mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 22:30:58 +01:00
Shoreawall 1.3.14 Changes
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@440 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
eca2b625e9
commit
ed61406441
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# On most distributions, this file should be called:
|
||||
# /etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
|
||||
@ -374,7 +374,14 @@ chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+*}
|
||||
|
||||
echo ${c:=common}
|
||||
case $c in
|
||||
*.*)
|
||||
echo ${c%.*}_${c#*.}
|
||||
;;
|
||||
*)
|
||||
echo ${c:=common}
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
@ -599,13 +606,17 @@ validate_interfaces_file() {
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags)
|
||||
;;
|
||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
;;
|
||||
dhcp|routestopped|norfc1918|multi|tcpflags)
|
||||
;;
|
||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||
;;
|
||||
noping|filterping)
|
||||
[ -n "$OLD_PING_HANDLING" ] || \
|
||||
startup_error "Option $option only allowed with old ping handling"
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
@ -1102,8 +1113,7 @@ validate_policy()
|
||||
#
|
||||
find_broadcasts() {
|
||||
for interface in $all_interfaces; do
|
||||
interface=`chain_base $interface`
|
||||
eval bcast=\$${interface}_broadcast
|
||||
eval bcast=\$`chain_base $interface`_broadcast
|
||||
if [ "x$bcast" = "xdetect" ]; then
|
||||
addr="`ip addr show $interface 2> /dev/null`"
|
||||
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
|
||||
@ -1122,7 +1132,7 @@ find_broadcasts() {
|
||||
#
|
||||
find_interface_broadcasts() # $1 = Interface name
|
||||
{
|
||||
eval bcast=\$${1}_broadcast
|
||||
eval bcast=\$`chain_base ${1}`_broadcast
|
||||
|
||||
if [ "x$bcast" = "xdetect" ]; then
|
||||
addr="`ip addr show $interface 2> /dev/null`"
|
||||
@ -1414,6 +1424,23 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
echo " PPTP server defined."
|
||||
}
|
||||
|
||||
setup_one_openvpn() # $1 = gateway, $2 = kind[:port]
|
||||
{
|
||||
case $2 in
|
||||
*:*)
|
||||
p=${2#*:}
|
||||
;;
|
||||
*)
|
||||
p=5000
|
||||
;;
|
||||
esac
|
||||
|
||||
addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT
|
||||
addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT
|
||||
|
||||
echo " OPENVPN tunnel to $1:$p defined."
|
||||
}
|
||||
|
||||
strip_file tunnels $1
|
||||
|
||||
while read kind z gateway z1; do
|
||||
@ -1441,6 +1468,9 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
pptpserver|PPTPSERVER)
|
||||
setup_pptp_server
|
||||
;;
|
||||
openvpn|OPENVPN|openvpn:*|OPENVPN:*)
|
||||
setup_one_openvpn $gateway $kind
|
||||
;;
|
||||
*)
|
||||
error_message "Tunnels of type $kind are not supported:" \
|
||||
"Tunnel \"$tunnel\" Ignored"
|
||||
@ -1704,8 +1734,11 @@ setup_nat() {
|
||||
|
||||
while read external interface internal allints localnat; do
|
||||
expandv external interface internal allints localnat
|
||||
|
||||
iface=${interface%:*}
|
||||
|
||||
if [ -n "$ADD_IP_ALIASES" ]; then
|
||||
qt ip addr del $external dev $interface
|
||||
qt ip addr del $external dev $iface
|
||||
fi
|
||||
|
||||
if [ -z "$allints" -o "$allints" = "Yes" -o "$allints" = "yes" ]
|
||||
@ -1718,9 +1751,9 @@ setup_nat() {
|
||||
-j DNAT --to-destination $internal
|
||||
fi
|
||||
else
|
||||
addnatrule `input_chain $interface` \
|
||||
addnatrule `input_chain $iface` \
|
||||
-d $external -j DNAT --to-destination $internal
|
||||
addnatrule `output_chain $interface` \
|
||||
addnatrule `output_chain $iface` \
|
||||
-s $internal -j SNAT --to-source $external
|
||||
fi
|
||||
|
||||
@ -1753,7 +1786,7 @@ delete_nat() {
|
||||
|
||||
#
|
||||
# Process a TC Rule - $marking_chain is assumed to contain the name of the
|
||||
# marking chain
|
||||
# default marking chain
|
||||
#
|
||||
process_tc_rule()
|
||||
{
|
||||
@ -1774,13 +1807,34 @@ process_tc_rule()
|
||||
;;
|
||||
*)
|
||||
if ! list_search $source $all_interfaces; then
|
||||
fatal_error "Error: Unknown interface $source"
|
||||
fatal_error "Error: Unknown interface $source in rule \"$rule\""
|
||||
fi
|
||||
|
||||
r="-i $source "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "$mark" != "${mark%:*}" ]; then
|
||||
|
||||
[ "$chain" = tcout ] && \
|
||||
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
|
||||
|
||||
case "${mark#*:}" in
|
||||
p|P)
|
||||
chain=tcpre
|
||||
;;
|
||||
f|F)
|
||||
chain=tcfor
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
|
||||
;;
|
||||
esac
|
||||
|
||||
mark="${mark%:*}"
|
||||
fi
|
||||
|
||||
[ "x$dest" = "x-" ] || r="${r}-d $dest "
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
@ -1811,7 +1865,8 @@ setup_tc1() {
|
||||
# Create the TC mangle chains
|
||||
#
|
||||
|
||||
run_iptables -t mangle -N $marking_chain
|
||||
run_iptables -t mangle -N tcpre
|
||||
run_iptables -t mangle -N tcfor
|
||||
run_iptables -t mangle -N tcout
|
||||
#
|
||||
# Process the TC Rules File
|
||||
@ -1827,11 +1882,9 @@ setup_tc1() {
|
||||
# Link to the TC mangle chains from the main chains
|
||||
#
|
||||
|
||||
if [ $marking_chain = tcfor ]; then
|
||||
run_iptables -t mangle -A FORWARD -j tcfor
|
||||
else
|
||||
run_iptables -t mangle -A PREROUTING -j tcpre
|
||||
fi
|
||||
run_iptables -t mangle -A FORWARD -j tcfor
|
||||
run_iptables -t mangle -A PREROUTING -j tcpre
|
||||
run_iptables -t mangle -A OUTPUT -j tcout
|
||||
|
||||
run_user_exit tcstart
|
||||
|
||||
@ -2871,6 +2924,21 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
||||
fatal_error "Error: No appropriate chain for zone $1 to zone $2"
|
||||
}
|
||||
|
||||
#
|
||||
# echo the list of subnets routed out of a given interface
|
||||
#
|
||||
get_routed_subnets() # $1 = interface name
|
||||
{
|
||||
local address
|
||||
local rest
|
||||
|
||||
ip route show dev $1 2> /dev/null |
|
||||
while read address rest; do
|
||||
[ "$address" = "${address%/*}" ] && address="${address}/32"
|
||||
echo $address
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Set up Source NAT (including masquerading)
|
||||
#
|
||||
@ -2879,12 +2947,32 @@ setup_masq()
|
||||
setup_one() {
|
||||
local using
|
||||
|
||||
if [ "$interface" = "${interface%:*}" ]; then
|
||||
destnet="0.0.0.0/0"
|
||||
else
|
||||
destnet="${interface#*:}"
|
||||
interface="${interface%:*}"
|
||||
fi
|
||||
case $fullinterface in
|
||||
*:*:*)
|
||||
# Both alias name and subnet
|
||||
destnet="${fullinterface##*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*:*)
|
||||
# Alias name OR subnet
|
||||
case ${fullinterface#*:} in
|
||||
*.*)
|
||||
# It's a subnet
|
||||
destnet="${fullinterface#*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*)
|
||||
#it's an alias name
|
||||
destnet="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
destnet="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
|
||||
interface=${fullinterface%:*}
|
||||
|
||||
if ! list_search $interface $all_interfaces; then
|
||||
fatal_error "Error: Unknown interface $interface"
|
||||
@ -2900,10 +2988,10 @@ setup_masq()
|
||||
chain=`masq_chain $interface`
|
||||
iface=
|
||||
|
||||
source="$subnet"
|
||||
|
||||
case $subnet in
|
||||
*.*.*)
|
||||
source="$subnet"
|
||||
subnet="-s $subnet"
|
||||
;;
|
||||
-)
|
||||
#
|
||||
@ -2916,22 +3004,15 @@ setup_masq()
|
||||
iface="-o $interface"
|
||||
;;
|
||||
*)
|
||||
ipaddr="`ip addr show $subnet 2> /dev/null | grep 'inet '`"
|
||||
source="$subnet"
|
||||
if [ -z "$ipaddr" ]; then
|
||||
fatal_error \
|
||||
"Interface $subnet must be up before Shorewall starts"
|
||||
fi
|
||||
|
||||
subnet="`echo $ipaddr | sed s/" "// | cut -d' ' -f2`"
|
||||
[ -z "`echo "$subnet" | grep '/'`" ] && subnet="${subnet}/32"
|
||||
subnet="-s $subnet"
|
||||
subnets=`get_routed_subnets $subnet`
|
||||
[ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet"
|
||||
subnet="$subnets"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||
list_search $address $aliases_to_add || \
|
||||
aliases_to_add="$aliases_to_add $address $interface"
|
||||
aliases_to_add="$aliases_to_add $address $fullinterface"
|
||||
fi
|
||||
|
||||
destination=$destnet
|
||||
@ -2939,7 +3020,15 @@ setup_masq()
|
||||
if [ -n "$nomasq" ]; then
|
||||
newchain=masq${masq_seq}
|
||||
createnatchain $newchain
|
||||
addnatrule $chain -d $destnet $iface $subnet -j $newchain
|
||||
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
addnatrule $chain -d $destnet $iface -s $s -j $newchain
|
||||
done
|
||||
else
|
||||
addnatrule $chain -d $destnet $iface -j $newchain
|
||||
fi
|
||||
|
||||
masq_seq=$(($masq_seq + 1))
|
||||
chain=$newchain
|
||||
subnet=
|
||||
@ -2949,29 +3038,38 @@ setup_masq()
|
||||
for addr in `separate_list $nomasq`; do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
done
|
||||
|
||||
source="$source except $nomasq"
|
||||
else
|
||||
destnet="-d $destnet"
|
||||
fi
|
||||
|
||||
if [ -n "$address" ]; then
|
||||
addnatrule $chain $subnet $destnet $iface \
|
||||
-j SNAT --to-source $address
|
||||
using=" using $address"
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
if [ -n "$address" ]; then
|
||||
addnatrule $chain -s $s $destnet $iface -j SNAT --to-source $address
|
||||
echo " To $destination from $s through ${interface} using $address"
|
||||
else
|
||||
addnatrule $chain -s $s $destnet $iface -j MASQUERADE
|
||||
echo " To $destination from $s through ${interface}"
|
||||
fi
|
||||
done
|
||||
elif [ -n "$address" ]; then
|
||||
addnatrule $chain $destnet $iface -j SNAT --to-source $address
|
||||
echo " To $destination from $source through ${interface} using $address"
|
||||
else
|
||||
addnatrule $chain $subnet $destnet $iface -j MASQUERADE
|
||||
using=
|
||||
addnatrule $chain $destnet $iface -j MASQUERADE
|
||||
echo " To $destination from $source through ${interface}"
|
||||
fi
|
||||
|
||||
[ -n "$nomasq" ] && source="$source except $nomasq"
|
||||
echo " To $destination from $source through ${interface}${using}"
|
||||
}
|
||||
|
||||
strip_file masq $1
|
||||
|
||||
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
|
||||
|
||||
while read interface subnet address; do
|
||||
expandv interface subnet address
|
||||
while read fullinterface subnet address; do
|
||||
expandv fullinterface subnet address
|
||||
[ -n "$NAT_ENABLED" ] && setup_one || \
|
||||
error_message "Warning: NAT disabled; masq rule ignored"
|
||||
done < $TMP_DIR/masq
|
||||
@ -3195,9 +3293,10 @@ add_ip_aliases()
|
||||
val=${val%% scope*}
|
||||
fi
|
||||
|
||||
run_ip addr add ${external}${val} dev $interface
|
||||
run_ip addr add ${external}${val} dev $interface $label
|
||||
echo "$external $interface" >> ${STATEDIR}/nat
|
||||
echo " IP Address $external added to interface $interface"
|
||||
[ -n "$label" ] && label="with $label"
|
||||
echo " IP Address $external added to interface $interface $label"
|
||||
}
|
||||
|
||||
set -- $aliases_to_add
|
||||
@ -3205,6 +3304,14 @@ add_ip_aliases()
|
||||
while [ $# -gt 0 ]; do
|
||||
external=$1
|
||||
interface=$2
|
||||
label=
|
||||
|
||||
if [ "$interface" != "${interface%:*}" ]; then
|
||||
label="${interface#*:}"
|
||||
interface="${interface%:*}"
|
||||
label="label $interface:$label"
|
||||
fi
|
||||
|
||||
primary=`find_interface_address $interface`
|
||||
shift;shift
|
||||
[ "x${primary}" = "x${external}" ] || do_one
|
||||
@ -3350,11 +3457,14 @@ initialize_netfilter () {
|
||||
# Build the common chain -- called during [re]start and refresh
|
||||
#
|
||||
build_common_chain() {
|
||||
#
|
||||
# PING
|
||||
#
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
|
||||
|
||||
if [ -n "$OLD_PING_HANDLING" ]; then
|
||||
#
|
||||
# PING
|
||||
#
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# Common ICMP rules
|
||||
#
|
||||
@ -3907,23 +4017,25 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
process_rules $rules
|
||||
|
||||
echo "Setting up ICMP Echo handling..."
|
||||
if [ -n "$OLD_PING_HANDLING" ]; then
|
||||
echo "Setting up ICMP Echo handling..."
|
||||
|
||||
filterping_interfaces="`find_interfaces_by_option filterping`"
|
||||
noping_interfaces="`find_interfaces_by_option noping`"
|
||||
filterping_interfaces="`find_interfaces_by_option filterping`"
|
||||
noping_interfaces="`find_interfaces_by_option noping`"
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
if ! list_search $interface $filterping_interfaces; then
|
||||
if list_search $interface $noping_interfaces; then
|
||||
target=DROP
|
||||
else
|
||||
target=ACCEPT
|
||||
for interface in $all_interfaces; do
|
||||
if ! list_search $interface $filterping_interfaces; then
|
||||
if list_search $interface $noping_interfaces; then
|
||||
target=DROP
|
||||
else
|
||||
target=ACCEPT
|
||||
fi
|
||||
|
||||
run_iptables -A `input_chain $interface` \
|
||||
-p icmp --icmp-type echo-request -j $target
|
||||
fi
|
||||
|
||||
run_iptables -A `input_chain $interface` \
|
||||
-p icmp --icmp-type echo-request -j $target
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
policy=`find_file policy`
|
||||
|
||||
@ -4104,7 +4216,7 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
dhcp_interfaces=`find_interfaces_by_option dhcp`
|
||||
blacklist_interfaces=`find_interfaces_by_option blacklist`
|
||||
filterping_interfaces=`find_interfaces_by_option filterping`
|
||||
maclist_interfaces=`find_interfaces_by_maclist`
|
||||
maclist_interfaces=`find_interfaces_by_option maclist`
|
||||
tcpflags_interfaces=`find_interfaces_by_option tcpflags`
|
||||
#
|
||||
# Normalize the first argument to this function
|
||||
@ -4161,15 +4273,15 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
rulenum=2
|
||||
fi
|
||||
|
||||
if ! list_search $interface $filterping_interfaces; then
|
||||
if list_search $interface $filterping_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
if ! list_search $interface $maclist_interfaces; then
|
||||
if list_search $interface $maclist_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
if ! list_search $interface $tcpflags_interfaces; then
|
||||
if list_search $interface $tcpflags_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
@ -4194,11 +4306,11 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
rulenum=2
|
||||
fi
|
||||
|
||||
if ! list_search $interface $maclist_interfaces; then
|
||||
if list_search $interface $maclist_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
if ! list_search $interface $tcpflags_interfaces; then
|
||||
if list_search $interface $tcpflags_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
fi
|
||||
@ -4344,7 +4456,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
while read z1 z2 chain; do
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
qt iptables -D `input_chain $interface` -i $interface -s $host -j $chain
|
||||
qt iptables -D `input_chain $interface` -s $host -j $chain
|
||||
else
|
||||
source_chain=`forward_chain $interface`
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
@ -4471,6 +4583,7 @@ do_initialize() {
|
||||
TCP_FLAGS_LOG_LEVEL=
|
||||
RFC1918_LOG_LEVEL=
|
||||
MARK_IN_FORWARD_CHAIN=
|
||||
OLD_PING_HANDLING=
|
||||
SHARED_DIR=/usr/lib/shorewall
|
||||
FUNCTIONS=
|
||||
VERSION_FILE=
|
||||
@ -4596,7 +4709,10 @@ do_initialize() {
|
||||
else
|
||||
CLEAR_TC=
|
||||
fi
|
||||
OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING`
|
||||
|
||||
[ -z "$OLD_PING_HANDLING" -a -n "$FORWARDPING" ] && \
|
||||
startup_error "FORWARDPING=Yes is incompatible with OLD_PING_HANDLING=No"
|
||||
|
||||
run_user_exit params
|
||||
|
||||
|
@ -46,18 +46,6 @@
|
||||
# a DHCP server running on the firewall or
|
||||
# you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP clients.
|
||||
# noping - icmp echo-request (ping) packets
|
||||
# addressed to the firewall should
|
||||
# be ignored on this interface
|
||||
# filterping - icmp echo-request (ping) packets
|
||||
# addressed to the firewall should
|
||||
# be controlled by the rules file and
|
||||
# applicable policy. If neither 'noping'
|
||||
# nor 'filterping' are specified then
|
||||
# the firewall will respond to 'ping'
|
||||
# requests. 'filterping' takes
|
||||
# precedence over 'noping' if both are
|
||||
# given.
|
||||
# routestopped - (Deprecated -- use
|
||||
# /etc/shorewall/routestopped)
|
||||
# When the firewall is stopped, allow
|
||||
@ -117,15 +105,14 @@
|
||||
# eth1 connected to your local network and that your
|
||||
# local subnet is 192.168.1.0/24. The interface gets
|
||||
# it's IP address via DHCP from subnet
|
||||
# 206.191.149.192/27 and you want pings from the internet
|
||||
# to be ignored. You interface a DMZ with subnet
|
||||
# 206.191.149.192/27. You have a DMZ with subnet
|
||||
# 192.168.2.0/24 using eth2. You want to be able to
|
||||
# access the firewall from the local network when the
|
||||
# firewall is stopped.
|
||||
#
|
||||
# Your entries for this setup would look like:
|
||||
#
|
||||
# net eth0 206.191.149.223 noping,dhcp
|
||||
# net eth0 206.191.149.223 dhcp
|
||||
# local eth1 192.168.1.255 routestopped
|
||||
# dmz eth2 192.168.2.255
|
||||
#
|
||||
|
@ -9,7 +9,15 @@
|
||||
# Columns are:
|
||||
#
|
||||
# INTERFACE -- Outgoing interface. This is usually your internet
|
||||
# interface. This may be qualified by adding the character
|
||||
# interface. If ADD_SNAT_ALIASES=Yes in
|
||||
# /etc/shorewall/shorewall.conf, you may add ":" and
|
||||
# a digit to indicate that you want the alias added with
|
||||
# that name (e.g., eth0:0). This will allow the alias to
|
||||
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
||||
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
||||
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||
#
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
#
|
||||
#
|
||||
@ -17,7 +25,7 @@
|
||||
# a subnet or as an interface. If you give the name of an
|
||||
# interface, you must have iproute installed and the interface
|
||||
# must be up before you start the firewall.
|
||||
#
|
||||
#
|
||||
# In order to exclude a subset of the specified SUBNET, you
|
||||
# may append "!" and a comma-separated list of IP addresses
|
||||
# and/or subnets that you wish to exclude.
|
||||
@ -74,13 +82,12 @@
|
||||
# Example 4:
|
||||
#
|
||||
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||
# eth0 to use source address 206.124.146.176.
|
||||
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||
# primary address of eth0. You want 206.124.146.176 added to
|
||||
# be added to eth0 with name eth0:0.
|
||||
#
|
||||
# eth0 192.168.1.0/24 206.124.146.176
|
||||
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||
#
|
||||
# This would normally be done when you have a static external
|
||||
# IP address since it makes the processing of outgoing
|
||||
# packets somewhat faster.
|
||||
##############################################################################
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -16,7 +16,13 @@
|
||||
# IP address of the interface named in the next
|
||||
# column and must not be a DNS Name.
|
||||
# INTERFACE Interface that we want to EXTERNAL address to appear
|
||||
# on
|
||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||
# follow the interface name with ":" and a digit to
|
||||
# indicate that you want Shorewall to add the alias
|
||||
# with this name (e.g., "eth0:0"). That allows you to
|
||||
# see the alias with ifconfig. THAT IS THE ONLY THING
|
||||
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
|
||||
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
||||
# from all hosts. If No or no then NAT will be effective
|
||||
@ -26,5 +32,5 @@
|
||||
# Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -401,12 +401,17 @@ MUTEX_TIMEOUT=60
|
||||
LOGNEWNOTSYN=
|
||||
|
||||
#
|
||||
# Forward "Ping"
|
||||
# Old Ping Handling
|
||||
#
|
||||
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
|
||||
# forwarded by the firewall.
|
||||
|
||||
FORWARDPING=Yes
|
||||
# If this option is set to "Yes" then Shorewall will use its old ping handling
|
||||
# facility including the FORWARDPING option in this file and the 'noping' and
|
||||
# 'filterping' interface options. If this option is set to 'No' then ping
|
||||
# is handled via policy and rules just like any other connection request.
|
||||
#
|
||||
# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
|
||||
# DON'T DELETE IT!!!!!!
|
||||
#
|
||||
OLD_PING_HANDLING=No
|
||||
|
||||
#
|
||||
# NEWNOTSYN
|
||||
@ -502,4 +507,20 @@ RFC1918_LOG_LEVEL=info
|
||||
|
||||
MARK_IN_FORWARD_CHAIN=No
|
||||
|
||||
#
|
||||
# Clear Traffic Shapping/Control
|
||||
#
|
||||
# If this option is set to 'No' then Shorewall won't clear the current
|
||||
# traffic control rules during [re]start. This setting is intended
|
||||
# for use by people that prefer to configure traffic shaping when
|
||||
# the network interfaces come up rather than when the firewall
|
||||
# is started. If that is what you want to do, set TC_ENABLED=Yes and
|
||||
# CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
||||
# way, your traffic shaping rules can still use the 'fwmark'
|
||||
# classifier based on packet marking defined in /etc/shorewall/tcrules.
|
||||
#
|
||||
# If omitted, CLEAR_TC=Yes is assumed.
|
||||
|
||||
CLEAR_TC=Yes
|
||||
|
||||
#LAST LINE -- DO NOT REMOVE
|
||||
|
@ -17,10 +17,20 @@
|
||||
# MARK The mark value which is an
|
||||
# integer in the range 1-255
|
||||
#
|
||||
# May optionally be followed by ":P" or ":F"
|
||||
# where ":P" indicates that marking should occur in
|
||||
# the PREROUTING chain and ":F" indicates that marking
|
||||
# should occur in the FORWARD chain. If neither
|
||||
# ":P" nor ":F" follow the mark value then the chain is
|
||||
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# SOURCE Source of the packet. A comma-separated list of
|
||||
# interface names, IP addresses, MAC addresses
|
||||
# and/or subnets. Use $FW if the packet originates on
|
||||
# the firewall.
|
||||
# the firewall in which case the MARK column may NOT
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# in the OUTPUT chain).
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use
|
||||
# "-" as a separator.
|
||||
|
@ -1,16 +1,21 @@
|
||||
#
|
||||
# Shorewall 1.3 - /etc/shorewall/tunnels
|
||||
#
|
||||
# This file defines IPSEC, GRE and IPIP tunnels.
|
||||
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
||||
#
|
||||
# IPIP and GRE tunnels must be configured on the firewall/gateway itself.
|
||||
# IPSEC endpoints may be defined on the firewall/gateway or on an
|
||||
# internal system.
|
||||
# IPIP, GRE and OPENVPN tunnels must be configured on the
|
||||
# firewall/gateway itself. IPSEC endpoints may be defined
|
||||
# on the firewall/gateway or on an internal system.
|
||||
#
|
||||
# The columns are:
|
||||
#
|
||||
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
|
||||
# "gre","pptpclient" or "pptpserver"
|
||||
# "gre", "pptpclient", "pptpserver" or "openvpn".
|
||||
#
|
||||
# If type is "openvpn", it may optionally be followed
|
||||
# by ":" and the port number used by the tunnel. if no
|
||||
# ":" and port number are included, then the default port
|
||||
# of 5000 will be used
|
||||
#
|
||||
# ZONE -- The zone of the physical interface through which
|
||||
# tunnel traffic passes. This is normally your internet
|
||||
@ -20,10 +25,12 @@
|
||||
# remote getway has no fixed address (Road Warrior)
|
||||
# then specify the gateway as 0.0.0.0/0.
|
||||
#
|
||||
# GATEWAY ZONES -- Optional. If the gateway system specified in the third
|
||||
# GATEWAY
|
||||
# ZONES -- Optional. If the gateway system specified in the third
|
||||
# column is a standalone host then this column should
|
||||
# contain a comma-separated list of the names of the zones that
|
||||
# the host might be in. This column only applies to IPSEC tunnels.
|
||||
# contain a comma-separated list of the names of the
|
||||
# zones that the host might be in. This column only
|
||||
# applies to IPSEC tunnels.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
@ -71,5 +78,12 @@
|
||||
#
|
||||
# pptpserver net
|
||||
#
|
||||
# TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
# Example 7:
|
||||
#
|
||||
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
|
||||
# openvpn uses port 7777.
|
||||
#
|
||||
# openvpn:7777 net 4.33.99.124
|
||||
#
|
||||
# TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -3,7 +3,7 @@
|
||||
#
|
||||
# This file determines your network zones. Columns are:
|
||||
#
|
||||
# ZONE Short name of the zone
|
||||
# ZONE Short name of the zone
|
||||
# DISPLAY Display name of the zone
|
||||
# COMMENTS Comments about the zone
|
||||
#
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
#
|
||||
# This file should be placed in /sbin/shorewall.
|
||||
@ -649,7 +649,7 @@ case "$1" in
|
||||
[ $# -ne 3 ] && usage 1
|
||||
exec $FIREWALL $debugging $nolock $1 $2 $3
|
||||
;;
|
||||
show)
|
||||
show|list)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
case "$2" in
|
||||
connections)
|
||||
|
@ -1 +1 @@
|
||||
1.3.13
|
||||
1.3.14
|
||||
|
@ -1,10 +1,22 @@
|
||||
Changes since 1.3.12
|
||||
Changes since 1.3.13
|
||||
|
||||
1. Added 'DNAT-' target.
|
||||
1. Fix 'shorewall add' bug.
|
||||
|
||||
2. Print policies in 'check' command.
|
||||
2. Add OLD_PING_HANDLING option
|
||||
|
||||
3. Added CLEAR_TC option.
|
||||
3. Allow adding alias labels under ADD_IP_ALIASES=Yes.
|
||||
|
||||
4. Added SHARED_DIR option.
|
||||
4. Allow adding alias labels under ADD_SNAT_ALIASES=Yes.
|
||||
|
||||
5. Use the routing table to generate list of subnets to be masqueraded
|
||||
when an interface name appears in the SUBNET column of
|
||||
/etc/shorewall/masq.
|
||||
|
||||
6. Restore $dev.$vid naming of VLAN interfaces.
|
||||
|
||||
7. Updated copyrights for 2003.
|
||||
|
||||
8. Added support for openvpn tunnels on arbitrary ports
|
||||
|
||||
9. Corrected rule number calculation problem in 'shorewall add' command
|
||||
processing.
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,207 +1,221 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Installation</title>
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Installation and
|
||||
Upgrade</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Installation and
|
||||
Upgrade</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p align="center"><b>Before upgrading, be sure to review the <a
|
||||
href="upgrade_issues.htm">Upgrade Issues</a></b></p>
|
||||
|
||||
|
||||
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
|
||||
<a href="#Install_Tarball">Install using tarball</a><br>
|
||||
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
|
||||
<a href="#Upgrade_Tarball">Upgrade using tarball</a><br>
|
||||
<a href="#Config_Files">Configuring Shorewall</a><br>
|
||||
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
|
||||
|
||||
<a href="#Install_Tarball">Install using tarball<br>
|
||||
</a><a href="#LRP">Install the .lrp</a><br>
|
||||
<a href="#Upgrade_RPM">Upgrade using RPM</a><br>
|
||||
<a href="#Upgrade_Tarball">Upgrade using tarball<br>
|
||||
</a><a href="#LRP_Upgrade">Upgrade the .lrp</a><br>
|
||||
<a href="#Config_Files">Configuring Shorewall</a><br>
|
||||
<a href="fallback.htm">Uninstall/Fallback</a></b></font></p>
|
||||
|
||||
<p><a name="Install_RPM"></a>To install Shorewall using the RPM:</p>
|
||||
|
||||
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
|
||||
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
|
||||
1.2.4 either from the <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
|
||||
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
|
||||
attempting to start Shorewall.</b></p>
|
||||
|
||||
|
||||
<p><b>If you have RedHat 7.2 and are running iptables version 1.2.3 (at a
|
||||
shell prompt, type "/sbin/iptables --version"), you must upgrade to version
|
||||
1.2.4 either from the <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
|
||||
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
|
||||
attempting to start Shorewall.</b></p>
|
||||
|
||||
<ul>
|
||||
<li>Install the RPM (rpm -ivh <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports
|
||||
a conflict with kernel <= 2.2 even though a 2.4 kernel is installed.
|
||||
If this happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps
|
||||
<shorewall rpm>).</li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
|
||||
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
|
||||
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
|
||||
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK
|
||||
TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO RESTORE NETWORK
|
||||
CONNECTIVITY.</b></font></li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
|
||||
<li>Install the RPM (rpm -ivh <shorewall rpm>).<br>
|
||||
<br>
|
||||
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm
|
||||
reports a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
||||
installed. If this happens, simply use the --nodeps option to rpm (rpm
|
||||
-ivh --nodeps <shorewall rpm>).</li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
|
||||
your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u>
|
||||
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND
|
||||
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY
|
||||
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO
|
||||
RESTORE NETWORK CONNECTIVITY.</b></font></li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
|
||||
and install script: </p>
|
||||
|
||||
|
||||
<p><a name="Install_Tarball"></a>To install Shorewall using the tarball
|
||||
and install script: </p>
|
||||
|
||||
<ul>
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-1.1.10").</li>
|
||||
<li>If you are using <a
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-1.1.10").</li>
|
||||
<li>If you are using <a
|
||||
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.linux-mandrake.com">Mandrake</a>, <a
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
|
||||
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
|
||||
"./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d or
|
||||
/etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script directory></li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
|
||||
your configuration.</li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
<li>If the install script was unable to configure Shorewall to be started
|
||||
automatically at boot, see <a
|
||||
<li>If your distribution has directory /etc/rc.d/init.d
|
||||
or /etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script
|
||||
directory></li>
|
||||
<li>Edit the <a href="#Config_Files"> configuration files</a> to match
|
||||
your configuration.</li>
|
||||
<li>Start the firewall by typing "shorewall start"</li>
|
||||
<li>If the install script was unable to configure Shorewall to be started
|
||||
automatically at boot, see <a
|
||||
href="starting_and_stopping_shorewall.htm">these instructions</a>.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
|
||||
and are upgrading to a new version:</p>
|
||||
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
|
||||
you have entries in the /etc/shorewall/hosts file then please check your
|
||||
/etc/shorewall/interfaces file to be sure that it contains an entry for
|
||||
each interface mentioned in the hosts file. Also, there are certain 1.2
|
||||
rule forms that are no longer supported under 1.3 (you must use the new
|
||||
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for details.
|
||||
You can check your rules and host file for 1.3 compatibility using the "shorewall
|
||||
check" command after installing the latest version of 1.3.</p>
|
||||
|
||||
<ul>
|
||||
<li>Upgrade the RPM (rpm -Uvh <shorewall rpm file>) <b>Note: </b>If
|
||||
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
|
||||
you must use the "--oldpackage" option to rpm (e.g., "rpm -Uvh --oldpackage
|
||||
shorewall-1.2-0.noarch.rpm").
|
||||
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
|
||||
rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel is
|
||||
installed. If this happens, simply use the --nodeps option to rpm (rpm
|
||||
-Uvh --nodeps <shorewall rpm>).<br>
|
||||
</p>
|
||||
</li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall (shorewall restart).</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and
|
||||
are upgrading to a new version using the tarball:</p>
|
||||
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and
|
||||
you have entries in the /etc/shorewall/hosts file then please check your
|
||||
/etc/shorewall/interfaces file to be sure that it contains an entry for
|
||||
each interface mentioned in the hosts file. Also, there are certain 1.2
|
||||
rule forms that are no longer supported under 1.3 (you must use the new
|
||||
1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for
|
||||
details. You can check your rules and host file for 1.3 compatibility using
|
||||
|
||||
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
|
||||
disk, simply replace the "shorwall.lrp" file on the image with the file that
|
||||
you downloaded. See the <a href="two-interface.htm">two-interface QuickStart
|
||||
Guide</a> for information about further steps required.</p>
|
||||
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
|
||||
and are upgrading to a new version:</p>
|
||||
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an entry
|
||||
for each interface mentioned in the hosts file. Also, there are certain
|
||||
1.2 rule forms that are no longer supported under 1.3 (you must use the
|
||||
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues </a>for
|
||||
details. You can check your rules and host file for 1.3 compatibility using
|
||||
the "shorewall check" command after installing the latest version of 1.3.</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-3.0.1").</li>
|
||||
<li>If you are using <a
|
||||
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.linux-mandrake.com">Mandrake</a>, <a
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
|
||||
"./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d or
|
||||
/etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script directory></li>
|
||||
<li>Upgrade the RPM (rpm -Uvh <shorewall rpm file>) <b>Note: </b>If
|
||||
you are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs
|
||||
installed, you must use the "--oldpackage" option to rpm (e.g., "rpm
|
||||
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
|
||||
<p> <b>Note: </b>Some SuSE users have encountered a problem whereby
|
||||
rpm reports a conflict with kernel <= 2.2 even though a 2.4 kernel
|
||||
is installed. If this happens, simply use the --nodeps option to rpm (rpm
|
||||
-Uvh --nodeps <shorewall rpm>).<br>
|
||||
</p>
|
||||
</li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as necessary.</li>
|
||||
<li>Restart the firewall by typing "shorewall restart"</li>
|
||||
|
||||
<li>Restart the firewall (shorewall restart).</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
|
||||
|
||||
<p>You will need to edit some or all of these configuration files to match
|
||||
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
|
||||
QuickStart Guides</a> contain all of the information you need.</p>
|
||||
|
||||
|
||||
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
|
||||
and are upgrading to a new version using the tarball:</p>
|
||||
|
||||
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version
|
||||
and you have entries in the /etc/shorewall/hosts file then please check
|
||||
your /etc/shorewall/interfaces file to be sure that it contains an entry
|
||||
for each interface mentioned in the hosts file. Also, there are certain
|
||||
1.2 rule forms that are no longer supported under 1.3 (you must use the
|
||||
new 1.3 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
|
||||
for details. You can check your rules and host file for 1.3 compatibility
|
||||
using the "shorewall check" command after installing the latest version
|
||||
of 1.3.</p>
|
||||
|
||||
<ul>
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several firewall
|
||||
parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell variables that
|
||||
you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's view of the world
|
||||
into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces on the
|
||||
firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
|
||||
hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
|
||||
(dynamic) NAT a.k.a. Masquerading.</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are exceptions to the
|
||||
overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
|
||||
hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets for later use
|
||||
by traffic control/shaping.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
|
||||
headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
|
||||
the firewall system.</li>
|
||||
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
|
||||
|
||||
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
|
||||
<li>cd to the shorewall directory (the version is encoded in the
|
||||
directory name as in "shorewall-3.0.1").</li>
|
||||
<li>If you are using <a
|
||||
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a
|
||||
href="http://www.redhat.com">RedHat</a>, <a
|
||||
href="http://www.linux-mandrake.com">Mandrake</a>, <a
|
||||
href="http://www.corel.com">Corel</a>, <a
|
||||
href="http://www.slackware.com/">Slackware</a> or <a
|
||||
href="http://www.debian.org">Debian</a> then type "./install.sh"</li>
|
||||
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
|
||||
"./install.sh /etc/init.d"</li>
|
||||
<li>If your distribution has directory /etc/rc.d/init.d
|
||||
or /etc/init.d then type "./install.sh"</li>
|
||||
<li>For other distributions, determine where your distribution
|
||||
installs init scripts and type "./install.sh <init script
|
||||
directory></li>
|
||||
<li>See if there are any incompatibilities between your configuration
|
||||
and the new Shorewall version (type "shorewall check") and correct as
|
||||
necessary.</li>
|
||||
<li>Restart the firewall by typing "shorewall restart"</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<a name="LRP_Upgrade"></a>If you already have a running Bering installation
|
||||
and wish to upgrade to a later version of Shorewall:<br>
|
||||
<br>
|
||||
<b>UNDER CONSTRUCTION...</b><br>
|
||||
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
|
||||
|
||||
<p>You will need to edit some or all of these configuration files to match
|
||||
your setup. In most cases, the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guides</a>
|
||||
contain all of the information you need.</p>
|
||||
|
||||
<ul>
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several firewall
|
||||
parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell variables that
|
||||
you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's view of the world
|
||||
into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces on the
|
||||
firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
|
||||
hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/maclist - verification of the MAC addresses of devices.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
|
||||
(dynamic) NAT a.k.a. Masquerading.</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are exceptions to the
|
||||
overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines
|
||||
hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets for later use
|
||||
by traffic control/shaping.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting the TOS field in
|
||||
packet headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
|
||||
the firewall system.</li>
|
||||
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><font size="2">Updated 1/30/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -2,90 +2,92 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall Certificate Authority</title>
|
||||
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
|
||||
(CA) Certificate</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Certificate Authority
|
||||
(CA) Certificate</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Given that I develop and support Shorewall without asking for any renumeration,
|
||||
I can hardly justify paying $200US+ a year to a Certificate Authority such
|
||||
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
|
||||
I am who I am. I have therefore established my own Certificate Authority (CA)
|
||||
and sign my own X.509 certificates. I use these certificates on my mail server
|
||||
(<a href="https://mail.shorewall.net">https://mail.shorewall.net</a>)
|
||||
<br>
|
||||
Given that I develop and support Shorewall without asking for any renumeration,
|
||||
I can hardly justify paying $200US+ a year to a Certificate Authority such
|
||||
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
|
||||
I am who I am. I have therefore established my own Certificate Authority
|
||||
(CA) and sign my own X.509 certificates. I use these certificates on my list
|
||||
server (<a href="https://lists.shorewall.net">https://lists.shorewall.net</a>)
|
||||
which hosts parts of this web site.<br>
|
||||
<br>
|
||||
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part
|
||||
of establishing an SSL session (URL https://...), your browser verifies the
|
||||
X.509 certificate supplied by the HTTPS server against the set of Certificate
|
||||
Authority Certificates that were shipped with your browser. It is expected
|
||||
that the server's certificate was issued by one of the authorities whose identities
|
||||
are known to your browser. <br>
|
||||
<br>
|
||||
This mechanism, while supposedly guaranteeing that when you connect to https://www.foo.bar
|
||||
you are REALLY connecting to www.foo.bar, means that the CAs literally have
|
||||
a license to print money -- they are selling a string of bits (an X.509 certificate)
|
||||
for $200US+ per year!!!I <br>
|
||||
<br>
|
||||
I wish that I had decided to become a CA rather that designing and writing
|
||||
Shorewall.<br>
|
||||
<br>
|
||||
What does this mean to you? It means that the X.509 certificate that my
|
||||
server will present to your browser will not have been signed by one of the
|
||||
authorities known to your browser. If you try to connect to my server using
|
||||
SSL, your browser will frown and give you a dialog box asking if you want
|
||||
<br>
|
||||
X.509 certificates are the basis for the Secure Socket Layer (SSL). As
|
||||
part of establishing an SSL session (URL https://...), your browser verifies
|
||||
the X.509 certificate supplied by the HTTPS server against the set of Certificate
|
||||
Authority Certificates that were shipped with your browser. It is expected
|
||||
that the server's certificate was issued by one of the authorities whose
|
||||
identities are known to your browser. <br>
|
||||
<br>
|
||||
This mechanism, while supposedly guaranteeing that when you connect to
|
||||
https://www.foo.bar you are REALLY connecting to www.foo.bar, means that
|
||||
the CAs literally have a license to print money -- they are selling a string
|
||||
of bits (an X.509 certificate) for $200US+ per year!!!I <br>
|
||||
<br>
|
||||
I wish that I had decided to become a CA rather that designing and writing
|
||||
Shorewall.<br>
|
||||
<br>
|
||||
What does this mean to you? It means that the X.509 certificate that my
|
||||
server will present to your browser will not have been signed by one of the
|
||||
authorities known to your browser. If you try to connect to my server using
|
||||
SSL, your browser will frown and give you a dialog box asking if you want
|
||||
to accept the sleezy X.509 certificate being presented by my server. <br>
|
||||
<br>
|
||||
There are two things that you can do:<br>
|
||||
|
||||
<br>
|
||||
There are two things that you can do:<br>
|
||||
|
||||
<ol>
|
||||
<li>You can accept the mail.shorewall.net certificate when your browser
|
||||
asks -- your acceptence of the certificate can be temporary (for that access
|
||||
only) or perminent.</li>
|
||||
<li>You can download and install <a href="ca.crt">my (self-signed) CA
|
||||
certificate.</a> This will make my Certificate Authority known to your browser
|
||||
<li>You can accept the mail.shorewall.net certificate when your browser
|
||||
asks -- your acceptence of the certificate can be temporary (for that access
|
||||
only) or perminent.</li>
|
||||
<li>You can download and install <a href="ca.crt">my (self-signed) CA
|
||||
certificate.</a> This will make my Certificate Authority known to your browser
|
||||
so that it will accept any certificate signed by me. <br>
|
||||
</li>
|
||||
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
What are the risks?<br>
|
||||
|
||||
What are the risks?<br>
|
||||
|
||||
<ol>
|
||||
<li>If you install my CA certificate then you assume that I am trustworthy
|
||||
and that Shorewall running on your firewall won't redirect HTTPS requests
|
||||
intented to go to your bank's server to one of my systems that will present
|
||||
your browser with a bogus certificate claiming that my server is that of
|
||||
your bank.</li>
|
||||
<li>If you only accept my server's certificate when prompted then the
|
||||
most that you have to loose is that when you connect to https://mail.shorewall.net,
|
||||
the server you are connecting to might not be mine.</li>
|
||||
|
||||
<li>If you install my CA certificate then you assume that I am trustworthy
|
||||
and that Shorewall running on your firewall won't redirect HTTPS requests
|
||||
intented to go to your bank's server to one of my systems that will present
|
||||
your browser with a bogus certificate claiming that my server is that of your
|
||||
bank.</li>
|
||||
<li>If you only accept my server's certificate when prompted then the
|
||||
most that you have to loose is that when you connect to https://mail.shorewall.net,
|
||||
the server you are connecting to might not be mine.</li>
|
||||
|
||||
</ol>
|
||||
I have my CA certificate loaded into all of my browsers but I certainly
|
||||
I have my CA certificate loaded into all of my browsers but I certainly
|
||||
won't be offended if you decline to load it into yours... :-)<br>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p>
|
||||
|
||||
|
||||
<p align="left"><font size="2">Last Updated 1/17/2003 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
|
||||
M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -2,407 +2,489 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall Squid Usage</title>
|
||||
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table cellpadding="0" cellspacing="0" border="0" width="100%"
|
||||
bgcolor="#400169">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="middle" width="33%" bgcolor="#400169"><a
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="middle" width="33%" bgcolor="#400169"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
|
||||
alt="" width="88" height="31" hspace="4">
|
||||
</a><br>
|
||||
</td>
|
||||
<td valign="middle" height="90" align="center" width="34%"><font
|
||||
</a><br>
|
||||
</td>
|
||||
<td valign="middle" height="90" align="center" width="34%"><font
|
||||
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
|
||||
</td>
|
||||
<td valign="middle" height="90" width="33%" align="right"><a
|
||||
</td>
|
||||
<td valign="middle" height="90" width="33%" align="right"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
|
||||
alt="" width="100" height="31" hspace="4">
|
||||
</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
This page covers Shorewall configuration to use with <a
|
||||
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
|
||||
<br>
|
||||
This page covers Shorewall configuration to use with <a
|
||||
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
|
||||
Proxy</b></u>. <br>
|
||||
<a href="#DMZ"></a><br>
|
||||
<img border="0" src="images/j0213519.gif" width="60" height="60"
|
||||
<a href="#DMZ"></a><br>
|
||||
<img border="0" src="images/j0213519.gif" width="60" height="60"
|
||||
alt="Caution" align="middle">
|
||||
Please observe the following general requirements:<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>In all cases, Squid should be configured to run
|
||||
Please observe the following general requirements:<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>In all cases, Squid should be configured to run
|
||||
as a transparent proxy as described at <a
|
||||
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
|
||||
<b><br>
|
||||
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>The following instructions mention the files /etc/shorewall/start
|
||||
and /etc/shorewall/init -- if you don't have those files, siimply create
|
||||
<b><br>
|
||||
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>The following instructions mention the files /etc/shorewall/start
|
||||
and /etc/shorewall/init -- if you don't have those files, siimply create
|
||||
them.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> When the Squid server is in the DMZ zone or in
|
||||
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
|
||||
file entries. That is because the packets being routed to the Squid server
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> When the Squid server is in the DMZ zone or in
|
||||
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
|
||||
file entries. That is because the packets being routed to the Squid server
|
||||
still have their original destination IP addresses.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have iproute2 (<i>ip </i>utility) installed
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have iproute2 (<i>ip </i>utility) installed
|
||||
on your firewall.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have iptables installed on your Squid
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have iptables installed on your Squid
|
||||
server.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have NAT and MANGLE enabled in your /etc/shorewall/conf
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have NAT and MANGLE enabled in your /etc/shorewall/conf
|
||||
file<br>
|
||||
<br>
|
||||
<b><font color="#009900"> NAT_ENABLED=Yes<br>
|
||||
</font></b> <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
|
||||
<br>
|
||||
Three different configurations are covered:<br>
|
||||
|
||||
<br>
|
||||
<b><font color="#009900"> NAT_ENABLED=Yes<br>
|
||||
</font></b> <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
|
||||
<br>
|
||||
Three different configurations are covered:<br>
|
||||
|
||||
<ol>
|
||||
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
|
||||
Firewall.</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the local
|
||||
network</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
|
||||
|
||||
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
|
||||
Firewall.</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the
|
||||
local network</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
|
||||
|
||||
</ol>
|
||||
|
||||
|
||||
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
|
||||
You want to redirect all local www connection requests EXCEPT
|
||||
those to your own
|
||||
http server (206.124.146.177)
|
||||
to a Squid transparent
|
||||
proxy running on the firewall and listening on port 3128. Squid
|
||||
will of course require access to remote web servers.<br>
|
||||
<br>
|
||||
In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
You want to redirect all local www connection requests EXCEPT
|
||||
those to your own
|
||||
http server (206.124.146.177)
|
||||
to a Squid transparent
|
||||
proxy running on the firewall and listening on port 3128. Squid
|
||||
will of course require access to remote web servers.<br>
|
||||
<br>
|
||||
In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> -<br>
|
||||
</td>
|
||||
<td>!206.124.146.177</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<h2><a name="Local"></a>Squid Running in the local network</h2>
|
||||
You want to redirect all local www connection requests to a Squid
|
||||
transparent proxy
|
||||
running in your local zone at 192.168.1.3 and listening on port 3128.
|
||||
Your local interface is eth1. There may also be a web server running on 192.168.1.3.
|
||||
It is assumed that web access is already enabled from the local zone to the
|
||||
internet.<br>
|
||||
|
||||
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
|
||||
other aspects of your gateway including but not limited to traffic shaping
|
||||
and route redirection. For that reason, <b>I don't recommend it</b>.<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">echo 202 www.out >> /etc/iproute2/rt_tables</font></b><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT<br>
|
||||
</td>
|
||||
<td>loc</td>
|
||||
<td>loc<br>
|
||||
</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>Alternativfely, you can have the following policy:<br>
|
||||
<br>
|
||||
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>POLICY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOG LEVEL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BURST PARAMETERS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>In /etc/shorewall/start add:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> -<br>
|
||||
</td>
|
||||
<td>!206.124.146.177</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
|
||||
</table>
|
||||
<br>
|
||||
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<h2><a name="Local"></a>Squid Running in the local network</h2>
|
||||
You want to redirect all local www connection requests to a Squid
|
||||
transparent proxy
|
||||
running in your local zone at 192.168.1.3 and listening on port 3128.
|
||||
Your local interface is eth1. There may also be a web server running on
|
||||
192.168.1.3. It is assumed that web access is already enabled from the local
|
||||
zone to the internet.<br>
|
||||
|
||||
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
|
||||
other aspects of your gateway including but not limited to traffic shaping
|
||||
and route redirection. For that reason, I don't recommend it.<br>
|
||||
</p>
|
||||
<ul>
|
||||
<li>On 192.168.1.3, arrange for the following command to be executed
|
||||
after networking has come up<br>
|
||||
|
||||
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
|
||||
</li>
|
||||
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">echo 202 www.out >> /etc/iproute2/rt_tables</font></b><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
<blockquote> If you are running RedHat on the server, you can simply execute
|
||||
the following commands after you have typed the iptables command above:<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT<br>
|
||||
</td>
|
||||
<td>loc</td>
|
||||
<td>loc<br>
|
||||
</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
|
||||
<pre><font color="#009900"><b>iptables-save > /etc/sysconfig/iptables</b></font><font
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
|
||||
You have a single Linux system in your DMZ with IP address 192.0.2.177.
|
||||
You want to run both a web server and Squid on that system. Your DMZ interface
|
||||
is eth1 and your local interface is eth2.<br>
|
||||
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>echo 202 www.out >> /etc/iproute2/rt_tables</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li> Do<b> one </b>of the following:<br>
|
||||
<br>
|
||||
A) In /etc/shorewall/start add<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900"> iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>B) Set MARK_IN_FORWARD_CHAIN=No in /etc/shorewall/shorewall.conf
|
||||
and add the following entry in /etc/shorewall/tcrules:<br>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">MARK<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DESTINATION<br>
|
||||
</td>
|
||||
<td valign="top">PROTOCOL<br>
|
||||
</td>
|
||||
<td valign="top">PORT<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT PORT<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">202<br>
|
||||
</td>
|
||||
<td valign="top">eth2<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>Alternativfely, you can have the following policy:<br>
|
||||
<br>
|
||||
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
</blockquote>
|
||||
C) Run Shorewall 1.3.14 or later and add the following entry in /etc/shorewall/tcrules:<br>
|
||||
</blockquote>
|
||||
<blockquote>
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>POLICY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOG LEVEL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BURST PARAMETERS<br>
|
||||
</b></td>
|
||||
<td valign="top">MARK<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DESTINATION<br>
|
||||
</td>
|
||||
<td valign="top">PROTOCOL<br>
|
||||
</td>
|
||||
<td valign="top">PORT<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT PORT<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
<td valign="top">202:P<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
<td valign="top">eth2<br>
|
||||
</td>
|
||||
<td valign="top">ACCEPT<br>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top">-<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>In /etc/shorewall/start add:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<br>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>On 192.168.1.3, arrange for the following command to be executed
|
||||
after networking has come up<br>
|
||||
|
||||
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
|
||||
</li>
|
||||
<li>In /etc/shorewall/rules, you will need:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote> If you are running RedHat on the server, you can simply execute
|
||||
the following commands after you have typed the iptables command above:<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<pre><font color="#009900"><b>iptables-save > /etc/sysconfig/iptables</b></font><font
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
|
||||
You have a single Linux system in your DMZ with IP address 192.0.2.177.
|
||||
You want to run both a web server and Squid on that system. Your DMZ interface
|
||||
is eth1 and your local interface is eth2.<br>
|
||||
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>echo 202 www.out >> /etc/iproute2/rt_tables</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li> In /etc/shorewall/start add:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/rules, you will need:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">dmz<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">dmz<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
|
||||
command to be executed after networking has come up<br>
|
||||
|
||||
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote> If you are running RedHat on the server, you can simply execute
|
||||
the following commands after you have typed the iptables command above:<br>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<ul>
|
||||
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
|
||||
command to be executed after networking has come up<br>
|
||||
|
||||
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote> If you are running RedHat on the server, you can simply execute
|
||||
the following commands after you have typed the iptables command above:<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<pre><font color="#009900"><b>iptables-save > /etc/sysconfig/iptables</b></font><font
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<p><font size="-1"> Updated 1/10/2003 - <a
|
||||
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><font size="-1"> Updated 1/23/2003 - <a
|
||||
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
<a
|
||||
<a
|
||||
href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,149 +2,166 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
<base target="main">
|
||||
|
||||
<base target="main">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#4b017c" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
<li> <a
|
||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<li> <a href="Documentation.htm">Reference
|
||||
Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful
|
||||
Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade
|
||||
Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a
|
||||
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://germany.shorewall.net">Germany</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://france.shorewall.net">France</a></li>
|
||||
<li><a href="http://www.shorewall.net" target="_top">Washington
|
||||
State, USA</a><br>
|
||||
</li>
|
||||
<li><a href="http://www.shorewall.net"
|
||||
target="_top">Washington State, USA</a><br>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS
|
||||
Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a
|
||||
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from
|
||||
Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the
|
||||
Author</a></li>
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
|
||||
GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
|
||||
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily
|
||||
0200-0330 GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<p><strong>Quick Search</strong><br>
|
||||
<font face="Arial" size="-1"> <input
|
||||
<font face="Arial" size="-1"> <input
|
||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
||||
face="Arial" size="-1"> <input type="hidden" name="format"
|
||||
value="long"> <input type="hidden" name="method" value="and"> <input
|
||||
type="hidden" name="config" value="htdig"> <input type="submit"
|
||||
value="Search"></font> </p>
|
||||
<font face="Arial"> <input type="hidden"
|
||||
name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font>
|
||||
</form>
|
||||
|
||||
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||
|
||||
<font face="Arial"> <input
|
||||
type="hidden" name="exclude"
|
||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||
|
||||
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
size="2">2001-2003 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
|
||||
src="images/shorewall.jpg" width="119" height="38" hspace="0">
|
||||
</a><br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</a><br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,149 +2,166 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
<base target="main">
|
||||
|
||||
<base target="main">
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#4b017c" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
<li> <a
|
||||
href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a
|
||||
href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference
|
||||
Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<li> <a href="Documentation.htm">Reference
|
||||
Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful
|
||||
Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade
|
||||
Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a
|
||||
href="http://lists.shorewall.net/mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://germany.shorewall.net">Germany</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://france.shorewall.net">France</a></li>
|
||||
<li><a href="http://www.shorewall.net" target="_top">Washington
|
||||
State, USA</a><br>
|
||||
</li>
|
||||
<li><a href="http://www.shorewall.net"
|
||||
target="_top">Washington State, USA</a><br>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS
|
||||
Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a
|
||||
href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from
|
||||
Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the
|
||||
Author</a></li>
|
||||
<li> <a
|
||||
href="sourceforge_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
|
||||
GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily
|
||||
0200-0330 GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<p><strong>Quick Search</strong><br>
|
||||
<font face="Arial" size="-1"> <input
|
||||
<font face="Arial" size="-1"> <input
|
||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
||||
face="Arial" size="-1"> <input type="hidden" name="format"
|
||||
value="long"> <input type="hidden" name="method" value="and"> <input
|
||||
type="hidden" name="config" value="htdig"> <input type="submit"
|
||||
value="Search"></font> </p>
|
||||
<font face="Arial"> <input type="hidden"
|
||||
name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font>
|
||||
</form>
|
||||
|
||||
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||
|
||||
<font face="Arial"> <input
|
||||
type="hidden" name="exclude"
|
||||
value="[http://lists.shorewall.net/pipermail/*]"> </font> </form>
|
||||
|
||||
<p><b><a href="http://lists.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
size="2">2001-2003 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,95 +1,99 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Blacklisting Support</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Blacklisting Support</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
|
||||
|
||||
|
||||
<h2>Static Blacklisting</h2>
|
||||
|
||||
<p>Shorewall static blacklisting support has the following configuration parameters:</p>
|
||||
|
||||
|
||||
<p>Shorewall static blacklisting support has the following configuration
|
||||
parameters:</p>
|
||||
|
||||
<ul>
|
||||
<li>You specify whether you want packets from blacklisted hosts dropped
|
||||
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
|
||||
<li>You specify whether you want packets from blacklisted hosts dropped
|
||||
or rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
|
||||
setting in /etc/shorewall/shorewall.conf</li>
|
||||
<li>You specify whether you want packets from blacklisted hosts logged
|
||||
and at what syslog level using the <a
|
||||
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
|
||||
/etc/shorewall/shorewall.conf</li>
|
||||
<li>You list the IP addresses/subnets that you wish to blacklist in <a
|
||||
href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
|
||||
with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
|
||||
names in the blacklist file.<br>
|
||||
</li>
|
||||
<li>You specify the interfaces whose incoming packets you want checked
|
||||
against the blacklist using the "<a
|
||||
<li>You specify whether you want packets from blacklisted hosts logged
|
||||
and at what syslog level using the <a
|
||||
href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a> setting in
|
||||
/etc/shorewall/shorewall.conf</li>
|
||||
<li>You list the IP addresses/subnets that you wish to blacklist in
|
||||
<a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist.</a> Beginning
|
||||
with Shorewall version 1.3.8, you may also specify PROTOCOL and Port numbers/Service
|
||||
names in the blacklist file.<br>
|
||||
</li>
|
||||
<li>You specify the interfaces whose incoming packets you want checked
|
||||
against the blacklist using the "<a
|
||||
href="Documentation.htm#Interfaces">blacklist</a>" option in /etc/shorewall/interfaces.</li>
|
||||
<li>The black list is refreshed from /etc/shorewall/blacklist by the
|
||||
<li>The black list is refreshed from /etc/shorewall/blacklist by the
|
||||
"<a href="Documentation.htm#Starting">shorewall refresh</a>" command.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h2>Dynamic Blacklisting</h2>
|
||||
|
||||
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
|
||||
doesn't use any configuration parameters but is rather controlled using
|
||||
/sbin/shorewall commands:</p>
|
||||
|
||||
|
||||
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
|
||||
doesn't use any configuration parameters but is rather controlled using
|
||||
/sbin/shorewall commands:</p>
|
||||
|
||||
<ul>
|
||||
<li>drop <i><ip address list> </i>- causes packets from the listed
|
||||
IP addresses to be silently dropped by the firewall.</li>
|
||||
<li>reject <i><ip address list> </i>- causes packets from the listed
|
||||
IP addresses to be rejected by the firewall.</li>
|
||||
<li>allow <i><ip address list> </i>- re-enables receipt of packets
|
||||
from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
|
||||
<li>save - save the dynamic blacklisting configuration so that it will
|
||||
be automatically restored the next time that the firewall is restarted.</li>
|
||||
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
|
||||
|
||||
<li>drop <i><ip address list> </i>- causes packets from the listed
|
||||
IP addresses to be silently dropped by the firewall.</li>
|
||||
<li>reject <i><ip address list> </i>- causes packets from the
|
||||
listed IP addresses to be rejected by the firewall.</li>
|
||||
<li>allow <i><ip address list> </i>- re-enables receipt of packets
|
||||
from hosts previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
|
||||
<li>save - save the dynamic blacklisting configuration so that it will
|
||||
be automatically restored the next time that the firewall is restarted.</li>
|
||||
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
Dynamic blacklisting is <u>not</u> dependent on the "blacklist" option in
|
||||
/etc/shorewall/interfaces.<br>
|
||||
|
||||
<p>Example 1:</p>
|
||||
|
||||
<pre> shorewall drop 192.0.2.124 192.0.2.125</pre>
|
||||
|
||||
|
||||
<pre> <b><font color="#009900">shorewall drop 192.0.2.124 192.0.2.125</font></b></pre>
|
||||
|
||||
<p> Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
|
||||
|
||||
|
||||
<p>Example 2:</p>
|
||||
|
||||
<pre> shorewall allow 192.0.2.125</pre>
|
||||
|
||||
|
||||
<pre> <b><font color="#009900">shorewall allow 192.0.2.125</font></b></pre>
|
||||
|
||||
<p> Reenables access from 192.0.2.125.</p>
|
||||
|
||||
<p><font size="2">Last updated 10/7/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
|
||||
<p><font size="2">Last updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,339 +1,344 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Configuration File Basics</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
|
||||
configuration files on a system running Microsoft Windows, you <u>must</u>
|
||||
run them through <a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
|
||||
before you use them with Shorewall.</b></p>
|
||||
|
||||
<h2><a name="Files"></a>Files</h2>
|
||||
|
||||
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several
|
||||
firewall parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell
|
||||
variables that you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's
|
||||
view of the world into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/policy - establishes firewall high-level
|
||||
policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces
|
||||
on the firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones in
|
||||
terms of individual hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where
|
||||
to use many-to-one (dynamic) Network Address Translation (a.k.a.
|
||||
Masquerading) and Source Network Address Translation (SNAT).</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall
|
||||
to load kernel modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are
|
||||
exceptions to the overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy
|
||||
ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
|
||||
later) - defines hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets
|
||||
for later use by traffic control/shaping or policy routing.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting
|
||||
the TOS field in packet headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and
|
||||
IPIP tunnels with end-points on the firewall system.</li>
|
||||
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
|
||||
addresses.</li>
|
||||
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
|
||||
of a "shorewall start" or "shorewall restart".</li>
|
||||
<li>/etc/shorewall/start - commands that you wish to execute at the completion
|
||||
of a "shorewall start" or "shorewall restart"</li>
|
||||
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
|
||||
of a "shorewall stop".</li>
|
||||
<li>/etc/shorewall/stopped - commands that you wish to execute at the
|
||||
completion of a "shorewall stop".<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Comments"></a>Comments</h2>
|
||||
|
||||
<p>You may place comments in configuration files by making the first non-whitespace
|
||||
character a pound sign ("#"). You may also place comments at
|
||||
the end of any line, again by delimiting the comment from the rest
|
||||
of the line with a pound sign.</p>
|
||||
|
||||
<p>Examples:</p>
|
||||
|
||||
<pre># This is a comment</pre>
|
||||
|
||||
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
|
||||
|
||||
<h2><a name="Continuation"></a>Line Continuation</h2>
|
||||
|
||||
<p>You may continue lines in the configuration files using the usual backslash
|
||||
("\") followed immediately by a new line character.</p>
|
||||
|
||||
<p>Example:</p>
|
||||
|
||||
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
|
||||
|
||||
<h2><a name="dnsnames"></a>Using DNS Names</h2>
|
||||
|
||||
<p align="left"> </p>
|
||||
|
||||
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
|
||||
using DNS names in Shorewall configuration files. If you use DNS names
|
||||
and you are called out of bed at 2:00AM because Shorewall won't start
|
||||
as a result of DNS problems then don't say that you were not forewarned.
|
||||
<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left"><b> -Tom<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
|
||||
configuration files may be specified as either IP addresses or DNS
|
||||
Names.<br>
|
||||
<br>
|
||||
DNS names in iptables rules aren't nearly as useful as they
|
||||
first appear. When a DNS name appears in a rule, the iptables utility
|
||||
resolves the name to one or more IP addresses and inserts those addresses
|
||||
into the rule. So changes in the DNS->IP address relationship that
|
||||
occur after the firewall has started have absolutely no effect on the
|
||||
firewall's ruleset. </p>
|
||||
|
||||
<p align="left"> If your firewall rules include DNS names then:</p>
|
||||
|
||||
<ul>
|
||||
<li>If your /etc/resolv.conf is wrong then your firewall
|
||||
won't start.</li>
|
||||
<li>If your /etc/nsswitch.conf is wrong then your firewall
|
||||
won't start.</li>
|
||||
<li>If your Name Server(s) is(are) down then your firewall
|
||||
won't start.</li>
|
||||
<li>If your startup scripts try to start your firewall before
|
||||
starting your DNS server then your firewall won't start.<br>
|
||||
</li>
|
||||
<li>Factors totally outside your control (your ISP's router
|
||||
is down for example), can prevent your firewall from starting.</li>
|
||||
<li>You must bring up your network interfaces prior to starting
|
||||
your firewall.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left"> Each DNS name much be fully qualified and include a minumum
|
||||
of two periods (although one may be trailing). This restriction is
|
||||
imposed by Shorewall to insure backward compatibility with existing
|
||||
configuration files.<br>
|
||||
<br>
|
||||
Examples of valid DNS names:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>mail.shorewall.net</li>
|
||||
<li>shorewall.net. (note the trailing period).</li>
|
||||
|
||||
</ul>
|
||||
Examples of invalid DNS names:<br>
|
||||
|
||||
<ul>
|
||||
<li>mail (not fully qualified)</li>
|
||||
<li>shorewall.net (only one period)</li>
|
||||
|
||||
</ul>
|
||||
DNS names may not be used as:<br>
|
||||
|
||||
<ul>
|
||||
<li>The server address in a DNAT rule (/etc/shorewall/rules
|
||||
file)</li>
|
||||
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
|
||||
<li>In the /etc/shorewall/nat file.</li>
|
||||
|
||||
</ul>
|
||||
These restrictions are not imposed by Shorewall simply for
|
||||
your inconvenience but are rather limitations of iptables.<br>
|
||||
|
||||
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
|
||||
|
||||
<p>Where specifying an IP address, a subnet or an interface, you can
|
||||
precede the item with "!" to specify the complement of the item. For
|
||||
example, !192.168.1.4 means "any host but 192.168.1.4". There must
|
||||
be no white space following the "!".</p>
|
||||
|
||||
<h2><a name="Lists"></a>Comma-separated Lists</h2>
|
||||
|
||||
<p>Comma-separated lists are allowed in a number of contexts within the
|
||||
configuration files. A comma separated list:</p>
|
||||
|
||||
<ul>
|
||||
<li>Must not have any embedded white space.<br>
|
||||
Valid: routestopped,dhcp,norfc1918<br>
|
||||
Invalid: routestopped, dhcp, norfc1818</li>
|
||||
<li>If you use line continuation to break a comma-separated
|
||||
list, the continuation line(s) must begin in column 1 (or
|
||||
there would be embedded white space)</li>
|
||||
<li>Entries in a comma-separated list may appear in
|
||||
any order.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
|
||||
|
||||
<p>Unless otherwise specified, when giving a port number you can use
|
||||
either an integer or a service name from /etc/services. </p>
|
||||
|
||||
<h2><a name="Ranges"></a>Port Ranges</h2>
|
||||
|
||||
<p>If you need to specify a range of ports, the proper syntax is <<i>low
|
||||
port number</i>>:<<i>high port number</i>>. For example,
|
||||
if you want to forward the range of tcp ports 4000 through 4100 to
|
||||
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
|
||||
</p>
|
||||
|
||||
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
|
||||
|
||||
<h2><a name="Variables"></a>Using Shell Variables</h2>
|
||||
|
||||
<p>You may use the /etc/shorewall/params file to set shell variables
|
||||
that you can then use in some of the other configuration files.</p>
|
||||
|
||||
<p>It is suggested that variable names begin with an upper case letter<font
|
||||
size="1"> </font>to distinguish them from variables used internally
|
||||
within the Shorewall programs</p>
|
||||
|
||||
<p>Example:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<p><br>
|
||||
Example (/etc/shorewall/interfaces record):</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
|
||||
<p>The result will be the same as if the record had been written</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
|
||||
configuration files on a system running Microsoft Windows, you <u>must</u>
|
||||
run them through <a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
|
||||
before you use them with Shorewall.</b></p>
|
||||
|
||||
<h2><a name="Files"></a>Files</h2>
|
||||
|
||||
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several
|
||||
firewall parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set
|
||||
shell variables that you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's
|
||||
view of the world into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/policy - establishes firewall
|
||||
high-level policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces
|
||||
on the firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones
|
||||
in terms of individual hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where
|
||||
to use many-to-one (dynamic) Network Address Translation
|
||||
(a.k.a. Masquerading) and Source Network Address Translation
|
||||
(SNAT).</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall
|
||||
to load kernel modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are
|
||||
exceptions to the overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy
|
||||
ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4
|
||||
and later) - defines hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets
|
||||
for later use by traffic control/shaping or policy routing.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting
|
||||
the TOS field in packet headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and
|
||||
IPIP tunnels with end-points on the firewall system.</li>
|
||||
<li>/etc/shorewall/blacklist - lists blacklisted
|
||||
IP/subnet/MAC addresses.</li>
|
||||
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
|
||||
of a "shorewall start" or "shorewall restart".</li>
|
||||
<li>/etc/shorewall/start - commands that you wish to execute at the
|
||||
completion of a "shorewall start" or "shorewall restart"</li>
|
||||
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
|
||||
of a "shorewall stop".</li>
|
||||
<li>/etc/shorewall/stopped - commands that you wish to execute at the
|
||||
completion of a "shorewall stop".<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Comments"></a>Comments</h2>
|
||||
|
||||
<p>You may place comments in configuration files by making the first non-whitespace
|
||||
character a pound sign ("#"). You may also place comments at
|
||||
the end of any line, again by delimiting the comment from the
|
||||
rest of the line with a pound sign.</p>
|
||||
|
||||
<p>Examples:</p>
|
||||
|
||||
<pre># This is a comment</pre>
|
||||
|
||||
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
|
||||
|
||||
<h2><a name="Continuation"></a>Line Continuation</h2>
|
||||
|
||||
<p>You may continue lines in the configuration files using the usual backslash
|
||||
("\") followed immediately by a new line character.</p>
|
||||
|
||||
<p>Example:</p>
|
||||
|
||||
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
|
||||
|
||||
<h2><a name="dnsnames"></a>Using DNS Names</h2>
|
||||
|
||||
<p align="left"> </p>
|
||||
|
||||
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
|
||||
using DNS names in Shorewall configuration files. If you use DNS
|
||||
names and you are called out of bed at 2:00AM because Shorewall won't
|
||||
start as a result of DNS problems then don't say that you were not forewarned.
|
||||
<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left"><b> -Tom<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
|
||||
configuration files may be specified as either IP addresses or DNS
|
||||
Names.<br>
|
||||
<br>
|
||||
DNS names in iptables rules aren't nearly as useful as they
|
||||
first appear. When a DNS name appears in a rule, the iptables utility
|
||||
resolves the name to one or more IP addresses and inserts those addresses
|
||||
into the rule. So changes in the DNS->IP address relationship that
|
||||
occur after the firewall has started have absolutely no effect on the
|
||||
firewall's ruleset. </p>
|
||||
|
||||
<p align="left"> If your firewall rules include DNS names then:</p>
|
||||
|
||||
<ul>
|
||||
<li>If your /etc/resolv.conf is wrong then your firewall
|
||||
won't start.</li>
|
||||
<li>If your /etc/nsswitch.conf is wrong then your firewall
|
||||
won't start.</li>
|
||||
<li>If your Name Server(s) is(are) down then your firewall
|
||||
won't start.</li>
|
||||
<li>If your startup scripts try to start your firewall before
|
||||
starting your DNS server then your firewall won't start.<br>
|
||||
</li>
|
||||
<li>Factors totally outside your control (your ISP's router
|
||||
is down for example), can prevent your firewall from starting.</li>
|
||||
<li>You must bring up your network interfaces prior to starting
|
||||
your firewall.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left"> Each DNS name much be fully qualified and include a minumum
|
||||
of two periods (although one may be trailing). This restriction is
|
||||
imposed by Shorewall to insure backward compatibility with existing
|
||||
configuration files.<br>
|
||||
<br>
|
||||
Examples of valid DNS names:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>mail.shorewall.net</li>
|
||||
<li>shorewall.net. (note the trailing period).</li>
|
||||
|
||||
</ul>
|
||||
Examples of invalid DNS names:<br>
|
||||
|
||||
<ul>
|
||||
<li>mail (not fully qualified)</li>
|
||||
<li>shorewall.net (only one period)</li>
|
||||
|
||||
</ul>
|
||||
DNS names may not be used as:<br>
|
||||
|
||||
<ul>
|
||||
<li>The server address in a DNAT rule (/etc/shorewall/rules
|
||||
file)</li>
|
||||
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
|
||||
<li>In the /etc/shorewall/nat file.</li>
|
||||
|
||||
</ul>
|
||||
These restrictions are not imposed by Shorewall simply for
|
||||
your inconvenience but are rather limitations of iptables.<br>
|
||||
|
||||
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
|
||||
|
||||
<p>Where specifying an IP address, a subnet or an interface, you can
|
||||
precede the item with "!" to specify the complement of the item. For
|
||||
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
|
||||
no white space following the "!".</p>
|
||||
|
||||
<h2><a name="Lists"></a>Comma-separated Lists</h2>
|
||||
|
||||
<p>Comma-separated lists are allowed in a number of contexts within the
|
||||
configuration files. A comma separated list:</p>
|
||||
|
||||
<ul>
|
||||
<li>Must not have any embedded white space.<br>
|
||||
Valid: routestopped,dhcp,norfc1918<br>
|
||||
Invalid: routestopped, dhcp, norfc1818</li>
|
||||
<li>If you use line continuation to break a comma-separated
|
||||
list, the continuation line(s) must begin in column 1 (or
|
||||
there would be embedded white space)</li>
|
||||
<li>Entries in a comma-separated list may appear
|
||||
in any order.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
|
||||
|
||||
<p>Unless otherwise specified, when giving a port number you can use
|
||||
either an integer or a service name from /etc/services. </p>
|
||||
|
||||
<h2><a name="Ranges"></a>Port Ranges</h2>
|
||||
|
||||
<p>If you need to specify a range of ports, the proper syntax is <<i>low
|
||||
port number</i>>:<<i>high port number</i>>. For example,
|
||||
if you want to forward the range of tcp ports 4000 through 4100 to local
|
||||
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
|
||||
</p>
|
||||
|
||||
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
|
||||
If you omit the low port number, a value of zero is assumed; if you omit
|
||||
the high port number, a value of 65535 is assumed.<br>
|
||||
|
||||
<h2><a name="Variables"></a>Using Shell Variables</h2>
|
||||
|
||||
<p>You may use the /etc/shorewall/params file to set shell variables
|
||||
that you can then use in some of the other configuration files.</p>
|
||||
|
||||
<p>It is suggested that variable names begin with an upper case letter<font
|
||||
size="1"> </font>to distinguish them from variables used internally
|
||||
within the Shorewall programs</p>
|
||||
|
||||
<p>Example:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
|
||||
<p><br>
|
||||
Example (/etc/shorewall/interfaces record):</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
|
||||
<p>The result will be the same as if the record had been written</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
|
||||
<p>Variables may be used anywhere in the other configuration
|
||||
</blockquote>
|
||||
</font>
|
||||
|
||||
<p>Variables may be used anywhere in the other configuration
|
||||
files.</p>
|
||||
|
||||
|
||||
<h2><a name="MAC"></a>Using MAC Addresses</h2>
|
||||
|
||||
<p>Media Access Control (MAC) addresses can be used to specify packet
|
||||
source in several of the configuration files. To use this feature,
|
||||
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
|
||||
|
||||
<p>Media Access Control (MAC) addresses can be used to specify packet
|
||||
source in several of the configuration files. To use this feature,
|
||||
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
|
||||
included.</p>
|
||||
|
||||
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
|
||||
unique MAC address.<br>
|
||||
<br>
|
||||
In GNU/Linux, MAC addresses are usually written as a
|
||||
series of 6 hex numbers separated by colons. Example:<br>
|
||||
<br>
|
||||
[root@gateway root]# ifconfig eth0<br>
|
||||
eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
|
||||
inet addr:206.124.146.176 Bcast:206.124.146.255
|
||||
Mask:255.255.255.0<br>
|
||||
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
|
||||
RX packets:2398102 errors:0 dropped:0 overruns:0
|
||||
frame:0<br>
|
||||
TX packets:3044698 errors:0 dropped:0 overruns:0
|
||||
carrier:0<br>
|
||||
collisions:30394 txqueuelen:100<br>
|
||||
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
|
||||
(1582.8 Mb)<br>
|
||||
Interrupt:11 Base address:0x1800<br>
|
||||
<br>
|
||||
Because Shorewall uses colons as a separator for address
|
||||
fields, Shorewall requires MAC addresses to be written in another
|
||||
way. In Shorewall, MAC addresses begin with a tilde ("~") and consist
|
||||
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address
|
||||
in the example above would be written "~02-00-08-E3-FA-55".<br>
|
||||
</p>
|
||||
|
||||
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
|
||||
|
||||
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
|
||||
unique MAC address.<br>
|
||||
<br>
|
||||
In GNU/Linux, MAC addresses are usually written as
|
||||
a series of 6 hex numbers separated by colons. Example:<br>
|
||||
<br>
|
||||
[root@gateway root]# ifconfig eth0<br>
|
||||
eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
|
||||
inet addr:206.124.146.176 Bcast:206.124.146.255
|
||||
Mask:255.255.255.0<br>
|
||||
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
|
||||
RX packets:2398102 errors:0 dropped:0 overruns:0
|
||||
frame:0<br>
|
||||
TX packets:3044698 errors:0 dropped:0 overruns:0
|
||||
carrier:0<br>
|
||||
collisions:30394 txqueuelen:100<br>
|
||||
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
|
||||
(1582.8 Mb)<br>
|
||||
Interrupt:11 Base address:0x1800<br>
|
||||
<br>
|
||||
Because Shorewall uses colons as a separator for address
|
||||
fields, Shorewall requires MAC addresses to be written in another
|
||||
way. In Shorewall, MAC addresses begin with a tilde ("~") and
|
||||
consist of 6 hex numbers separated by hyphens. In Shorewall, the
|
||||
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
|
||||
</p>
|
||||
|
||||
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
|
||||
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<h2><a name="Levels"></a>Shorewall Configurations</h2>
|
||||
|
||||
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
|
||||
The <a href="starting_and_stopping_shorewall.htm">shorewall start
|
||||
and restart</a> commands allow you to specify an alternate configuration
|
||||
directory and Shorewall will use the files in the alternate directory
|
||||
rather than the corresponding files in /etc/shorewall. The alternate
|
||||
directory need not contain a complete configuration; those files not
|
||||
in the alternate directory will be read from /etc/shorewall.</p>
|
||||
|
||||
<p> This facility permits you to easily create a test or temporary configuration
|
||||
|
||||
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
|
||||
The <a href="starting_and_stopping_shorewall.htm">shorewall start and
|
||||
restart</a> commands allow you to specify an alternate configuration
|
||||
directory and Shorewall will use the files in the alternate directory
|
||||
rather than the corresponding files in /etc/shorewall. The alternate directory
|
||||
need not contain a complete configuration; those files not in the alternate
|
||||
directory will be read from /etc/shorewall.</p>
|
||||
|
||||
<p> This facility permits you to easily create a test or temporary configuration
|
||||
by:</p>
|
||||
|
||||
|
||||
<ol>
|
||||
<li> copying the files that need modification from
|
||||
<li> copying the files that need modification from
|
||||
/etc/shorewall to a separate directory;</li>
|
||||
<li> modify those files in the separate directory;
|
||||
<li> modify those files in the separate directory;
|
||||
and</li>
|
||||
<li> specifying the separate directory in a shorewall
|
||||
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
|
||||
<li> specifying the separate directory in a shorewall
|
||||
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
|
||||
restart</b></i> ).</li>
|
||||
|
||||
|
||||
</ol>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><font size="2"> Updated 12/29/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><font size="2"> Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
@ -1,392 +1,391 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Download</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p><b>I strongly urge you to read and print a copy of the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.<br>
|
||||
</b></p>
|
||||
|
||||
<p>The entire set of Shorewall documentation is available in PDF format
|
||||
at:</p>
|
||||
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.<br>
|
||||
</b></p>
|
||||
|
||||
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
|
||||
|
||||
<p> <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
</p>
|
||||
|
||||
<p>The documentation in HTML format is included in the .rpm and in the
|
||||
.tgz packages below.</p>
|
||||
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
</p>
|
||||
|
||||
<p>The documentation in HTML format is included in the .rpm and in the .tgz
|
||||
packages below.</p>
|
||||
|
||||
<p> Once you've done that, download <u> one</u> of the modules:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
|
||||
Linux PPC</b> or <b> TurboLinux</b> distribution with
|
||||
a 2.4 kernel, you can use the RPM version (note: the
|
||||
RPM should also work with other distributions that store
|
||||
init scripts in /etc/init.d and that include chkconfig or
|
||||
insserv). If you find that it works in other cases, let <a
|
||||
href="mailto:teastep@shorewall.net"> me</a> know so that
|
||||
I can mention them here. See the <a href="Install.htm">Installation
|
||||
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>,
|
||||
<b> Linux PPC</b> or <b> TurboLinux</b> distribution
|
||||
with a 2.4 kernel, you can use the RPM version (note: the
|
||||
RPM should also work with other distributions that
|
||||
store init scripts in /etc/init.d and that include chkconfig
|
||||
or insserv). If you find that it works in other cases, let <a
|
||||
href="mailto:teastep@shorewall.net"> me</a> know so that
|
||||
I can mention them here. See the <a href="Install.htm">Installation
|
||||
Instructions</a> if you have problems installing the RPM.</li>
|
||||
<li>If you are running LRP, download the .lrp file (you
|
||||
might also want to download the .tgz so you will have a copy of
|
||||
<li>If you are running LRP, download the .lrp file (you
|
||||
might also want to download the .tgz so you will have a copy of
|
||||
the documentation).</li>
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
|
||||
and would like a .deb package, Shorewall is included in both the
|
||||
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
|
||||
and would like a .deb package, Shorewall is included in both
|
||||
the <a href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
Testing Branch</a> and the <a
|
||||
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i>
|
||||
module (.tgz)</li>
|
||||
|
||||
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i>
|
||||
module (.tgz)</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>The documentation in HTML format is included in the .tgz and .rpm files
|
||||
|
||||
<p>The documentation in HTML format is included in the .tgz and .rpm files
|
||||
and there is an documentation .deb that also contains the documentation.</p>
|
||||
|
||||
<p>Please verify the version that you have downloaded -- during the
|
||||
release of a new version of Shorewall, the links below may
|
||||
point to a newer or an older version than is shown below.</p>
|
||||
|
||||
|
||||
<p>Please verify the version that you have downloaded -- during the
|
||||
release of a new version of Shorewall, the links below may
|
||||
point to a newer or an older version than is shown below.</p>
|
||||
|
||||
<ul>
|
||||
<li>RPM - "rpm -qip LATEST.rpm"</li>
|
||||
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
|
||||
will contain the version)</li>
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
|
||||
-zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
|
||||
<li>RPM - "rpm -qip LATEST.rpm"</li>
|
||||
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
|
||||
will contain the version)</li>
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
|
||||
-zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
|
||||
</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p>Once you have verified the version, check the <font
|
||||
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
|
||||
if there are updates that apply to the version that you have
|
||||
downloaded.</p>
|
||||
|
||||
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
|
||||
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
|
||||
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
|
||||
if there are updates that apply to the version that you have
|
||||
downloaded.</p>
|
||||
|
||||
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
|
||||
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
|
||||
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
|
||||
<p><b>Download Latest Version</b> (<b>1.3.13</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the Washington State
|
||||
site.</b></p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p><b>Download Latest Version</b> (<b>1.3.14</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the Washington
|
||||
State site.</b></p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellspacing="3" cellpadding="3"
|
||||
style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">SourceForge<br>
|
||||
</td>
|
||||
<td valign="top">sf.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
<td valign="top">SourceForge<br>
|
||||
</td>
|
||||
<td valign="top">sf.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td> <a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Paris, France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="middle">Washington State, USA<br>
|
||||
</td>
|
||||
<td valign="middle">Shorewall.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
|
||||
Download .rpm</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td> <a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Paris, France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="middle">Washington State, USA<br>
|
||||
</td>
|
||||
<td valign="middle">Shorewall.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
|
||||
Download .rpm</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p><b>Browse Download Sites:</b></p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>SourceForge<br>
|
||||
</td>
|
||||
<td>sf.net</td>
|
||||
<td><a
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>SourceForge<br>
|
||||
</td>
|
||||
<td>sf.net</td>
|
||||
<td><a
|
||||
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
|
||||
<td>N/A</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td><a
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<td>N/A</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td><a
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><b>CVS:</b></p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">The <a target="_top"
|
||||
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
|
||||
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
|
||||
component. There's no guarantee that what you find there will work
|
||||
at all.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 1/13/2003 - <a
|
||||
href="http://cvs.shorewall.net/Shorewall_CVS_Access.html">CVS repository
|
||||
at cvs.shorewall.net</a> contains the latest snapshots of the each
|
||||
Shorewall component. There's no guarantee that what you find there
|
||||
will work at all.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 2/7/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,138 +1,153 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Mailing Lists</title>
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
|
||||
style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
|
||||
border="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="33%" valign="middle">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="33%" valign="middle" align="left">
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><a
|
||||
href="http://www.centralcommand.com/linux_products.html"><img
|
||||
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
|
||||
height="79" align="left">
|
||||
</a></h1>
|
||||
</a></h1>
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><a
|
||||
<a
|
||||
href="http://www.gnu.org/software/mailman/mailman.html"> <img
|
||||
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
|
||||
height="35" alt="">
|
||||
</a></h1>
|
||||
|
||||
<p align="right"><br>
|
||||
<font color="#ffffff"><b> </b></font> </p>
|
||||
</td>
|
||||
<td valign="middle" width="34%" align="center">
|
||||
</a>
|
||||
|
||||
<p align="right"><font color="#ffffff"><b> </b></font> </p>
|
||||
</td>
|
||||
<td valign="middle" width="34%" align="center">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
|
||||
</td>
|
||||
<td valign="middle" width="33%">
|
||||
<h1 align="center"><a href="http://www.postfix.org/"> <img
|
||||
</td>
|
||||
<td valign="middle" width="33%"> <a
|
||||
href="http://www.postfix.org/"> <img
|
||||
src="images/small-picture.gif" align="right" border="0" width="115"
|
||||
height="45" alt="(Postfix Logo)">
|
||||
</a></h1>
|
||||
<br>
|
||||
|
||||
</a><br>
|
||||
|
||||
<div align="left"><a href="http://www.spamassassin.org"><img
|
||||
src="images/ninjalogo.png" alt="" width="110" height="42" align="right"
|
||||
border="0">
|
||||
</a> </div>
|
||||
<br>
|
||||
|
||||
<div align="right"><br>
|
||||
<b><font color="#ffffff">Powered by Postfix </font></b><br>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<b><font color="#ffffff"><br>
|
||||
Powered by Postfix </font></b><br>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<h2 align="left">Not getting List Mail? -- <a
|
||||
href="mailing_list_problems.htm">Check Here</a></h2>
|
||||
|
||||
<p align="left">If you experience problems with any of these lists, please
|
||||
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
|
||||
|
||||
|
||||
<p align="left">If you experience problems with any of these lists, please
|
||||
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
|
||||
|
||||
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
|
||||
|
||||
<p align="left">You can report such problems by sending mail to tom dot eastep
|
||||
at hp dot com.</p>
|
||||
|
||||
|
||||
<p align="left">You can report such problems by sending mail to tom dot eastep
|
||||
at hp dot com.</p>
|
||||
|
||||
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
|
||||
href="http://osirusoft.com/"> </a></h2>
|
||||
|
||||
<p>Before subscribing please read my <a href="spam_filters.htm">policy
|
||||
about list traffic that bounces.</a> Also please note that the mail server
|
||||
at shorewall.net checks incoming mail:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>against <a href="http://spamassassin.org">Spamassassin</a>
|
||||
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
|
||||
</li>
|
||||
<li>to ensure that the sender address is fully qualified.</li>
|
||||
<li>to verify that the sender's domain has an A or MX record
|
||||
in DNS.</li>
|
||||
<li>to ensure that the host name in the HELO/EHLO command is
|
||||
a valid fully-qualified DNS name that resolves.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
A growing number of MTAs serving list subscribers are rejecting all
|
||||
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
|
||||
"for continuous abuse" because it has been my policy to allow HTML in list
|
||||
posts!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian way to control spam and
|
||||
that the ultimate losers here are not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
|
||||
to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
|
||||
life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
|
||||
to allow subscribers to receive list posts as must as possible, I have now
|
||||
configured the list server at shorewall.net to strip all HTML from outgoing
|
||||
posts. This means that HTML-only posts will be bounced by the list server.<br>
|
||||
|
||||
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
|
||||
</p>
|
||||
|
||||
|
||||
<h2>Other Mail Delivery Problems</h2>
|
||||
If you find that you are missing an occasional list post, your e-mail
|
||||
admin may be blocking mail whose <i>Received:</i> headers contain the names
|
||||
of certain ISPs. Again, I believe that such policies hurt more than they
|
||||
help but I'm not prepared to go so far as to start stripping <i>Received:</i>
|
||||
headers to circumvent those policies.<br>
|
||||
|
||||
<h2 align="left">Mailing Lists Archive Search</h2>
|
||||
<p>Before subscribing please read my <a href="spam_filters.htm">policy
|
||||
about list traffic that bounces.</a> Also please note that the mail server
|
||||
at shorewall.net checks incoming mail:<br>
|
||||
</p>
|
||||
|
||||
<form method="post" action="http://mail.shorewall.net/cgi-bin/htsearch">
|
||||
<ol>
|
||||
<li>against <a href="http://spamassassin.org">Spamassassin</a>
|
||||
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
|
||||
</li>
|
||||
<li>to ensure that the sender address is fully qualified.</li>
|
||||
<li>to verify that the sender's domain has an A or MX record
|
||||
in DNS.</li>
|
||||
<li>to ensure that the host name in the HELO/EHLO command
|
||||
is a valid fully-qualified DNS name that resolves.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
A growing number of MTAs serving list subscribers are rejecting
|
||||
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
|
||||
"for continuous abuse" because it has been my policy to allow HTML in list
|
||||
posts!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian way to control spam
|
||||
and that the ultimate losers here are not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. As one list subscriber
|
||||
wrote to me privately "These e-mail admin's need to get a <i>(explitive
|
||||
deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
|
||||
Nevertheless, to allow subscribers to receive list posts as must as possible,
|
||||
I have now configured the list server at shorewall.net to strip all HTML
|
||||
from outgoing posts. This means that HTML-only posts will be bounced by
|
||||
the list server.<br>
|
||||
|
||||
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
|
||||
</p>
|
||||
|
||||
<h2>Other Mail Delivery Problems</h2>
|
||||
If you find that you are missing an occasional list post, your e-mail
|
||||
admin may be blocking mail whose <i>Received:</i> headers contain the names
|
||||
of certain ISPs. Again, I believe that such policies hurt more than they
|
||||
help but I'm not prepared to go so far as to start stripping <i>Received:</i>
|
||||
headers to circumvent those policies.<br>
|
||||
|
||||
<h2 align="left">Mailing Lists Archive Search</h2>
|
||||
|
||||
<p> <font size="-1"> Match:
|
||||
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
||||
|
||||
<p> <font size="-1"> Match:
|
||||
|
||||
<select name="method">
|
||||
<option value="and">All </option>
|
||||
<option value="or">Any </option>
|
||||
<option value="boolean">Boolean </option>
|
||||
</select>
|
||||
Format:
|
||||
Format:
|
||||
|
||||
<select name="format">
|
||||
<option value="builtin-long">Long </option>
|
||||
<option value="builtin-short">Short </option>
|
||||
</select>
|
||||
Sort by:
|
||||
Sort by:
|
||||
|
||||
<select name="sort">
|
||||
<option value="score">Score </option>
|
||||
<option value="time">Time </option>
|
||||
@ -141,130 +156,149 @@ headers to circumvent those policies.<br>
|
||||
<option value="revtime">Reverse Time </option>
|
||||
<option value="revtitle">Reverse Title </option>
|
||||
</select>
|
||||
</font> <input type="hidden" name="config" value="htdig">
|
||||
<input type="hidden" name="restrict"
|
||||
value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
</font> <input type="hidden" name="config"
|
||||
value="htdig"> <input type="hidden" name="restrict"
|
||||
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
name="exclude" value=""> <br>
|
||||
Search: <input type="text" size="30" name="words"
|
||||
Search: <input type="text" size="30" name="words"
|
||||
value=""> <input type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
<h2 align="left"><font color="#ff0000">Please do not try to download the
|
||||
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
|
||||
won't stand the traffic. If I catch you, you will be blacklisted.<br>
|
||||
</font></h2>
|
||||
|
||||
</form>
|
||||
|
||||
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
|
||||
Archive -- it is 75MB (and growing daily) and my slow DSL line simply won't
|
||||
stand the traffic. If I catch you, you will be blacklisted.<br>
|
||||
</font></h2>
|
||||
|
||||
<h2 align="left">Shorewall CA Certificate</h2>
|
||||
If you want to trust X.509 certificates issued by Shoreline
|
||||
Firewall (such as the one used on my web site), you may <a
|
||||
href="Shorewall_CA_html.html">download and install my CA certificate</a>
|
||||
in your browser. If you don't wish to trust my certificates then you
|
||||
can either use unencrypted access when subscribing to Shorewall mailing
|
||||
lists or you can use secure access (SSL) and accept the server's certificate
|
||||
when prompted by your browser.<br>
|
||||
|
||||
If you want to trust X.509 certificates issued by Shoreline
|
||||
Firewall (such as the one used on my web site), you may <a
|
||||
href="Shorewall_CA_html.html">download and install my CA certificate</a>
|
||||
in your browser. If you don't wish to trust my certificates then
|
||||
you can either use unencrypted access when subscribing to Shorewall
|
||||
mailing lists or you can use secure access (SSL) and accept the server's
|
||||
certificate when prompted by your browser.<br>
|
||||
|
||||
<h2 align="left">Shorewall Users Mailing List</h2>
|
||||
|
||||
<p align="left">The Shorewall Users Mailing list provides a way for users
|
||||
to get answers to questions and to report problems. Information of
|
||||
general interest to the Shorewall user community is also posted to this
|
||||
list.</p>
|
||||
|
||||
<p align="left"><b>Before posting a problem report to this list, please see
|
||||
the <a href="support.htm">problem reporting guidelines</a>.</b></p>
|
||||
|
||||
<p align="left">To subscribe to the mailing list, go to <a
|
||||
href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
SSL: <a
|
||||
href="https://mail.shorewall.net/mailman/listinfo/shorewall-users"
|
||||
target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-users</a></p>
|
||||
|
||||
<p align="left">To post to the list, post to <a
|
||||
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
|
||||
|
||||
<p align="left">The list archives are at <a
|
||||
href="http://mail.shorewall.net/pipermail/shorewall-users/index.html">http://mail.shorewall.net/pipermail/shorewall-users</a>.</p>
|
||||
|
||||
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
|
||||
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
|
||||
may be found at <a
|
||||
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
|
||||
|
||||
<h2 align="left">Shorewall Announce Mailing List</h2>
|
||||
|
||||
<p align="left">This list is for announcements of general interest to the
|
||||
Shorewall community. To subscribe, go to <a
|
||||
href="http://mail.shorewall.net/mailman/listinfo/shorewall-announce">http://mail.shorewall.net/mailman/listinfo/shorewall-announce</a>
|
||||
SSL: <a
|
||||
href="https://mail.shorewall.net/mailman/listinfo/shorewall-announce"
|
||||
target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-announce.<br>
|
||||
</a><br>
|
||||
The list archives are at <a
|
||||
href="http://mail.shorewall.net/pipermail/shorewall-announce">http://mail.shorewall.net/pipermail/shorewall-announce</a>.</p>
|
||||
|
||||
<h2 align="left">Shorewall Development Mailing List</h2>
|
||||
|
||||
<p align="left">The Shorewall Development Mailing list provides a forum for
|
||||
the exchange of ideas about the future of Shorewall and for coordinating
|
||||
ongoing Shorewall Development.</p>
|
||||
|
||||
<p align="left">To subscribe to the mailing list, go to <a
|
||||
href="http://mail.shorewall.net/mailman/listinfo/shorewall-devel">http://mail.shorewall.net/mailman/listinfo/shorewall-devel</a>
|
||||
SSL: <a
|
||||
href="https://mail.shorewall.net/mailman/listinfo/shorewall-devel"
|
||||
target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
|
||||
To post to the list, post to <a
|
||||
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
|
||||
|
||||
<p align="left">The list archives are at <a
|
||||
href="http://mail.shorewall.net/pipermail/shorewall-devel">http://mail.shorewall.net/pipermail/shorewall-devel</a>.</p>
|
||||
|
||||
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
|
||||
the Mailing Lists</h2>
|
||||
|
||||
<p align="left">There seems to be near-universal confusion about unsubscribing
|
||||
from Mailman-managed lists although Mailman 2.1 has attempted to make
|
||||
this less confusing. To unsubscribe:</p>
|
||||
|
||||
|
||||
<p align="left">The Shorewall Users Mailing list provides a way for users
|
||||
to get answers to questions and to report problems. Information
|
||||
of general interest to the Shorewall user community is also posted
|
||||
to this list.</p>
|
||||
|
||||
<p align="left"><b>Before posting a problem report to this list, please see
|
||||
the <a href="http://www.shorewall.net/support.htm">problem reporting
|
||||
guidelines</a>.</b></p>
|
||||
|
||||
<p align="left">To subscribe to the mailing list:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
|
||||
<p align="left">Follow the same link above that you used to subscribe
|
||||
to the list.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">Down at the bottom of that page is the following text:
|
||||
" To <b>unsubscribe</b> from <i><list name></i>, get a password
|
||||
reminder, or change your subscription options enter your subscription
|
||||
email address:". Enter your email address in the box and click
|
||||
on the "<b>Unsubscribe</b> or edit options" button.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">There will now be a box where you can enter your password
|
||||
and click on "Unsubscribe"; if you have forgotten your password, there
|
||||
is another button that will cause your password to be emailed to you.</p>
|
||||
</li>
|
||||
|
||||
<li><b>Insecure: </b><a
|
||||
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
|
||||
<li><b>SSL:</b> <a
|
||||
href="https://lists.shorewall.net/mailman/listinfo/shorewall-users"
|
||||
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-users</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<hr>
|
||||
|
||||
<p align="left">To post to the list, post to <a
|
||||
href="mailto:shorewall-users@lists.shorewall.net">shorewall-users@lists.shorewall.net</a>.</p>
|
||||
|
||||
<p align="left">The list archives are at <a
|
||||
href="http://lists.shorewall.net/pipermail/shorewall-users/index.html">http://lists.shorewall.net/pipermail/shorewall-users</a>.</p>
|
||||
|
||||
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
|
||||
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
|
||||
list may be found at <a
|
||||
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
|
||||
|
||||
<h2 align="left">Shorewall Announce Mailing List</h2>
|
||||
|
||||
<p align="left">This list is for announcements of general interest to the
|
||||
Shorewall community. To subscribe:<br>
|
||||
</p>
|
||||
|
||||
<p align="left"></p>
|
||||
|
||||
<ul>
|
||||
<li><b>Insecure:</b> <a
|
||||
href="http://lists.shorewall.net/mailman/listinfo/shorewall-announce">http://lists.shorewall.net/mailman/listinfo/shorewall-announce</a></li>
|
||||
<li><b>SSL</b>: <a
|
||||
href="https://lists.shorewall.net/mailman/listinfo/shorewall-announce"
|
||||
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-announce.</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left"><br>
|
||||
The list archives are at <a
|
||||
href="http://lists.shorewall.net/pipermail/shorewall-announce">http://lists.shorewall.net/pipermail/shorewall-announce</a>.</p>
|
||||
|
||||
<h2 align="left">Shorewall Development Mailing List</h2>
|
||||
|
||||
<p align="left">The Shorewall Development Mailing list provides a forum for
|
||||
the exchange of ideas about the future of Shorewall and for coordinating
|
||||
ongoing Shorewall Development.</p>
|
||||
|
||||
<p align="left">To subscribe to the mailing list:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li><b>Insecure: </b><a
|
||||
href="http://lists.shorewall.net/mailman/listinfo/shorewall-devel">http://lists.shorewall.net/mailman/listinfo/shorewall-devel</a></li>
|
||||
<li><b>SSL:</b> <a
|
||||
href="https://lists.shorewall.net/mailman/listinfo/shorewall-devel"
|
||||
target="_top">https//lists.shorewall.net/mailman/listinfo/shorewall-devel.</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left"> To post to the list, post to <a
|
||||
href="mailto:shorewall-devel@lists.shorewall.net">shorewall-devel@lists.shorewall.net</a>. </p>
|
||||
|
||||
<p align="left">The list archives are at <a
|
||||
href="http://lists.shorewall.net/pipermail/shorewall-devel">http://lists.shorewall.net/pipermail/shorewall-devel</a>.</p>
|
||||
|
||||
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
|
||||
the Mailing Lists</h2>
|
||||
|
||||
<p align="left">There seems to be near-universal confusion about unsubscribing
|
||||
from Mailman-managed lists although Mailman 2.1 has attempted
|
||||
to make this less confusing. To unsubscribe:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
|
||||
<p align="left">Follow the same link above that you used to subscribe
|
||||
to the list.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">Down at the bottom of that page is the following text:
|
||||
" To <b>unsubscribe</b> from <i><list name></i>, get a password
|
||||
reminder, or change your subscription options enter your subscription
|
||||
email address:". Enter your email address in the box and click
|
||||
on the "<b>Unsubscribe</b> or edit options" button.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">There will now be a box where you can enter your password
|
||||
and click on "Unsubscribe"; if you have forgotten your password,
|
||||
there is another button that will cause your password to be emailed
|
||||
to you.</p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<hr>
|
||||
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
|
||||
|
||||
|
||||
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
|
||||
|
||||
<p align="left"><font size="2">Last updated 12/31/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<p align="left"><font size="2">Last updated 2/3/2003 - <a
|
||||
href="http://www.shorewall.net/support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font> ©
|
||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,144 +1,146 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>My Shorewall Configuration</title>
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<h1>My Current Network </h1>
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<blockquote>
|
||||
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>I</small></b></big><big><b><small>
|
||||
use a combination of Static NAT and Proxy ARP, neither of which are relevant
|
||||
to a simple configuration with a single public IP address.</small></b></big><big><b><small>
|
||||
If you have just a single public IP address, most of what you see here won't
|
||||
apply to your setup so beware of copying parts of this configuration and
|
||||
expecting them to work for you. They may or may not work in your setup. </small></b></big><br>
|
||||
</p>
|
||||
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
|
||||
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
|
||||
is connected to eth0. I have a local network connected to eth2 (subnet
|
||||
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<h1>My Current Network </h1>
|
||||
|
||||
<blockquote>
|
||||
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>I</small></b></big><big><b><small>
|
||||
use a combination of Static NAT and Proxy ARP, neither of which are relevant
|
||||
to a simple configuration with a single public IP address.</small></b></big><big><b><small>
|
||||
If you have just a single public IP address, most of what you see here won't
|
||||
apply to your setup so beware of copying parts of this configuration and expecting
|
||||
them to work for you. What you copy may or may not work in your setup. </small></b></big><br>
|
||||
</p>
|
||||
|
||||
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
|
||||
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
|
||||
is connected to eth0. I have a local network connected to eth2 (subnet
|
||||
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p>
|
||||
|
||||
<p> I use:<br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
|
||||
and external address 206.124.146.178.</li>
|
||||
<li>Proxy ARP for wookie (my Linux System). This system has two
|
||||
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
|
||||
and external address 206.124.146.178.</li>
|
||||
<li>Proxy ARP for wookie (my Linux System). This system has two
|
||||
IP addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
|
||||
<li>SNAT through the primary gateway address (206.124.146.176)
|
||||
for my Wife's system (tarry) and the Wireless Access Point (wap)</li>
|
||||
|
||||
<li>SNAT through the primary gateway address (206.124.146.176)
|
||||
for my Wife's system (tarry) and the Wireless Access Point (wap)</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
|
||||
|
||||
<p> Wookie runs Samba and acts as the a WINS server. Wookie is in its
|
||||
own 'whitelist' zone called 'me'.</p>
|
||||
|
||||
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
|
||||
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
|
||||
and is managed by Proxy ARP. It connects to the local network through
|
||||
the PopTop server running on my firewall. </p>
|
||||
|
||||
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||||
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
|
||||
(Pure-ftpd). The system also runs fetchmail to fetch our email from
|
||||
our old and current ISPs. That server is managed through Proxy ARP.</p>
|
||||
|
||||
<p> The firewall system itself runs a DHCP server that serves the local
|
||||
network.</p>
|
||||
|
||||
|
||||
<p> Wookie runs Samba and acts as the a WINS server. Wookie is in its
|
||||
own 'whitelist' zone called 'me'.</p>
|
||||
|
||||
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
|
||||
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall
|
||||
software and is managed by Proxy ARP. It connects to the local network
|
||||
through the PopTop server running on my firewall. </p>
|
||||
|
||||
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||||
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP
|
||||
server (Pure-ftpd). The system also runs fetchmail to fetch our email
|
||||
from our old and current ISPs. That server is managed through Proxy ARP.</p>
|
||||
|
||||
<p> The firewall system itself runs a DHCP server that serves the local
|
||||
network.</p>
|
||||
|
||||
<p> All administration and publishing is done using ssh/scp.</p>
|
||||
|
||||
|
||||
<p> I run an SNMP server on my firewall to serve <a
|
||||
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
|
||||
in the DMZ.</p>
|
||||
|
||||
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
|
||||
in the DMZ.</p>
|
||||
|
||||
<p align="center"> <img border="0"
|
||||
src="images/network.png" width="764" height="846">
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<p> </p>
|
||||
|
||||
<p>The ethernet interface in the Server is configured
|
||||
with IP address 206.124.146.177, netmask
|
||||
255.255.255.0. The server's default gateway is
|
||||
206.124.146.254 (Router at my ISP. This is the same
|
||||
default gateway used by the firewall itself). On the firewall,
|
||||
Shorewall automatically adds a host route to
|
||||
206.124.146.177 through eth1 (192.168.2.1) because
|
||||
of the entry in /etc/shorewall/proxyarp (see
|
||||
below).</p>
|
||||
|
||||
<p>A similar setup is used on eth3 (192.168.3.1) which
|
||||
interfaces to my laptop (206.124.146.180).<br>
|
||||
</p>
|
||||
|
||||
<p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
|
||||
|
||||
<p>The ethernet interface in the Server is configured
|
||||
with IP address 206.124.146.177, netmask
|
||||
255.255.255.0. The server's default gateway is
|
||||
206.124.146.254 (Router at my ISP. This is the same
|
||||
default gateway used by the firewall itself). On the firewall,
|
||||
Shorewall automatically adds a host route to
|
||||
206.124.146.177 through eth1 (192.168.2.1) because
|
||||
of the entry in /etc/shorewall/proxyarp (see
|
||||
below).</p>
|
||||
|
||||
<p>A similar setup is used on eth3 (192.168.3.1) which
|
||||
interfaces to my laptop (206.124.146.180).<br>
|
||||
</p>
|
||||
|
||||
<p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
|
||||
access.<br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<p><font color="#ff0000" size="5"></font></p>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<h3>Shorewall.conf</h3>
|
||||
|
||||
|
||||
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
|
||||
|
||||
|
||||
<h3>Zones File:</h3>
|
||||
|
||||
|
||||
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>Interfaces File: </h3>
|
||||
|
||||
<blockquote>
|
||||
<p> This is set up so that I can start the firewall before bringing up my
|
||||
Ethernet interfaces. </p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<blockquote>
|
||||
<p> This is set up so that I can start the firewall before bringing up
|
||||
my Ethernet interfaces. </p>
|
||||
</blockquote>
|
||||
|
||||
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>Hosts File: </h3>
|
||||
|
||||
|
||||
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>Routestopped File:</h3>
|
||||
|
||||
|
||||
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre>
|
||||
|
||||
<h3>Common File: </h3>
|
||||
|
||||
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
|
||||
<h3>Policy File:</h3>
|
||||
|
||||
<h3>Common File: </h3>
|
||||
|
||||
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
|
||||
|
||||
<h3>Policy File:</h3>
|
||||
|
||||
<pre><font size="2" face="Courier">
|
||||
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
me all ACCEPT
|
||||
@ -146,42 +148,43 @@ Ethernet interfaces. </p>
|
||||
all me CONTINUE #<font
|
||||
color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font
|
||||
color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
|
||||
|
||||
<h3>Masq File: </h3>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> Although most of our internal systems use static NAT, my wife's system
|
||||
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
|
||||
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
|
||||
</blockquote>
|
||||
|
||||
<h3>Masq File: </h3>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> Although most of our internal systems use static NAT, my wife's system
|
||||
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
|
||||
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
|
||||
</blockquote>
|
||||
|
||||
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>NAT File: </h3>
|
||||
|
||||
|
||||
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>Proxy ARP File:</h3>
|
||||
|
||||
|
||||
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font
|
||||
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><pre><font
|
||||
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre></pre>
|
||||
|
||||
|
||||
<h3>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):</h3>
|
||||
|
||||
|
||||
<pre><small> #TYPE ZONE GATEWAY</small><small> <br> gre net $TEXAS</small><small><br> #LAST LINE -- DO NOT REMOVE<br></small></pre>
|
||||
|
||||
<h3>Rules File (The shell variables
|
||||
are set in /etc/shorewall/params):</h3>
|
||||
|
||||
|
||||
<h3>Rules File (The shell variables
|
||||
are set in /etc/shorewall/params):</h3>
|
||||
|
||||
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> ACCEPT net loc:192.168.1.5 tcp 1723<br> ACCEPT net loc:192.168.1.5 gre<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
<p><font size="2"> Last updated 1/12/2003 - </font><font size="2">
|
||||
<a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<p><font size="2"> Last updated 1/12/2003 - </font><font size="2">
|
||||
<a href="support.htm">Tom Eastep</a></font>
|
||||
</p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> ©
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> ©
|
||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,89 +2,149 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>ICMP Echo-request (Ping)</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">ICMP Echo-request (Ping)</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Shorewall 'Ping' management has evolved over time in a less than consistant
|
||||
way. This page describes how it now works.<br>
|
||||
<br>
|
||||
There are several aspects to Shorewall Ping management:<br>
|
||||
<ol>
|
||||
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
<li>The <b>FORWARDPING</b> option in<a
|
||||
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
|
||||
<li>Explicit rules in <a
|
||||
href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
||||
</ol>
|
||||
There are two cases to consider:<br>
|
||||
<ol>
|
||||
<li>Ping requests addressed to the firewall itself; and</li>
|
||||
<li>Ping requests being forwarded to another system. Included here are
|
||||
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
|
||||
routing.</li>
|
||||
</ol>
|
||||
These cases will be covered separately.<br>
|
||||
<h2>Ping Requests Addressed to the Firewall Itself</h2>
|
||||
For ping requests addressed to the firewall, the sequence is as follows:<br>
|
||||
<ol>
|
||||
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for the
|
||||
interface that receives the ping request then the request will be responded
|
||||
to with an ICMP echo-reply.</li>
|
||||
<li>If <b>noping</b> is specified for the interface that receives the ping
|
||||
request then the request is ignored.</li>
|
||||
<li>If <b>filterping </b>is specified for the interface then the request
|
||||
is passed to the rules/policy evaluation.</li>
|
||||
</ol>
|
||||
<h2>Ping Requests Forwarded by the Firewall</h2>
|
||||
These requests are <b>always</b> passed to rules/policy evaluation.<br>
|
||||
<h2>Rules Evaluation</h2>
|
||||
Ping requests are ICMP type 8. So the general rule format is:<br>
|
||||
<br>
|
||||
<i>Target Source Destination
|
||||
</i>icmp 8<br>
|
||||
<br>
|
||||
Example 1. Accept pings from the net to the dmz (pings are responded to with
|
||||
an ICMP echo-reply):<br>
|
||||
<br>
|
||||
ACCEPT net dmz
|
||||
icmp 8<br>
|
||||
<br>
|
||||
Example 2. Drop pings from the net to the firewall<br>
|
||||
<br>
|
||||
DROP net fw
|
||||
icmp 8<br>
|
||||
<h2>Policy Evaluation</h2>
|
||||
If no applicable rule is found, then the policy for the source to the destination
|
||||
is applied.<br>
|
||||
<ol>
|
||||
<li>If the relevant policy is ACCEPT then the request is responded to with
|
||||
an ICMP echo-reply.</li>
|
||||
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
|
||||
then the request is responded to with an ICMP echo-reply.</li>
|
||||
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
|
||||
is either rejected or simply ignored.</li>
|
||||
</ol>
|
||||
<p><font size="2">Updated 12/13/2002 - <a
|
||||
href="support.htm">Tom Eastep</a> </font></p>
|
||||
<br>
|
||||
Shorewall 'Ping' management has evolved over time with the latest change
|
||||
coming in Shorewall version 1.3.14. In that version, a new option (<b>OLD_PING_HANDLING</b>)
|
||||
was added to /etc/shorewall/shorewall.conf. The value of that option determines
|
||||
the overall handling of ICMP echo requests (pings).<br>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<h2>Shorewall Versions >= 1.3.14 with OLD_PING_HANDLING=No in /etc/shorewall/shorewall.conf</h2>
|
||||
In 1.3.14, Ping handling was put under control of the rules and policies
|
||||
just like any other connection request. In order to accept ping requests from
|
||||
zone z1 to zone z2 where the policy for z1 to z2 is not ACCEPT, you need
|
||||
a rule in /etc/shoreall/rules of the form:<br>
|
||||
|
||||
<blockquote>ACCEPT <i>z1 z2
|
||||
</i>icmp 8<br>
|
||||
</blockquote>
|
||||
Example: <br>
|
||||
<br>
|
||||
To permit ping from the local zone to the firewall:<br>
|
||||
|
||||
<blockquote>ACCEPT loc fw
|
||||
icmp 8<br>
|
||||
</blockquote>
|
||||
If you would like to accept 'ping' by default even when the relevant
|
||||
policy is DROP or REJECT, create <b>/etc/shorewall/icmpdef </b>if it doesn't
|
||||
already exist and in that file place the following command:<br>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">run_iptables -A icmpdef -p icmp --icmp-type 8 -j ACCEPT<br></font></b></pre>
|
||||
</blockquote>
|
||||
With that rule in place, if you want to ignore 'ping' from z1 to z2 then
|
||||
you need a rule of the form:<br>
|
||||
|
||||
<blockquote>DROP <i>z1 z2
|
||||
</i>icmp 8<br>
|
||||
</blockquote>
|
||||
Example:<br>
|
||||
<br>
|
||||
To drop ping from the internet, you would need this rule in /etc/shorewall/rules:<br>
|
||||
|
||||
<blockquote>DROP net fw
|
||||
icmp 8<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<h2>Shorewall Versions < 1.3.14 or with OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf<br>
|
||||
</h2>
|
||||
There are several aspects to the old Shorewall Ping management:<br>
|
||||
|
||||
<ol>
|
||||
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
<li>The <b>FORWARDPING</b> option in<a href="Documentation.htm#Conf">
|
||||
/etc/shorewall/shorewall.conf</a>.</li>
|
||||
<li>Explicit rules in <a href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
||||
|
||||
</ol>
|
||||
There are two cases to consider:<br>
|
||||
|
||||
<ol>
|
||||
<li>Ping requests addressed to the firewall itself; and</li>
|
||||
<li>Ping requests being forwarded to another system. Included here are
|
||||
all cases of packet forwarding including NAT, DNAT rule, Proxy ARP and simple
|
||||
routing.</li>
|
||||
|
||||
</ol>
|
||||
These cases will be covered separately.<br>
|
||||
|
||||
<h3>Ping Requests Addressed to the Firewall Itself</h3>
|
||||
For ping requests addressed to the firewall, the sequence is as follows:<br>
|
||||
|
||||
<ol>
|
||||
<li>If neither <b>noping</b> nor <b>filterping </b>are specified for
|
||||
the interface that receives the ping request then the request will be responded
|
||||
to with an ICMP echo-reply.</li>
|
||||
<li>If <b>noping</b> is specified for the interface that receives the
|
||||
ping request then the request is ignored.</li>
|
||||
<li>If <b>filterping </b>is specified for the interface then the request
|
||||
is passed to the rules/policy evaluation.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h3>Ping Requests Forwarded by the Firewall</h3>
|
||||
These requests are <b>always</b> passed to rules/policy evaluation.<br>
|
||||
|
||||
<h3>Rules Evaluation</h3>
|
||||
Ping requests are ICMP type 8. So the general rule format is:<br>
|
||||
<br>
|
||||
<i>Target Source
|
||||
Destination </i>icmp 8<br>
|
||||
<br>
|
||||
Example 1. Accept pings from the net to the dmz (pings are responded to
|
||||
with an ICMP echo-reply):<br>
|
||||
<br>
|
||||
ACCEPT net dmz
|
||||
icmp 8<br>
|
||||
<br>
|
||||
Example 2. Drop pings from the net to the firewall<br>
|
||||
<br>
|
||||
DROP net fw
|
||||
icmp 8<br>
|
||||
|
||||
<h3>Policy Evaluation</h3>
|
||||
If no applicable rule is found, then the policy for the source to the destination
|
||||
is applied.<br>
|
||||
|
||||
<ol>
|
||||
<li>If the relevant policy is ACCEPT then the request is responded to
|
||||
with an ICMP echo-reply.</li>
|
||||
<li>If <b>FORWARDPING</b> is set to Yes in /etc/shorewall/shorewall.conf
|
||||
then the request is responded to with an ICMP echo-reply.</li>
|
||||
<li>Otherwise, the relevant REJECT or DROP policy is used and the request
|
||||
is either rejected or simply ignored.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><font size="2">Updated 1/21/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,194 +1,203 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Port Information</title>
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Ports required for Various
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Ports required for Various
|
||||
Services/Applications</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p>In addition to those applications described in <a
|
||||
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
|
||||
are some other services/applications that you may need to configure your
|
||||
href="Documentation.htm">the /etc/shorewall/rules documentation</a>, here
|
||||
are some other services/applications that you may need to configure your
|
||||
firewall to accommodate.</p>
|
||||
|
||||
|
||||
<p>NTP (Network Time Protocol)</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p>UDP Port 123</p>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p>rdate</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 37</p>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 37</p>
|
||||
</blockquote>
|
||||
|
||||
<p>UseNet (NNTP)</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 119</p>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p>DNS</p>
|
||||
|
||||
<blockquote>
|
||||
<p>UDP Port 53. If you are configuring a DNS client, you will probably
|
||||
want to open TCP Port 53 as well.<br>
|
||||
If you are configuring a server, only open TCP Port 53 if you will return
|
||||
long replies to queries or if you need to enable ZONE transfers. In the
|
||||
latter case, be sure that your server is properly configured.</p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<blockquote>
|
||||
<p>UDP Port 53. If you are configuring a DNS client, you will probably want
|
||||
to open TCP Port 53 as well.<br>
|
||||
If you are configuring a server, only open TCP Port 53 if you will
|
||||
return long replies to queries or if you need to enable ZONE transfers. In
|
||||
the latter case, be sure that your server is properly configured.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>ICQ </p>
|
||||
|
||||
<blockquote>
|
||||
<p>UDP Port 4000. You will also need to open a range of TCP ports which
|
||||
|
||||
<blockquote>
|
||||
<p>UDP Port 4000. You will also need to open a range of TCP ports which
|
||||
you can specify to your ICQ client. By default, clients use 4000-4100.</p>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p>PPTP</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p><u>Protocol</u> 47 (NOT <u>port</u> 47) and TCP Port 1723 (<a
|
||||
href="PPTP.htm">Lots more information here</a>).</p>
|
||||
</blockquote>
|
||||
|
||||
<p>IPSEC</p>
|
||||
|
||||
<blockquote>
|
||||
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
|
||||
500. These should be opened in both directions (Lots more information
|
||||
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
|
||||
</blockquote>
|
||||
|
||||
<p>SMTP</p>
|
||||
|
||||
<blockquote>
|
||||
<p> TCP Port 25.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>POP3</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 110.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>TELNET</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 23.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>SSH</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 22.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Auth (identd)</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 113</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Web Access</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Ports 80 and 443.</p>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p>IPSEC</p>
|
||||
|
||||
<blockquote>
|
||||
<p><u>Protocols</u> 50 and 51 (NOT <u>ports</u> 50 and 51) and UDP Port
|
||||
500. These should be opened in both directions (Lots more information
|
||||
<a href="IPSEC.htm">here</a> and <a href="VPN.htm">here</a>).</p>
|
||||
</blockquote>
|
||||
|
||||
<p>SMTP</p>
|
||||
|
||||
<blockquote>
|
||||
<p> TCP Port 25.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>POP3</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 110.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>TELNET</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 23.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>SSH</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 22.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Auth (identd)</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Port 113</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Web Access</p>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Ports 80 and 443.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>FTP</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p>Server configuration is covered on in <a
|
||||
href="Documentation.htm#Rules">the /etc/shorewall/rules documentation</a>,</p>
|
||||
|
||||
<p>For a client, you must open outbound TCP port 21 and be sure that your
|
||||
kernel is compiled to support FTP connection tracking. If you build this
|
||||
support as a module, Shorewall will automatically load the module from
|
||||
/var/lib/<<i>kernel version</i>>/kernel/net/ipv4/netfilter. <br>
|
||||
</p>
|
||||
|
||||
<p>For a client, you must open outbound TCP port 21 and be sure that your
|
||||
kernel is compiled to support FTP connection tracking. If you build this
|
||||
support as a module, Shorewall will automatically load the module from
|
||||
/var/lib/<<i>kernel version</i>>/kernel/net/ipv4/netfilter. <br>
|
||||
</p>
|
||||
|
||||
<p>If you run an FTP server on a nonstandard port or you need to access
|
||||
such a server, then you must specify that port in /etc/shorewall/modules.
|
||||
For example, if you run an FTP server that listens on port 49 then you would
|
||||
have:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p>If you run an FTP server on a nonstandard port or you need to access
|
||||
such a server, then you must specify that port in /etc/shorewall/modules.
|
||||
For example, if you run an FTP server that listens on port 49 then you would
|
||||
have:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p>loadmodule ip_conntrack_ftp ports=21,49<br>
|
||||
loadmodule ip_nat_ftp ports=21,49<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
loadmodule ip_nat_ftp ports=21,49<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
|
||||
have problems accessing regular FTP servers.</p>
|
||||
|
||||
<p>Note that you MUST include port 21 in the <i>ports</i> list or you may
|
||||
have problems accessing regular FTP servers.</p>
|
||||
|
||||
<p>If there is a possibility that these modules might be loaded before
|
||||
Shorewall starts, then you should include the port list in /etc/modules.conf:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p>If there is a possibility that these modules might be loaded before Shorewall
|
||||
starts, then you should include the port list in /etc/modules.conf:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p>options ip_conntrack_ftp ports=21,49<br>
|
||||
options ip_nat_ftp ports=21,49<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
options ip_nat_ftp ports=21,49<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p>SMB/NMB (Samba/Windows Browsing/File Sharing)</p>
|
||||
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p>TCP Ports 137, 139 and 445.<br>
|
||||
UDP Ports 137-139.<br>
|
||||
<br>
|
||||
Also, <a href="samba.htm">see this page</a>.</p>
|
||||
</blockquote>
|
||||
|
||||
UDP Ports 137-139.<br>
|
||||
<br>
|
||||
Also, <a href="samba.htm">see this page</a>.</p>
|
||||
</blockquote>
|
||||
|
||||
<p>Traceroute</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p>UDP ports 33434 through 33434+<i><max number of hops></i>-1</p>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p>NFS<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p>I personally use the following rules for opening access from zone z1
|
||||
to a server with IP address a.b.c.d in zone z2:<br>
|
||||
</p>
|
||||
<pre>ACCEPT z1 z2:a.b.c.d udp 111<br>ACCEPT z1 z2:a.b.c.d udp 2049<br>ACCEPT z1 z2:a.b.c.d udp 32700:<br></pre>
|
||||
</blockquote>
|
||||
|
||||
<p>NFS</p>
|
||||
|
||||
<blockquote>
|
||||
<p>There's some good information at <a
|
||||
<blockquote>
|
||||
<p>Note that my rules only cover NFS using UDP (the normal case). There
|
||||
is lots of additional information at <a
|
||||
href="http://nfs.sourceforge.net/nfs-howto/security.html"> http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
|
||||
</blockquote>
|
||||
|
||||
<p>Didn't find what you are looking for -- have you looked in your own
|
||||
/etc/services file? </p>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p>Didn't find what you are looking for -- have you looked in your own /etc/services
|
||||
file? </p>
|
||||
|
||||
<p>Still looking? Try <a
|
||||
href="http://www.networkice.com/advice/Exploits/Ports"> http://www.networkice.com/advice/Exploits/Ports</a></p>
|
||||
|
||||
<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
|
||||
|
||||
<p><font size="2">Last updated 2/7/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -5,7 +5,8 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shoreline Firewall (Shorewall) 1.3</title>
|
||||
@ -13,36 +14,40 @@
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%" height="90">
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"> <font size="4"><i> <a
|
||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
|
||||
</a></i></font><font color="#ffffff">Shorewall 1.3
|
||||
- <font size="4">"<i>iptables made easy"</i></font></font></h1>
|
||||
</a></i></font><font color="#ffffff">Shorewall
|
||||
1.3 - <font size="4">"<i>iptables
|
||||
made easy"</i></font></font></h1>
|
||||
|
||||
|
||||
|
||||
@ -50,41 +55,43 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div align="center"><a
|
||||
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
|
||||
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div align="center">
|
||||
|
||||
|
||||
<center>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
@ -92,7 +99,8 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2 align="left">What is it?</h2>
|
||||
|
||||
|
||||
@ -102,7 +110,9 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||
firewall that can be used on a dedicated firewall system, a multi-function
|
||||
@ -115,26 +125,30 @@ firewall that can be used on a dedicated firewall system, a multi-functio
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
it under the terms of
|
||||
<a href="http://www.gnu.org/licenses/gpl.html">Version 2 of
|
||||
the GNU General Public License</a> as published by the Free Software
|
||||
Foundation.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
This program is distributed in the hope that
|
||||
it will be useful, but WITHOUT ANY WARRANTY;
|
||||
without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
General Public License for more details.<br>
|
||||
This program is distributed in the
|
||||
hope that it will be useful, but WITHOUT ANY
|
||||
WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
You should have received a copy of the GNU
|
||||
General Public License along with this program;
|
||||
if not, write to the Free Software Foundation,
|
||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
You should have received a copy of
|
||||
the GNU General Public License along
|
||||
with this program; if not, write to the Free Software
|
||||
Foundation, Inc., 675 Mass Ave, Cambridge, MA
|
||||
02139, USA</p>
|
||||
|
||||
|
||||
|
||||
@ -143,7 +157,9 @@ General Public License for more details.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
||||
|
||||
|
||||
@ -154,26 +170,29 @@ General Public License for more details.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
|
||||
</a>Jacques Nilo and Eric Wolzak have
|
||||
a LEAF (router/firewall/gateway on a floppy, CD or compact
|
||||
flash) distribution called <i>Bering</i> that
|
||||
features Shorewall-1.3.10 and Kernel-2.4.18. You
|
||||
can find their work at: <a
|
||||
</a>Jacques Nilo and Eric Wolzak
|
||||
have a LEAF (router/firewall/gateway on a floppy,
|
||||
CD or compact flash) distribution called <i>Bering</i>
|
||||
that features Shorewall-1.3.10 and Kernel-2.4.18.
|
||||
You can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>Congratulations to Jacques and Eric on the recent release of
|
||||
Bering 1.0 Final!!! </b><br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>This is a mirror of the main Shorewall web site at SourceForge
|
||||
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||||
|
||||
@ -187,7 +206,8 @@ Bering 1.0 Final!!! </b><br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>News</h2>
|
||||
|
||||
|
||||
@ -197,294 +217,127 @@ Bering 1.0 Final!!! </b><br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2></h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p><b>2/8/2003 - Shoreawll 1.3.14</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
<p>Just includes a few things that I had on the burner:<br>
|
||||
</p>
|
||||
<p>New features include</p>
|
||||
|
||||
<ol>
|
||||
<li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
|
||||
file. DNAT- is intended for advanced users who wish to minimize the number
|
||||
of rules that connection requests must traverse.<br>
|
||||
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
|
||||
When set to Yes, Shorewall ping handling is as it has always been (see
|
||||
http://www.shorewall.net/ping.html).<br>
|
||||
<br>
|
||||
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
|
||||
policies just like any other connection request. The FORWARDPING=Yes option
|
||||
in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces
|
||||
will all generate an error.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>It is now possible to direct Shorewall to create a "label" such
|
||||
as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
|
||||
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
|
||||
of just the interface name:<br>
|
||||
<br>
|
||||
a) In the INTERFACE column of /etc/shorewall/masq<br>
|
||||
b) In the INTERFACE column of /etc/shorewall/nat<br>
|
||||
</li>
|
||||
<li>Support for OpenVPN Tunnels.<br>
|
||||
<br>
|
||||
A Shorewall DNAT rule actually generates two iptables rules: a header rewriting
|
||||
rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT-
|
||||
rule only generates the first of these rules. This is handy when you have
|
||||
several DNAT rules that would generate the same ACCEPT rule.<br>
|
||||
<br>
|
||||
Here are three rules from my previous rules file:<br>
|
||||
<br>
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
|
||||
<br>
|
||||
These three rules ended up generating _three_ copies of<br>
|
||||
<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp smtp<br>
|
||||
<br>
|
||||
By writing the rules this way, I end up with only one copy of the ACCEPT
|
||||
rule.<br>
|
||||
<br>
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
|
||||
</li>
|
||||
<li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
|
||||
eth0.0)<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'shorewall check' command now prints out the applicable policy
|
||||
between each pair of zones.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A new CLEAR_TC option has been added to shorewall.conf. If this
|
||||
option is set to 'No' then Shorewall won't clear the current traffic control
|
||||
rules during [re]start. This setting is intended for use by people that prefer
|
||||
to configure traffic shaping when the network interfaces come up rather than
|
||||
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
|
||||
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
|
||||
your traffic shaping rules can still use the 'fwmark' classifier based on
|
||||
packet marking defined in /etc/shorewall/tcrules.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A new SHARED_DIR variable has been added that allows distribution
|
||||
packagers to easily move the shared directory (default /usr/lib/shorewall).
|
||||
Users should never have a need to change the value of this shorewall.conf
|
||||
setting.<br>
|
||||
</li>
|
||||
<li>When an interface name is entered in the SUBNET column of the
|
||||
/etc/shorewall/masq file, Shorewall previously masqueraded traffic from
|
||||
only the first subnet defined on that interface. It did not masquerade
|
||||
traffic from:<br>
|
||||
<br>
|
||||
a) The subnets associated with other addresses on the interface.<br>
|
||||
b) Subnets accessed through local routers.<br>
|
||||
<br>
|
||||
Beginning with Shorewall 1.3.14, if you enter an interface name in the
|
||||
SUBNET column, shorewall will use the firewall's routing table to construct
|
||||
the masquerading/SNAT rules.<br>
|
||||
<br>
|
||||
Example 1 -- This is how it works in 1.3.14.<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
|
||||
|
||||
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
|
||||
<br>
|
||||
When upgrading to Shorewall 1.3.14, if you have multiple local subnets
|
||||
connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
|
||||
entry, your /etc/shorewall/masq file will need changing. In most cases,
|
||||
you will simply be able to remove redundant entries. In some cases though,
|
||||
you might want to change from using the interface name to listing specific
|
||||
subnetworks if the change described above will cause masquerading to occur
|
||||
on subnetworks that you don't wish to masquerade.<br>
|
||||
<br>
|
||||
Example 2 -- Suppose that your current config is as follows:<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
<br>
|
||||
In this case, the second entry in /etc/shorewall/masq is no longer
|
||||
required.<br>
|
||||
<br>
|
||||
Example 3 -- What if your current configuration is like this?<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
<br>
|
||||
In this case, you would want to change the entry in /etc/shorewall/masq
|
||||
to:<br>
|
||||
|
||||
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
|
||||
</b></p>
|
||||
|
||||
<p><b>Until further notice, I will not be involved in either Shorewall
|
||||
Development or Shorewall Support</b></p>
|
||||
|
||||
<p><b>-Tom Eastep</b><br>
|
||||
</p>
|
||||
|
||||
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
|
||||
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
|
||||
</b></p>
|
||||
|
||||
<p> Features include:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of
|
||||
the trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than
|
||||
40% with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added
|
||||
which shows the current packet classification filters. The output from
|
||||
this command is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target
|
||||
rather than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a href="shorewall_logging.html">to a
|
||||
separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain
|
||||
in the mangle table ("shorewall show mangle" will show you the chains
|
||||
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
|
||||
input packets based on their destination even when you are using Masquerading
|
||||
or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with
|
||||
empty 'init', 'start', 'stop' and 'stopped' files. If you already have
|
||||
a file with one of these names, don't worry -- the upgrade process won't
|
||||
overwrite your file.</li>
|
||||
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
|
||||
the syslog level at which packets are logged as a result of entries in
|
||||
the /etc/shorewall/rfc1918 file. Previously, these packets were always
|
||||
logged at the 'info' level.<br>
|
||||
</li>
|
||||
<br>
|
||||
|
||||
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
|
||||
</b><b><img border="0" src="images/new10.gif" width="28"
|
||||
height="12" alt="(New)">
|
||||
</b></p>
|
||||
Webmin version 1.060 now has Shorewall support included as standard. See
|
||||
<a href="http://www.webmin.com">http://www.webmin.com</a>.<b> </b>
|
||||
|
||||
<p><b></b></p>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta
|
||||
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
|
||||
fail to start and "shorewall refresh" would also fail.<br>
|
||||
|
||||
<p> You may download the Beta from:<br>
|
||||
</p>
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
|
||||
</b></p>
|
||||
The first public Beta version of Shorewall 1.3.12 is now available
|
||||
(Beta 1 was made available to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping
|
||||
rules (tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging
|
||||
after an error occurs. This places the point of the failure near the
|
||||
end of the trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more
|
||||
than 40% with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been
|
||||
added which shows the current packet classification filters. The output
|
||||
from this command is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid
|
||||
syslog level and causes the subject packets to be logged using the ULOG
|
||||
target rather than the LOG target. This allows you to run ulogd (available
|
||||
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a href="shorewall_logging.html">to a
|
||||
separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain
|
||||
in the mangle table ("shorewall show mangle" will show you the chains
|
||||
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
|
||||
This allows for marking input packets based on their destination even
|
||||
when you are using Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory
|
||||
with empty 'init', 'start', 'stop' and 'stopped' files. If you already
|
||||
have a file with one of these names, don't worry -- the upgrade process
|
||||
won't overwrite your file.</li>
|
||||
|
||||
|
||||
</ol>
|
||||
You may download the Beta from:<br>
|
||||
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
|
||||
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
|
||||
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSoft's recently-announced
|
||||
<a
|
||||
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
|
||||
release</a>.<br>
|
||||
|
||||
|
||||
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
|
||||
delivered. I have installed 9.0 on one of my systems and I am now
|
||||
in a position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
|
||||
|
||||
<p><b>12/6/2002 - Debian 1.3.11a Packages Available</b><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p>Apt-get sources listed at <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
|
||||
|
||||
|
||||
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
|
||||
users who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
|
||||
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
|
||||
<p><b></b></p>
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to
|
||||
entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the
|
||||
SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>.
|
||||
When used, 'all' must appear by itself (in may not be qualified) and
|
||||
it does not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command
|
||||
is now compatible with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup
|
||||
error. fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b></b><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
@ -495,39 +348,41 @@ is now compatible with bash clones such as ash and dash.</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
<td width="88" bgcolor="#4b017c" valign="top"
|
||||
align="center"> <a href="http://sourceforge.net">M</a></td>
|
||||
<td width="88" bgcolor="#4b017c"
|
||||
valign="top" align="center"> <a
|
||||
href="http://sourceforge.net">M</a></td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
</center>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
|
||||
|
||||
|
||||
@ -535,12 +390,13 @@ is now compatible with bash clones such as ash and dash.</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
@ -549,31 +405,31 @@ is now compatible with bash clones such as ash and dash.</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 1/13/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,125 +1,126 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>About the Shorewall Author</title>
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p align="center"> <img border="3" src="images/TomNTarry.png"
|
||||
alt="Tom on the PCT - 1991" width="316" height="392">
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<p align="center">Tarry & Tom -- August 2002<br>
|
||||
<br>
|
||||
</p>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>Born 1945 in <a
|
||||
<li>Born 1945 in <a
|
||||
href="http://www.experiencewashington.com">Washington State</a> .</li>
|
||||
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
|
||||
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
|
||||
State University</a> 1967</li>
|
||||
<li>MA Mathematics from <a
|
||||
<li>MA Mathematics from <a
|
||||
href="http://www.washington.edu">University of Washington</a> 1969</li>
|
||||
<li>Burroughs Corporation (now <a
|
||||
<li>Burroughs Corporation (now <a
|
||||
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
|
||||
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
|
||||
present</li>
|
||||
<li>Married 1969 - no children.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>I am currently a member of the design team for the next-generation
|
||||
operating system from the NonStop Enterprise Division of HP. </p>
|
||||
|
||||
<p>I became interested in Internet Security when I established a home office
|
||||
in 1999 and had DSL service installed in our home. I investigated
|
||||
ipchains and developed the scripts which are now collectively known as
|
||||
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
|
||||
on what I learned from Seattle Firewall, I then designed and wrote
|
||||
Shorewall. </p>
|
||||
|
||||
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
|
||||
Washington</a> where I live with my wife Tarry. </p>
|
||||
|
||||
<p>Our current home network consists of: </p>
|
||||
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980
|
||||
- present</li>
|
||||
<li>Married 1969 - no children.</li>
|
||||
|
||||
<ul>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 20GB
|
||||
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
|
||||
Serves as a PPTP server for Road Warrior access. Also has <a
|
||||
href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
|
||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
|
||||
NIC - My personal Linux System which runs Samba configured as a
|
||||
WINS server. This system also has <a
|
||||
href="http://www.vmware.com/">VMware</a> installed and can run
|
||||
both <a href="http://www.debian.org">Debian Woody</a> and <a
|
||||
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC
|
||||
- Email (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd),
|
||||
DNS server (Bind).</li>
|
||||
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX
|
||||
(Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.12+ and a
|
||||
DHCP server.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
|
||||
wife's personal system.</li>
|
||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
|
||||
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
|
||||
work system.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p>I am currently a member of the design team for the next-generation
|
||||
operating system from the NonStop Enterprise Division of HP. </p>
|
||||
|
||||
<p>I became interested in Internet Security when I established a home office
|
||||
in 1999 and had DSL service installed in our home. I investigated
|
||||
ipchains and developed the scripts which are now collectively known as
|
||||
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
|
||||
on what I learned from Seattle Firewall, I then designed and wrote
|
||||
Shorewall. </p>
|
||||
|
||||
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
|
||||
Washington</a> where I live with my wife Tarry. </p>
|
||||
|
||||
<p>Our current home network consists of: </p>
|
||||
|
||||
<ul>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 20GB
|
||||
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Serves
|
||||
as a PPTP server for Road Warrior access. Dual boots <a
|
||||
href="http://www.mandrakelinux.com">Mandrake</a> 9.0.</li>
|
||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
|
||||
NIC - My personal Linux System which runs Samba configured as a
|
||||
WINS server. This system also has <a
|
||||
href="http://www.vmware.com/">VMware</a> installed and can run both
|
||||
<a href="http://www.debian.org">Debian Woody</a> and <a
|
||||
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC
|
||||
- Email (Postfix, Courier-IMAP and Mailman), HTTP (Apache), FTP (Pure_ftpd),
|
||||
DNS server (Bind 9).</li>
|
||||
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX
|
||||
(Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.14 and a DHCP
|
||||
server.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC -
|
||||
My wife's personal system.</li>
|
||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
|
||||
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
|
||||
work system.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
|
||||
|
||||
|
||||
<p>All of our other systems are made by <a
|
||||
href="http://www.compaq.com">Compaq</a> (part of the new <a
|
||||
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
|
||||
href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
|
||||
|
||||
|
||||
<p><a href="http://www.redhat.com"><img border="0"
|
||||
src="images/poweredby.png" width="88" height="31">
|
||||
</a><a href="http://www.compaq.com"><img border="0"
|
||||
</a><a href="http://www.compaq.com"><img border="0"
|
||||
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
|
||||
</a><a href="http://www.pureftpd.org"><img border="0"
|
||||
</a><a href="http://www.pureftpd.org"><img border="0"
|
||||
src="images/pure.jpg" width="88" height="31">
|
||||
</a><font size="4"><a href="http://www.apache.org"><img
|
||||
</a><font size="4"><a href="http://www.apache.org"><img
|
||||
border="0" src="images/apache_pb1.gif" hspace="2" width="170"
|
||||
height="20">
|
||||
</a><a href="http://www.mandrakelinux.com"><img
|
||||
</a><a href="http://www.mandrakelinux.com"><img
|
||||
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
|
||||
height="32">
|
||||
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
|
||||
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
|
||||
width="125" height="40" hspace="4">
|
||||
</font></p>
|
||||
|
||||
<p><font size="2">Last updated 1/7/2003 - </font><font size="2"> <a
|
||||
</font></p>
|
||||
|
||||
<p><font size="2">Last updated 1/24/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
|
||||
M. Eastep.</font></a></font><br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,111 +1,118 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Features</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Features</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Uses Netfilter's connection tracking facilities for stateful packet
|
||||
filtering.</li>
|
||||
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
|
||||
|
||||
<li>Uses Netfilter's connection tracking facilities for stateful packet
|
||||
filtering.</li>
|
||||
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
|
||||
|
||||
<ul>
|
||||
<li>Completely customizable using configuration files.</li>
|
||||
<li>No limit on the number of network interfaces.</li>
|
||||
<li>Allows you to partitions the network into <i><a
|
||||
<li>Completely customizable using configuration files.</li>
|
||||
<li>No limit on the number of network interfaces.</li>
|
||||
<li>Allows you to partitions the network into <i><a
|
||||
href="Documentation.htm#Zones">zones</a></i> and gives you complete
|
||||
control over the connections permitted between each pair of zones.</li>
|
||||
<li>Multiple interfaces per zone and multiple zones per interface
|
||||
permitted.</li>
|
||||
<li>Supports nested and overlapping zones.</li>
|
||||
|
||||
control over the connections permitted between each pair of zones.</li>
|
||||
<li>Multiple interfaces per zone and multiple zones per interface
|
||||
permitted.</li>
|
||||
<li>Supports nested and overlapping zones.</li>
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to
|
||||
help get your first firewall up and running quickly</li>
|
||||
<li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a>
|
||||
</b> included in the .tgz and .rpm downloads.</li>
|
||||
<li><b>Flexible address management/routing support</b> (and you can use
|
||||
all types in the same firewall):
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides (HOWTOs)</a>
|
||||
to help get your first firewall up and running quickly</li>
|
||||
<li>A <b>GUI</b> is available via Webmin 1.060 and later (<a
|
||||
href="http://www.webmin.com">http://www.webmin.com</a>)<br>
|
||||
</li>
|
||||
<li>Extensive <b> <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">documentation</a>
|
||||
</b> included in the .tgz and .rpm downloads.</li>
|
||||
<li><b>Flexible address management/routing support</b> (and you can
|
||||
use all types in the same firewall):
|
||||
<ul>
|
||||
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
|
||||
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
|
||||
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
|
||||
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
|
||||
<li>Simple host/subnet Routing</li>
|
||||
|
||||
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
|
||||
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
|
||||
<li><a href="Documentation.htm#NAT"> Static NAT</a>.</li>
|
||||
<li><a href="Documentation.htm#ProxyArp"> Proxy ARP</a>.</li>
|
||||
<li>Simple host/subnet Routing</li>
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
|
||||
IP addresses and subnetworks is supported.</li>
|
||||
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
|
||||
|
||||
</li>
|
||||
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
|
||||
IP addresses and subnetworks is supported.</li>
|
||||
<li><b><a href="starting_and_stopping_shorewall.htm">Operational support</a></b>:
|
||||
|
||||
<ul>
|
||||
<li>Commands to start, stop and clear the firewall</li>
|
||||
<li>Supports status monitoring with an audible alarm
|
||||
when an "interesting" packet is detected.</li>
|
||||
<li>Wide variety of informational commands.</li>
|
||||
|
||||
<li>Commands to start, stop and clear the firewall</li>
|
||||
<li>Supports status monitoring with an audible alarm
|
||||
when an "interesting" packet is detected.</li>
|
||||
<li>Wide variety of informational commands.</li>
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><b>VPN Support</b>
|
||||
</li>
|
||||
<li><b>VPN Support</b>
|
||||
<ul>
|
||||
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP Tunnels</a>.</li>
|
||||
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
|
||||
|
||||
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE, IPIP and
|
||||
OpenVPN Tunnels</a>.</li>
|
||||
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
|
||||
integration.</li>
|
||||
<li>Wide support for different <b>GNU/Linux Distributions</b>.
|
||||
|
||||
</li>
|
||||
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
|
||||
integration.</li>
|
||||
<li>Wide support for different <b>GNU/Linux Distributions</b>.
|
||||
|
||||
<ul>
|
||||
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
|
||||
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html"><b>Debian</b></a>
|
||||
packages available.</li>
|
||||
<li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
|
||||
and uninstall facilities</b></a> for users who can't use or choose
|
||||
not to use the RPM or Debian packages.</li>
|
||||
<li>Included as a standard part of<b> <a
|
||||
packages available.</li>
|
||||
<li>Includes <a href="Install.htm"><b>automated install, upgrade,
|
||||
fallback and uninstall facilities</b></a> for users who can't use
|
||||
or choose not to use the RPM or Debian packages.</li>
|
||||
<li>Included as a standard part of<b> <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> LEAF/Bering</a> </b>(router/firewall
|
||||
on a floppy, CD or compact flash).</li>
|
||||
|
||||
on a floppy, CD or compact flash).</li>
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>) Address
|
||||
<b>Verification</b><br>
|
||||
</a><br>
|
||||
</li>
|
||||
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">Media Access Control (<b>MAC</b>)
|
||||
Address <b>Verification</b><br>
|
||||
</a><br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><font size="2">Last updated 11/09/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
|
||||
<p><font size="2">Last updated 2/5/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
size="2">Copyright</font> © <font size="2">2001-2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -45,7 +45,7 @@ and is located in California, USA. It is mirrored at:</p>
|
||||
(Martinez (Zona Norte - GBA), Argentina)</li>
|
||||
<li><a target="_top" href="http://france.shorewall.net">http://france.shorewall.net</a>
|
||||
(Paris, France)</li>
|
||||
<li><a href="http://shorewall.sf.net" target="_top">http://www.shorewall.net</a>
|
||||
<li><a href="http://www.shorewall.net" target="_top">http://www.shorewall.net</a>
|
||||
(Washington State, USA)<br>
|
||||
</li>
|
||||
|
||||
|
@ -1,288 +1,301 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall QuickStart Guide</title>
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
|
||||
(HOWTO's)<br>
|
||||
Version 3.1</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
(HOWTO's)<br>
|
||||
Version 3.1</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p align="center">With thanks to Richard who reminded me once again that we
|
||||
must all first walk before we can run.</p>
|
||||
|
||||
must all first walk before we can run.<br>
|
||||
The French Translations are courtesy of Patrice Vetsel<br>
|
||||
</p>
|
||||
|
||||
<h2>The Guides</h2>
|
||||
|
||||
<p>These guides provide step-by-step instructions for configuring Shorewall
|
||||
in common firewall setups.</p>
|
||||
|
||||
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="standalone.htm">Standalone</a> Linux System</li>
|
||||
<li><a href="two-interface.htm">Two-interface</a> Linux
|
||||
System acting as a firewall/router for a small local network</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a> Linux
|
||||
System acting as a firewall/router for a small local network and
|
||||
a DMZ.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>The above guides are designed to get your first firewall up and running
|
||||
quickly in the three most common Shorewall configurations.</p>
|
||||
|
||||
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
|
||||
the steps necessary to set up a firewall where <b>there are multiple
|
||||
public IP addresses involved or if you want to learn more about Shorewall
|
||||
than is explained in the single-address guides above.</b></p>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Introduction">1.0
|
||||
Introduction</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
|
||||
Concepts</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0
|
||||
Network Interfaces</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addressing">4.0
|
||||
Addressing, Subnets and Routing</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1
|
||||
IP Addresses</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||
Resolution Protocol</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
|
||||
1918</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
|
||||
up your Network</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2
|
||||
Non-routed</a>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
|
||||
SNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
|
||||
DNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
|
||||
Proxy ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
|
||||
NAT</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
|
||||
Odds and Ends</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
|
||||
Stopping the Firewall</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Documentation"></a>Documentation Index</h2>
|
||||
|
||||
<p>The following documentation covers a variety of topics and <b>supplements
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
||||
described above</b>. Please review the appropriate guide before trying
|
||||
to use this documentation directly.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="configuration_file_basics.htm">Common configuration
|
||||
file features</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="configuration_file_basics.htm#Comments">Comments
|
||||
in configuration files</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
|
||||
<li><a href="configuration_file_basics.htm#Ports">Port
|
||||
Numbers/Service Names</a></li>
|
||||
<li><a href="configuration_file_basics.htm#Ranges">Port
|
||||
Ranges</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
|
||||
<li><a href="configuration_file_basics.htm#dnsnames">Using
|
||||
DNS Names</a><br>
|
||||
</li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Compliment">Complementing an IP address
|
||||
or Subnet</a></li>
|
||||
<li><a href="configuration_file_basics.htm#Configs">Shorewall
|
||||
Configurations (making a test configuration)</a></li>
|
||||
<li><a href="configuration_file_basics.htm#MAC">Using
|
||||
MAC Addresses in Shorewall</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="Documentation.htm">Configuration File Reference
|
||||
Manual</a>
|
||||
|
||||
<p>These guides provide step-by-step instructions for configuring Shorewall
|
||||
in common firewall setups.</p>
|
||||
|
||||
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="standalone.htm">Standalone</a> Linux System
|
||||
(<a href="standalone_fr.html">Version Française</a>)</li>
|
||||
<li><a href="two-interface.htm">Two-interface</a> Linux
|
||||
System acting as a firewall/router for a small local network (<a
|
||||
href="two-interface_fr.html">Version Française</a>)</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a>
|
||||
Linux System acting as a firewall/router for a small local network
|
||||
and a DMZ. (<a href="three-interface_fr.html">Version Française</a>)</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>The above guides are designed to get your first firewall up and running
|
||||
quickly in the three most common Shorewall configurations.</p>
|
||||
|
||||
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
|
||||
the steps necessary to set up a firewall where <b>there are multiple
|
||||
public IP addresses involved or if you want to learn more about Shorewall
|
||||
than is explained in the single-address guides above.</b></p>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Introduction">1.0
|
||||
Introduction</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Concepts">2.0
|
||||
Shorewall Concepts</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0
|
||||
Network Interfaces</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addressing">4.0
|
||||
Addressing, Subnets and Routing</a>
|
||||
|
||||
<ul>
|
||||
<li> <a href="Documentation.htm#Variables">params</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Zones">zones</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Interfaces">interfaces</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Hosts">hosts</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Policy">policy</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Rules">rules</a></font></li>
|
||||
<li><a href="Documentation.htm#Common">common</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Masq">masq</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#NAT">nat</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Tunnels">tunnels</a></font></li>
|
||||
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
||||
<li><a href="Documentation.htm#modules">modules</a></li>
|
||||
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
||||
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
||||
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
||||
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1
|
||||
IP Addresses</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3
|
||||
Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||
Resolution Protocol</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="dhcp.htm">DHCP</a></li>
|
||||
<li><font color="#000099"><a
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5
|
||||
RFC 1918</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
|
||||
up your Network</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Routed">5.1
|
||||
Routed</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2
|
||||
Non-routed</a>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
|
||||
SNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
|
||||
DNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
|
||||
Proxy ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4
|
||||
Static NAT</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
|
||||
Stopping the Firewall</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Documentation"></a>Documentation Index</h2>
|
||||
|
||||
<p>The following documentation covers a variety of topics and <b>supplements
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
||||
described above</b>. Please review the appropriate guide before trying
|
||||
to use this documentation directly.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="configuration_file_basics.htm">Common configuration
|
||||
file features</a>
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Comments">Comments in configuration
|
||||
files</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
|
||||
<li><a href="configuration_file_basics.htm#Ports">Port
|
||||
Numbers/Service Names</a></li>
|
||||
<li><a href="configuration_file_basics.htm#Ranges">Port
|
||||
Ranges</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#dnsnames">Using DNS Names</a><br>
|
||||
</li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Compliment">Complementing an IP address
|
||||
or Subnet</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Configs">Shorewall Configurations
|
||||
(making a test configuration)</a></li>
|
||||
<li><a href="configuration_file_basics.htm#MAC">Using
|
||||
MAC Addresses in Shorewall</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="Documentation.htm">Configuration File Reference
|
||||
Manual</a>
|
||||
|
||||
<ul>
|
||||
<li> <a href="Documentation.htm#Variables">params</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Zones">zones</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Interfaces">interfaces</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Hosts">hosts</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Policy">policy</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Rules">rules</a></font></li>
|
||||
<li><a href="Documentation.htm#Common">common</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Masq">masq</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#NAT">nat</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Tunnels">tunnels</a></font></li>
|
||||
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
||||
<li><a href="Documentation.htm#modules">modules</a></li>
|
||||
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
||||
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
||||
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
||||
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="dhcp.htm">DHCP</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
|
||||
(How to extend Shorewall without modifying Shorewall code)</li>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall
|
||||
Structure</a></li>
|
||||
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
|
||||
<li><a href="shorewall_logging.html">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">MAC Verification</a><br>
|
||||
</li>
|
||||
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
|
||||
use Shorewall)</li>
|
||||
<li><a href="ping.html">'Ping' Management</a><br>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall
|
||||
Structure</a></li>
|
||||
<li><font color="#000099"><a href="kernel.htm">Kernel
|
||||
Configuration</a></font></li>
|
||||
<li><a href="shorewall_logging.html">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">MAC Verification</a><br>
|
||||
</li>
|
||||
<li><a href="ports.htm">Port Information</a>
|
||||
|
||||
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
|
||||
use Shorewall)</li>
|
||||
<li><a href="ping.html">'Ping' Management</a><br>
|
||||
</li>
|
||||
<li><a href="ports.htm">Port Information</a>
|
||||
|
||||
<ul>
|
||||
<li>Which applications use which ports</li>
|
||||
<li>Ports used by Trojans</li>
|
||||
<li>Which applications use which ports</li>
|
||||
<li>Ports used by Trojans</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
<li><a href="samba.htm">Samba</a></li>
|
||||
<li><font color="#000099"><a
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
<li><a href="samba.htm">Samba</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Description of all /sbin/shorewall commands</li>
|
||||
<li>How to safely test a Shorewall configuration change<br>
|
||||
</li>
|
||||
|
||||
<li>Description of all /sbin/shorewall commands</li>
|
||||
<li>How to safely test a Shorewall configuration change<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy with
|
||||
Shorewall</a><br>
|
||||
</li>
|
||||
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
|
||||
<li>VPN
|
||||
|
||||
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy
|
||||
with Shorewall</a><br>
|
||||
</li>
|
||||
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
|
||||
<li>VPN
|
||||
|
||||
<ul>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
|
||||
your firewall to a remote network.</li>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="OPENVPN.html">OpenVPN</a><br>
|
||||
</li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system
|
||||
behind your firewall to a remote network.</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White List
|
||||
Creation</a></li>
|
||||
|
||||
</li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White
|
||||
List Creation</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p>If you use one of these guides and have a suggestion for improvement <a
|
||||
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||
|
||||
<p><font size="2">Last modified 1/9/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
|
||||
<p><font size="2">Last modified 2/4/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
|
||||
Eastep</font></a><br>
|
||||
</p>
|
||||
Eastep</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -5,7 +5,8 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shoreline Firewall (Shorewall) 1.3</title>
|
||||
@ -13,22 +14,23 @@
|
||||
|
||||
|
||||
|
||||
<base
|
||||
target="_self">
|
||||
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%" height="90">
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
@ -36,15 +38,18 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"> <font size="4"><i> <a
|
||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
|
||||
</a></i></font><font color="#ffffff">Shorewall
|
||||
1.3 - <font size="4">"<i>iptables made
|
||||
easy"</i></font></font><a href="http://www.sf.net"> </a></h1>
|
||||
</a></i></font><font color="#ffffff">Shorewall
|
||||
1.3 - <font size="4">"<i>iptables
|
||||
made easy"</i></font></font><a href="http://www.sf.net">
|
||||
</a></h1>
|
||||
|
||||
|
||||
|
||||
@ -53,32 +58,35 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div align="center"><a href="/1.2/index.html" target="_top"><font
|
||||
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
<div align="center">
|
||||
|
||||
|
||||
<div align="center">
|
||||
|
||||
<center>
|
||||
|
||||
<center>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
@ -87,7 +95,8 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2 align="left">What is it?</h2>
|
||||
|
||||
|
||||
@ -98,11 +107,13 @@
|
||||
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||
firewall that can be used on a dedicated firewall system, a multi-function
|
||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||
firewall that can be used on a dedicated firewall system, a multi-function
|
||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||
|
||||
|
||||
|
||||
@ -112,26 +123,31 @@ firewall that can be used on a dedicated firewall system, a multi-functio
|
||||
|
||||
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
|
||||
This program is distributed in the
|
||||
hope that it will be useful, but WITHOUT ANY
|
||||
WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.<br>
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of
|
||||
<a href="http://www.gnu.org/licenses/gpl.html">Version 2 of
|
||||
the GNU General Public License</a> as published by the Free Software
|
||||
Foundation.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
You should have received a copy of the
|
||||
GNU General Public License along with this
|
||||
program; if not, write to the Free Software Foundation,
|
||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
This program is distributed
|
||||
in the hope that it will be useful, but
|
||||
WITHOUT ANY WARRANTY; without even the implied warranty
|
||||
of MERCHANTABILITY or FITNESS FOR A PARTICULAR
|
||||
PURPOSE. See the GNU General Public License
|
||||
for more details.<br>
|
||||
|
||||
<br>
|
||||
|
||||
You should have received a copy
|
||||
of the GNU General Public License
|
||||
along with this program; if not, write to the Free
|
||||
Software Foundation, Inc., 675 Mass Ave, Cambridge,
|
||||
MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
@ -141,7 +157,9 @@ hope that it will be useful, but WITHOUT ANY
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
||||
|
||||
|
||||
@ -153,21 +171,24 @@ hope that it will be useful, but WITHOUT ANY
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
|
||||
</a>Jacques Nilo and Eric Wolzak
|
||||
have a LEAF (router/firewall/gateway on a floppy, CD
|
||||
or compact flash) distribution called <i>Bering</i>
|
||||
that features Shorewall-1.3.10 and Kernel-2.4.18.
|
||||
You can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||
<b>Congratulations to Jacques and Eric on
|
||||
the recent release of Bering 1.0 Final!!! <br>
|
||||
</b>
|
||||
</a>Jacques Nilo and Eric
|
||||
Wolzak have a LEAF (router/firewall/gateway on
|
||||
a floppy, CD or compact flash) distribution called
|
||||
<i>Bering</i> that features Shorewall-1.3.10
|
||||
and Kernel-2.4.18. You can find their work at:
|
||||
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||
<b>Congratulations to Jacques and
|
||||
Eric on the recent release of Bering 1.0 Final!!! <br>
|
||||
</b>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>News</h2>
|
||||
|
||||
|
||||
@ -181,401 +202,128 @@ the recent release of Bering 1.0 Final!!! <br>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>2/8/2003 - Shoreawll 1.3.14</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
<p>Just includes a few things that I had on the burner:<br>
|
||||
</p>
|
||||
<p>New features include</p>
|
||||
|
||||
<ol>
|
||||
<li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
|
||||
file. DNAT- is intended for advanced users who wish to minimize the number
|
||||
of rules that connection requests must traverse.<br>
|
||||
<li>An OLD_PING_HANDLING option has been added to shorewall.conf.
|
||||
When set to Yes, Shorewall ping handling is as it has always been (see
|
||||
http://www.shorewall.net/ping.html).<br>
|
||||
<br>
|
||||
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
|
||||
policies just like any other connection request. The FORWARDPING=Yes option
|
||||
in shorewall.conf and the 'noping' and 'filterping' options in /etc/shorewall/interfaces
|
||||
will all generate an error.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>It is now possible to direct Shorewall to create a "label" such
|
||||
as "eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
|
||||
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label instead
|
||||
of just the interface name:<br>
|
||||
<br>
|
||||
a) In the INTERFACE column of /etc/shorewall/masq<br>
|
||||
b) In the INTERFACE column of /etc/shorewall/nat<br>
|
||||
</li>
|
||||
<li>Support for OpenVPN Tunnels.<br>
|
||||
<br>
|
||||
A Shorewall DNAT rule actually generates two iptables rules: a header rewriting
|
||||
rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT-
|
||||
rule only generates the first of these rules. This is handy when you have
|
||||
several DNAT rules that would generate the same ACCEPT rule.<br>
|
||||
<br>
|
||||
Here are three rules from my previous rules file:<br>
|
||||
<br>
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
|
||||
<br>
|
||||
These three rules ended up generating _three_ copies of<br>
|
||||
<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp smtp<br>
|
||||
<br>
|
||||
By writing the rules this way, I end up with only one copy of the ACCEPT
|
||||
rule.<br>
|
||||
<br>
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
|
||||
</li>
|
||||
<li>Support for VLAN devices with names of the form $DEV.$VID (e.g.,
|
||||
eth0.0)<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'shorewall check' command now prints out the applicable policy
|
||||
between each pair of zones.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A new CLEAR_TC option has been added to shorewall.conf. If this
|
||||
option is set to 'No' then Shorewall won't clear the current traffic control
|
||||
rules during [re]start. This setting is intended for use by people that prefer
|
||||
to configure traffic shaping when the network interfaces come up rather than
|
||||
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
|
||||
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
|
||||
your traffic shaping rules can still use the 'fwmark' classifier based on
|
||||
packet marking defined in /etc/shorewall/tcrules.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A new SHARED_DIR variable has been added that allows distribution
|
||||
packagers to easily move the shared directory (default /usr/lib/shorewall).
|
||||
Users should never have a need to change the value of this shorewall.conf
|
||||
setting.</li>
|
||||
<li>When an interface name is entered in the SUBNET column of the
|
||||
/etc/shorewall/masq file, Shorewall previously masqueraded traffic from
|
||||
only the first subnet defined on that interface. It did not masquerade
|
||||
traffic from:<br>
|
||||
<br>
|
||||
a) The subnets associated with other addresses on the interface.<br>
|
||||
b) Subnets accessed through local routers.<br>
|
||||
<br>
|
||||
Beginning with Shorewall 1.3.14, if you enter an interface name in the
|
||||
SUBNET column, shorewall will use the firewall's routing table to construct
|
||||
the masquerading/SNAT rules.<br>
|
||||
<br>
|
||||
Example 1 -- This is how it works in 1.3.14.<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br></pre>
|
||||
|
||||
<pre> [root@gateway test]# shorewall start<br> ...<br> Masqueraded Subnets and Hosts:<br> To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176<br> To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176<br> Processing /etc/shorewall/tos...</pre>
|
||||
<br>
|
||||
When upgrading to Shorewall 1.3.14, if you have multiple local subnets
|
||||
connected to an interface that is specified in the SUBNET column of an /etc/shorewall/masq
|
||||
entry, your /etc/shorewall/masq file will need changing. In most cases,
|
||||
you will simply be able to remove redundant entries. In some cases though,
|
||||
you might want to change from using the interface name to listing specific
|
||||
subnetworks if the change described above will cause masquerading to occur
|
||||
on subnetworks that you don't wish to masquerade.<br>
|
||||
<br>
|
||||
Example 2 -- Suppose that your current config is as follows:<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
<br>
|
||||
In this case, the second entry in /etc/shorewall/masq is no longer
|
||||
required.<br>
|
||||
<br>
|
||||
Example 3 -- What if your current configuration is like this?<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
|
||||
<pre> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
<br>
|
||||
In this case, you would want to change the entry in /etc/shorewall/masq
|
||||
to:<br>
|
||||
|
||||
<pre> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
</li>
|
||||
</ol>
|
||||
<p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
|
||||
</b></p>
|
||||
|
||||
<p><b>Until further notice, I will not be involved in either Shorewall
|
||||
Development or Shorewall Support</b></p>
|
||||
|
||||
<p><b>-Tom Eastep</b><br>
|
||||
</p>
|
||||
|
||||
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
|
||||
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
|
||||
</b></p>
|
||||
|
||||
<p> Features include:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of
|
||||
the trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than
|
||||
40% with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added
|
||||
which shows the current packet classification filters. The output from
|
||||
this command is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target
|
||||
rather than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a href="shorewall_logging.html">to a
|
||||
separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain
|
||||
in the mangle table ("shorewall show mangle" will show you the chains
|
||||
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
|
||||
input packets based on their destination even when you are using Masquerading
|
||||
or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with
|
||||
empty 'init', 'start', 'stop' and 'stopped' files. If you already have
|
||||
a file with one of these names, don't worry -- the upgrade process won't
|
||||
overwrite your file.</li>
|
||||
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
|
||||
the syslog level at which packets are logged as a result of entries in
|
||||
the /etc/shorewall/rfc1918 file. Previously, these packets were always
|
||||
logged at the 'info' level.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta
|
||||
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
|
||||
fail to start and "shorewall refresh" would also fail.<br>
|
||||
|
||||
<p> You may download the Beta from:<br>
|
||||
</p>
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
|
||||
</b></p>
|
||||
The first public Beta version of Shorewall 1.3.12 is now available
|
||||
(Beta 1 was made available only to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping
|
||||
rules (tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging
|
||||
after an error occurs. This places the point of the failure near the
|
||||
end of the trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more
|
||||
than 40% with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been
|
||||
added which shows the current packet classification filters. The output
|
||||
from this command is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid
|
||||
syslog level and causes the subject packets to be logged using the ULOG
|
||||
target rather than the LOG target. This allows you to run ulogd (available
|
||||
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a href="shorewall_logging.html">to a
|
||||
separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain
|
||||
in the mangle table ("shorewall show mangle" will show you the chains
|
||||
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
|
||||
This allows for marking input packets based on their destination even
|
||||
when you are using Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory
|
||||
with empty 'init', 'start', 'stop' and 'stopped' files. If you already
|
||||
have a file with one of these names, don't worry -- the upgrade process
|
||||
won't overwrite your file.</li>
|
||||
|
||||
|
||||
</ol>
|
||||
You may download the Beta from:<br>
|
||||
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
|
||||
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
|
||||
alt="Powered by Mandrake Linux" width="150" height="23" border="0">
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSofts's recently-announced
|
||||
<a
|
||||
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
|
||||
release</a>.<br>
|
||||
|
||||
|
||||
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
|
||||
delivered. I have installed 9.0 on one of my systems and I am now
|
||||
in a position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
|
||||
|
||||
<p><b>12/6/2002 - Debian 1.3.11a Packages Available</b><b></b><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p>Apt-get sources listed at <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
|
||||
|
||||
|
||||
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
|
||||
users who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
|
||||
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to
|
||||
entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the
|
||||
SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>.
|
||||
When used, 'all' must appear by itself (in may not be qualified)
|
||||
and it does not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command
|
||||
is now compatible with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup
|
||||
error. fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>2/5/2003 - Shorewall Support included in Webmin 1.06</b><b>0
|
||||
</b><b><img border="0" src="images/new10.gif" width="28"
|
||||
height="12" alt="(New)">
|
||||
</b></p>
|
||||
Webmin version 1.060 now has Shorewall support included as standard.
|
||||
See <a href="http://www.webmin.com">http://www.webmin.com</a> <b>
|
||||
</b>
|
||||
<p><b></b></p>
|
||||
|
||||
|
||||
<ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b></b><a href="News.htm">More News</a></p>
|
||||
<ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2> </h2>
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><a href="http://www.sf.net"><img align="left"
|
||||
alt="SourceForge Logo"
|
||||
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
||||
</a></h1>
|
||||
|
||||
|
||||
|
||||
|
||||
<h4> </h4>
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>This site is hosted by the generous folks at <a
|
||||
href="http://www.sf.net">SourceForge.net</a> </h2>
|
||||
|
||||
|
||||
|
||||
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
</td>
|
||||
|
||||
<td width="88" bgcolor="#4b017c"
|
||||
valign="top" align="center"> <br>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
@ -586,30 +334,122 @@ is now compatible with bash clones such as ash and dash.</li>
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
<h2> </h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
<h1 align="center"><a href="http://www.sf.net"><img align="left"
|
||||
alt="SourceForge Logo"
|
||||
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
||||
</a></h1>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h4> </h4>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>This site is hosted by the generous folks at <a
|
||||
href="http://www.sf.net">SourceForge.net</a> </h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
|
||||
</td>
|
||||
|
||||
<td width="88"
|
||||
bgcolor="#4b017c" valign="top" align="center"> <br>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
|
||||
<td width="100%"
|
||||
style="margin-top: 1px;">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
||||
if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
||||
Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 1/6/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
|
||||
|
||||
<p><font size="2">Updated 2/7/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,44 +1,62 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>SPAM Filters</title>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>SPAM Filters</title>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#FFFFFF">SPAM Filters</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">SPAM Filters</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<h1 align="center"><br>
|
||||
<a href="http://ordb.org">
|
||||
<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a></h1>
|
||||
<p>Like all of you, I'm concerned about the increasing volume of Unsolicited
|
||||
Commercial Email (UCE or SPAM). I am therefore sympathetic with those of you who
|
||||
are installing SPAM filters on your mail servers. A couple of recent incidents
|
||||
involving mis-configured filters have prompted me to establish this page to spell
|
||||
out what I will do when these filters bounce list postings.</p>
|
||||
<a href="http://ordb.org"> <a href="http://www.spamassassin.org"><img
|
||||
src="images/ninjalogo.png" alt="(SpamAssassin Logo)" width="100"
|
||||
height="38">
|
||||
</a><img border="0" src="images/but3.png" hspace="3" width="88"
|
||||
height="31">
|
||||
</a></h1>
|
||||
|
||||
<p>Like all of you, I'm concerned about the increasing volume of Unsolicited
|
||||
Commercial Email (UCE or SPAM). I am therefore sympathetic with those of
|
||||
you who are installing SPAM filters on your mail servers. A couple of recent
|
||||
incidents involving mis-configured filters have prompted me to establish
|
||||
this page to spell out what I will do when these filters bounce list postings.</p>
|
||||
|
||||
<p>When your SPAM filter bounces/rejects list mail, I will:</p>
|
||||
|
||||
<ol>
|
||||
<li>immediately turn off delivery to you from all Shorewall lists to
|
||||
which you subscribe.</li>
|
||||
<li><u>try</u> to send you an email from a source other than shorewall.net</li>
|
||||
<li>immediately turn off delivery to you from all Shorewall lists to which
|
||||
you subscribe.</li>
|
||||
<li><u>try</u> to send you an email from a source other than shorewall.net</li>
|
||||
|
||||
</ol>
|
||||
<p>When you have corrected the problem, please let me know and I will re-enable
|
||||
|
||||
<p>When you have corrected the problem, please let me know and I will re-enable
|
||||
delivery (or you can reenable delivery yourself).</p>
|
||||
<p><font size="2">Last Updated 3/21/2002 - Tom Eastep</font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
|
||||
<p><font size="2">Last Updated 1/29/2003 - Tom Eastep</font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
@ -1,429 +1,426 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Standalone Firewall</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber6" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Standalone Firewall</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<h2 align="center">Version 2.0.1</h2>
|
||||
|
||||
<p align="left">Setting up Shorewall on a standalone Linux system is very
|
||||
|
||||
<p align="left">Setting up Shorewall on a standalone Linux system is very
|
||||
easy if you understand the basics and follow the documentation.</p>
|
||||
|
||||
<p>This guide doesn't attempt to acquaint you with all of the features of
|
||||
Shorewall. It rather focuses on what is required to configure Shorewall
|
||||
|
||||
<p>This guide doesn't attempt to acquaint you with all of the features of
|
||||
Shorewall. It rather focuses on what is required to configure Shorewall
|
||||
in one of its most common configurations:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Linux system</li>
|
||||
<li>Single external IP address</li>
|
||||
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
|
||||
|
||||
<li>Linux system</li>
|
||||
<li>Single external IP address</li>
|
||||
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>This guide assumes that you have the iproute/iproute2 package installed
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
|
||||
<p>This guide assumes that you have the iproute/iproute2 package installed
|
||||
(on RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell
|
||||
if this package is installed by the presence of an <b>ip</b> program on
|
||||
your firewall system. As root, you can use the 'which' command to check
|
||||
for this program:</p>
|
||||
|
||||
|
||||
<pre> [root@gateway root]# which ip<br> /sbin/ip<br> [root@gateway root]#</pre>
|
||||
|
||||
<p>I recommend that you read through the guide first to familiarize yourself
|
||||
with what's involved then go back through it again making your configuration
|
||||
changes. Points at which configuration changes are recommended are flagged
|
||||
|
||||
<p>I recommend that you read through the guide first to familiarize yourself
|
||||
with what's involved then go back through it again making your configuration
|
||||
changes. Points at which configuration changes are recommended are flagged
|
||||
with <img border="0" src="images/BD21298_.gif" width="13" height="13">
|
||||
.</p>
|
||||
|
||||
.</p>
|
||||
|
||||
<p><img border="0" src="images/j0213519.gif" width="60" height="60">
|
||||
If you edit your configuration files on a Windows system, you must
|
||||
save them as Unix files if your editor supports that option or you must
|
||||
run them through dos2unix before trying to use them. Similarly, if you copy
|
||||
a configuration file from your Windows hard drive to a floppy disk, you must
|
||||
run dos2unix against the copy before using it with Shorewall.</p>
|
||||
|
||||
If you edit your configuration files on a Windows system, you must
|
||||
save them as Unix files if your editor supports that option or you must
|
||||
run them through dos2unix before trying to use them. Similarly, if you
|
||||
copy a configuration file from your Windows hard drive to a floppy disk,
|
||||
you must run dos2unix against the copy before using it with Shorewall.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version
|
||||
of dos2unix</a></li>
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
<li><a href="http://www.megaloman.com/%7Ehany/software/hd2u/">Linux
|
||||
Version of dos2unix</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h2 align="left">Shorewall Concepts</h2>
|
||||
|
||||
|
||||
<p> <img border="0" src="images/BD21298_.gif" width="13" height="13"
|
||||
alt="">
|
||||
The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you only need to deal with a few of
|
||||
these as described in this guide. After you have <a href="Install.htm">installed
|
||||
Shorewall</a>, <b>download the <a
|
||||
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
|
||||
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
|
||||
(they will replace files with the same names that were placed in /etc/shorewall
|
||||
during Shorewall installation)</b>.</p>
|
||||
|
||||
<p>As each file is introduced, I suggest that you look through the actual
|
||||
file on your system -- each file contains detailed configuration instructions
|
||||
The configuration files for Shorewall are contained in the directory
|
||||
/etc/shorewall -- for simple setups, you only need to deal with a few of
|
||||
these as described in this guide. After you have <a
|
||||
href="Install.htm">installed Shorewall</a>, <b>download the <a
|
||||
href="/pub/shorewall/LATEST.samples/one-interface.tgz">one-interface sample</a>,
|
||||
un-tar it (tar -zxvf one-interface.tgz) and and copy the files to /etc/shorewall
|
||||
(they will replace files with the same names that were placed in /etc/shorewall
|
||||
during Shorewall installation)</b>.</p>
|
||||
|
||||
<p>As each file is introduced, I suggest that you look through the actual
|
||||
file on your system -- each file contains detailed configuration instructions
|
||||
and default entries.</p>
|
||||
|
||||
<p>Shorewall views the network where it is running as being composed of a
|
||||
set of <i>zones.</i> In the one-interface sample configuration, only one
|
||||
|
||||
<p>Shorewall views the network where it is running as being composed of a
|
||||
set of <i>zones.</i> In the one-interface sample configuration, only one
|
||||
zone is defined:</p>
|
||||
|
||||
|
||||
<table border="0" style="border-collapse: collapse;" cellpadding="3"
|
||||
cellspacing="0" id="AutoNumber2">
|
||||
<tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>Name</b></u></td>
|
||||
<td><u><b>Description</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><u><b>Name</b></u></td>
|
||||
<td><u><b>Description</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><b>net</b></td>
|
||||
<td><b>The Internet</b></td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<td><b>net</b></td>
|
||||
<td><b>The Internet</b></td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones"> /etc/shorewall/zones</a>.</p>
|
||||
|
||||
<p>Shorewall also recognizes the firewall system as its own zone - by default,
|
||||
|
||||
<p>Shorewall also recognizes the firewall system as its own zone - by default,
|
||||
the firewall itself is known as <b>fw</b>.</p>
|
||||
|
||||
<p>Rules about what traffic to allow and what traffic to deny are expressed
|
||||
|
||||
<p>Rules about what traffic to allow and what traffic to deny are expressed
|
||||
in terms of zones.</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>You express your default policy for connections from one zone
|
||||
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
</a>file.</li>
|
||||
<li>You define exceptions to those default policies in the <a
|
||||
<li>You express your default policy for connections from one zone
|
||||
to another zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy
|
||||
</a>file.</li>
|
||||
<li>You define exceptions to those default policies in the <a
|
||||
href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
<p>For each connection request entering the firewall, the request is first
|
||||
checked against the /etc/shorewall/rules file. If no rule in that file
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common
|
||||
(the samples provide that file for you).</p>
|
||||
|
||||
<p>The /etc/shorewall/policy file included with the one-interface sample
|
||||
has the following policies:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p>For each connection request entering the firewall, the request is first
|
||||
checked against the /etc/shorewall/rules file. If no rule in that file
|
||||
matches the connection request then the first policy in /etc/shorewall/policy
|
||||
that matches the request is applied. If that policy is REJECT or DROP
|
||||
the request is first checked against the rules in /etc/shorewall/common (the
|
||||
samples provide that file for you).</p>
|
||||
|
||||
<p>The /etc/shorewall/policy file included with the one-interface sample has
|
||||
the following policies:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber3">
|
||||
<tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>SOURCE ZONE</b></u></td>
|
||||
<td><u><b>DESTINATION ZONE</b></u></td>
|
||||
<td><u><b>POLICY</b></u></td>
|
||||
<td><u><b>LOG LEVEL</b></u></td>
|
||||
<td><u><b>LIMIT:BURST</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><u><b>SOURCE ZONE</b></u></td>
|
||||
<td><u><b>DESTINATION ZONE</b></u></td>
|
||||
<td><u><b>POLICY</b></u></td>
|
||||
<td><u><b>LOG LEVEL</b></u></td>
|
||||
<td><u><b>LIMIT:BURST</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>net</td>
|
||||
<td>DROP</td>
|
||||
<td>info</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>all</td>
|
||||
<td>all</td>
|
||||
<td>REJECT</td>
|
||||
<td>info</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>ACCEPT</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>net</td>
|
||||
<td>all<br>
|
||||
</td>
|
||||
<td>DROP</td>
|
||||
<td>info</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>all</td>
|
||||
<td>all</td>
|
||||
<td>REJECT</td>
|
||||
<td>info</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<pre> fw net ACCEPT<br> net all DROP info<br> all all REJECT info</pre>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p>The above policy will:</p>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>allow all connection requests from the firewall to the internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to your
|
||||
<li>allow all connection requests from the firewall to the internet</li>
|
||||
<li>drop (ignore) all connection requests from the internet to your
|
||||
firewall</li>
|
||||
<li>reject all other connection requests (Shorewall requires this
|
||||
<li>reject all other connection requests (Shorewall requires this
|
||||
catchall policy).</li>
|
||||
|
||||
|
||||
</ol>
|
||||
|
||||
<p>At this point, edit your /etc/shorewall/policy and make any changes that
|
||||
|
||||
<p>At this point, edit your /etc/shorewall/policy and make any changes that
|
||||
you wish.</p>
|
||||
|
||||
|
||||
<h2 align="left">External Interface</h2>
|
||||
|
||||
<p align="left">The firewall has a single network interface. Where Internet
|
||||
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
|
||||
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem"
|
||||
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
|
||||
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
|
||||
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
|
||||
a <b>ppp0</b>. If you connect via a regular modem, your External Interface
|
||||
will also be <b>ppp0</b>. If you connect using ISDN, your external interface
|
||||
|
||||
<p align="left">The firewall has a single network interface. Where Internet
|
||||
connectivity is through a cable or DSL "Modem", the <i>External Interface</i>
|
||||
will be the ethernet adapter (<b>eth0</b>) that is connected to that "Modem"
|
||||
<u>unless</u> you connect via <i><u>P</u>oint-to-<u>P</u>oint <u>P</u>rotocol
|
||||
over <u>E</u>thernet</i> (PPPoE) or <i><u>P</u>oint-to-<u>P</u>oint <u>T</u>unneling
|
||||
<u>P</u>rotocol </i>(PPTP) in which case the External Interface will be
|
||||
a <b>ppp0</b>. If you connect via a regular modem, your External Interface
|
||||
will also be <b>ppp0</b>. If you connect using ISDN, your external interface
|
||||
will be<b> ippp0.</b></p>
|
||||
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
|
||||
height="13">
|
||||
The Shorewall one-interface sample configuration assumes that the
|
||||
external interface is <b>eth0</b>. If your configuration is different,
|
||||
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
|
||||
While you are there, you may wish to review the list of options that are
|
||||
The Shorewall one-interface sample configuration assumes that the
|
||||
external interface is <b>eth0</b>. If your configuration is different,
|
||||
you will have to modify the sample /etc/shorewall/interfaces file accordingly.
|
||||
While you are there, you may wish to review the list of options that are
|
||||
specified for the interface. Some hints:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
|
||||
<li>
|
||||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>,
|
||||
you can replace the "detect" in the second column with "-". </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
|
||||
or if you have a static IP address, you can remove "dhcp" from the option
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>
|
||||
or if you have a static IP address, you can remove "dhcp" from the option
|
||||
list. </p>
|
||||
</li>
|
||||
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<div align="left">
|
||||
|
||||
<div align="left">
|
||||
<h2 align="left">IP Addresses</h2>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges
|
||||
for use in private networks:</p>
|
||||
|
||||
<div align="left">
|
||||
|
||||
<div align="left">
|
||||
<pre> 10.0.0.0 - 10.255.255.255<br> 172.16.0.0 - 172.31.255.255<br> 192.168.0.0 - 192.168.255.255</pre>
|
||||
</div>
|
||||
|
||||
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
|
||||
because the Internet backbone routers will not forward a packet whose
|
||||
destination address is reserved by RFC 1918. In some cases though, ISPs
|
||||
are assigning these addresses then using <i>Network Address Translation
|
||||
</div>
|
||||
|
||||
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
|
||||
because the Internet backbone routers will not forward a packet whose
|
||||
destination address is reserved by RFC 1918. In some cases though, ISPs
|
||||
are assigning these addresses then using <i>Network Address Translation
|
||||
</i>to rewrite packet headers when forwarding to/from the internet.</p>
|
||||
|
||||
|
||||
<p align="left"><img border="0" src="images/BD21298_.gif" align="left"
|
||||
width="13" height="13">
|
||||
Before starting Shorewall, you should look at the IP address
|
||||
of your external interface and if it is one of the above ranges, you
|
||||
should remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<h2 align="left">Enabling other Connections</h2>
|
||||
Before starting Shorewall, you should look at the IP address
|
||||
of your external interface and if it is one of the above ranges, you should
|
||||
remove the 'norfc1918' option from the entry in /etc/shorewall/interfaces.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">If you wish to enable connections from the internet to your
|
||||
|
||||
<div align="left">
|
||||
<h2 align="left">Enabling other Connections</h2>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">If you wish to enable connections from the internet to your
|
||||
firewall, the general format is:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber4">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td><i><protocol></i></td>
|
||||
<td><i><port></i></td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td><i><protocol></i></td>
|
||||
<td><i><port></i></td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Example - You want to run a Web Server and a POP3 Server on
|
||||
your firewall system:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Example - You want to run a Web Server and a POP3 Server
|
||||
on your firewall system:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber5">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>80</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>110</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>80</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>110</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">If you don't know what port and protocol a particular application
|
||||
uses, see <a href="ports.htm">here</a>.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">If you don't know what port and protocol a particular
|
||||
application uses, see <a href="ports.htm">here</a>.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
|
||||
the internet because it uses clear text (even for login!). If you want
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>Important: </b>I don't recommend enabling telnet to/from
|
||||
the internet because it uses clear text (even for login!). If you want
|
||||
shell access to your firewall from the internet, use SSH:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;"
|
||||
id="AutoNumber4">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<td><u><b>ACTION</b></u></td>
|
||||
<td><u><b>SOURCE</b></u></td>
|
||||
<td><u><b>DESTINATION</b></u></td>
|
||||
<td><u><b>PROTOCOL</b></u></td>
|
||||
<td><u><b>PORT</b></u></td>
|
||||
<td><u><b>SOURCE PORT</b></u></td>
|
||||
<td><u><b>ORIGINAL ADDRESS</b></u></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>net</td>
|
||||
<td>fw</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> ACCEPT net fw tcp 22</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</blockquote>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13"
|
||||
height="13">
|
||||
At this point, edit /etc/shorewall/rules to add other connections
|
||||
At this point, edit /etc/shorewall/rules to add other connections
|
||||
as desired.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<h2 align="left">Starting and Stopping Your Firewall</h2>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
|
||||
<div align="left">
|
||||
<h2 align="left">Starting and Stopping Your Firewall</h2>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"> <img border="0" src="images/BD21298_2.gif"
|
||||
width="13" height="13" alt="Arrow">
|
||||
The <a href="Install.htm">installation procedure </a> configures
|
||||
your system to start Shorewall at system boot but beginning with Shorewall
|
||||
version 1.3.9 startup is disabled so that your system won't try to start
|
||||
Shorewall before configuration is complete. Once you have completed configuration
|
||||
of your firewall, you can enable Shorewall startup by removing the file /etc/shorewall/startup_disabled.<br>
|
||||
</p>
|
||||
|
||||
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
|
||||
The <a href="Install.htm">installation procedure </a> configures
|
||||
your system to start Shorewall at system boot but beginning with Shorewall
|
||||
version 1.3.9 startup is disabled so that your system won't try to start
|
||||
Shorewall before configuration is complete. Once you have completed configuration
|
||||
of your firewall, you can enable Shorewall startup by removing the file
|
||||
/etc/shorewall/startup_disabled.<br>
|
||||
</p>
|
||||
|
||||
<p align="left"><font color="#ff0000"><b>IMPORTANT</b>: Users of the .deb
|
||||
package must edit /etc/default/shorewall and set 'startup=1'.</font><br>
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">The firewall is started using the "shorewall start" command
|
||||
and stopped using "shorewall stop". When the firewall is stopped, routing
|
||||
</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">The firewall is started using the "shorewall start" command
|
||||
and stopped using "shorewall stop". When the firewall is stopped, routing
|
||||
is enabled on those hosts that have an entry in <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
|
||||
running firewall may be restarted using the "shorewall restart" command.
|
||||
If you want to totally remove any trace of Shorewall from your Netfilter
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>. A
|
||||
running firewall may be restarted using the "shorewall restart" command.
|
||||
If you want to totally remove any trace of Shorewall from your Netfilter
|
||||
configuration, use "shorewall clear".</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
|
||||
the internet, do not issue a "shorewall stop" command unless you have
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left"><b>WARNING: </b>If you are connected to your firewall from
|
||||
the internet, do not issue a "shorewall stop" command unless you have
|
||||
added an entry for the IP address that you are connected from to <a
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Also, I don't recommend using "shorewall restart"; it is better to create
|
||||
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
|
||||
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
|
||||
href="Documentation.htm#Routestopped">/etc/shorewall/routestopped</a>.
|
||||
Also, I don't recommend using "shorewall restart"; it is better to create
|
||||
an <i><a href="configuration_file_basics.htm#Configs">alternate configuration</a></i>
|
||||
and test it using the <a href="starting_and_stopping_shorewall.htm">"shorewall
|
||||
try" command</a>.</p>
|
||||
</div>
|
||||
|
||||
<p align="left"><font size="2">Last updated 12/9/2002 - <a
|
||||
</div>
|
||||
|
||||
<p align="left"><font size="2">Last updated 1/26/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas
|
||||
M. Eastep</font></a></p>
|
||||
<br>
|
||||
|
||||
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002, 2003
|
||||
Thomas M. Eastep</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
@ -1,13 +1,13 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Starting and Stopping Shorewall</title>
|
||||
@ -15,37 +15,38 @@
|
||||
<body>
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
|
||||
<td width="100%">
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
|
||||
the Firewall</font></h1>
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
|
||||
the Firewall</font></h1>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
||||
<p> If you have a permanent internet connection such as DSL or Cable,
|
||||
I recommend that you start the firewall automatically at boot. Once
|
||||
you have installed "firewall" in your init.d directory, simply type
|
||||
"chkconfig --add firewall". This will start the firewall in run
|
||||
levels 2-5 and stop it in run levels 1 and 6. If you want to configure
|
||||
your firewall differently from this default, you can use the "--level"
|
||||
option in chkconfig (see "man chkconfig") or using your favorite
|
||||
|
||||
<p> If you have a permanent internet connection such as DSL or Cable,
|
||||
I recommend that you start the firewall automatically at boot. Once
|
||||
you have installed "firewall" in your init.d directory, simply type
|
||||
"chkconfig --add firewall". This will start the firewall in run
|
||||
levels 2-5 and stop it in run levels 1 and 6. If you want to configure
|
||||
your firewall differently from this default, you can use the "--level"
|
||||
option in chkconfig (see "man chkconfig") or using your favorite
|
||||
graphical run-level editor.</p>
|
||||
|
||||
|
||||
@ -54,198 +55,278 @@ graphical run-level editor.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>Shorewall startup is disabled by default. Once you have configured
|
||||
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
|
||||
Note: Users of the .deb package must edit /etc/default/shorewall and set
|
||||
'startup=1'.<br>
|
||||
</li>
|
||||
<li>If you use dialup, you may want to start the firewall in your
|
||||
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
|
||||
in that script.</li>
|
||||
|
||||
<li>Shorewall startup is disabled by default. Once you have configured
|
||||
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
|
||||
Note: Users of the .deb package must edit /etc/default/shorewall and set
|
||||
'startup=1'.<br>
|
||||
</li>
|
||||
<li>If you use dialup, you may want to start the firewall in
|
||||
your /etc/ppp/ip-up.local script. I recommend just placing "shorewall
|
||||
restart" in that script.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p>
|
||||
</p>
|
||||
|
||||
<p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
|
||||
shell program: </p>
|
||||
|
||||
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
|
||||
shell program: </p>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>shorewall start - starts the firewall</li>
|
||||
<li>shorewall stop - stops the firewall</li>
|
||||
<li>shorewall restart - stops the firewall (if it's running)
|
||||
and then starts it again</li>
|
||||
<li>shorewall reset - reset the packet and byte counters
|
||||
in the firewall</li>
|
||||
<li>shorewall clear - remove all rules and chains installed
|
||||
by Shoreline Firewall</li>
|
||||
<li>shorewall refresh - refresh the rules involving the broadcast
|
||||
addresses of firewall interfaces and the black and white lists.</li>
|
||||
|
||||
<li>shorewall start - starts the firewall</li>
|
||||
<li>shorewall stop - stops the firewall</li>
|
||||
<li>shorewall restart - stops the firewall (if it's
|
||||
running) and then starts it again</li>
|
||||
<li>shorewall reset - reset the packet and byte counters
|
||||
in the firewall</li>
|
||||
<li>shorewall clear - remove all rules and chains
|
||||
installed by Shoreline Firewall</li>
|
||||
<li>shorewall refresh - refresh the rules involving the broadcast
|
||||
addresses of firewall interfaces and the black and white lists.</li>
|
||||
|
||||
</ul>
|
||||
If you include the keyword <i>debug</i> as the first argument, then a shell
|
||||
trace of the command is produced as in:<br>
|
||||
If you include the keyword <i>debug</i> as the first argument, then a
|
||||
shell trace of the command is produced as in:<br>
|
||||
|
||||
<pre> <font color="#009900"><b>shorewall debug start 2> /tmp/trace</b></font><br></pre>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>The above command would trace the 'start' command and place the trace
|
||||
information in the file /tmp/trace</p>
|
||||
<p> The "shorewall" program may also be used to monitor the firewall.</p>
|
||||
|
||||
<p>The above command would trace the 'start' command and place the trace information
|
||||
in the file /tmp/trace<br>
|
||||
</p>
|
||||
|
||||
<p>The <a href="#StateDiagram">Shorewall State Diagram</a> is shown at the
|
||||
bottom of this page.<br>
|
||||
</p>
|
||||
|
||||
<p>The "shorewall" program may also be used to monitor the firewall.</p>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>shorewall status - produce a verbose report about the firewall
|
||||
(iptables -L -n -v)</li>
|
||||
<li>shorewall show <i>chain</i> - produce a verbose report about
|
||||
<i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
|
||||
<li>shorewall show nat - produce a verbose report about the nat table
|
||||
(iptables -t nat -L -n -v)</li>
|
||||
<li>shorewall show tos - produce a verbose report about the mangle
|
||||
table (iptables -t mangle -L -n -v)</li>
|
||||
<li>shorewall show log - display the last 20 packet log entries.</li>
|
||||
<li>shorewall show connections - displays the IP connections currently
|
||||
being tracked by the firewall.</li>
|
||||
<li>shorewall
|
||||
show
|
||||
tc - displays information
|
||||
about the traffic control/shaping configuration.</li>
|
||||
<li>shorewall monitor [ delay ] - Continuously display the firewall
|
||||
status, last 20 log entries and nat. When the log entry display
|
||||
changes, an audible alarm is sounded.</li>
|
||||
<li>shorewall hits - Produces several reports about the Shorewall
|
||||
packet log messages in the current /var/log/messages file.</li>
|
||||
<li>shorewall version - Displays the installed version number.</li>
|
||||
<li>shorewall check - Performs a <u>cursory</u> validation of
|
||||
the zones, interfaces, hosts, rules and policy files. <font
|
||||
size="4" color="#ff6666"><b>The "check" command does not parse and validate
|
||||
the generated iptables commands so even though the "check" command
|
||||
<li>shorewall status - produce a verbose report about the firewall
|
||||
(iptables -L -n -v)</li>
|
||||
<li>shorewall show <i>chain</i> - produce a verbose report about
|
||||
<i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
|
||||
<li>shorewall show nat - produce a verbose report about the nat
|
||||
table (iptables -t nat -L -n -v)</li>
|
||||
<li>shorewall show tos - produce a verbose report about the mangle
|
||||
table (iptables -t mangle -L -n -v)</li>
|
||||
<li>shorewall show log - display the last 20 packet log entries.</li>
|
||||
<li>shorewall show connections - displays the IP connections currently
|
||||
being tracked by the firewall.</li>
|
||||
<li>shorewall
|
||||
show
|
||||
tc - displays information
|
||||
about the traffic control/shaping configuration.</li>
|
||||
<li>shorewall monitor [ delay ] - Continuously display the firewall
|
||||
status, last 20 log entries and nat. When the log entry display
|
||||
changes, an audible alarm is sounded.</li>
|
||||
<li>shorewall hits - Produces several reports about the Shorewall
|
||||
packet log messages in the current /var/log/messages file.</li>
|
||||
<li>shorewall version - Displays the installed version number.</li>
|
||||
<li>shorewall check - Performs a <u>cursory</u> validation
|
||||
of the zones, interfaces, hosts, rules and policy files. <font
|
||||
size="4" color="#ff6666"><b>The "check" command does not parse and validate
|
||||
the generated iptables commands so even though the "check" command
|
||||
completes successfully, the configuration may fail to start. See the
|
||||
recommended way to make configuration changes described below. </b></font>
|
||||
recommended way to make configuration changes described below. </b></font>
|
||||
</li>
|
||||
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
|
||||
] - Restart shorewall using the specified configuration and if an error
|
||||
occurs or if the<i> timeout </i> option is given and the new configuration
|
||||
has been up for that many seconds then shorewall is restarted using
|
||||
the standard configuration.</li>
|
||||
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
|
||||
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
|
||||
<li>shorewall logwatch (added in version 1.3.2) - Monitors the
|
||||
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
|
||||
messages are logged.</li>
|
||||
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
|
||||
] - Restart shorewall using the specified configuration and if an
|
||||
error occurs or if the<i> timeout </i> option is given and the new configuration
|
||||
has been up for that many seconds then shorewall is restarted using
|
||||
the standard configuration.</li>
|
||||
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
|
||||
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
|
||||
<li>shorewall logwatch (added in version 1.3.2) - Monitors the
|
||||
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new
|
||||
Shorewall messages are logged.</li>
|
||||
|
||||
</ul>
|
||||
Finally, the "shorewall" program may be used to dynamically alter the
|
||||
contents of a zone.<br>
|
||||
|
||||
<ul>
|
||||
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds
|
||||
the specified interface (and host if included) to the specified zone.</li>
|
||||
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>-
|
||||
Deletes the specified interface (and host if included) from the specified
|
||||
zone.</li>
|
||||
|
||||
</ul>
|
||||
Finally, the "shorewall" program may be used to dynamically alter the contents
|
||||
of a zone.<br>
|
||||
|
||||
<ul>
|
||||
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
|
||||
specified interface (and host if included) to the specified zone.</li>
|
||||
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
|
||||
the specified interface (and host if included) from the specified zone.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<blockquote>Examples:<br>
|
||||
|
||||
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
|
||||
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
|
||||
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
|
||||
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
|
||||
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
|
||||
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
|
||||
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
|
||||
<b>shorewall try </b>commands allow you to specify which <a
|
||||
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
|
||||
to use:</p>
|
||||
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
|
||||
shorewall try <i>configuration-directory</i></p>
|
||||
</blockquote>
|
||||
|
||||
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
|
||||
<b>shorewall try </b>commands allow you to specify which <a
|
||||
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
|
||||
to use:</p>
|
||||
|
||||
|
||||
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
|
||||
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
|
||||
. If the file is present in the <i>configuration-directory</i>, that file
|
||||
will be used; otherwise, the file in /etc/shorewall will be used.</p>
|
||||
|
||||
|
||||
<blockquote>
|
||||
|
||||
|
||||
<p> When changing the configuration of a production firewall, I recommend
|
||||
the following:</p>
|
||||
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
|
||||
shorewall try <i>configuration-directory</i></p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
|
||||
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
|
||||
. If the file is present in the <i>configuration-directory</i>, that
|
||||
file will be used; otherwise, the file in /etc/shorewall will be used.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> When changing the configuration of a production firewall, I recommend
|
||||
the following:</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
|
||||
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
|
||||
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
|
||||
|
||||
<li><font color="#009900"><b>cd /etc/test</b></font></li>
|
||||
<li><font color="#009900"><b>cd /etc/test</b></font></li>
|
||||
|
||||
<li><copy any files that you need to change from /etc/shorewall
|
||||
to . and change them here></li>
|
||||
<li><copy any files that you need to change from /etc/shorewall
|
||||
to . and change them here></li>
|
||||
|
||||
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
|
||||
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
|
||||
|
||||
<li><correct any errors found by check and check again></li>
|
||||
<li><correct any errors found by check and check again></li>
|
||||
|
||||
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
|
||||
|
||||
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p> If the configuration starts but doesn't work, just "shorewall restart"
|
||||
to restore the old configuration. If the new configuration fails to start,
|
||||
the "try" command will automatically start the old one for you.</p>
|
||||
|
||||
<p> If the configuration starts but doesn't work, just "shorewall restart"
|
||||
to restore the old configuration. If the new configuration fails to start,
|
||||
the "try" command will automatically start the old one for you.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> When the new configuration works then just </p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
|
||||
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
|
||||
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
|
||||
|
||||
<li><font color="#009900"><b>cd</b></font></li>
|
||||
<li><font color="#009900"><b>cd</b></font></li>
|
||||
|
||||
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
|
||||
|
||||
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><font size="2"> Updated 1/9/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><a name="StateDiagram"></a>The Shorewall State Diargram is depicted below.<br>
|
||||
</p>
|
||||
<div align="center"><img
|
||||
src="file:///J:/Shorewall-docs/images/State_Diagram.png"
|
||||
alt="(State Diagram)" width="747" height="714" align="middle">
|
||||
<br>
|
||||
</div>
|
||||
|
||||
<p> <br>
|
||||
</p>
|
||||
You will note that the commands that result in state transitions use
|
||||
the word "firewall" rather than "shorewall". That is because the actual
|
||||
transitions are done by /usr/lib/shorewall/firewall (/usr/share/shorewall/firewall
|
||||
on Debian); /sbin/shorewall runs 'firewall" according to the following table:<br>
|
||||
<br>
|
||||
|
||||
<table cellpadding="2" cellspacing="2" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">shorewall start<br>
|
||||
</td>
|
||||
<td valign="top">firewall start<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall stop<br>
|
||||
</td>
|
||||
<td valign="top">firewall stop<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall restart<br>
|
||||
</td>
|
||||
<td valign="top">firewall restart<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall add<br>
|
||||
</td>
|
||||
<td valign="top">firewall add<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall delete<br>
|
||||
</td>
|
||||
<td valign="top">firewall delete<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall refresh<br>
|
||||
</td>
|
||||
<td valign="top">firewall refresh<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">shorewall try<br>
|
||||
</td>
|
||||
<td valign="top">firewall -c <new configuration> restart<br>
|
||||
If unsuccessful then firewall start (standard configuration)<br>
|
||||
If timeout then firewall restart (standard configuration)<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
|
||||
<p><font size="2"> Updated 1/29/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
@ -2,120 +2,128 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Support</title>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support<img
|
||||
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p> <b><big><big><font color="#ff0000">Due to "Shorewall burnout", I am currently
|
||||
not involved in either Shorewall development or Shorewall support. Nevertheless,
|
||||
the mailing list is being ably manned by other Shorewall users.</font></big><span
|
||||
|
||||
<p> <b><big><big><font color="#ff0000">While I don't answer Shorewall questions
|
||||
emailed directly to me, I try to spend some time each day answering questions
|
||||
on the Shorewall Users Mailing List.</font></big><span
|
||||
style="font-weight: 400;"></span></big></b></p>
|
||||
|
||||
|
||||
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
|
||||
|
||||
<h2>Before Reporting a Problem</h2>
|
||||
There are a number of sources for problem
|
||||
solution information. Please try these before you post.
|
||||
|
||||
|
||||
<h1>Before Reporting a Problem</h1>
|
||||
<i>"Well at least you tried to read the documentation, which is a lot more
|
||||
than some people on this list appear to do.</i>"<br>
|
||||
<br>
|
||||
<div align="center">- Wietse Venema - On the Postfix mailing list<br>
|
||||
</div>
|
||||
<br>
|
||||
There are a number of sources for
|
||||
problem solution information. Please try these before you post.
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>More than half of the questions posted on the support list
|
||||
have answers directly accessible from the <a
|
||||
<li>More than half of the questions posted on the support
|
||||
list have answers directly accessible from the <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
|
||||
<br>
|
||||
</li>
|
||||
<li> The <a href="FAQ.htm">FAQ</a>
|
||||
has solutions to more than 20 common problems. </li>
|
||||
|
||||
<br>
|
||||
</li>
|
||||
<li> The <a href="FAQ.htm">FAQ</a>
|
||||
has solutions to more than 20 common problems. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li> The <a
|
||||
href="troubleshoot.htm">Troubleshooting</a> Information contains
|
||||
a number of tips to help you solve common problems. </li>
|
||||
|
||||
<li> The <a
|
||||
href="troubleshoot.htm">Troubleshooting</a> Information contains
|
||||
a number of tips to help you solve common problems. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li> The <a
|
||||
href="errata.htm"> Errata</a> has links to download updated
|
||||
components. </li>
|
||||
|
||||
<li> The <a
|
||||
href="errata.htm"> Errata</a> has links to download updated
|
||||
components. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li> The Mailing List Archives
|
||||
search facility can locate posts about similar problems:
|
||||
</li>
|
||||
|
||||
<li> The Mailing List
|
||||
Archives search facility can locate posts about similar problems:
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h2> </h2>
|
||||
|
||||
|
||||
<h2>Mailing List Archive Search</h2>
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
|
||||
|
||||
<p> <font size="-1"> Match:
|
||||
|
||||
|
||||
<form method="post" action="http://lists.shorewall.net/cgi-bin/htsearch">
|
||||
|
||||
|
||||
<p> <font size="-1"> Match:
|
||||
|
||||
<select name="method">
|
||||
<option value="and">All </option>
|
||||
<option value="or">Any </option>
|
||||
<option value="boolean">Boolean </option>
|
||||
</select>
|
||||
Format:
|
||||
|
||||
Format:
|
||||
|
||||
<select name="format">
|
||||
<option value="builtin-long">Long </option>
|
||||
<option value="builtin-short">Short </option>
|
||||
</select>
|
||||
Sort by:
|
||||
|
||||
Sort by:
|
||||
|
||||
<select name="sort">
|
||||
<option value="score">Score </option>
|
||||
<option value="time">Time </option>
|
||||
@ -124,239 +132,256 @@ has solutions to more than 20 common problems. </li>
|
||||
<option value="revtime">Reverse Time </option>
|
||||
<option value="revtitle">Reverse Title </option>
|
||||
</select>
|
||||
</font> <input type="hidden" name="config"
|
||||
value="htdig"> <input type="hidden" name="restrict"
|
||||
value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
</font> <input type="hidden"
|
||||
name="config" value="htdig"> <input type="hidden" name="restrict"
|
||||
value="[http://lists.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
name="exclude" value=""> <br>
|
||||
Search: <input type="text" size="30"
|
||||
Search: <input type="text" size="30"
|
||||
name="words" value=""> <input type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
</form>
|
||||
|
||||
<h2>Problem Reporting Guidelines </h2>
|
||||
<i>"Let me see if I can translate your message into a real-world
|
||||
example. It would be like saying that you have three rooms at home,
|
||||
and when you walk into one of the rooms, you detect this strange smell.
|
||||
Can anyone tell you what that strange smell is?<br>
|
||||
<br>
|
||||
Now, all of us could do some wonderful guessing as to the smell
|
||||
and even what's causing it. You would be absolutely amazed at the range
|
||||
and variety of smells we could come up with. Even more amazing is that
|
||||
all of the explanations for the smells would be completely plausible."<br>
|
||||
</i><br>
|
||||
|
||||
<i>"Let me see if I can translate your message into a real-world
|
||||
example. It would be like saying that you have three rooms at home,
|
||||
and when you walk into one of the rooms, you detect this strange smell.
|
||||
Can anyone tell you what that strange smell is?<br>
|
||||
<br>
|
||||
Now, all of us could do some wonderful guessing as to the
|
||||
smell and even what's causing it. You would be absolutely amazed
|
||||
at the range and variety of smells we could come up with. Even more
|
||||
amazing is that all of the explanations for the smells would be completely
|
||||
plausible."<br>
|
||||
</i><br>
|
||||
|
||||
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
|
||||
</div>
|
||||
<br>
|
||||
|
||||
</div>
|
||||
<br>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>Please remember we only know what is posted in your message.
|
||||
Do not leave out any information that appears to be correct, or was mentioned
|
||||
in a previous post. There have been countless posts by people who were
|
||||
sure that some part of their configuration was correct when it actually
|
||||
contained a small error. We tend to be skeptics where detail is lacking.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please keep in mind that you're asking for <strong>free</strong>
|
||||
technical support. Any help we offer is an act of generosity, not an obligation.
|
||||
Try to make it easy for us to help you. Follow good, courteous practices
|
||||
in writing and formatting your e-mail. Provide details that we need if
|
||||
you expect good answers. <em>Exact quoting </em> of error messages, log
|
||||
entries, command output, and other output is better than a paraphrase or
|
||||
summary.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li> Please don't describe your
|
||||
environment and then ask us to send you custom configuration
|
||||
files. We're here to answer your questions but we can't
|
||||
do your job for you.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>When reporting a problem, <strong>ALWAYS</strong> include
|
||||
this information:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>Please remember we only know what is posted in your message. Do
|
||||
not leave out any information that appears to be correct, or was mentioned
|
||||
in a previous post. There have been countless posts by people who were
|
||||
sure that some part of their configuration was correct when it actually
|
||||
contained a small error. We tend to be skeptics where detail is lacking.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please keep in mind that you're asking for <strong>free</strong>
|
||||
technical support. Any help we offer is an act of generosity, not an obligation.
|
||||
Try to make it easy for us to help you. Follow good, courteous practices
|
||||
in writing and formatting your e-mail. Provide details that we need if
|
||||
you expect good answers. <em>Exact quoting </em> of error messages, log
|
||||
entries, command output, and other output is better than a paraphrase or
|
||||
summary.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li> Please don't describe your environment
|
||||
and then ask us to send you custom configuration files.
|
||||
We're here to answer your questions but we can't do your
|
||||
job for you.<br>
|
||||
<br>
|
||||
|
||||
<ul>
|
||||
<li>the exact version of Shorewall you are running.<br>
|
||||
<br>
|
||||
<b><font color="#009900">shorewall version</font><br>
|
||||
</b> <br>
|
||||
</li>
|
||||
<li>When reporting a problem, <strong>ALWAYS</strong> include this
|
||||
information:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
<ul>
|
||||
<li>the exact version of Shorewall you are running.<br>
|
||||
<br>
|
||||
<b><font color="#009900">shorewall version</font><br>
|
||||
</b> <br>
|
||||
</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>the exact kernel version you are running<br>
|
||||
<br>
|
||||
<font color="#009900"><b>uname -a<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
<li>the exact kernel version you are running<br>
|
||||
<br>
|
||||
<font color="#009900"><b>uname -a<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip addr show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip addr show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip route show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip route show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>If your kernel is modularized, the exact output from<br>
|
||||
<br>
|
||||
<font color="#009900"><b>lsmod</b></font><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>the exact wording of any <code
|
||||
style="color: green; font-weight: bold;">ping</code> failure responses.<br>
|
||||
<br>
|
||||
</li>
|
||||
|
||||
<li>If your kernel is modularized, the exact output from<br>
|
||||
<br>
|
||||
<font color="#009900"><b>lsmod</b></font><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>the exact wording of any <code
|
||||
style="color: green; font-weight: bold;">ping</code> failure responses<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>If you installed Shorewall using one of the QuickStart Guides, please
|
||||
indicate which one. <br>
|
||||
<br>
|
||||
</li>
|
||||
<li><b>If you are running Shorewall under Mandrake using the Mandrake
|
||||
installation of Shorewall, please say so.</b><br>
|
||||
<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li><b>NEVER </b>include the output of "<b><font color="#009900">iptables
|
||||
-L</font></b>". Instead, please post the exact output of<br>
|
||||
<br>
|
||||
<b><font color="#009900">/sbin/shorewall status<br>
|
||||
<br>
|
||||
</font></b>Since that command generates a lot of output, we suggest
|
||||
that you redirect the output to a file and attach the file to your post<br>
|
||||
<br>
|
||||
<b><font color="#009900">/sbin/shorewall status > /tmp/status.txt</font></b><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>As a general matter, please <strong>do not edit the diagnostic
|
||||
information</strong> in an attempt to conceal your IP address, netmask,
|
||||
nameserver addresses, domain name, etc. These aren't secrets, and concealing
|
||||
them often misleads us (and 80% of the time, a hacker could derive them
|
||||
anyway from information contained in the SMTP headers of your post).<strong></strong></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> Do you see any "Shorewall"
|
||||
messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
|
||||
when you exercise the function that is giving you problems? If
|
||||
so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
|
||||
file.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please include any of the Shorewall configuration files (especially
|
||||
the /etc/shorewall/hosts file if you have modified that file)
|
||||
that you think are relevant. If you include /etc/shorewall/rules,
|
||||
please include /etc/shorewall/policy as well (rules are meaningless unless
|
||||
one also knows the policies). </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> If an error occurs when
|
||||
you try to "<font color="#009900"><b>shorewall start</b></font>",
|
||||
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
||||
section for instructions). </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The list server limits posts to 120kb so don't post GIFs of
|
||||
your network layout, etc. to the Mailing List -- your
|
||||
post will be rejected.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
The author gratefully acknowleges that the above list was heavily plagiarized
|
||||
from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> found
|
||||
at <a href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
A growing number of MTAs serving list subscribers are rejecting all
|
||||
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
|
||||
"for continuous abuse" because it has been my policy to allow HTML in list
|
||||
posts!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian way to control spam
|
||||
and that the ultimate losers here are not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. As one list subscriber
|
||||
wrote to me privately "These e-mail admin's need to get a <i>(expletive
|
||||
deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
|
||||
Nevertheless, to allow subscribers to receive list posts as must as possible,
|
||||
I have now configured the list server at shorewall.net to strip all HTML
|
||||
from outgoing posts.<br>
|
||||
|
||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||
|
||||
<blockquote>
|
||||
<h4>If you run Shorewall under Bering -- <span
|
||||
style="font-weight: 400;">please post your question or problem
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
|
||||
list</a>.</span></h4>
|
||||
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall
|
||||
(MNF) and you have not purchased an MNF license from MandrakeSoft then
|
||||
you can post non MNF-specific Shorewall questions to the </b><a
|
||||
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a>
|
||||
<b>Do not expect to get free MNF support on the list.</b><br>
|
||||
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>To Subscribe to the mailing list go to <a
|
||||
href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
.</p>
|
||||
|
||||
<ul>
|
||||
<li><b>NEVER </b>include the output of "<b><font
|
||||
color="#009900">iptables -L</font></b>". Instead, if you are having connection
|
||||
problems of any kind, post the exact output of<br>
|
||||
<br>
|
||||
<b><font color="#009900">/sbin/shorewall status<br>
|
||||
<br>
|
||||
</font></b>Since that command generates a lot of output, we
|
||||
suggest that you redirect the output to a file and attach the file to
|
||||
your post<br>
|
||||
<br>
|
||||
<b><font color="#009900">/sbin/shorewall status > /tmp/status.txt</font></b><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>As a general matter, please <strong>do not edit the diagnostic
|
||||
information</strong> in an attempt to conceal your IP address, netmask,
|
||||
nameserver addresses, domain name, etc. These aren't secrets, and concealing
|
||||
them often misleads us (and 80% of the time, a hacker could derive them
|
||||
anyway from information contained in the SMTP headers of your post).<strong></strong></li>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 1/9/2002 - Tom Eastep</font></p>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> Do you see any "Shorewall"
|
||||
messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
|
||||
when you exercise the function that is giving you problems? If
|
||||
so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
|
||||
file.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please include any of the Shorewall configuration files
|
||||
(especially the /etc/shorewall/hosts file if you have modified
|
||||
that file) that you think are relevant. If you include /etc/shorewall/rules,
|
||||
please include /etc/shorewall/policy as well (rules are meaningless unless
|
||||
one also knows the policies). </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> If an error occurs
|
||||
when you try to "<font color="#009900"><b>shorewall start</b></font>",
|
||||
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
||||
section for instructions). </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
|
||||
<h3><b>The list server limits posts to 120kb so don't post GIFs of
|
||||
your network layout, etc. to the Mailing List -- your
|
||||
post will be rejected.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
The author gratefully acknowleges that the above list was heavily
|
||||
plagiarized from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em>
|
||||
found at <a
|
||||
href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
A growing number of MTAs serving list subscribers are rejecting
|
||||
all HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
|
||||
"for continuous abuse" because it has been my policy to allow HTML in
|
||||
list posts!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian way to control
|
||||
spam and that the ultimate losers here are not the spammers but the
|
||||
list subscribers whose MTAs are bouncing all shorewall.net mail. As
|
||||
one list subscriber wrote to me privately "These e-mail admin's need
|
||||
to get a <i>(expletive deleted)</i> life instead of trying to rid the
|
||||
planet of HTML based e-mail". Nevertheless, to allow subscribers to receive
|
||||
list posts as must as possible, I have now configured the list server
|
||||
at shorewall.net to strip all HTML from outgoing posts.<br>
|
||||
|
||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||
|
||||
<blockquote>
|
||||
<h4>If you run Shorewall under Bering -- <span
|
||||
style="font-weight: 400;">please post your question or problem
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users
|
||||
mailing list</a>.</span></h4>
|
||||
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall
|
||||
(MNF) and you have not purchased an MNF license from MandrakeSoft then
|
||||
you can post non MNF-specific Shorewall questions to the </b><a
|
||||
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
||||
list.</a> <b>Do not expect to get free MNF support on the list.</b><br>
|
||||
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@lists.shorewall.net">Shorewall users mailing
|
||||
list.</a></p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>To Subscribe to the mailing list go to <a
|
||||
href="http://lists.shorewall.net/mailman/listinfo/shorewall-users">http://lists.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
.</p>
|
||||
|
||||
|
||||
<p align="left"><font size="2">Last Updated 2/4/2003 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
File diff suppressed because it is too large
Load Diff
File diff suppressed because it is too large
Load Diff
@ -1,176 +1,234 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Upgrade Issues</title>
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Upgrade Issues</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p>For upgrade instructions see the <a
|
||||
href="Install.htm">Install/Upgrade page</a>.</p>
|
||||
|
||||
|
||||
<h3>Version >= 1.3.14</h3>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Beginning in version 1.3.14, Shorewall treats entries in <a
|
||||
href="Documentation.htm#Masq">/etc/shorewall/masq </a>differently. The change
|
||||
involves entries with an <b>interface name</b> in the <b>SUBNET</b> (second)
|
||||
<b>column</b>:<br>
|
||||
|
||||
<ul>
|
||||
<li>Prior to 1.3.14, Shorewall would detect the FIRST subnet on the interface
|
||||
(as shown by "ip addr show <i>interface</i>") and would masquerade traffic
|
||||
from that subnet. Any other subnets that routed through eth1 needed their
|
||||
own entry in /etc/shorewall/masq to be masqueraded or to have SNAT applied.</li>
|
||||
<li>Beginning with Shorewall 1.3.14, Shorewall uses the firewall's routing
|
||||
table to determine ALL subnets routed through the named interface. Traffic
|
||||
originating in ANY of those subnets is masqueraded or has SNAT applied.</li>
|
||||
|
||||
</ul>
|
||||
You will need to make a change to your configuration if:<br>
|
||||
|
||||
<ol>
|
||||
<li>You have one or more entries in /etc/shorewall/masq with an interface
|
||||
name in the SUBNET (second) column; and</li>
|
||||
<li>That interface connects to more than one subnetwork.</li>
|
||||
|
||||
</ol>
|
||||
Two examples:<br>
|
||||
<br>
|
||||
<b>Example 1</b> -- Suppose that your current config is as follows:<br>
|
||||
<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq<br> #INTERFACE SUBNET ADDRESS<br> eth0 eth2 206.124.146.176<br> eth0 192.168.10.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE<br> [root@gateway test]# ip route show dev eth2<br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254<br> [root@gateway test]#</pre>
|
||||
|
||||
<blockquote>In this case, the second entry in /etc/shorewall/masq is no longer
|
||||
required.<br>
|
||||
</blockquote>
|
||||
<b>Example 2</b>-- What if your current configuration is like this?<br>
|
||||
|
||||
<pre> [root@gateway test]# cat /etc/shorewall/masq <br> #INTERFACE SUBNET ADDRESS <br> eth0 eth2 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE <br> [root@gateway test]# ip route show dev eth2 <br> 192.168.1.0/24 scope link<br> 192.168.10.0/24 proto kernel scope link src 192.168.10.254 <br> [root@gateway test]#</pre>
|
||||
|
||||
<blockquote>In this case, you would want to change the entry in /etc/shorewall/masq
|
||||
to:<br>
|
||||
</blockquote>
|
||||
|
||||
<pre> #INTERFACE SUBNET ADDRESS <br> eth0 192.168.1.0/24 206.124.146.176<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
<img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
Version 1.3.14 also introduced simplified ICMP echo-request (ping) handling.
|
||||
The option OLD_PING_HANDLING=Yes in /etc/shorewall/shorewall.conf is used
|
||||
to specify that the old (pre-1.3.14) ping handling is to be used (If the
|
||||
option is not set in your /etc/shorewall/shorewall.conf then OLD_PING_HANDLING=Yes
|
||||
is assumed). I don't plan on supporting the old handling indefinitely so
|
||||
I urge current users to migrate to using the new handling as soon as possible.
|
||||
See the <a href="ping.html">'Ping' handling documentation</a> for details.<br>
|
||||
<h3>Version 1.3.10</h3>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
|
||||
1.3.10, you will need to use the '--force' option:<br>
|
||||
<br>
|
||||
<blockquote>
|
||||
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
|
||||
</blockquote>
|
||||
<h3>Version >= 1.3.9</h3>
|
||||
The 'functions' file has moved to /usr/lib/shorewall/functions. If you
|
||||
have an application that uses functions from that file, your application
|
||||
will need to be changed to reflect this change of location.<br>
|
||||
If you have installed the 1.3.10 Beta 1 RPM and are now upgrading to version
|
||||
1.3.10, you will need to use the '--force' option:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<pre>rpm -Uvh --force shorewall-1.3.10-1.noarch.rpm </pre>
|
||||
</blockquote>
|
||||
|
||||
<h3>Version >= 1.3.9</h3>
|
||||
The 'functions' file has moved to /usr/lib/shorewall/functions. If you
|
||||
have an application that uses functions from that file, your application
|
||||
will need to be changed to reflect this change of location.<br>
|
||||
|
||||
<h3>Version >= 1.3.8</h3>
|
||||
|
||||
|
||||
<p>If you have a pair of firewall systems configured for failover
|
||||
or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall
|
||||
versions >= 1.3.8. Beginning with version 1.3.8,
|
||||
or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall
|
||||
versions >= 1.3.8. Beginning with version 1.3.8,
|
||||
you must set NEWNOTSYN=Yes in your
|
||||
/etc/shorewall/shorewall.conf file.</p>
|
||||
|
||||
|
||||
<h3>Version >= 1.3.7</h3>
|
||||
|
||||
|
||||
<p>Users specifying ALLOWRELATED=No in /etc/shorewall.conf
|
||||
will need to include the following rules
|
||||
in their /etc/shorewall/icmpdef file (creating
|
||||
this file if necessary):</p>
|
||||
|
||||
will need to include the following rules
|
||||
in their /etc/shorewall/icmpdef file (creating
|
||||
this file if necessary):</p>
|
||||
|
||||
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT<br> run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
|
||||
|
||||
|
||||
<p>Users having an /etc/shorewall/icmpdef file may remove the ". /etc/shorewall/icmp.def"
|
||||
command from that file since the icmp.def file is now empty.</p>
|
||||
|
||||
command from that file since the icmp.def file is now empty.</p>
|
||||
|
||||
<h3><b><a name="Bering">Upgrading </a>Bering to
|
||||
Shorewall >= 1.3.3</b></h3>
|
||||
|
||||
|
||||
<p>To properly upgrade with Shorewall version
|
||||
1.3.3 and later:</p>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>Be sure you have a backup -- you
|
||||
will need to transcribe any Shorewall configuration
|
||||
<li>Be sure you have a backup -- you
|
||||
will need to transcribe any Shorewall configuration
|
||||
changes that you have made to the new
|
||||
configuration.</li>
|
||||
<li>Replace the shorwall.lrp package
|
||||
provided on the Bering floppy with the later
|
||||
one. If you did not obtain the later version
|
||||
from Jacques's site, see additional instructions
|
||||
below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
||||
file and remove the /var/lib/shorewall
|
||||
entry if present. Then do not forget to
|
||||
backup root.lrp !</li>
|
||||
|
||||
<li>Replace the shorwall.lrp package
|
||||
provided on the Bering floppy with the
|
||||
later one. If you did not obtain the later
|
||||
version from Jacques's site, see additional
|
||||
instructions below.</li>
|
||||
<li>Edit the /var/lib/lrpkg/root.exclude.list
|
||||
file and remove the /var/lib/shorewall
|
||||
entry if present. Then do not forget to
|
||||
backup root.lrp !</li>
|
||||
|
||||
</ol>
|
||||
|
||||
|
||||
<p>The .lrp that I release isn't set up for a two-interface firewall like
|
||||
Jacques's. You need to follow the <a href="two-interface.htm">instructions
|
||||
for setting up a two-interface firewall</a> plus you also need to add
|
||||
the following two Bering-specific rules to /etc/shorewall/rules:</p>
|
||||
|
||||
<blockquote>
|
||||
Jacques's. You need to follow the <a href="two-interface.htm">instructions
|
||||
for setting up a two-interface firewall</a> plus you also need to add
|
||||
the following two Bering-specific rules to /etc/shorewall/rules:</p>
|
||||
|
||||
<blockquote>
|
||||
<pre># Bering specific rules:<br># allow loc to fw udp/53 for dnscache to work<br># allow loc to fw tcp/80 for weblet to work<br>#<br>ACCEPT loc fw udp 53<br>ACCEPT loc fw tcp 80</pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<h3 align="left">Version 1.3.6 and 1.3.7</h3>
|
||||
|
||||
|
||||
<p align="left">If you have a pair of firewall systems configured for
|
||||
failover or if you have asymmetric routing, you will need to modify
|
||||
your firewall setup slightly under Shorewall versions 1.3.6
|
||||
your firewall setup slightly under Shorewall versions 1.3.6
|
||||
and 1.3.7</p>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
<li>
|
||||
|
||||
<p align="left">Create the file /etc/shorewall/newnotsyn and in it add
|
||||
the following rule<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A newnotsyn -j RETURN #
|
||||
So that the connection tracking table can be rebuilt<br>
|
||||
# from non-SYN packets
|
||||
after takeover.<br>
|
||||
</font> </p>
|
||||
</li>
|
||||
<li>
|
||||
the following rule<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A newnotsyn -j RETURN
|
||||
# So that the connection tracking table can be rebuilt<br>
|
||||
# from non-SYN packets
|
||||
after takeover.<br>
|
||||
</font> </p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">Create /etc/shorewall/common (if you don't already
|
||||
have that file) and include the following:<br>
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
|
||||
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
|
||||
|
||||
#tracking table. <br>
|
||||
. /etc/shorewall/common.def</font> </p>
|
||||
</li>
|
||||
|
||||
<br>
|
||||
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
|
||||
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
|
||||
|
||||
#tracking table. <br>
|
||||
. /etc/shorewall/common.def</font> </p>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
|
||||
<h3 align="left">Versions >= 1.3.5</h3>
|
||||
|
||||
|
||||
<p align="left">Some forms of pre-1.3.0 rules file syntax are no
|
||||
longer supported. </p>
|
||||
|
||||
|
||||
<p align="left">Example 1:</p>
|
||||
|
||||
<div align="left">
|
||||
|
||||
<div align="left">
|
||||
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
|
||||
<p align="left">Must be replaced with:</p>
|
||||
|
||||
<div align="left">
|
||||
|
||||
<div align="left">
|
||||
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Example 2:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Must be replaced with:</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> REDIRECT loc 3128 tcp 80</pre>
|
||||
</div>
|
||||
|
||||
|
||||
<div align="left">
|
||||
<pre> REDIRECT loc 3128 tcp 80</pre>
|
||||
</div>
|
||||
|
||||
<h3 align="left">Version >= 1.3.2</h3>
|
||||
|
||||
|
||||
<p align="left">The functions and versions files together with the
|
||||
'firewall' symbolic link have moved from /etc/shorewall to /var/lib/shorewall.
|
||||
If you have applications that access these files, those applications
|
||||
should be modified accordingly.</p>
|
||||
|
||||
<p><font size="2"> Last updated 11/09/2002 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
If you have applications that access these files, those applications
|
||||
should be modified accordingly.</p>
|
||||
|
||||
<p><font size="2"> Last updated 1/25/2003 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -5,7 +5,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://seattlefirewall.dyndns.org
|
||||
#
|
||||
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.3.13
|
||||
VERSION=1.3.14
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
276
STABLE/firewall
276
STABLE/firewall
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# On most distributions, this file should be called:
|
||||
# /etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
|
||||
@ -374,7 +374,14 @@ chain_base() #$1 = interface
|
||||
{
|
||||
local c=${1%%+*}
|
||||
|
||||
echo ${c:=common}
|
||||
case $c in
|
||||
*.*)
|
||||
echo ${c%.*}_${c#*.}
|
||||
;;
|
||||
*)
|
||||
echo ${c:=common}
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
#
|
||||
@ -599,13 +606,17 @@ validate_interfaces_file() {
|
||||
|
||||
for option in $options; do
|
||||
case $option in
|
||||
dhcp|noping|filterping|routestopped|norfc1918|multi|tcpflags)
|
||||
;;
|
||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
;;
|
||||
dhcp|routestopped|norfc1918|multi|tcpflags)
|
||||
;;
|
||||
routefilter|dropunclean|logunclean|blacklist|proxyarp|maclist|-)
|
||||
;;
|
||||
noping|filterping)
|
||||
[ -n "$OLD_PING_HANDLING" ] || \
|
||||
startup_error "Option $option only allowed with old ping handling"
|
||||
;;
|
||||
*)
|
||||
error_message "Warning: Invalid option ($option) in record \"$r\""
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
@ -1102,8 +1113,7 @@ validate_policy()
|
||||
#
|
||||
find_broadcasts() {
|
||||
for interface in $all_interfaces; do
|
||||
interface=`chain_base $interface`
|
||||
eval bcast=\$${interface}_broadcast
|
||||
eval bcast=\$`chain_base $interface`_broadcast
|
||||
if [ "x$bcast" = "xdetect" ]; then
|
||||
addr="`ip addr show $interface 2> /dev/null`"
|
||||
if [ -n "`echo "$addr" | grep 'inet.*brd '`" ]; then
|
||||
@ -1122,7 +1132,7 @@ find_broadcasts() {
|
||||
#
|
||||
find_interface_broadcasts() # $1 = Interface name
|
||||
{
|
||||
eval bcast=\$${1}_broadcast
|
||||
eval bcast=\$`chain_base ${1}`_broadcast
|
||||
|
||||
if [ "x$bcast" = "xdetect" ]; then
|
||||
addr="`ip addr show $interface 2> /dev/null`"
|
||||
@ -1414,6 +1424,23 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
echo " PPTP server defined."
|
||||
}
|
||||
|
||||
setup_one_openvpn() # $1 = gateway, $2 = kind[:port]
|
||||
{
|
||||
case $2 in
|
||||
*:*)
|
||||
p=${2#*:}
|
||||
;;
|
||||
*)
|
||||
p=5000
|
||||
;;
|
||||
esac
|
||||
|
||||
addrule $inchain -p udp -s $1 --sport $p --dport $p -j ACCEPT
|
||||
addrule $outchain -p udp -d $1 --sport $p --dport $p -j ACCEPT
|
||||
|
||||
echo " OPENVPN tunnel to $1:$p defined."
|
||||
}
|
||||
|
||||
strip_file tunnels $1
|
||||
|
||||
while read kind z gateway z1; do
|
||||
@ -1441,6 +1468,9 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
pptpserver|PPTPSERVER)
|
||||
setup_pptp_server
|
||||
;;
|
||||
openvpn|OPENVPN|openvpn:*|OPENVPN:*)
|
||||
setup_one_openvpn $gateway $kind
|
||||
;;
|
||||
*)
|
||||
error_message "Tunnels of type $kind are not supported:" \
|
||||
"Tunnel \"$tunnel\" Ignored"
|
||||
@ -1704,8 +1734,11 @@ setup_nat() {
|
||||
|
||||
while read external interface internal allints localnat; do
|
||||
expandv external interface internal allints localnat
|
||||
|
||||
iface=${interface%:*}
|
||||
|
||||
if [ -n "$ADD_IP_ALIASES" ]; then
|
||||
qt ip addr del $external dev $interface
|
||||
qt ip addr del $external dev $iface
|
||||
fi
|
||||
|
||||
if [ -z "$allints" -o "$allints" = "Yes" -o "$allints" = "yes" ]
|
||||
@ -1718,9 +1751,9 @@ setup_nat() {
|
||||
-j DNAT --to-destination $internal
|
||||
fi
|
||||
else
|
||||
addnatrule `input_chain $interface` \
|
||||
addnatrule `input_chain $iface` \
|
||||
-d $external -j DNAT --to-destination $internal
|
||||
addnatrule `output_chain $interface` \
|
||||
addnatrule `output_chain $iface` \
|
||||
-s $internal -j SNAT --to-source $external
|
||||
fi
|
||||
|
||||
@ -1753,7 +1786,7 @@ delete_nat() {
|
||||
|
||||
#
|
||||
# Process a TC Rule - $marking_chain is assumed to contain the name of the
|
||||
# marking chain
|
||||
# default marking chain
|
||||
#
|
||||
process_tc_rule()
|
||||
{
|
||||
@ -1774,13 +1807,34 @@ process_tc_rule()
|
||||
;;
|
||||
*)
|
||||
if ! list_search $source $all_interfaces; then
|
||||
fatal_error "Error: Unknown interface $source"
|
||||
fatal_error "Error: Unknown interface $source in rule \"$rule\""
|
||||
fi
|
||||
|
||||
r="-i $source "
|
||||
;;
|
||||
esac
|
||||
fi
|
||||
|
||||
if [ "$mark" != "${mark%:*}" ]; then
|
||||
|
||||
[ "$chain" = tcout ] && \
|
||||
fatal_error "Chain designator not allowed when source is \$FW; rule \"$rule\""
|
||||
|
||||
case "${mark#*:}" in
|
||||
p|P)
|
||||
chain=tcpre
|
||||
;;
|
||||
f|F)
|
||||
chain=tcfor
|
||||
;;
|
||||
*)
|
||||
fatal_error "Invalid chain designator: (${mark#*:}) in rule \"$rule\""
|
||||
;;
|
||||
esac
|
||||
|
||||
mark="${mark%:*}"
|
||||
fi
|
||||
|
||||
[ "x$dest" = "x-" ] || r="${r}-d $dest "
|
||||
[ "$proto" = "all" ] || r="${r}-p $proto "
|
||||
[ "x$port" = "x-" ] || r="${r}--dport $port "
|
||||
@ -1811,7 +1865,8 @@ setup_tc1() {
|
||||
# Create the TC mangle chains
|
||||
#
|
||||
|
||||
run_iptables -t mangle -N $marking_chain
|
||||
run_iptables -t mangle -N tcpre
|
||||
run_iptables -t mangle -N tcfor
|
||||
run_iptables -t mangle -N tcout
|
||||
#
|
||||
# Process the TC Rules File
|
||||
@ -1827,11 +1882,9 @@ setup_tc1() {
|
||||
# Link to the TC mangle chains from the main chains
|
||||
#
|
||||
|
||||
if [ $marking_chain = tcfor ]; then
|
||||
run_iptables -t mangle -A FORWARD -j tcfor
|
||||
else
|
||||
run_iptables -t mangle -A PREROUTING -j tcpre
|
||||
fi
|
||||
run_iptables -t mangle -A FORWARD -j tcfor
|
||||
run_iptables -t mangle -A PREROUTING -j tcpre
|
||||
run_iptables -t mangle -A OUTPUT -j tcout
|
||||
|
||||
run_user_exit tcstart
|
||||
|
||||
@ -2871,6 +2924,21 @@ rules_chain() # $1 = source zone, $2 = destination zone
|
||||
fatal_error "Error: No appropriate chain for zone $1 to zone $2"
|
||||
}
|
||||
|
||||
#
|
||||
# echo the list of subnets routed out of a given interface
|
||||
#
|
||||
get_routed_subnets() # $1 = interface name
|
||||
{
|
||||
local address
|
||||
local rest
|
||||
|
||||
ip route show dev $1 2> /dev/null |
|
||||
while read address rest; do
|
||||
[ "$address" = "${address%/*}" ] && address="${address}/32"
|
||||
echo $address
|
||||
done
|
||||
}
|
||||
|
||||
#
|
||||
# Set up Source NAT (including masquerading)
|
||||
#
|
||||
@ -2879,12 +2947,32 @@ setup_masq()
|
||||
setup_one() {
|
||||
local using
|
||||
|
||||
if [ "$interface" = "${interface%:*}" ]; then
|
||||
destnet="0.0.0.0/0"
|
||||
else
|
||||
destnet="${interface#*:}"
|
||||
interface="${interface%:*}"
|
||||
fi
|
||||
case $fullinterface in
|
||||
*:*:*)
|
||||
# Both alias name and subnet
|
||||
destnet="${fullinterface##*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*:*)
|
||||
# Alias name OR subnet
|
||||
case ${fullinterface#*:} in
|
||||
*.*)
|
||||
# It's a subnet
|
||||
destnet="${fullinterface#*:}"
|
||||
fullinterface="${fullinterface%:*}"
|
||||
;;
|
||||
*)
|
||||
#it's an alias name
|
||||
destnet="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
;;
|
||||
*)
|
||||
destnet="0.0.0.0/0"
|
||||
;;
|
||||
esac
|
||||
|
||||
interface=${fullinterface%:*}
|
||||
|
||||
if ! list_search $interface $all_interfaces; then
|
||||
fatal_error "Error: Unknown interface $interface"
|
||||
@ -2900,10 +2988,10 @@ setup_masq()
|
||||
chain=`masq_chain $interface`
|
||||
iface=
|
||||
|
||||
source="$subnet"
|
||||
|
||||
case $subnet in
|
||||
*.*.*)
|
||||
source="$subnet"
|
||||
subnet="-s $subnet"
|
||||
;;
|
||||
-)
|
||||
#
|
||||
@ -2916,22 +3004,15 @@ setup_masq()
|
||||
iface="-o $interface"
|
||||
;;
|
||||
*)
|
||||
ipaddr="`ip addr show $subnet 2> /dev/null | grep 'inet '`"
|
||||
source="$subnet"
|
||||
if [ -z "$ipaddr" ]; then
|
||||
fatal_error \
|
||||
"Interface $subnet must be up before Shorewall starts"
|
||||
fi
|
||||
|
||||
subnet="`echo $ipaddr | sed s/" "// | cut -d' ' -f2`"
|
||||
[ -z "`echo "$subnet" | grep '/'`" ] && subnet="${subnet}/32"
|
||||
subnet="-s $subnet"
|
||||
subnets=`get_routed_subnets $subnet`
|
||||
[ -z "$subnets" ] && startup_error "Unable to determine the routes through interface $subnet"
|
||||
subnet="$subnets"
|
||||
;;
|
||||
esac
|
||||
|
||||
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
|
||||
list_search $address $aliases_to_add || \
|
||||
aliases_to_add="$aliases_to_add $address $interface"
|
||||
aliases_to_add="$aliases_to_add $address $fullinterface"
|
||||
fi
|
||||
|
||||
destination=$destnet
|
||||
@ -2939,7 +3020,15 @@ setup_masq()
|
||||
if [ -n "$nomasq" ]; then
|
||||
newchain=masq${masq_seq}
|
||||
createnatchain $newchain
|
||||
addnatrule $chain -d $destnet $iface $subnet -j $newchain
|
||||
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
addnatrule $chain -d $destnet $iface -s $s -j $newchain
|
||||
done
|
||||
else
|
||||
addnatrule $chain -d $destnet $iface -j $newchain
|
||||
fi
|
||||
|
||||
masq_seq=$(($masq_seq + 1))
|
||||
chain=$newchain
|
||||
subnet=
|
||||
@ -2949,29 +3038,38 @@ setup_masq()
|
||||
for addr in `separate_list $nomasq`; do
|
||||
addnatrule $chain -s $addr -j RETURN
|
||||
done
|
||||
|
||||
source="$source except $nomasq"
|
||||
else
|
||||
destnet="-d $destnet"
|
||||
fi
|
||||
|
||||
if [ -n "$address" ]; then
|
||||
addnatrule $chain $subnet $destnet $iface \
|
||||
-j SNAT --to-source $address
|
||||
using=" using $address"
|
||||
if [ -n "$subnet" ]; then
|
||||
for s in $subnet; do
|
||||
if [ -n "$address" ]; then
|
||||
addnatrule $chain -s $s $destnet $iface -j SNAT --to-source $address
|
||||
echo " To $destination from $s through ${interface} using $address"
|
||||
else
|
||||
addnatrule $chain -s $s $destnet $iface -j MASQUERADE
|
||||
echo " To $destination from $s through ${interface}"
|
||||
fi
|
||||
done
|
||||
elif [ -n "$address" ]; then
|
||||
addnatrule $chain $destnet $iface -j SNAT --to-source $address
|
||||
echo " To $destination from $source through ${interface} using $address"
|
||||
else
|
||||
addnatrule $chain $subnet $destnet $iface -j MASQUERADE
|
||||
using=
|
||||
addnatrule $chain $destnet $iface -j MASQUERADE
|
||||
echo " To $destination from $source through ${interface}"
|
||||
fi
|
||||
|
||||
[ -n "$nomasq" ] && source="$source except $nomasq"
|
||||
echo " To $destination from $source through ${interface}${using}"
|
||||
}
|
||||
|
||||
strip_file masq $1
|
||||
|
||||
[ -n "$NAT_ENABLED" ] && echo "Masqueraded Subnets and Hosts:"
|
||||
|
||||
while read interface subnet address; do
|
||||
expandv interface subnet address
|
||||
while read fullinterface subnet address; do
|
||||
expandv fullinterface subnet address
|
||||
[ -n "$NAT_ENABLED" ] && setup_one || \
|
||||
error_message "Warning: NAT disabled; masq rule ignored"
|
||||
done < $TMP_DIR/masq
|
||||
@ -3195,9 +3293,10 @@ add_ip_aliases()
|
||||
val=${val%% scope*}
|
||||
fi
|
||||
|
||||
run_ip addr add ${external}${val} dev $interface
|
||||
run_ip addr add ${external}${val} dev $interface $label
|
||||
echo "$external $interface" >> ${STATEDIR}/nat
|
||||
echo " IP Address $external added to interface $interface"
|
||||
[ -n "$label" ] && label="with $label"
|
||||
echo " IP Address $external added to interface $interface $label"
|
||||
}
|
||||
|
||||
set -- $aliases_to_add
|
||||
@ -3205,6 +3304,14 @@ add_ip_aliases()
|
||||
while [ $# -gt 0 ]; do
|
||||
external=$1
|
||||
interface=$2
|
||||
label=
|
||||
|
||||
if [ "$interface" != "${interface%:*}" ]; then
|
||||
label="${interface#*:}"
|
||||
interface="${interface%:*}"
|
||||
label="label $interface:$label"
|
||||
fi
|
||||
|
||||
primary=`find_interface_address $interface`
|
||||
shift;shift
|
||||
[ "x${primary}" = "x${external}" ] || do_one
|
||||
@ -3350,11 +3457,14 @@ initialize_netfilter () {
|
||||
# Build the common chain -- called during [re]start and refresh
|
||||
#
|
||||
build_common_chain() {
|
||||
#
|
||||
# PING
|
||||
#
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
|
||||
|
||||
if [ -n "$OLD_PING_HANDLING" ]; then
|
||||
#
|
||||
# PING
|
||||
#
|
||||
[ -n "$FORWARDPING" ] && \
|
||||
run_iptables -A icmpdef -p icmp --icmp-type echo-request -j ACCEPT
|
||||
fi
|
||||
#
|
||||
# Common ICMP rules
|
||||
#
|
||||
@ -3907,23 +4017,25 @@ define_firewall() # $1 = Command (Start or Restart)
|
||||
|
||||
process_rules $rules
|
||||
|
||||
echo "Setting up ICMP Echo handling..."
|
||||
if [ -n "$OLD_PING_HANDLING" ]; then
|
||||
echo "Setting up ICMP Echo handling..."
|
||||
|
||||
filterping_interfaces="`find_interfaces_by_option filterping`"
|
||||
noping_interfaces="`find_interfaces_by_option noping`"
|
||||
filterping_interfaces="`find_interfaces_by_option filterping`"
|
||||
noping_interfaces="`find_interfaces_by_option noping`"
|
||||
|
||||
for interface in $all_interfaces; do
|
||||
if ! list_search $interface $filterping_interfaces; then
|
||||
if list_search $interface $noping_interfaces; then
|
||||
target=DROP
|
||||
else
|
||||
target=ACCEPT
|
||||
for interface in $all_interfaces; do
|
||||
if ! list_search $interface $filterping_interfaces; then
|
||||
if list_search $interface $noping_interfaces; then
|
||||
target=DROP
|
||||
else
|
||||
target=ACCEPT
|
||||
fi
|
||||
|
||||
run_iptables -A `input_chain $interface` \
|
||||
-p icmp --icmp-type echo-request -j $target
|
||||
fi
|
||||
|
||||
run_iptables -A `input_chain $interface` \
|
||||
-p icmp --icmp-type echo-request -j $target
|
||||
fi
|
||||
done
|
||||
done
|
||||
fi
|
||||
|
||||
policy=`find_file policy`
|
||||
|
||||
@ -4161,15 +4273,15 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
rulenum=2
|
||||
fi
|
||||
|
||||
if ! list_search $interface $filterping_interfaces; then
|
||||
if list_search $interface $filterping_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
if ! list_search $interface $maclist_interfaces; then
|
||||
if list_search $interface $maclist_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
if ! list_search $interface $tcpflags_interfaces; then
|
||||
if list_search $interface $tcpflags_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
@ -4194,11 +4306,11 @@ add_to_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
rulenum=2
|
||||
fi
|
||||
|
||||
if ! list_search $interface $maclist_interfaces; then
|
||||
if list_search $interface $maclist_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
|
||||
if ! list_search $interface $tcpflags_interfaces; then
|
||||
if list_search $interface $tcpflags_interfaces; then
|
||||
rulenum=$(($rulenum + 1))
|
||||
fi
|
||||
fi
|
||||
@ -4344,7 +4456,7 @@ delete_from_zone() # $1 = <interface>[:<hosts>] $2 = zone
|
||||
while read z1 z2 chain; do
|
||||
if [ "$z1" = "$zone" ]; then
|
||||
if [ "$z2" = "$FW" ]; then
|
||||
qt iptables -D `input_chain $interface` -i $interface -s $host -j $chain
|
||||
qt iptables -D `input_chain $interface` -s $host -j $chain
|
||||
else
|
||||
source_chain=`forward_chain $interface`
|
||||
eval dest_hosts=\"\$${z2}_hosts\"
|
||||
@ -4471,6 +4583,7 @@ do_initialize() {
|
||||
TCP_FLAGS_LOG_LEVEL=
|
||||
RFC1918_LOG_LEVEL=
|
||||
MARK_IN_FORWARD_CHAIN=
|
||||
OLD_PING_HANDLING=
|
||||
SHARED_DIR=/usr/lib/shorewall
|
||||
FUNCTIONS=
|
||||
VERSION_FILE=
|
||||
@ -4596,7 +4709,10 @@ do_initialize() {
|
||||
else
|
||||
CLEAR_TC=
|
||||
fi
|
||||
OLD_PING_HANDLING=`added_param_value_yes OLD_PING_HANDLING $OLD_PING_HANDLING`
|
||||
|
||||
[ -z "$OLD_PING_HANDLING" -a -n "$FORWARDPING" ] && \
|
||||
startup_error "FORWARDPING=Yes is incompatible with OLD_PING_HANDLING=No"
|
||||
|
||||
run_user_exit params
|
||||
|
||||
|
@ -5,7 +5,7 @@ RCDLINKS="2,S41 3,S41 6,K41"
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# On most distributions, this file should be called:
|
||||
# /etc/rc.d/init.d/shorewall or /etc/init.d/shorewall
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Seawall documentation is available at http://seawall.sourceforge.net
|
||||
#
|
||||
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.3.13
|
||||
VERSION=1.3.14
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -46,18 +46,6 @@
|
||||
# a DHCP server running on the firewall or
|
||||
# you have a static IP but are on a LAN
|
||||
# segment with lots of Laptop DHCP clients.
|
||||
# noping - icmp echo-request (ping) packets
|
||||
# addressed to the firewall should
|
||||
# be ignored on this interface
|
||||
# filterping - icmp echo-request (ping) packets
|
||||
# addressed to the firewall should
|
||||
# be controlled by the rules file and
|
||||
# applicable policy. If neither 'noping'
|
||||
# nor 'filterping' are specified then
|
||||
# the firewall will respond to 'ping'
|
||||
# requests. 'filterping' takes
|
||||
# precedence over 'noping' if both are
|
||||
# given.
|
||||
# routestopped - (Deprecated -- use
|
||||
# /etc/shorewall/routestopped)
|
||||
# When the firewall is stopped, allow
|
||||
@ -117,29 +105,28 @@
|
||||
# eth1 connected to your local network and that your
|
||||
# local subnet is 192.168.1.0/24. The interface gets
|
||||
# it's IP address via DHCP from subnet
|
||||
# 206.191.149.192/27 and you want pings from the internet
|
||||
# to be ignored. You interface a DMZ with subnet
|
||||
# 206.191.149.192/27. You have a DMZ with subnet
|
||||
# 192.168.2.0/24 using eth2. You want to be able to
|
||||
# access the firewall from the local network when the
|
||||
# firewall is stopped.
|
||||
#
|
||||
# Your entries for this setup would look like:
|
||||
#
|
||||
# net eth0 206.191.149.223 noping,dhcp
|
||||
# net eth0 206.191.149.223 dhcp
|
||||
# local eth1 192.168.1.255 routestopped
|
||||
# dmz eth2 192.168.2.255
|
||||
#
|
||||
# Example 2: The same configuration without specifying broadcast
|
||||
# addresses is:
|
||||
#
|
||||
# net eth0 detect noping,dhcp
|
||||
# net eth0 detect dhcp
|
||||
# loc eth1 detect routestopped
|
||||
# dmz eth2 detect
|
||||
#
|
||||
# Example 3: You have a simple dial-in system with no ethernet
|
||||
# connections and you want to ignore ping requests.
|
||||
# connections.
|
||||
#
|
||||
# net ppp0 - noping
|
||||
# net ppp0 -
|
||||
##############################################################################
|
||||
#ZONE INTERFACE BROADCAST OPTIONS
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
21
STABLE/masq
21
STABLE/masq
@ -9,7 +9,15 @@
|
||||
# Columns are:
|
||||
#
|
||||
# INTERFACE -- Outgoing interface. This is usually your internet
|
||||
# interface. This may be qualified by adding the character
|
||||
# interface. If ADD_SNAT_ALIASES=Yes in
|
||||
# /etc/shorewall/shorewall.conf, you may add ":" and
|
||||
# a digit to indicate that you want the alias added with
|
||||
# that name (e.g., eth0:0). This will allow the alias to
|
||||
# be displayed with ifconfig. THAT IS THE ONLY USE FOR
|
||||
# THE ALIAS NAME AND IT MAY NOT APPEAR IN ANY OTHER
|
||||
# PLACE IN YOUR SHOREWALL CONFIGURATION.
|
||||
#
|
||||
# This may be qualified by adding the character
|
||||
# ":" followed by a destination host or subnet.
|
||||
#
|
||||
#
|
||||
@ -17,7 +25,7 @@
|
||||
# a subnet or as an interface. If you give the name of an
|
||||
# interface, you must have iproute installed and the interface
|
||||
# must be up before you start the firewall.
|
||||
#
|
||||
#
|
||||
# In order to exclude a subset of the specified SUBNET, you
|
||||
# may append "!" and a comma-separated list of IP addresses
|
||||
# and/or subnets that you wish to exclude.
|
||||
@ -74,13 +82,12 @@
|
||||
# Example 4:
|
||||
#
|
||||
# You want all outgoing traffic from 192.168.1.0/24 through
|
||||
# eth0 to use source address 206.124.146.176.
|
||||
# eth0 to use source address 206.124.146.176 which is NOT the
|
||||
# primary address of eth0. You want 206.124.146.176 added to
|
||||
# be added to eth0 with name eth0:0.
|
||||
#
|
||||
# eth0 192.168.1.0/24 206.124.146.176
|
||||
# eth0:0 192.168.1.0/24 206.124.146.176
|
||||
#
|
||||
# This would normally be done when you have a static external
|
||||
# IP address since it makes the processing of outgoing
|
||||
# packets somewhat faster.
|
||||
##############################################################################
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
10
STABLE/nat
10
STABLE/nat
@ -16,7 +16,13 @@
|
||||
# IP address of the interface named in the next
|
||||
# column and must not be a DNS Name.
|
||||
# INTERFACE Interface that we want to EXTERNAL address to appear
|
||||
# on
|
||||
# on. If ADD_IP_ALIASES=Yes in shorewall.conf, you may
|
||||
# follow the interface name with ":" and a digit to
|
||||
# indicate that you want Shorewall to add the alias
|
||||
# with this name (e.g., "eth0:0"). That allows you to
|
||||
# see the alias with ifconfig. THAT IS THE ONLY THING
|
||||
# THAT THIS NAME IS GOOD FOR -- YOU CANNOT USE IT
|
||||
# ANYWHERE ELSE IN YOUR SHORWALL CONFIGURATION.
|
||||
# INTERNAL Internal Address (must not be a DNS Name).
|
||||
# ALL INTERFACES If Yes or yes (or left empty), NAT will be effective
|
||||
# from all hosts. If No or no then NAT will be effective
|
||||
@ -26,5 +32,5 @@
|
||||
# Yes or yes, NAT will be effective from the firewall
|
||||
# system
|
||||
##############################################################################
|
||||
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -2,48 +2,104 @@ This is a minor release of Shorewall that has a couple of new features.
|
||||
|
||||
New features include:
|
||||
|
||||
1) A new 'DNAT-' action has been added for entries in the
|
||||
/etc/shorewall/rules file. DNAT- is intended for advanced users who
|
||||
wish to minimize the number of rules that connection requests must
|
||||
traverse.
|
||||
1) An OLD_PING_HANDLING option has been added to shorewall.conf. When
|
||||
set to Yes, Shorewall ping handling is as it has always been (see
|
||||
http://www.shorewall.net/ping.html).
|
||||
|
||||
When OLD_PING_HANDLING=No, icmp echo (ping) is handled via rules and
|
||||
policies just like any other connection request. The FORWARDPING
|
||||
option in shorewall.conf is ignored and the 'noping' and
|
||||
'filterping' options in /etc/shorewall/interfaces will generate an
|
||||
error.
|
||||
|
||||
2) It is now possible to direct Shorewall to create a "label" such as
|
||||
"eth0:0" for IP addresses that it creates under ADD_IP_ALIASES=Yes
|
||||
and ADD_SNAT_ALIASES=Yes. This is done by specifying the label
|
||||
instead of just the interface name:
|
||||
|
||||
a) In the INTERFACE column of /etc/shorewall/masq
|
||||
b) In the INTERFACE column of /etc/shorewall/nat
|
||||
|
||||
3) The ability to name your VLAN interfaces using the $dev.$vid
|
||||
convention (e.g., "eth0.0") has been restored. This capability was
|
||||
inadvertently broken in version 1.3.12.
|
||||
|
||||
4) Support has been added for defining OpenVPN tunnels in the
|
||||
/etc/shorewall/tunnels file.
|
||||
|
||||
5) When an interface name is entered in the SUBNET column of the
|
||||
/etc/shorewall/masq file, Shorewall previously masqueraded traffic
|
||||
from only the first subnet defined on that interface. It did not
|
||||
masquerade traffic from:
|
||||
|
||||
a) The subnets associated with other addresses on the interface.
|
||||
b) Subnets accessed through local routers.
|
||||
|
||||
Beginning with Shorewall 1.3.14, if you enter an interface name in
|
||||
the SUBNET column, shorewall will use the firewall's routing table
|
||||
to construct the masquerading/SNAT rules.
|
||||
|
||||
Example 1 -- This is how it works in 1.3.14.
|
||||
|
||||
A Shorewall DNAT rule actually generates two iptables rules: a
|
||||
header rewriting rule in the 'nat' table and an ACCEPT rule in the
|
||||
'filter' table. A DNAT- rule only generates the first of these
|
||||
rules. This is handy when you have several DNAT rules that would
|
||||
generate the same ACCEPT rule.
|
||||
|
||||
Here are three rules from my previous rules file:
|
||||
[root@gateway test]# cat /etc/shorewall/masq
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
eth0 eth2 206.124.146.176
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
||||
[root@gateway test]# ip route show dev eth2
|
||||
192.168.1.0/24 scope link
|
||||
192.168.10.0/24 proto kernel scope link src 192.168.10.254
|
||||
|
||||
[root@gateway test]# ip route show dev eth2
|
||||
192.168.1.0/24 scope link
|
||||
192.168.10.0/24 proto kernel scope link src 192.168.10.254
|
||||
[root@gateway test]# shorewall start
|
||||
...
|
||||
Masqueraded Subnets and Hosts:
|
||||
To 0.0.0.0/0 from 192.168.1.0/24 through eth0 using 206.124.146.176
|
||||
To 0.0.0.0/0 from 192.168.10.0/24 through eth0 using 206.124.146.176
|
||||
Processing /etc/shorewall/tos...
|
||||
|
||||
These three rules ended up generating _three_ copies of
|
||||
When upgrading to Shorewall 1.3.14, if you have multiple local
|
||||
subnets connected to an interface that is specified in the SUBNET
|
||||
column of an /etc/shorewall/masq entry, your /etc/shorewall/masq
|
||||
file will need changing. In most cases, you will simply be able to
|
||||
remove redundant entries. In some cases though, you might want to change
|
||||
from using the interface name to listing specific subnetworks if the
|
||||
change described above will cause masquerading to occur on
|
||||
subnetworks that you don't wish to masquerade.
|
||||
|
||||
ACCEPT net dmz:206.124.146.177 tcp smtp
|
||||
Example 2 -- Suppose that your current config is as follows:
|
||||
|
||||
[root@gateway test]# cat /etc/shorewall/masq
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
eth0 eth2 206.124.146.176
|
||||
eth0 192.168.10.0/24 206.124.146.176
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
[root@gateway test]# ip route show dev eth2
|
||||
192.168.1.0/24 scope link
|
||||
192.168.10.0/24 proto kernel scope link src 192.168.10.254
|
||||
[root@gateway test]#
|
||||
|
||||
By writing the rules this way, I end up with only one copy of the
|
||||
ACCEPT rule.
|
||||
In this case, the second entry in /etc/shorewall/masq is no longer
|
||||
required.
|
||||
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
||||
Example 3 -- What if your current configuration is like this?
|
||||
|
||||
2) The 'shorewall check' command now prints out the applicable policy
|
||||
between each pair of zones.
|
||||
[root@gateway test]# cat /etc/shorewall/masq
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
eth0 eth2 206.124.146.176
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
||||
[root@gateway test]# ip route show dev eth2
|
||||
192.168.1.0/24 scope link
|
||||
192.168.10.0/24 proto kernel scope link src 192.168.10.254
|
||||
[root@gateway test]#
|
||||
|
||||
3. A new CLEAR_TC option has been added to shorewall.conf. If this
|
||||
option is set to 'No' then Shorewall won't clear the current
|
||||
traffic control rules during [re]start. This setting is intended
|
||||
for use by people that prefer to configure traffic shaping when
|
||||
the network interfaces come up rather than when the firewall
|
||||
is started. If that is what you want to do, set TC_ENABLED=Yes and
|
||||
CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
||||
way, your traffic shaping rules can still use the 'fwmark'
|
||||
classifier based on packet marking defined in /etc/shorewall/tcrules.
|
||||
In this case, you would want to change the entry in
|
||||
/etc/shorewall/masq to:
|
||||
|
||||
4. A new SHARED_DIR variable has been added that allows distribution
|
||||
packagers to easily move the shared directory (default
|
||||
/usr/lib/shorewall). Users should never have a need to change the
|
||||
value of this shorewall.conf setting.
|
||||
#INTERFACE SUBNET ADDRESS
|
||||
eth0 192.168.1.0/24 206.124.146.176
|
||||
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
#
|
||||
# This file should be placed in /sbin/shorewall.
|
||||
@ -649,7 +649,7 @@ case "$1" in
|
||||
[ $# -ne 3 ] && usage 1
|
||||
exec $FIREWALL $debugging $nolock $1 $2 $3
|
||||
;;
|
||||
show)
|
||||
show|list)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
case "$2" in
|
||||
connections)
|
||||
|
@ -6,7 +6,7 @@
|
||||
#
|
||||
# This file should be placed in /etc/shorewall
|
||||
#
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 1999,2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
#
|
||||
# You should not have to change the variables in this section -- they are set
|
||||
@ -401,12 +401,17 @@ MUTEX_TIMEOUT=60
|
||||
LOGNEWNOTSYN=
|
||||
|
||||
#
|
||||
# Forward "Ping"
|
||||
# Old Ping Handling
|
||||
#
|
||||
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
|
||||
# forwarded by the firewall.
|
||||
|
||||
FORWARDPING=Yes
|
||||
# If this option is set to "Yes" then Shorewall will use its old ping handling
|
||||
# facility including the FORWARDPING option in this file and the 'noping' and
|
||||
# 'filterping' interface options. If this option is set to 'No' then ping
|
||||
# is handled via policy and rules just like any other connection request.
|
||||
#
|
||||
# If you are a new Shorewall user DON'T CHANGE THE VALUE OF THIS OPTION AND
|
||||
# DON'T DELETE IT!!!!!!
|
||||
#
|
||||
OLD_PING_HANDLING=No
|
||||
|
||||
#
|
||||
# NEWNOTSYN
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.3.13
|
||||
%define version 1.3.14
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -105,6 +105,14 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Fri Feb 07 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-1
|
||||
* Tue Feb 04 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-0RC1
|
||||
* Tue Jan 28 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-0Beta2
|
||||
* Sat Jan 25 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.14-0Beta1
|
||||
* Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.13
|
||||
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -17,10 +17,20 @@
|
||||
# MARK The mark value which is an
|
||||
# integer in the range 1-255
|
||||
#
|
||||
# May optionally be followed by ":P" or ":F"
|
||||
# where ":P" indicates that marking should occur in
|
||||
# the PREROUTING chain and ":F" indicates that marking
|
||||
# should occur in the FORWARD chain. If neither
|
||||
# ":P" nor ":F" follow the mark value then the chain is
|
||||
# determined by the setting of MARK_IN_FORWARD_CHAIN in
|
||||
# /etc/shorewall/shorewall.conf.
|
||||
#
|
||||
# SOURCE Source of the packet. A comma-separated list of
|
||||
# interface names, IP addresses, MAC addresses
|
||||
# and/or subnets. Use $FW if the packet originates on
|
||||
# the firewall.
|
||||
# the firewall in which case the MARK column may NOT
|
||||
# specify either ":P" or ":F" (marking always occurs
|
||||
# in the OUTPUT chain).
|
||||
#
|
||||
# MAC addresses must be prefixed with "~" and use
|
||||
# "-" as a separator.
|
||||
|
@ -9,7 +9,7 @@ RCDLINKS="2,S45 3,S45 6,K45"
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Modify the following variables to match your configuration
|
||||
#
|
||||
|
@ -1,16 +1,21 @@
|
||||
#
|
||||
# Shorewall 1.3 - /etc/shorewall/tunnels
|
||||
#
|
||||
# This file defines IPSEC, GRE and IPIP tunnels.
|
||||
# This file defines IPSEC, GRE, IPIP and OPENVPN tunnels.
|
||||
#
|
||||
# IPIP and GRE tunnels must be configured on the firewall/gateway itself.
|
||||
# IPSEC endpoints may be defined on the firewall/gateway or on an
|
||||
# internal system.
|
||||
# IPIP, GRE and OPENVPN tunnels must be configured on the
|
||||
# firewall/gateway itself. IPSEC endpoints may be defined
|
||||
# on the firewall/gateway or on an internal system.
|
||||
#
|
||||
# The columns are:
|
||||
#
|
||||
# TYPE -- must start in column 1 and be "ipsec", "ipsecnat","ip"
|
||||
# "gre","pptpclient" or "pptpserver"
|
||||
# "gre", "pptpclient", "pptpserver" or "openvpn".
|
||||
#
|
||||
# If type is "openvpn", it may optionally be followed
|
||||
# by ":" and the port number used by the tunnel. if no
|
||||
# ":" and port number are included, then the default port
|
||||
# of 5000 will be used
|
||||
#
|
||||
# ZONE -- The zone of the physical interface through which
|
||||
# tunnel traffic passes. This is normally your internet
|
||||
@ -20,10 +25,12 @@
|
||||
# remote getway has no fixed address (Road Warrior)
|
||||
# then specify the gateway as 0.0.0.0/0.
|
||||
#
|
||||
# GATEWAY ZONES -- Optional. If the gateway system specified in the third
|
||||
# GATEWAY
|
||||
# ZONES -- Optional. If the gateway system specified in the third
|
||||
# column is a standalone host then this column should
|
||||
# contain a comma-separated list of the names of the zones that
|
||||
# the host might be in. This column only applies to IPSEC tunnels.
|
||||
# contain a comma-separated list of the names of the
|
||||
# zones that the host might be in. This column only
|
||||
# applies to IPSEC tunnels.
|
||||
#
|
||||
# Example 1:
|
||||
#
|
||||
@ -71,5 +78,12 @@
|
||||
#
|
||||
# pptpserver net
|
||||
#
|
||||
# TYPE ZONE GATEWAY GATEWAY ZONE
|
||||
# Example 7:
|
||||
#
|
||||
# OPENVPN tunnel. The remote gateway is 4.33.99.124 and
|
||||
# openvpn uses port 7777.
|
||||
#
|
||||
# openvpn:7777 net 4.33.99.124
|
||||
#
|
||||
# TYPE ZONE GATEWAY GATEWAY ZONE PORT
|
||||
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
|
||||
|
@ -4,7 +4,7 @@
|
||||
#
|
||||
# This program is under GPL [http://www.gnu.org/copyleft/gpl.htm]
|
||||
#
|
||||
# (c) 2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
# (c) 2000,2001,2002,2003 - Tom Eastep (teastep@shorewall.net)
|
||||
#
|
||||
# Shorewall documentation is available at http://shorewall.sourceforge.net
|
||||
#
|
||||
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.3.13
|
||||
VERSION=1.3.14
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user