diff --git a/Shorewall-docs2/myfiles.xml b/Shorewall-docs2/myfiles.xml
index ae73b8c84..0823a7d01 100644
--- a/Shorewall-docs2/myfiles.xml
+++ b/Shorewall-docs2/myfiles.xml
@@ -166,7 +166,7 @@
Shorewall.conf
- LOGFILE=/var/log/messages
+ LOGFILE=/var/log/ulog/syslogemu.log
LOGFORMAT="Shorewall:%s:%s "
LOGRATE=
LOGBURST=
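Review bot: LOGFILE now points at the ulogd output file, so it must stay in sync with the `syslogfile` setting in /etc/ulogd.conf (shown further down in this file as `syslogfile /var/log/ulog/syslogemu.log`); if either path changes independently, `shorewall show log`, `logwatch` and `monitor` will read a stale or missing file. Consider a short comment next to LOGFILE pointing at ulogd.conf so the coupling is visible.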
@@ -216,7 +216,7 @@ TCP_FLAGS_DISPOSITION=DROP
MIRRORS=<list of shorewall mirror ip addresses>
NTPSERVERS=<list of the NTP servers I sync with>
TEXAS=<ip address of gateway in Plano>
-LOG=info
+LOG=ULOGD
EXT_IF=eth1
INT_IF=eth2
DMZ_IF=eth0
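Review bot: the new value `LOG=ULOGD` does not match the log level the logging document requires ("specify a log level of ULOG (must be all caps)") nor the `params:LOG=ULOG` example in shorewall_logging.xml; as written, `$LOG` would expand to an unknown level. Suggest `+LOG=ULOG`.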
@@ -665,6 +665,20 @@ iface eth2 inet static
+
+
+ /etc/ulogd.conf
+
+ This is the default /etc/ulogd.conf from the Debian package. Only
+ the relevant entries are shown.
+
+
+ # where to write to
+syslogfile /var/log/ulog/syslogemu.log
+# do we want to fflush() the file after each write?
+syslogsync 1
+
+
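Review bot: the added ulogd.conf excerpt has inconsistent indentation (`+ # where to write to` is indented, `+syslogfile` and `+syslogsync` are not), which will render unevenly. It is also worth a sentence that `syslogsync 1` makes ulogd fflush() after every message, so `shorewall show log` always sees fresh entries at the cost of extra disk I/O on a busy firewall.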
@@ -839,7 +853,7 @@ remote 192.168.3.8
verify_identifier on ;
lifetime time 24 hour ;
proposal {
- encryption_algorithm 3des;
+ encryption_algorithm blowfish ;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
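Review bot: the phase 1 change from `3des` to `blowfish` fixes only the cipher, while `hash_algorithm sha1` and `dh_group 2` are kept; since the peer's phase 2 proposal elsewhere in this file already knew `rijndael`, consider `encryption_algorithm rijndael ;` here instead, as rijndael/AES has a 128-bit block and is the more widely recommended choice for IPsec than blowfish. Whichever cipher is chosen, note the trailing-space style (`blowfish ;`) differs from the surrounding `3des;` line.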
@@ -850,7 +864,7 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
{
pfs_group 2;
lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish, des, rijndael ;
+ encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
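Review bot: narrowing the phase 2 list from `3des, blowfish, des, rijndael` to `blowfish` alone correctly drops single DES, but it also removes `rijndael`, the strongest option that was offered; listing `rijndael, blowfish` would keep a preferred AES proposal while remaining compatible. The `authentication_algorithm hmac_sha1, hmac_md5 ;` line is unchanged; if the intent of this edit is to prune weak algorithms, `hmac_md5` should go in the same pass.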
@@ -986,7 +1000,7 @@ remote 192.168.3.254
verify_identifier on ;
lifetime time 24 hour ;
proposal {
- encryption_algorithm 3des;
+ encryption_algorithm blowfish ;
hash_algorithm sha1;
authentication_method rsasig ;
dh_group 2 ;
@@ -997,7 +1011,7 @@ sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
{
pfs_group 2;
lifetime time 12 hour ;
- encryption_algorithm 3des, blowfish, des, rijndael ;
+ encryption_algorithm blowfish ;
authentication_algorithm hmac_sha1, hmac_md5 ;
compression_algorithm deflate ;
}
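Review bot: this sainfo block mirrors the one for `0.0.0.0/0 any address 192.168.3.8/32 any` above, so both ends of the tunnel now propose only `blowfish` and phase 2 will still negotiate; if either side is later changed to prefer `rijndael`, the other block in this file needs the identical edit or the SA setup will fail with a proposal mismatch. A comment tying the two blocks together would help.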
diff --git a/Shorewall-docs2/shorewall_logging.xml b/Shorewall-docs2/shorewall_logging.xml
index 2aa2de5b5..b9f252527 100644
--- a/Shorewall-docs2/shorewall_logging.xml
+++ b/Shorewall-docs2/shorewall_logging.xml
@@ -15,7 +15,7 @@
- 2004-07-15
+ 2004-12-27
2001 - 2004
@@ -29,7 +29,8 @@
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
- GNU Free Documentation License
.
+ GNU Free Documentation
+ License
.
@@ -56,9 +57,11 @@
The packet is rejected because of an option in /etc/shorewall/shorewall.conf or
- /etc/shorewall/interfaces.
+ /etc/shorewall/interfaces.
These packets can be logged by setting the appropriate logging-related
- option in /etc/shorewall/shorewall.conf.
+ option in /etc/shorewall/shorewall.conf.
@@ -66,25 +69,29 @@
url="Documentation.htm#Rules">/etc/shorewall/rules. By
including a syslog level (see below) in the ACTION column of a rule
(e.g., ACCEPT:info net fw tcp
- 22
), the connection attempt will be logged at that level.
+ 22), the connection attempt will be logged at that
+ level.
- The packet doesn't match a rule so it is handled by a policy
- defined in /etc/shorewall/policy.
- These may be logged by specifying a syslog level in the LOG LEVEL
- column of the policy's entry (e.g., loc net ACCEPT
- info
).
+ The packet doesn't match a rule so it is handled by a policy
+ defined in /etc/shorewall/policy. These
+ may be logged by specifying a syslog level in the LOG LEVEL column of
+ the policy's entry (e.g., loc net ACCEPT info
).
- Where the Traffic is Logged and How to Change the Destination
+ Where the Traffic is Logged and How to Change the
+ Destination
By default, Shorewall directs NetFilter to log using syslog (8).
Syslog classifies log messages by a facility and a
- priority (using the notation facility.priority).
+ priority (using the notation
+ facility.priority).
The facilities defined by syslog are auth, authpriv, cron,
daemon, kern, lpr, mail, mark, news, syslog, user, uucp and
@@ -108,7 +115,8 @@
7 - debug (Debug-level
messages)
- 6 - info (Informational)
+ 6 - info
+ (Informational)
5 - notice (Normal but
significant Condition)
@@ -116,7 +124,8 @@
4 - warning (Warning
Condition)
- 3 - err (Error Condition)
+ 3 - err (Error
+ Condition)
2 - crit (Critical
Conditions)
@@ -139,6 +148,10 @@
pairs to log files is done in /etc/syslog.conf (5). If you make changes
to this file, you must restart syslogd before the changes can take
effect.
+
+ Syslog may also write to your system console. See Shorewall FAQ 16 for ways to avoid having
+ Shorewall messages written to the console.
@@ -148,9 +161,9 @@
- If you give, for example, kern.info it's own log
- destination then that destination will also receive all kernel
- messages of levels 5 (notice) through 0 (emerg).
+ If you give, for example, kern.info it's own log destination
+ then that destination will also receive all kernel messages of
+ levels 5 (notice) through 0 (emerg).
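Review bot: the reflowed sentence still carries the typo "it's own" (possessive), which should read "its own log destination" on the first `+` line of this hunk.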
@@ -164,67 +177,28 @@
specify a log level of ULOG (must be all caps). When ULOG is used,
Shorewall will direct netfilter to log the related messages via the ULOG
target which will send them to a process called ulogd
.
- The ulogd program is available from http://www.gnumonks.org/projects/ulogd
- and can be configured to log all Shorewall message to their own log
+ The ulogd program is included in most distributions and is also
+ available from http://www.gnumonks.org/projects/ulogd.
+ Ulogd can be configured to log all Shorewall messages to their own log
file.
- The ULOG logging mechanism is completely
- separate from syslog. Once you switch to ULOG, the settings
- in /etc/syslog.conf have absolutely no effect on your Shorewall
- logging (except for Shorewall status messages which still go to
- syslog).
+ The ULOG logging mechanism is completely separate from syslog. Once you
+ switch to ULOG, the settings in /etc/syslog.conf have absolutely no
+ effect on your Shorewall logging (except for Shorewall status messages
+ which still go to syslog).
- You will need to have the kernel source available to compile
- ulogd.
-
- Download the ulog tar file and:
+ Once you have installed ulogd, edit /etc/ulogd.conf
+ (/usr/local/etc/ulogd.conf if you built ulogd
+ yourself) and set:
- Be sure that /usr/src/linux is linked to your kernel source
- tree
-
-
-
- cd /usr/local/src (or whereever you do your builds)
-
-
-
- tar -zxf source-tarball-that-you-downloaded
-
-
-
- cd ulod-version
-
-
-
- ./configure
-
-
-
- make
-
-
-
- make install
-
-
-
- If you are like me and don't have a development environment on
- your firewall, you can do the first six steps on another system then
- either NFS mount your /usr/local/src directory or tar up the
- /usr/local/src/ulogd-version directory and move it
- to your firewall system.
-
- Now on the firewall system, edit /usr/local/etc/ulogd.conf and
- set:
-
-
-
- syslogfile <the file that you wish to log to>
+ syslogfile <the file that you wish to log
+ to>
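Review bot: with the build-and-install steps removed, this hunk no longer tells the reader that ulogd must be running (and started at boot) before log levels are switched to ULOG; a one-line reminder after "Once you have installed ulogd" would prevent firewall log messages being silently discarded by the ULOG target. Also, "Ulogd can be configured" capitalises the program name while the rest of the section uses `ulogd`; keep it lowercase.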
@@ -235,34 +209,34 @@
Also on the firewall system:
- touch <the file that you wish to log to>
+ touch <the file that you wish to log
+ to>
- I also copied the file /usr/local/src/ulogd-version/ulogd.init
- to /etc/init.d/ulogd. I had to edit the line that read daemon
- /usr/local/sbin/ulogd
to read daemon
- /usr/local/sbin/ulogd -d
. On a RedHat system, a simple
- chkconfig --level 3 ulogd on
starts ulogd during boot up.
- Your init system may need something else done to activate the script.
+ Your distribution's ulogd package may include a logrotate file in
+ /etc/logrotate.d. If you change the log file location, be sure to change
+ that logrotate file accordingly.
You will need to change all instances of log levels (usually
- info
) in your configuration files to ULOG
- - this includes entries in the policy, rules and shorewall.conf files.
- Here's what I have:
+ info
) in your Shorewall configuration files to
+ ULOG
- this includes entries in the policy, rules and
+ shorewall.conf files. Here's what I have:
- [root@gateway shorewall]# grep ULOG *
- policy:loc fw REJECT ULOG
- policy:net all DROP ULOG 10/sec:40
- policy:all all REJECT ULOG
- rules:REJECT:ULOG loc net tcp 6667
- shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG
- shorewall.conf:RFC1918_LOG_LEVEL=ULOG
+ [root@gateway shorewall]# grep LOG * | grep -v ^\#
+ params:LOG=ULOG
+ policy:loc fw REJECT $LOG
+ policy:net all DROP $LOG 10/sec:40
+ policy:all all REJECT $LOG
+ rules:REJECT:$LOG loc net tcp 6667
+ shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG
+ shorewall.conf:RFC1918_LOG_LEVEL=$LOG
[root@gateway shorewall]#
- Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<file
- that you wish to log to>. This tells the /sbin/shorewall
- program where to look for the log when processing its show log
,
- logwatch
and monitor
commands.
+ Finally edit /etc/shorewall/shorewall.conf and set
+ LOGFILE=<file that you wish to log to>. This
+ tells the /sbin/shorewall program where to look for the log when
+ processing its show log
, logwatch
and
+ monitor
commands.
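Review bot: the `grep LOG * | grep -v ^\#` example would normally also print LOGFILE=, LOGFORMAT= and similar lines from shorewall.conf, yet the shown output lists only the `$LOG` entries; either narrow the pattern (for example `grep -w LOG *`) or say the output is trimmed. Separately, this hunk removes the init-script/`chkconfig` guidance and replaces it with the logrotate note, leaving no mention at all of enabling ulogd at boot; consider keeping one sentence to that effect alongside the logrotate advice.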
@@ -270,7 +244,7 @@
Syslog-ng
Here
+ url="http://marc.theaimsgroup.com/?l=gentoo-security&m=106040714910563&w=2">Here
is a post describing configuring syslog-ng to work with Shorewall.
@@ -278,9 +252,10 @@
Understanding the Contents of Shorewall Log Messages
For general information on the contents of Netfilter log messages,
- see http://logi.cc/linux/netfilter-log-format.php3.
+ see http://logi.cc/linux/netfilter-log-format.php3.
- For Shorewall-specific information, see FAQ
- #17.
+ For Shorewall-specific information, see FAQ #17.
\ No newline at end of file
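Review bot: the file still ends without a trailing newline (`\ No newline at end of file`); adding one keeps future diffs of the last paragraph clean.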
diff --git a/Shorewall-docs2/shorewall_setup_guide.xml b/Shorewall-docs2/shorewall_setup_guide.xml
index 65f1070a2..d5bec3aff 100644
--- a/Shorewall-docs2/shorewall_setup_guide.xml
+++ b/Shorewall-docs2/shorewall_setup_guide.xml
@@ -15,7 +15,7 @@
- 2004-11-19
+ 2004-12-27
2001-2004
@@ -219,11 +219,11 @@ dmz DMZ Demilitarized zone
- Identify the source zone.
+ Identify the source (client) zone.
- Identify destination zone.
+ Identify destination (server) zone.
@@ -251,12 +251,12 @@ dmz DMZ Demilitarized zone
first checked against the /etc/shorewall/rules file.
If no rule in that file matches the connection request then the first
policy in /etc/shorewall/policy that matches the
- request is applied. If that policy is REJECT or DROP the request is first
- checked against the rules in
- /etc/shorewall/common.def.
+ request is applied after the request is passed to the appropriate common action (if any).
- The default /etc/shorewall/policy file has the
- following policies:
+ Prior to Shorewall 2.2.0, the default
+ /etc/shorewall/policy file had the following
+ policies:
#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
# LEVEL
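Review bot: the rewritten sentence "applied after the request is passed to the appropriate common action (if any)" drops the only concrete pointer the old text had (`/etc/shorewall/common.def`) without saying what a common action is or where it is configured; add a link or a short definition of common actions here, otherwise a reader of the setup guide meets the term with no context.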
@@ -264,7 +264,13 @@ loc net ACCEPT
net all DROP info
all all REJECT info
- The above policy will:
+
+ Beginning with Shorewall 2.2.0, the released policy file is empty.
+ You can copy and paste the above entries to create a starting point from
+ which to customize your policies.
+
+
+ The above policies will:
@@ -291,12 +297,6 @@ all all REJECT info
At this point, edit your /etc/shorewall/policy
and make any changes that you wish.
-
-
- Beginning with Shorewall 2.2.0, the released policy file is empty.
- You can copy and paste the above entries to create a starting point from
- which to customize your policies.
-
@@ -329,9 +329,9 @@ all all REJECT info
- The simplest way to define zones is to simply associate the zone
- name (previously defined in /etc/shorewall/zones) with a network
- interface. This is done in the The simplest way to define zones is to associate the zone name
+ (previously defined in /etc/shorewall/zones) with a network interface.
+ This is done in the /etc/shorewall/interfaces file.
The firewall illustrated above has three network interfaces. Where
Internet connectivity is through a cable or DSL Modem
, the
@@ -431,7 +431,10 @@ loc eth2 detect
You may define more complicated zones using the /etc/shorewall/hosts file
- but in most cases, that isn't necessary.
+ but in most cases, that isn't necessary. See Shorewall_and_Aliased_Interfaces.html
+ and Multiple_Zones.html for
+ examples.
@@ -534,8 +537,8 @@ loc eth2 detect
ones.
Since n is a power of two, we can easily calculate the
- Natural Logarithm (log2) of n. For the more common
- subnet sizes, the size and its natural logarithm are given in the
+ Base-2 Logarithm (log2) of n. For the more common
+ subnet sizes, the size and its base-2 logarithm are given in the
following table:
@@ -1112,8 +1115,7 @@ tcpdump: listening on eth2
? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
-? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
-
+? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
The leading question marks are a result of my having specified the
n
option (Windows arp
doesn't allow that
@@ -1145,10 +1147,15 @@ tcpdump: listening on eth2
192.168.0.0 - 192.168.255.255
The addresses reserved by RFC 1918 are sometimes referred to as
- non-routable because the Internet backbone routers don't forward packets
- which have an RFC-1918 destination address. This is understandable given
- that anyone can select any of these addresses for their private
- use.
+ non-routable because the Internet backbone
+ routers don't forward packets which have an RFC-1918 destination
+ address. This is understandable given that anyone can select any of
+ these addresses for their private use but the term non-routable is
+ somewhat unfortunate because it leads people to the erroneous conclusion
+ that traffic destined for one of these addresses can't be sent through a
+ router. This is definitely not true; private routers (including your
+ Shorewall-based firewall) can forward RFC 1918 addresed traffic just
+ fine.
When selecting addresses from these ranges, there's a couple of
things to keep in mind:
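Review bot: typo on the penultimate `+` line of this hunk: "RFC 1918 addresed traffic" should be "addressed". The new clarification that private routers forward RFC 1918 traffic is a useful correction of the "non-routable" folklore; it might be worth one more clause that this is exactly why the RFC1918_LOG_LEVEL/RFC 1918 filtering elsewhere in the docs exists, since such packets can and do arrive from the outside.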
@@ -1171,14 +1178,15 @@ tcpdump: listening on eth2
using (or are planning to use) private addresses before you decide the
addresses that you are going to use.
-
+
In this document, external
real
IP addresses are of the form 192.0.2.x.
192.0.2.0/24 is reserved by RFC 3330 for use as public IP addresses in
- printed examples. These addresses are not to be confused with
- addresses in 192.168.0.0/16; as described above, these addresses are
- reserved by RFC 1918 for private use.
-
+ printed examples and test networks. These "real" addresses are not to
+ be confused with addresses in 192.168.0.0/16; as described above,
+ those addresses are reserved by RFC 1918 for private
+ use.
+
@@ -1406,8 +1414,9 @@ DNAT net loc:192.168.201.4 tcp www
role="bold">A.
This example used the firewall's external IP address for DNAT.
- You can use another of your public IP addresses but Shorewall will not
- add that address to the firewall's external interface for you.
+ You can use another of your public IP addresses (place it in the
+ ORIGINAL DEST column in the rule above) but Shorewall will not add
+ that address to the firewall's external interface for you.
@@ -1436,7 +1445,8 @@ DNAT net loc:192.168.201.4 tcp www
the network defined by M where
the target machine is outside of the firewall, the firewall will
respond to H (with the MAC of the
- firewall interface).
+ firewall interface that H is
+ connected to).
@@ -1676,12 +1686,13 @@ ACCEPT net loc:192.168.201.4 tcp www
- With the default policies, your local systems (Local 1-3) can
- access any servers on the internet and the DMZ can't access any other
- host (including the firewall). With the exception of DNAT rules which
- cause address translation and allow the translated connection request to
- pass through the firewall, the way to allow connection requests through
- your firewall is to use ACCEPT rules.
+ With the default policies described earlier in this document, your
+ local systems (Local 1-3) can access any server on the internet and the
+ DMZ can't access any other host (including the firewall). With the
+ exception of DNAT rules which cause address translation and allow the
+ translated connection request to pass through the firewall, the way to
+ allow connection requests through your firewall is to use ACCEPT
+ rules.
Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in
diff --git a/Shorewall-docs2/upgrade_issues.xml b/Shorewall-docs2/upgrade_issues.xml
index ee3d15a67..da4876a61 100644
--- a/Shorewall-docs2/upgrade_issues.xml
+++ b/Shorewall-docs2/upgrade_issues.xml
@@ -62,7 +62,7 @@
- Version >= 2.2.0 Beta 1
+ Version >= 2.2.0
@@ -164,6 +164,22 @@ DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69The 'logunclean' and 'dropunclean' options that were deprecated
in Shorewall 2.0 have now been removed completely.
+
+
+ The default port for 'openvpn' tunnels (/etc/shorewall/tunnels)
+ has been changed to 1194 to match a similar change in the OpenVPN
+ product. The IANA has registered port 1194 for use by OpenVPN.
+
+
+
+ A new IPTABLES variable has been added to shorewall.conf. This
+ variable names the iptables executable that Shorewall will use. The
+ variable is set to "/sbin/iptables". If you use the new
+ shorewall.conf, you may need to change this setting to maintain
+ compabibility with your current setup (if you use your existing
+ shorewall.conf that does not set IPTABLES then you should experience
+ no change in behavior).
+
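Review bot: typo in the IPTABLES paragraph: "compabibility" should be "compatibility". The paragraph should also state explicitly what Shorewall does when IPTABLES is unset (the parenthetical only says "no change in behavior"), so administrators know which executable is used in that case; since the variable names a binary that runs as root, it is worth a sentence that it should always be an absolute path, as the quoted default "/sbin/iptables" is.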