More 2.0 Documentation Updates
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@1864 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
parent 3f3cb340c9
commit eaf1a17cfe
@ -166,7 +166,7 @@
|
||||
<title>Shorewall.conf</title>
|
||||
|
||||
<blockquote>
|
||||
<programlisting>LOGFILE=/var/log/messages
|
||||
<programlisting>LOGFILE=/var/log/ulog/syslogemu.log
|
||||
LOGFORMAT="Shorewall:%s:%s "
|
||||
LOGRATE=
|
||||
LOGBURST=
|
||||
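Review bot: LOGFILE now points at /var/log/ulog/syslogemu.log, which matches the syslogfile setting in the new /etc/ulogd.conf section, but nothing here says that the file only receives Shorewall messages once the log levels in policy, rules and shorewall.conf are set to ULOG; until then the /sbin/shorewall show log, logwatch and monitor commands read an empty file. One sentence tying LOGFILE to the ULOG level would avoid that surprise.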
@ -216,7 +216,7 @@ TCP_FLAGS_DISPOSITION=DROP</programlisting>
|
||||
<para><programlisting>MIRRORS=<list of shorewall mirror ip addresses>
|
||||
NTPSERVERS=<list of the NTP servers I sync with>
|
||||
TEXAS=<ip address of gateway in Plano>
|
||||
LOG=info
|
||||
LOG=ULOGD
|
||||
EXT_IF=eth1
|
||||
INT_IF=eth2
|
||||
DMZ_IF=eth0</programlisting></para>
|
||||
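Review bot: `LOG=ULOGD` on the added params line looks like a typo for `LOG=ULOG`. The logging document changed in this same commit says the level must be spelled ULOG (all caps), and its grep example shows `params:LOG=ULOG`; with ULOGD every `$LOG` reference in policy, rules and shorewall.conf would expand to an unrecognised log level.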
@ -665,6 +665,20 @@ iface eth2 inet static
|
||||
</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>/etc/ulogd.conf</title>
|
||||
|
||||
<para>This is the default /etc/ulogd.conf from the Debian package. Only
|
||||
the relevant entries are shown.</para>
|
||||
|
||||
<blockquote>
|
||||
<programlisting># where to write to
|
||||
syslogfile /var/log/ulog/syslogemu.log
|
||||
# do we want to fflush() the file after each write?
|
||||
syslogsync 1</programlisting>
|
||||
</blockquote>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
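Review bot: The new /etc/ulogd.conf section shows `syslogsync 1` without saying what it costs; the listing's own comment says it fflush()es the file after every write, which is noticeable on a gateway whose `net all DROP` policy logs at 10/sec:40. Suggest one sentence: 1 is the right choice when you read the log live or with logwatch, 0 trades that for fewer writes. The section should also say that syslogfile must name the same path as LOGFILE in shorewall.conf.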
@ -839,7 +853,7 @@ remote 192.168.3.8
|
||||
verify_identifier on ;
|
||||
lifetime time 24 hour ;
|
||||
proposal {
|
||||
encryption_algorithm 3des;
|
||||
encryption_algorithm blowfish ;
|
||||
hash_algorithm sha1;
|
||||
authentication_method rsasig ;
|
||||
dh_group 2 ;
|
||||
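Review bot: The phase 1 proposal for the 192.168.3.8 peer changes encryption_algorithm from 3des to blowfish while hash_algorithm sha1, authentication_method rsasig and dh_group 2 stay as they were; the matching edit for the other gateway (remote 192.168.3.254) is in the later racoon hunk, so the two sides agree. The surrounding text should state that only the cipher changed and that both racoon.conf files have to be edited together, since a proposal that the peer does not offer cannot complete phase 1.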
@ -850,7 +864,7 @@ sainfo address 0.0.0.0/0 any address 192.168.3.8/32 any
|
||||
{
|
||||
pfs_group 2;
|
||||
lifetime time 12 hour ;
|
||||
encryption_algorithm 3des, blowfish, des, rijndael ;
|
||||
encryption_algorithm blowfish ;
|
||||
authentication_algorithm hmac_sha1, hmac_md5 ;
|
||||
compression_algorithm deflate ;
|
||||
}</programlisting>
|
||||
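Review bot: Narrowing the sainfo encryption_algorithm list from `3des, blowfish, des, rijndael` to `blowfish` drops single DES, which is welcome, but it also removes every fallback; `authentication_algorithm hmac_sha1, hmac_md5` still offers hmac_md5 after hmac_sha1, so consider trimming that list in the same spirit, and say in the text why the list was shortened rather than leaving the reader to diff the examples.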
@ -986,7 +1000,7 @@ remote 192.168.3.254
|
||||
verify_identifier on ;
|
||||
lifetime time 24 hour ;
|
||||
proposal {
|
||||
encryption_algorithm 3des;
|
||||
encryption_algorithm blowfish ;
|
||||
hash_algorithm sha1;
|
||||
authentication_method rsasig ;
|
||||
dh_group 2 ;
|
||||
@ -997,7 +1011,7 @@ sainfo address 192.168.3.8/32 any address 0.0.0.0/0 any
|
||||
{
|
||||
pfs_group 2;
|
||||
lifetime time 12 hour ;
|
||||
encryption_algorithm 3des, blowfish, des, rijndael ;
|
||||
encryption_algorithm blowfish ;
|
||||
authentication_algorithm hmac_sha1, hmac_md5 ;
|
||||
compression_algorithm deflate ;
|
||||
}</programlisting>
|
||||
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-07-15</pubdate>
|
||||
<pubdate>2004-12-27</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001 - 2004</year>
|
||||
@ -29,7 +29,8 @@
|
||||
1.2 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover
|
||||
Texts. A copy of the license is included in the section entitled
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation License</ulink></quote>.</para>
|
||||
<quote><ulink url="GnuCopyright.htm">GNU Free Documentation
|
||||
License</ulink></quote>.</para>
|
||||
</legalnotice>
|
||||
</articleinfo>
|
||||
|
||||
@ -56,9 +57,11 @@
|
||||
<listitem>
|
||||
<para>The packet is rejected because of an option in <ulink
|
||||
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink> or
|
||||
<ulink url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
|
||||
<ulink
|
||||
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink>.
|
||||
These packets can be logged by setting the appropriate logging-related
|
||||
option in <ulink url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
||||
option in <ulink
|
||||
url="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</ulink>.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -66,25 +69,29 @@
|
||||
url="Documentation.htm#Rules">/etc/shorewall/rules</ulink>. By
|
||||
including a syslog level (see below) in the ACTION column of a rule
|
||||
(e.g., <quote>ACCEPT<emphasis role="bold">:info</emphasis> net fw tcp
|
||||
22</quote>), the connection attempt will be logged at that level.</para>
|
||||
22</quote>), the connection attempt will be logged at that
|
||||
level.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The packet doesn't match a rule so it is handled by a policy
|
||||
defined in <ulink url="Documentation.htm#Policy">/etc/shorewall/policy</ulink>.
|
||||
These may be logged by specifying a syslog level in the LOG LEVEL
|
||||
column of the policy's entry (e.g., <quote>loc net ACCEPT
|
||||
<emphasis role="bold">info</emphasis></quote>).</para>
|
||||
<para>The packet doesn't match a rule so it is handled by a policy
|
||||
defined in <ulink
|
||||
url="Documentation.htm#Policy">/etc/shorewall/policy</ulink>. These
|
||||
may be logged by specifying a syslog level in the LOG LEVEL column of
|
||||
the policy's entry (e.g., <quote>loc net ACCEPT <emphasis
|
||||
role="bold">info</emphasis></quote>).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Where the Traffic is Logged and How to Change the Destination</title>
|
||||
<title>Where the Traffic is Logged and How to Change the
|
||||
Destination</title>
|
||||
|
||||
<para>By default, Shorewall directs NetFilter to log using syslog (8).
|
||||
Syslog classifies log messages by a <emphasis>facility</emphasis> and a
|
||||
<emphasis>priority</emphasis> (using the notation <emphasis>facility.priority</emphasis>).</para>
|
||||
<emphasis>priority</emphasis> (using the notation
|
||||
<emphasis>facility.priority</emphasis>).</para>
|
||||
|
||||
<para>The facilities defined by syslog are <emphasis>auth, authpriv, cron,
|
||||
daemon, kern, lpr, mail, mark, news, syslog, user, uucp</emphasis> and
|
||||
@ -108,7 +115,8 @@
|
||||
<member>7 - <emphasis role="bold">debug</emphasis> (Debug-level
|
||||
messages)</member>
|
||||
|
||||
<member>6 - <emphasis role="bold">info</emphasis> (Informational)</member>
|
||||
<member>6 - <emphasis role="bold">info</emphasis>
|
||||
(Informational)</member>
|
||||
|
||||
<member>5 - <emphasis role="bold">notice</emphasis> (Normal but
|
||||
significant Condition)</member>
|
||||
@ -116,7 +124,8 @@
|
||||
<member>4 - <emphasis role="bold">warning</emphasis> (Warning
|
||||
Condition)</member>
|
||||
|
||||
<member>3 - <emphasis role="bold">err</emphasis> (Error Condition)</member>
|
||||
<member>3 - <emphasis role="bold">err</emphasis> (Error
|
||||
Condition)</member>
|
||||
|
||||
<member>2 - <emphasis role="bold">crit</emphasis> (Critical
|
||||
Conditions)</member>
|
||||
@ -139,6 +148,10 @@
|
||||
pairs to log files is done in /etc/syslog.conf (5). If you make changes
|
||||
to this file, you must restart syslogd before the changes can take
|
||||
effect.</para>
|
||||
|
||||
<para>Syslog may also write to your system console. See <ulink
|
||||
url="FAQ.htm#faq16">Shorewall FAQ 16</ulink> for ways to avoid having
|
||||
Shorewall messages written to the console.</para>
|
||||
</section>
|
||||
|
||||
<section>
|
||||
@ -148,9 +161,9 @@
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>If you give, for example, kern.info it's own log
|
||||
destination then that destination will also receive all kernel
|
||||
messages of levels 5 (notice) through 0 (emerg).</para>
|
||||
<para>If you give, for example, kern.info it's own log destination
|
||||
then that destination will also receive all kernel messages of
|
||||
levels 5 (notice) through 0 (emerg).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
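Review bot: The reflowed sentence keeps the error from the old line: `kern.info it's own log destination` should read `its own`.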
@ -164,67 +177,28 @@
|
||||
specify a log level of ULOG (must be all caps). When ULOG is used,
|
||||
Shorewall will direct netfilter to log the related messages via the ULOG
|
||||
target which will send them to a process called <quote>ulogd</quote>.
|
||||
The ulogd program is available from <ulink
|
||||
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>
|
||||
and can be configured to log all Shorewall message to their own log
|
||||
The ulogd program is included in most distributions and is also
|
||||
available from <ulink
|
||||
url="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</ulink>.
|
||||
Ulogd can be configured to log all Shorewall messages to their own log
|
||||
file.</para>
|
||||
|
||||
<note>
|
||||
<para>The ULOG logging mechanism is <emphasis role="underline">completely
|
||||
separate</emphasis> from syslog. Once you switch to ULOG, the settings
|
||||
in /etc/syslog.conf have absolutely no effect on your Shorewall
|
||||
logging (except for Shorewall status messages which still go to
|
||||
syslog).</para>
|
||||
<para>The ULOG logging mechanism is <emphasis
|
||||
role="underline">completely separate</emphasis> from syslog. Once you
|
||||
switch to ULOG, the settings in /etc/syslog.conf have absolutely no
|
||||
effect on your Shorewall logging (except for Shorewall status messages
|
||||
which still go to syslog).</para>
|
||||
</note>
|
||||
|
||||
<para>You will need to have the kernel source available to compile
|
||||
ulogd.</para>
|
||||
|
||||
<para>Download the ulog tar file and:</para>
|
||||
<para>Once you have installed ulogd, edit /etc/ulogd.conf
|
||||
(<filename>/usr/local/etc/ulogd.conf</filename> if you built ulogd
|
||||
yourself) and set:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Be sure that /usr/src/linux is linked to your kernel source
|
||||
tree</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd /usr/local/src (or whereever you do your builds)</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>tar -zxf <emphasis>source-tarball-that-you-downloaded</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>cd ulod-<emphasis>version</emphasis></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>./configure</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>make</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>make install</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>If you are like me and don't have a development environment on
|
||||
your firewall, you can do the first six steps on another system then
|
||||
either NFS mount your /usr/local/src directory or tar up the
|
||||
/usr/local/src/ulogd-<emphasis>version</emphasis> directory and move it
|
||||
to your firewall system.</para>
|
||||
|
||||
<para>Now on the firewall system, edit /usr/local/etc/ulogd.conf and
|
||||
set:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>syslogfile <<emphasis>the file that you wish to log to</emphasis>></para>
|
||||
<para>syslogfile <<emphasis>the file that you wish to log
|
||||
to</emphasis>></para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
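Review bot: The replacement paragraph tells the reader to edit /usr/local/etc/ulogd.conf `if you built ulogd yourself`, but this hunk removes every build step (the kernel-source note, configure, make, make install) and the advice about moving the ulogd-version tree to the firewall, so the parenthetical now points at instructions that no longer exist; either drop it or keep a one-line pointer to the upstream build instructions. The deleted `cd ulod-version` step (a typo for ulogd) going away is fine.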
@ -235,34 +209,34 @@
|
||||
<para>Also on the firewall system:</para>
|
||||
|
||||
<simplelist>
|
||||
<member>touch <<emphasis>the file that you wish to log to</emphasis>></member>
|
||||
<member>touch <<emphasis>the file that you wish to log
|
||||
to</emphasis>></member>
|
||||
</simplelist>
|
||||
|
||||
<para>I also copied the file /usr/local/src/ulogd-<emphasis>version</emphasis>/ulogd.init
|
||||
to /etc/init.d/ulogd. I had to edit the line that read <quote>daemon
|
||||
/usr/local/sbin/ulogd</quote> to read <quote>daemon
|
||||
/usr/local/sbin/ulogd -d</quote>. On a RedHat system, a simple
|
||||
<quote>chkconfig --level 3 ulogd on</quote> starts ulogd during boot up.
|
||||
Your init system may need something else done to activate the script.</para>
|
||||
<para>Your distribution's ulogd package may include a logrotate file in
|
||||
/etc/logrotate.d. If you change the log file location, be sure to change
|
||||
that logrotate file accordingly.</para>
|
||||
|
||||
<para>You will need to change all instances of log levels (usually
|
||||
<quote>info</quote>) in your configuration files to <quote>ULOG</quote>
|
||||
- this includes entries in the policy, rules and shorewall.conf files.
|
||||
Here's what I have:</para>
|
||||
<quote>info</quote>) in your Shorewall configuration files to
|
||||
<quote>ULOG</quote> - this includes entries in the policy, rules and
|
||||
shorewall.conf files. Here's what I have:</para>
|
||||
|
||||
<programlisting> [root@gateway shorewall]# grep ULOG *
|
||||
policy:loc fw REJECT ULOG
|
||||
policy:net all DROP ULOG 10/sec:40
|
||||
policy:all all REJECT ULOG
|
||||
rules:REJECT:ULOG loc net tcp 6667
|
||||
shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG
|
||||
shorewall.conf:RFC1918_LOG_LEVEL=ULOG
|
||||
<programlisting> [root@gateway shorewall]# grep LOG * | grep -v ^\#
|
||||
params:LOG=ULOG
|
||||
policy:loc fw REJECT $LOG
|
||||
policy:net all DROP $LOG 10/sec:40
|
||||
policy:all all REJECT $LOG
|
||||
rules:REJECT:$LOG loc net tcp 6667
|
||||
shorewall.conf:TCP_FLAGS_LOG_LEVEL=$LOG
|
||||
shorewall.conf:RFC1918_LOG_LEVEL=$LOG
|
||||
[root@gateway shorewall]#</programlisting>
|
||||
|
||||
<para>Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<<emphasis>file
|
||||
that you wish to log to</emphasis>>. This tells the /sbin/shorewall
|
||||
program where to look for the log when processing its <quote>show log</quote>,
|
||||
<quote>logwatch</quote> and <quote>monitor</quote> commands.</para>
|
||||
<para>Finally edit /etc/shorewall/shorewall.conf and set
|
||||
LOGFILE=<<emphasis>file that you wish to log to</emphasis>>. This
|
||||
tells the /sbin/shorewall program where to look for the log when
|
||||
processing its <quote>show log</quote>, <quote>logwatch</quote> and
|
||||
<quote>monitor</quote> commands.</para>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
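Review bot: The new grep example shows `params:LOG=ULOG` feeding `$LOG` into policy, rules and shorewall.conf, which is the right pattern, but the params listing changed earlier in this commit sets `LOG=ULOGD`; the two should agree. Also, deleting the ulogd.init / chkconfig paragraph leaves nothing saying that ulogd has to be running before any of these entries log anything; the new logrotate sentence could carry a half-sentence about enabling the distribution's init script.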
@ -270,7 +244,7 @@
|
||||
<title>Syslog-ng</title>
|
||||
|
||||
<para><ulink
|
||||
url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</ulink>
|
||||
url="http://marc.theaimsgroup.com/?l=gentoo-security&amp;m=106040714910563&amp;w=2">Here</ulink>
|
||||
is a post describing configuring syslog-ng to work with Shorewall.</para>
|
||||
</section>
|
||||
|
||||
@ -278,9 +252,10 @@
|
||||
<title>Understanding the Contents of Shorewall Log Messages</title>
|
||||
|
||||
<para>For general information on the contents of Netfilter log messages,
|
||||
see <ulink url="http://logi.cc/linux/netfilter-log-format.php3">http://logi.cc/linux/netfilter-log-format.php3</ulink>.</para>
|
||||
see <ulink
|
||||
url="http://logi.cc/linux/netfilter-log-format.php3">http://logi.cc/linux/netfilter-log-format.php3</ulink>.</para>
|
||||
|
||||
<para>For Shorewall-specific information, see <ulink url="FAQ.htm#faq17">FAQ
|
||||
#17</ulink>.</para>
|
||||
<para>For Shorewall-specific information, see <ulink
|
||||
url="FAQ.htm#faq17">FAQ #17</ulink>.</para>
|
||||
</section>
|
||||
</article>
|
@ -15,7 +15,7 @@
|
||||
</author>
|
||||
</authorgroup>
|
||||
|
||||
<pubdate>2004-11-19</pubdate>
|
||||
<pubdate>2004-12-27</pubdate>
|
||||
|
||||
<copyright>
|
||||
<year>2001-2004</year>
|
||||
@ -219,11 +219,11 @@ dmz DMZ Demilitarized zone</programlisting>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
<para>Identify the source zone.</para>
|
||||
<para>Identify the source (client) zone.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Identify destination zone.</para>
|
||||
<para>Identify destination (server) zone.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
@ -251,12 +251,12 @@ dmz DMZ Demilitarized zone</programlisting>
|
||||
first checked against the <filename>/etc/shorewall/rules</filename> file.
|
||||
If no rule in that file matches the connection request then the first
|
||||
policy in <filename>/etc/shorewall/policy</filename> that matches the
|
||||
request is applied. If that policy is REJECT or DROP the request is first
|
||||
checked against the rules in
|
||||
<filename>/etc/shorewall/common.def</filename>.</para>
|
||||
request is applied after the request is passed to the appropriate <ulink
|
||||
url="User_defined_Actions.html">common action</ulink> (if any). </para>
|
||||
|
||||
<para>The default <filename>/etc/shorewall/policy</filename> file has the
|
||||
following policies:</para>
|
||||
<para>Prior to Shorewall 2.2.0, the default
|
||||
<filename>/etc/shorewall/policy</filename> file had the following
|
||||
policies:</para>
|
||||
|
||||
<programlisting>#SOURCE ZONE DESTINATION ZONE POLICY LOG LIMIT:BURST
|
||||
# LEVEL
|
||||
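Review bot: The rewritten sentence drops a qualifier the old text had. Before, a request was checked against common.def only `If that policy is REJECT or DROP`; now the policy `is applied after the request is passed to the appropriate common action (if any)` with no indication of which policies have a common action. If only REJECT and DROP do, keep that qualifier; if that is no longer the case, say so explicitly, because `(if any)` does not tell the reader.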
@ -264,7 +264,13 @@ loc net ACCEPT
|
||||
net all DROP info
|
||||
all all REJECT info</programlisting>
|
||||
|
||||
<para>The above policy will:</para>
|
||||
<important>
|
||||
<para>Beginning with Shorewall 2.2.0, the released policy file is empty.
|
||||
You can copy and paste the above entries to create a starting point from
|
||||
which to customize your policies.</para>
|
||||
</important>
|
||||
|
||||
<para>The above policies will:</para>
|
||||
|
||||
<orderedlist>
|
||||
<listitem>
|
||||
@ -291,12 +297,6 @@ all all REJECT info</programlisting>
|
||||
|
||||
<para>At this point, edit your <filename>/etc/shorewall/policy
|
||||
</filename>and make any changes that you wish.</para>
|
||||
|
||||
<important>
|
||||
<para>Beginning with Shorewall 2.2.0, the released policy file is empty.
|
||||
You can copy and paste the above entries to create a starting point from
|
||||
which to customize your policies.</para>
|
||||
</important>
|
||||
</section>
|
||||
|
||||
<section id="Interfaces">
|
||||
@ -329,9 +329,9 @@ all all REJECT info</programlisting>
|
||||
|
||||
<graphic align="center" fileref="images/dmz3.png" />
|
||||
|
||||
<para>The simplest way to define zones is to simply associate the zone
|
||||
name (previously defined in /etc/shorewall/zones) with a network
|
||||
interface. This is done in the <ulink
|
||||
<para>The simplest way to define zones is to associate the zone name
|
||||
(previously defined in /etc/shorewall/zones) with a network interface.
|
||||
This is done in the <ulink
|
||||
url="Documentation.htm#Interfaces">/etc/shorewall/interfaces</ulink> file.
|
||||
The firewall illustrated above has three network interfaces. Where
|
||||
Internet connectivity is through a cable or DSL <quote>Modem</quote>, the
|
||||
@ -431,7 +431,10 @@ loc eth2 detect</programlisting>
|
||||
|
||||
<para>You may define more complicated zones using the<filename> <ulink
|
||||
url="Documentation.htm#Hosts">/etc/shorewall/hosts</ulink></filename> file
|
||||
but in most cases, that isn't necessary.</para>
|
||||
but in most cases, that isn't necessary. See <ulink
|
||||
url="Shorewall_and_Aliased_Interfaces.html">Shorewall_and_Aliased_Interfaces.html</ulink>
|
||||
and <ulink url="Multiple_Zones.html">Multiple_Zones.html</ulink> for
|
||||
examples.</para>
|
||||
</section>
|
||||
|
||||
<section id="Addressing">
|
||||
@ -534,8 +537,8 @@ loc eth2 detect</programlisting>
|
||||
ones.</para>
|
||||
|
||||
<para>Since n is a power of two, we can easily calculate the
|
||||
<emphasis>Natural Logarithm</emphasis> (log2) of n. For the more common
|
||||
subnet sizes, the size and its natural logarithm are given in the
|
||||
<emphasis>Base-2 Logarithm</emphasis> (log2) of n. For the more common
|
||||
subnet sizes, the size and its base-2 logarithm are given in the
|
||||
following table:</para>
|
||||
|
||||
<table>
|
||||
@ -1112,8 +1115,7 @@ tcpdump: listening on eth2
|
||||
? (192.168.1.3) at 00:A0:CC:63:66:89 [ether] on eth2
|
||||
? (192.168.1.5) at 00:A0:CC:DB:31:C4 [ether] on eth2
|
||||
? (206.124.146.254) at 00:03:6C:8A:18:38 [ether] on eth0
|
||||
? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2
|
||||
</programlisting>
|
||||
? (192.168.1.19) at 00:06:25:AA:8A:F0 [ether] on eth2</programlisting>
|
||||
|
||||
<para>The leading question marks are a result of my having specified the
|
||||
<quote>n</quote> option (Windows <quote>arp</quote> doesn't allow that
|
||||
@ -1145,10 +1147,15 @@ tcpdump: listening on eth2
|
||||
192.168.0.0 - 192.168.255.255</programlisting>
|
||||
|
||||
<para>The addresses reserved by RFC 1918 are sometimes referred to as
|
||||
non-routable because the Internet backbone routers don't forward packets
|
||||
which have an RFC-1918 destination address. This is understandable given
|
||||
that anyone can select any of these addresses for their private
|
||||
use.</para>
|
||||
<firstterm>non-routable</firstterm> because the Internet backbone
|
||||
routers don't forward packets which have an RFC-1918 destination
|
||||
address. This is understandable given that anyone can select any of
|
||||
these addresses for their private use but the term non-routable is
|
||||
somewhat unfortunate because it leads people to the erroneous conclusion
|
||||
that traffic destined for one of these addresses can't be sent through a
|
||||
router. This is definitely not true; private routers (including your
|
||||
Shorewall-based firewall) can forward RFC 1918 addresed traffic just
|
||||
fine.</para>
|
||||
|
||||
<para>When selecting addresses from these ranges, there's a couple of
|
||||
things to keep in mind:</para>
|
||||
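Review bot: Typo in the added text: `RFC 1918 addresed traffic` should be `addressed`. The substance is a good addition, since it explains `non-routable` as a property of the backbone routers rather than of the address itself.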
@ -1171,14 +1178,15 @@ tcpdump: listening on eth2
|
||||
using (or are planning to use) private addresses before you decide the
|
||||
addresses that you are going to use.</para>
|
||||
|
||||
<note>
|
||||
<warning>
|
||||
<para><emphasis role="bold">In this document, external
|
||||
<quote>real</quote> IP addresses are of the form 192.0.2.x.
|
||||
192.0.2.0/24 is reserved by RFC 3330 for use as public IP addresses in
|
||||
printed examples. These addresses are not to be confused with
|
||||
addresses in 192.168.0.0/16; as described above, these addresses are
|
||||
reserved by RFC 1918 for private use.</emphasis></para>
|
||||
</note>
|
||||
printed examples and test networks. These "real" addresses are not to
|
||||
be confused with addresses in 192.168.0.0/16; as described above,
|
||||
those addresses are reserved by RFC 1918 for private
|
||||
use.</emphasis></para>
|
||||
</warning>
|
||||
</section>
|
||||
</section>
|
||||
|
||||
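Review bot: Style: the added line quotes `"real"` with literal double quotes while the line just above it, and the rest of the document, use `<quote>real</quote>`; suggest the DocBook element for consistency. Promoting the block from `<note>` to `<warning>` fits the confusion between 192.0.2.0/24 and 192.168.0.0/16 that the paragraph describes.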
@ -1406,8 +1414,9 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
role="bold">A</emphasis>.</para>
|
||||
|
||||
<para>This example used the firewall's external IP address for DNAT.
|
||||
You can use another of your public IP addresses but Shorewall will not
|
||||
add that address to the firewall's external interface for you.</para>
|
||||
You can use another of your public IP addresses (place it in the
|
||||
ORIGINAL DEST column in the rule above) but Shorewall will not add
|
||||
that address to the firewall's external interface for you.</para>
|
||||
</section>
|
||||
|
||||
<section id="ProxyARP">
|
||||
@ -1436,7 +1445,8 @@ DNAT net loc:192.168.201.4 tcp www</programlisting>
|
||||
the network defined by <emphasis role="bold">M</emphasis> where
|
||||
the target machine is outside of the firewall, the firewall will
|
||||
respond to <emphasis role="bold">H</emphasis> (with the MAC of the
|
||||
firewall interface).</para>
|
||||
firewall interface that <emphasis role="bold">H</emphasis> is
|
||||
connected to).</para>
|
||||
</listitem>
|
||||
</itemizedlist>
|
||||
|
||||
@ -1676,12 +1686,13 @@ ACCEPT net loc:192.168.201.4 tcp www</programlisting>
|
||||
|
||||
<para><inlinegraphic fileref="images/BD21298_.gif" /></para>
|
||||
|
||||
<para>With the default policies, your local systems (Local 1-3) can
|
||||
access any servers on the internet and the DMZ can't access any other
|
||||
host (including the firewall). With the exception of DNAT rules which
|
||||
cause address translation and allow the translated connection request to
|
||||
pass through the firewall, the way to allow connection requests through
|
||||
your firewall is to use ACCEPT rules.</para>
|
||||
<para>With the default policies described earlier in this document, your
|
||||
local systems (Local 1-3) can access any server on the internet and the
|
||||
DMZ can't access any other host (including the firewall). With the
|
||||
exception of DNAT rules which cause address translation and allow the
|
||||
translated connection request to pass through the firewall, the way to
|
||||
allow connection requests through your firewall is to use ACCEPT
|
||||
rules.</para>
|
||||
|
||||
<note>
|
||||
<para>Since the SOURCE PORT(S) and ORIG. DEST. Columns aren't used in
|
||||
|
@ -62,7 +62,7 @@
|
||||
</section>
|
||||
|
||||
<section>
|
||||
<title>Version >= 2.2.0 Beta 1</title>
|
||||
<title>Version >= 2.2.0</title>
|
||||
|
||||
<para></para>
|
||||
|
||||
@ -164,6 +164,22 @@ DNAT loc loc:192.168.1.12 tcp 80 - 130.252.100.69</p
|
||||
<para>The 'logunclean' and 'dropunclean' options that were deprecated
|
||||
in Shorewall 2.0 have now been removed completely.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>The default port for 'openvpn' tunnels (/etc/shorewall/tunnels)
|
||||
has been changed to 1194 to match a similar change in the OpenVPN
|
||||
product. The IANA has registered port 1194 for use by OpenVPN.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para> A new IPTABLES variable has been added to shorewall.conf. This
|
||||
variable names the iptables executable that Shorewall will use. The
|
||||
variable is set to "/sbin/iptables". If you use the new
|
||||
shorewall.conf, you may need to change this setting to maintain
|
||||
compabibility with your current setup (if you use your existing
|
||||
shorewall.conf that does not set IPTABLES then you should experience
|
||||
no change in behavior).</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
</section>
|
||||
|
||||
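Review bot: Typo in the IPTABLES item: `compabibility` should be `compatibility`. Two documentation gaps in the same list: the openvpn item says the default tunnel port is now 1194 without naming the previous default, so someone upgrading with an existing tunnels entry cannot tell from this text whether they need to add an explicit port; and the IPTABLES item should say whether the named executable is checked when Shorewall starts, since a stale path in a copied shorewall.conf is the likely failure here.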