /usr/local/src (or whereever you do your builds)</para>
</listitem>
<listitem>
<para>tar -zxf <emphasis>source-tarball-that-you-downloaded</emphasis></para>
</listitem>
<listitem>
<para>cd ulod-<emphasis>version</emphasis></para>
</listitem>
<listitem>
<para>./configure</para>
</listitem>
<listitem>
<para>make</para>
</listitem>
<listitem>
<para>make install</para>
</listitem>
</orderedlist>
<para>If you are like me and don&#39;t have a development environment on
your firewall, you can do the first six steps on another system then
either NFS mount your /usr/local/src directory or tar up the
/usr/local/src/ulogd-<emphasis>version</emphasis> directory and move it
to your firewall system.</para>
<para>Now on the firewall system, edit /usr/local/etc/ulogd.conf and
set:</para>
<orderedlist>
<listitem>
<para>syslogfile &#60;<emphasis>the file that you wish to log to</emphasis>&#62;</para>
<para>syslogfile &lt;<emphasis>the file that you wish to log
to</emphasis>&gt;</para>
</listitem>
<listitem>
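Review bot: dropping the build-from-source walk-through is sensible now that ulogd ships with distributions, but the hunk also removes the only statement about kernel prerequisites (the old "You will need to have the kernel source available" line) without replacing it. The new text should say that the ULOG target has to be supported by the running kernel, or at least tell the reader what the failure looks like when it isn't. The instruction "edit /etc/ulogd.conf ... and set:" also now sits oddly next to the new /etc/ulogd.conf section in the other file on this commit, which shows the Debian default already logging to /var/log/ulog/syslogemu.log; say that the distribution default may be fine as-is and that the reader only needs to confirm the path, so they don't assume a change is mandatory. Minor: "log all Shorewall messages to their own log file" is a welcome fix of the old singular "message".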
@ -235,34 +209,34 @@
<para>Also on the firewall system:</para>
<simplelist>
<member>touch &#60;<emphasis>the file that you wish to log to</emphasis>&#62;</member>
<member>touch &lt;<emphasis>the file that you wish to log
to</emphasis>&gt;</member>
</simplelist>
<para>I also copied the file /usr/local/src/ulogd-<emphasis>version</emphasis>/ulogd.init
to /etc/init.d/ulogd. I had to edit the line that read <quote>daemon
/usr/local/sbin/ulogd</quote> to read <quote>daemon
/usr/local/sbin/ulogd -d</quote>. On a RedHat system, a simple
<quote>chkconfig --level 3 ulogd on</quote> starts ulogd during boot up.
Your init system may need something else done to activate the script.</para>
<para>Your distribution's ulogd package may include a logrotate file in
/etc/logrotate.d. If you change the log file location, be sure to change
that logrotate file accordingly.</para>
<para>You will need to change all instances of log levels (usually
<quote>info</quote>) in your configuration files to <quote>ULOG</quote>
- this includes entries in the policy, rules and shorewall.conf files.
Here&#39;s what I have:</para>
<quote>info</quote>) in your Shorewall configuration files to
<quote>ULOG</quote> - this includes entries in the policy, rules and
shorewall.conf files. Here's what I have:</para>
<programlisting> [root@gateway shorewall]# grep ULOG *
policy:loc fw REJECT ULOG
policy:net all DROP ULOG 10/sec:40
policy:all all REJECT ULOG
rules:REJECT:ULOG loc net tcp 6667
shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG
shorewall.conf:RFC1918_LOG_LEVEL=ULOG
<programlisting> [root@gateway shorewall]# grep LOG * | grep -v ^\#
params:LOG=ULOG
policy:loc fw REJECT $LOG
policy:net all DROP $LOG 10/sec:40
policy:all all REJECT $LOG
rules:REJECT:$LOG loc net tcp 6667
shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG
shorewall.conf:RFC1918_LOG_LEVEL=$LOG
[root@gateway shorewall]#</programlisting>
<para>Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=&#60;<emphasis>file
that you wish to log to</emphasis>&#62;. This tells the /sbin/shorewall
program where to look for the log when processing its <quote>show log</quote>,
<quote>logwatch</quote> and <quote>monitor</quote> commands.</para>
<para>Finally edit /etc/shorewall/shorewall.conf and set
LOGFILE=&lt;<emphasis>file that you wish to log to</emphasis>&gt;. This
tells the /sbin/shorewall program where to look for the log when
processing its <quote>show log</quote>, <quote>logwatch</quote> and
<quote>monitor</quote> commands.</para>
</section>
</section>
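Review bot: the replaced paragraph was the only place the guide told readers how ulogd gets started at boot (the init script copy and the "-d" flag); the new logrotate paragraph doesn't cover that, so a reader on a distribution other than Debian is left with no start-up instruction. Keep one sentence saying to enable the distribution's ulogd service. Separately, the unchanged "touch <file>" step creates the log file with the caller's default umask; since ulogd, not syslog, writes this file, suggest following touch with a chmod 600 (or equivalent) so the firewall log isn't world-readable. The new grep listing is an improvement over the old one: with "params:LOG=ULOG" a single edit flips every $LOG level, whereas the old listing required editing each file by hand.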
@ -270,7 +244,7 @@
<title>Syslog-ng</title>
<para><ulink
url="http://marc.theaimsgroup.com/?l=gentoo-security&#38;amp;m=106040714910563&#38;amp;w=2">Here</ulink>
url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;amp;m=106040714910563&amp;amp;w=2">Here</ulink>
is a post describing configuring syslog-ng to work with Shorewall.</para>
</section>
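Review bot: the rewritten url attribute still contains "&amp;amp;", which the XML parser turns into the literal text "&amp;" inside the attribute value, so the rendered link becomes "...gentoo-security&amp;m=106040714910563&amp;w=2" and the query string is broken. The old "&#38;amp;" had the same problem, since "&#38;" is just another spelling of "&amp;". The attribute should carry one level of escaping only: "&amp;m=" and "&amp;w=".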
@ -278,9 +252,10 @@
<title>Understanding the Contents of Shorewall Log Messages</title>
<para>For general information on the contents of Netfilter log messages,
see <ulink url="http://logi.cc/linux/netfilter-log-format.php3">http://logi.cc/linux/netfilter-log-format.php3</ulink>.</para>
see <ulink
url="http://logi.cc/linux/netfilter-log-format.php3">http://logi.cc/linux/netfilter-log-format.php3</ulink>.</para>
<para>For Shorewall-specific information, see <ulink url="FAQ.htm#faq17">FAQ
#17</ulink>.</para>
<para>For Shorewall-specific information, see <ulink
url="FAQ.htm#faq17">FAQ #17</ulink>.</para>
</section>
</article>

View File

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>2004-11-19</pubdate>
<pubdate>2004-12-27</pubdate>
<copyright>
<year>2001-2004</year>
@ -219,11 +219,11 @@ dmz DMZ Demilitarized zone</programlisting>
<orderedlist>
<listitem>
<para>Identify the source zone.</para>
<para>Identify the source (client) zone.</para>
</listitem>
<listitem>
<para>Identify destination zone.</para>
<para>Identify destination (server) zone.</para>
</listitem>
<listitem>
@ -251,12 +251,12 @@ dmz DMZ Demilitarized zone</programlisting>
first checked against the <filename>/etc/shorewall/rules</filename> file.
If no rule in that file matches the connection request then the first
policy in <filename>/etc/shorewall/policy</filename> that matches the
request is applied. If that policy is REJECT or DROP the request is first
checked against the rules in
<filename>/etc/shorewall/common.def</filename>.</para>
request is applied after the request is passed to the appropriate <ulink
url="User_defined_Actions.html">common action</ulink> (if any). </para>
<para>The default <filename>/etc/shorewall/policy</filename> file has the
following policies:</para>
<para>Prior to Shorewall 2.2.0, the default
<filename>/etc/shorewall/policy</filename> file had the following
policies:</para>
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
# LEVEL
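Review bot: the new sentence "the first policy ... is applied after the request is passed to the appropriate common action (if any)" loses something the old wording carried: the common action can match the request before the policy is ever reached (the old text said the request is "first checked against the rules in common.def"). Suggest "is applied, but only after the request has been passed through the appropriate common action (if any), which may match it first". Also, the link target User_defined_Actions.html uses .html while every other cross-reference on this page uses .htm (Documentation.htm, FAQ.htm); confirm the file name. Minor: stray space before </para> on the common action line.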
@ -264,7 +264,13 @@ loc net ACCEPT
net all DROP info
all all REJECT info</programlisting>
<para>The above policy will:</para>
<important>
<para>Beginning with Shorewall 2.2.0, the released policy file is empty.
You can copy and paste the above entries to create a starting point from
which to customize your policies.</para>
</important>
<para>The above policies will:</para>
<orderedlist>
<listitem>
@ -291,12 +297,6 @@ all all REJECT info</programlisting>
<para>At this point, edit your <filename>/etc/shorewall/policy
</filename>and make any changes that you wish.</para>
<important>
<para>Beginning with Shorewall 2.2.0, the released policy file is empty.
You can copy and paste the above entries to create a starting point from
which to customize your policies.</para>
</important>
</section>
<section id="Interfaces">
@ -329,9 +329,9 @@ all all REJECT info</programlisting>
<graphic align="center" fileref="images/dmz3.png" />
<para>The simplest way to define zones is to simply associate the zone
name (previously defined in /etc/shorewall/zones) with a network
interface. This is done in the <ulink
<para>The simplest way to define zones is to associate the zone name
(previously defined in /etc/shorewall/zones) with a network interface.
This is done in the <ulink
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink> file.
The firewall illustrated above has three network interfaces. Where
Internet connectivity is through a cable or DSL <quote>Modem</quote>, the
@ -431,7 +431,10 @@ loc eth2 detect</programlisting>
<para>You may define more complicated zones using the<filename> <ulink
url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink></filename> file
but in most cases, that isn't necessary.</para>
but in most cases, that isn't necessary. See <ulink
url="Shorewall_and_Aliased_Interfaces.html">Shorewall_and_Aliased_Interfaces.html</ulink>
and <ulink url="Multiple_Zones.html">Multiple_Zones.html</ulink> for
examples.</para>
</section>
<section id="Addressing">
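Review bot: the two new links use the bare file names as link text (Shorewall_and_Aliased_Interfaces.html, Multiple_Zones.html) where the rest of this page uses descriptive text, such as the /etc/shorewall/hosts link just above; use readable titles derived from the file names (e.g. "Shorewall and Aliased Interfaces", "Multiple Zones") as the link text. Both targets end in .html while the neighbouring Documentation.htm link ends in .htm, so verify that both resolve.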
@ -534,8 +537,8 @@ loc eth2 detect</programlisting>
ones.</para>
<para>Since n is a power of two, we can easily calculate the
<emphasis>Natural Logarithm</emphasis> (log2) of n. For the more common
subnet sizes, the size and its natural logarithm are given in the
<emphasis>Base-2 Logarithm</emphasis> (log2) of n. For the more common
subnet sizes, the size and its base-2 logarithm are given in the
following table:</para>
<table>
@ -1112,8 +1115,7 @@ tcpdump: listening on eth2
? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
</programlisting>
? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2</programlisting>
<para>The leading question marks are a result of my having specified the
<quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that
@ -1145,10 +1147,15 @@ tcpdump: listening on eth2
192.168.0.0 - 192.168.255.255</programlisting>
<para>The addresses reserved by RFC 1918 are sometimes referred to as
non-routable because the Internet backbone routers don't forward packets
which have an RFC-1918 destination address. This is understandable given
that anyone can select any of these addresses for their private
use.</para>
<firstterm>non-routable</firstterm> because the Internet backbone
routers don't forward packets which have an RFC-1918 destination
address. This is understandable given that anyone can select any of
these addresses for their private use but the term non-routable is
somewhat unfortunate because it leads people to the erroneous conclusion
that traffic destined for one of these addresses can't be sent through a
router. This is definitely not true; private routers (including your
Shorewall-based firewall) can forward RFC 1918 addresed traffic just
fine.</para>
<para>When selecting addresses from these ranges, there's a couple of
things to keep in mind:</para>
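Review bot: "RFC 1918 addresed traffic" on the last new line should be "addressed". The expanded explanation is worth having, since "non-routable" is misread often, but the sentence now runs to five clauses; break it after "private use" so the correction about private routers stands as its own sentence. In the unchanged context line, "there's a couple of things" should be "there are a couple of things".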
@ -1171,14 +1178,15 @@ tcpdump: listening on eth2
using (or are planning to use) private addresses before you decide the
addresses that you are going to use.</para>
<note>
<warning>
<para><emphasis role="bold">In this document, external
<quote>real</quote> IP addresses are of the form 192.0.2.x.
192.0.2.0/24 is reserved by RFC 3330 for use as public IP addresses in
printed examples. These addresses are not to be confused with
addresses in 192.168.0.0/16; as described above, these addresses are
reserved by RFC 1918 for private use.</emphasis></para>
</note>
printed examples and test networks. These "real" addresses are not to
be confused with addresses in 192.168.0.0/16; as described above,
those addresses are reserved by RFC 1918 for private
use.</emphasis></para>
</warning>
</section>
</section>
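Review bot: raising this from <note> to <warning> is right, but the new text writes "real" with plain double quotes while the unchanged line above it still uses <quote>real</quote>; use the <quote> element for both. On substance, RFC 3330 assigns 192.0.2.0/24 (TEST-NET) for use in documentation and example code; "test networks" goes beyond what the RFC says and readers may take it as licence to route 192.0.2.0/24 on a lab network, so "printed examples and documentation" is the safer wording.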
@ -1406,8 +1414,9 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
role="bold">A</emphasis>.</para>
<para>This example used the firewall's external IP address for DNAT.
You can use another of your public IP addresses but Shorewall will not
add that address to the firewall's external interface for you.</para>
You can use another of your public IP addresses (place it in the
ORIGINAL DEST column in the rule above) but Shorewall will not add
that address to the firewall's external interface for you.</para>
</section>
<section id="ProxyARP">
@ -1436,7 +1445,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
the network defined by <emphasis role="bold">M</emphasis> where
the target machine is outside of the firewall, the firewall will
respond to <emphasis role="bold">H</emphasis> (with the MAC of the
firewall interface).</para>
firewall interface that <emphasis role="bold">H</emphasis> is
connected to).</para>
</listitem>
</itemizedlist>
@ -1676,12 +1686,13 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
<para>With the default policies, your local systems (Local 1-3) can
access any servers on the internet and the DMZ can't access any other
host (including the firewall). With the exception of DNAT rules which
cause address translation and allow the translated connection request to
pass through the firewall, the way to allow connection requests through
your firewall is to use ACCEPT rules.</para>
<para>With the default policies described earlier in this document, your
local systems (Local 1-3) can access any server on the internet and the
DMZ can't access any other host (including the firewall). With the
exception of DNAT rules which cause address translation and allow the
translated connection request to pass through the firewall, the way to
allow connection requests through your firewall is to use ACCEPT
rules.</para>
<note>
<para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in

View File

@ -62,7 +62,7 @@
</section>
<section>
<title>Version &gt;= 2.2.0 Beta 1</title>
<title>Version &gt;= 2.2.0</title>
<para></para>
@ -164,6 +164,22 @@ DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69</p
<para>The 'logunclean' and 'dropunclean' options that were deprecated
in Shorewall 2.0 have now been removed completely.</para>
</listitem>
<listitem>
<para>The default port for 'openvpn' tunnels (/etc/shorewall/tunnels)
has been changed to 1194 to match a similar change in the OpenVPN
product. The IANA has registered port 1194 for use by OpenVPN.</para>
</listitem>
<listitem>
<para> A new IPTABLES variable has been added to shorewall.conf. This
variable names the iptables executable that Shorewall will use. The
variable is set to "/sbin/iptables". If you use the new
shorewall.conf, you may need to change this setting to maintain
compabibility with your current setup (if you use your existing
shorewall.conf that does not set IPTABLES then you should experience
no change in behavior).</para>
</listitem>
</orderedlist>
</section>
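Review bot: "compabibility" in the IPTABLES item should be "compatibility". The openvpn item says the default port "has been changed to 1194" but never states what the previous default was, which is the one thing an upgrader needs in order to know whether existing /etc/shorewall/tunnels entries are affected; name the old port and say that tunnels entries which relied on the old default must now give the port explicitly. In the IPTABLES item, "The variable is set to "/sbin/iptables"" should read "defaults to "/sbin/iptables" in the released shorewall.conf", and since this setting names the binary Shorewall executes as root, add that it should be an absolute path to a file only root can write.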