extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-01-15 10:08:43 +01:00
Code Issues Packages Projects Releases Wiki Activity

Shorewall 1.4.3 Documentation

Browse Source 
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@552 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
teastep 2003-05-18 18:27:36 +00:00
parent cd271ac59f
commit ee6bdaaec4
6 changed files with 5882 additions and 5963 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

807
Shorewall-docs/Documentation.htm
View File

File diff suppressed because it is too large Load Diff

79
Shorewall-docs/Install.htm
View File

@ -30,8 +30,8 @@
href="upgrade_issues.htm">Upgrade Issues<br> href="upgrade_issues.htm">Upgrade Issues<br>
</a></b></p> </a></b></p>
<div align="left"><b>Before attempting installation, I strongly urge you to <div align="left"><b>Before attempting installation, I strongly urge you
read and print a copy of the <a to read and print a copy of the <a
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a> href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
for the configuration that most closely matches your own.</b><br> for the configuration that most closely matches your own.</b><br>
</div> </div>
@ -74,13 +74,13 @@ diagnostic:<br>
--nodeps &lt;shorewall rpm&gt;).<br> --nodeps &lt;shorewall rpm&gt;).<br>
<br> <br>
</li> </li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a>
match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> to match your configuration. <font color="#ff0000"><b>WARNING - YOU CAN
SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION <u>NOT</u> SIMPLY INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND.
IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU ISSUE A "start" COMMAND SOME CONFIGURATION IS REQUIRED BEFORE THE FIREWALL WILL START. IF YOU
AND THE FIREWALL FAILS TO START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY ISSUE A "start" COMMAND AND THE FIREWALL FAILS TO START, YOUR SYSTEM
NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall clear" COMMAND TO WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS, ISSUE A "shorewall
RESTORE NETWORK CONNECTIVITY.</b></font></li> clear" COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
</ul> </ul>
@ -103,11 +103,11 @@ RESTORE NETWORK CONNECTIVITY.</b></font></li>
type "./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your
installs init scripts and type "./install.sh &lt;init script distribution installs init scripts and type "./install.sh
directory&gt;</li> &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to <li>Edit the <a href="#Config_Files"> configuration files</a>
match your configuration.</li> to match your configuration.</li>
<li>Start the firewall by typing "shorewall start"</li> <li>Start the firewall by typing "shorewall start"</li>
<li>If the install script was unable to configure Shorewall to <li>If the install script was unable to configure Shorewall to
be started automatically at boot, see <a be started automatically at boot, see <a
@ -117,14 +117,14 @@ be started automatically at boot, see <a
<p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering <p><a name="LRP"></a>To install my version of Shorewall on a fresh Bering
disk, simply replace the "shorwall.lrp" file on the image with the file disk, simply replace the "shorwall.lrp" file on the image with the file
that you downloaded. See the <a href="two-interface.htm">two-interface QuickStart that you downloaded. See the <a href="two-interface.htm">two-interface
Guide</a> for information about further steps required.</p> QuickStart Guide</a> for information about further steps required.</p>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed <p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed
and are upgrading to a new version:</p> and are upgrading to a new version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version or
or and you have entries in the /etc/shorewall/hosts file then please check and you have entries in the /etc/shorewall/hosts file then please check
your /etc/shorewall/interfaces file to be sure that it contains an entry your /etc/shorewall/interfaces file to be sure that it contains an entry
for each interface mentioned in the hosts file. Also, there are certain for each interface mentioned in the hosts file. Also, there are certain
1.2 rule forms that are no longer supported under 1.4 (you must use the 1.2 rule forms that are no longer supported under 1.4 (you must use the
@ -134,8 +134,8 @@ details.</p>
<ul> <ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: <li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note:
</b>If you are installing version 1.2.0 and have one of the 1.2.0 </b>If you are installing version 1.2.0 and have one of the 1.2.0
Beta RPMs installed, you must use the "--oldpackage" option to rpm Beta RPMs installed, you must use the "--oldpackage" option to rpm (e.g.,
(e.g., "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm"). "rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm").
<p> <b>Note1: </b>Some SuSE users have encountered a problem whereby <p> <b>Note1: </b>Some SuSE users have encountered a problem whereby
rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel rpm reports a conflict with kernel &lt;= 2.2 even though a 2.4 kernel
@ -159,16 +159,16 @@ iproute2 which will cause the upgrade of Shorewall to fail with the diagnostic:<
</ul> </ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and <p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed
are upgrading to a new version using the tarball:</p> and are upgrading to a new version using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version and <p>If you are upgrading from a 1.2 version of Shorewall to a 1.4 version
you have entries in the /etc/shorewall/hosts file then please check your and you have entries in the /etc/shorewall/hosts file then please check
/etc/shorewall/interfaces file to be sure that it contains an entry for your /etc/shorewall/interfaces file to be sure that it contains an entry
each interface mentioned in the hosts file.  Also, there are certain 1.2 for each interface mentioned in the hosts file.  Also, there are certain
rule forms that are no longer supported under 1.4 (you must use the new 1.2 rule forms that are no longer supported under 1.4 (you must use the
1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a> for new 1.4 syntax). See <a href="errata.htm#Upgrade">the upgrade issues</a>
details. </p> for details. </p>
<ul> <ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li> <li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
@ -185,9 +185,9 @@ details. </p>
type "./install.sh /etc/init.d"</li> type "./install.sh /etc/init.d"</li>
<li>If your distribution has directory /etc/rc.d/init.d <li>If your distribution has directory /etc/rc.d/init.d
or /etc/init.d then type "./install.sh"</li> or /etc/init.d then type "./install.sh"</li>
<li>For other distributions, determine where your distribution <li>For other distributions, determine where your
installs init scripts and type "./install.sh &lt;init script distribution installs init scripts and type "./install.sh
directory&gt;</li> &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration <li>See if there are any incompatibilities between your configuration
and the new Shorewall version (type "shorewall check") and correct as and the new Shorewall version (type "shorewall check") and correct as
necessary.</li> necessary.</li>
@ -201,8 +201,8 @@ details. </p>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3> <h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of the configuration files to match <p>You will need to edit some or all of the configuration files to match your
your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p> QuickStart Guides</a> contain all of the information you need.</p>
<ul> <ul>
@ -213,14 +213,7 @@ your setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewa
</font></p> </font></p>
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font <p><a href="copyright.htm"><font size="2">Copyright</font> © <font
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></p> size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
<br> </p>
<br>
<br>
<br>
<br>
<br>
<br>
<br>
</body> </body>
</html> </html>

779
Shorewall-docs/News.htm
View File

File diff suppressed because it is too large Load Diff

222
Shorewall-docs/seattlefirewall_index.htm
View File

@ -33,6 +33,7 @@
href="http://www.shorewall.net" target="_top"> </a></small></small></small></small> href="http://www.shorewall.net" target="_top"> </a></small></small></small></small>
<div align="center"> <div align="center">
@ -46,10 +47,12 @@
</div> </div>
<p><a href="http://www.shorewall.net" target="_top"> </a> </p> <p><a href="http://www.shorewall.net" target="_top"> </a> </p>
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -67,9 +70,9 @@
<p>The Shoreline Firewall, more commonly known as "Shorewall", is <p>The Shoreline Firewall, more commonly known as "Shorewall", is a
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based <a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
firewall that can be used on a dedicated firewall system, a multi-function that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p> gateway/router/server or on a standalone GNU/Linux system.</p>
@ -77,23 +80,26 @@ firewall that can be used on a dedicated firewall system, a multi-functio
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it it
under the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
GNU General Public License</a> as published by the Free Software General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
This This
program is distributed in the hope that program is distributed in the hope that
it will be useful, but WITHOUT ANY WARRANTY; it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See or FITNESS FOR A PARTICULAR PURPOSE.
the GNU General Public License for more details.<br> See the GNU General Public License for more
details.<br>
<br> <br>
You You
should have received a copy of the GNU General should have received a copy of the GNU
Public License along with this program; General Public License along with
if not, write to the Free Software Foundation, this program; if not, write to the Free Software
Inc., 675 Mass Ave, Cambridge, MA 02139, Foundation, Inc., 675 Mass Ave, Cambridge,
USA</p> MA 02139, USA</p>
@ -105,39 +111,66 @@ should have received a copy of the GNU General
<h2><br> <h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
Getting Started with Shorewall</h2> If so, almost <b>NOTHING </b>on this site will apply directly to your setup.
If you want to use the documentation that you find here, it is best if you
uninstall what you have and install a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.<br>
<h2> Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
match your environment and follow the step by step instructions.<br> match your environment and follow the step by step instructions.<br>
<br>
<h2>News</h2> <h2>News</h2>
<p><b>5/10/2003 - Shorewall Mirror in Asia </b><b><img border="0"
<p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
    <b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail to remove
a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface
have been moved to before the rule that drops status=INVALID packets. This
insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li>
</ol>
    <b>New Features:<br>
</b>
<ol>
<li> <a href="6to4.htm">IPV6-IPV4 (6to4) tunnels are</a> now supported
in the /etc/shorewall/tunnels file.</li>
<li>Shorewall can now be easily integrated with fireparse (http://www.fireparse.com)
by setting LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile </b><b><img border="0" <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br> <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p> </p>
<p><b>4/26/2003 - lists.shorewall.net Downtime </b><b><img <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b> </b></p>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
</b><b><img border="0" src="images/new10.gif" width="28"
height="12" alt="(New)">
</b></p> </b></p>
@ -145,8 +178,7 @@ Getting Started with Shorewall</h2>
to Shorewall version 1.4.2.</p> to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
@ -154,126 +186,15 @@ Getting Started with Shorewall</h2>
Shorewall presentation to GSLUG</a>. The presentation is in Shorewall presentation to GSLUG</a>. The presentation is in
HTML format but was generated from Microsoft PowerPoint and is best viewed HTML format but was generated from Microsoft PowerPoint and is best viewed
using Internet Explorer (although Konqueror also seems to work reasonably using Internet Explorer (although Konqueror also seems to work reasonably
well as does Opera 7.1.0). Neither Opera 6 nor Netscape work well to view well as does Opera 7.1.0). Neither Opera 6 nor Netscape work well to
the presentation.<br> view the presentation.<br>
</blockquote> </blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img <p><b></b></p>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b> Problems Corrected:</b></p>
<blockquote> <blockquote>
<ol> <ol>
<li>TCP connection requests rejected out of the
<b>common</b> chain are now properly rejected with TCP
RST; previously, some of these requests were rejected with an ICMP
port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously
timed out on the first hop (e.g., to the firewall). This has been
worked around.</li>
</ol>
</blockquote>
<p><b> New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file
specifies a particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can substantially
reduce the number of rules traversed by connections requests from such
zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An
INCLUDE directive consists of the word INCLUDE followed by a file
name and causes the contents of the named file to be logically included
into the file containing the INCLUDE. File names given in an INCLUDE
directive are assumed to reside in /etc/shorewall or in an alternate
configuration directory if one has been specified for the command. <br>
<br>
Examples:<br>
shorewall/params.mgmt:<br>
MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
TIME_SERVERS=4.4.4.4<br>
BACKUP_SERVERS=5.5.5.5<br>
----- end params.mgmt -----<br>
<br>
<br>
shorewall/params:<br>
# Shorewall 1.3 /etc/shorewall/params<br>
[..]<br>
#######################################<br>
<br>
INCLUDE params.mgmt <br>
<br>
# params unique to this host here<br>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT
REMOVE<br>
----- end params -----<br>
<br>
<br>
shorewall/rules.mgmt:<br>
ACCEPT net:$MGMT_SERVERS $FW tcp 22<br>
ACCEPT $FW net:$TIME_SERVERS udp 123<br>
ACCEPT $FW net:$BACKUP_SERVERS tcp 22<br>
----- end rules.mgmt -----<br>
<br>
shorewall/rules:<br>
# Shorewall version 1.3 - Rules File<br>
[..]<br>
#######################################<br>
<br>
INCLUDE rules.mgmt <br>
<br>
# rules unique to this host here<br>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
----- end rules -----<br>
<br>
INCLUDE's may be nested to a level of 3 -- further nested
INCLUDE directives are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that
interface continues to be a problem. While I firmly believe that
this should never happen, people continue to want to do it. To limit
the damage that such nonsense produces, I have added a new 'routeback'
option in /etc/shorewall/interfaces and /etc/shorewall/hosts. When
used in /etc/shorewall/interfaces, the 'ZONE' column may not contain
'-'; in other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual
group entries in /etc/shorewall/hosts.<br>
<br>
The 'routeback' option is similar to the old 'multi' option
with two exceptions:<br>
<br>
a) The option pertains to a particular zone,interface,address
tuple.<br>
<br>
b) The option only created infrastructure to pass traffic
from (zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').<br>
<br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>'
for information about how this new option may affect your configuration.<br>
</li>
@ -286,6 +207,7 @@ for information about how this new option may affect your configuration.<b
<p><a href="News.htm">More News</a></p> <p><a href="News.htm">More News</a></p>
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
@ -302,6 +224,7 @@ features Shorewall-1.3.14 and Kernel-2.4.20.
<b>Congratulations to Jacques and Eric on the recent release of Bering <b>Congratulations to Jacques and Eric on the recent release of Bering
1.2!!! </b><br> 1.2!!! </b><br>
<h2><a name="Donations"></a>Donations</h2> <h2><a name="Donations"></a>Donations</h2>
</td> </td>
@ -310,8 +233,9 @@ features Shorewall-1.3.14 and Kernel-2.4.20.
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<strong><br> <strong><br>
<font color="#ffffff"><b>Note: </b></font></strong><font <font color="#ffffff"><b>Note:
color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br> </b></font></strong><font color="#ffffff">Search is unavailable
Daily 0200-0330 GMT.</font><br>
<strong></strong> <strong></strong>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
@ -330,6 +254,7 @@ features Shorewall-1.3.14 and Kernel-2.4.20.
color="#ffffff">Extended Search</font></a></b></font></p> color="#ffffff">Extended Search</font></a></b></font></p>
<br> <br>
</td> </td>
</tr> </tr>
@ -350,15 +275,16 @@ features Shorewall-1.3.14 and Kernel-2.4.20.
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free but
but if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight <a href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
Children's Foundation.</font></a> Thanks!</font></p> Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -366,8 +292,10 @@ Children's Foundation.</font></a> Thanks!</font></p>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/12/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a></font>
<br>
<br> <br>
</p> </p>
<br>
</body> </body>
</html> </html>

28
Shorewall-docs/shorewall_quickstart_guide.htm
View File

@ -32,8 +32,8 @@
</tbody> </tbody>
</table> </table>
<p align="center">With thanks to Richard who reminded me once again that <p align="center">With thanks to Richard who reminded me once again that we
we must all first walk before we can run.<br> must all first walk before we can run.<br>
The French Translations are courtesy of Patrice Vetsel<br> The French Translations are courtesy of Patrice Vetsel<br>
</p> </p>
@ -113,8 +113,8 @@ the single-address guides above.</b></p>
href="configuration_file_basics.htm#Compliment">Complementing an IP address href="configuration_file_basics.htm#Compliment">Complementing an IP address
or Subnet</a></li> or Subnet</a></li>
<li><a <li><a
href="configuration_file_basics.htm#Configs">Shorewall Configurations (making href="configuration_file_basics.htm#Configs">Shorewall Configurations
a test configuration)</a></li> (making a test configuration)</a></li>
<li><a <li><a
href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li> href="configuration_file_basics.htm#MAC">Using MAC Addresses in Shorewall</a></li>
@ -148,12 +148,14 @@ a test configuration)</a></li>
href="traffic_shaping.htm#tcrules">tcrules</a></li> href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a <li><font color="#000099"><a
href="Documentation.htm#Conf">shorewall.conf</a></font></li> href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li> <li><a
href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> <li><a href="Documentation.htm#TOS">tos</a>
</li> </li>
<li><a <li><a
href="Documentation.htm#Blacklist">blacklist</a></li> href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li> <li><a
href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a <li><a
href="Documentation.htm#Routestopped">routestopped</a></li> href="Documentation.htm#Routestopped">routestopped</a></li>
@ -203,8 +205,10 @@ etc.)</li>
Interfaces</a></li> Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, <li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
Subnets and Routing</a> Subnets and Routing</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li> <li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li> <li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li> <li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address <li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
@ -213,7 +217,8 @@ etc.)</li>
</ul> </ul>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li> <li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
1918</a></li>
</ul> </ul>
</li> </li>
@ -227,6 +232,7 @@ etc.)</li>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a> <li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
<ul> <ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li> <li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li> <li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
@ -266,12 +272,15 @@ change<br>
<li><a href="traffic_shaping.htm">Traffic <li><a href="traffic_shaping.htm">Traffic
Shaping/QOS</a></li> Shaping/QOS</a></li>
<li>VPN <li>VPN
<ul> <ul>
<li><a href="IPSEC.htm">IPSEC</a></li> <li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li> <li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="OPENVPN.html">OpenVPN</a><br> <li><a href="OPENVPN.html">OpenVPN</a><br>
</li> </li>
<li><a href="PPTP.htm">PPTP</a></li> <li><a href="PPTP.htm">PPTP</a></li>
<li><a href="6to4.htm">6t04</a><br>
</li>
<li><a href="VPN.htm">IPSEC/PPTP</a> from <li><a href="VPN.htm">IPSEC/PPTP</a> from
a system behind your firewall to a remote network.</li> a system behind your firewall to a remote network.</li>
@ -285,7 +294,7 @@ Shaping/QOS</a></li>
<p>If you use one of these guides and have a suggestion for improvement <a <p>If you use one of these guides and have a suggestion for improvement <a
href="mailto:webmaster@shorewall.net">please let me know</a>.</p> href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><font size="2">Last modified 5/03/2003 - <a href="support.htm">Tom Eastep</a></font></p> <p><font size="2">Last modified 5/18/2003 - <a href="support.htm">Tom Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M. <p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
Eastep</font></a><br> Eastep</font></a><br>
@ -294,5 +303,6 @@ Shaping/QOS</a></li>
<br> <br>
<br> <br>
<br> <br>
<br>
</body> </body>
</html> </html>

216
Shorewall-docs/sourceforge_index.htm
View File

@ -24,9 +24,9 @@
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4" href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
alt="Shorwall Logo" height="70" width="85" align="left" alt="Shorwall Logo" height="70" width="85" align="left"
src="images/washington.jpg" border="0"> src="images/washington.jpg" border="0">
</a></i></font><font
color="#ffffff">Shorewall 1.4 - <font </a></i></font><font color="#ffffff">Shorewall 1.4 -
size="4">"<i>iptables made easy"</i></font></font><br> <font size="4">"<i>iptables made easy"</i></font></font><br>
<a target="_top" href="1.3/index.html"><font <a target="_top" href="1.3/index.html"><font
color="#ffffff"> </font></a><a target="_top" color="#ffffff"> </font></a><a target="_top"
href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br> href="http://www1.shorewall.net/1.2/index.htm"><font color="#ffffff"><small><small><small><br>
@ -36,6 +36,7 @@
</td> </td>
</tr> </tr>
</tbody> </tbody>
</table> </table>
@ -43,6 +44,7 @@
<center> <center>
<table border="0" cellpadding="0" cellspacing="0" <table border="0" cellpadding="0" cellspacing="0"
style="border-collapse: collapse;" width="100%" id="AutoNumber4"> style="border-collapse: collapse;" width="100%" id="AutoNumber4">
<tbody> <tbody>
<tr> <tr>
@ -64,8 +66,8 @@ a dedicated firewall system, a multi-function gateway/r
<p>This program is free software; you can redistribute it and/or modify <p>This program is free software; you can redistribute it and/or modify
it it
under the terms of <a under the terms of <a
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
GNU General Public License</a> as published by the Free Software General Public License</a> as published by the Free Software
Foundation.<br> Foundation.<br>
<br> <br>
@ -74,7 +76,8 @@ GNU General Public License</a> as published by the Free Software
it will be useful, but WITHOUT ANY WARRANTY; it will be useful, but WITHOUT ANY WARRANTY;
without even the implied warranty of MERCHANTABILITY without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. or FITNESS FOR A PARTICULAR PURPOSE.
See the GNU General Public License for more details.<br> See the GNU General Public License for more
details.<br>
<br> <br>
You You
@ -90,6 +93,14 @@ See the GNU General Public License for more details.<
<h2>Running Shorewall on Mandrake with a two-interface setup?</h2>
If so, almost <b>NOTHING </b>on this site will apply directly to your setup.
If you want to use the documentation that you find here, it is best if you
uninstall what you have and install a setup that matches the documentation
on this site. See the <a href="two-interface.htm">Two-interface QuickStart
Guide</a> for details.<br>
<h2>Getting Started with Shorewall</h2> <h2>Getting Started with Shorewall</h2>
New to Shorewall? Start by selecting the <a New to Shorewall? Start by selecting the <a
href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely href="shorewall_quickstart_guide.htm">QuickStart Guide</a> that most closely
@ -99,35 +110,55 @@ See the GNU General Public License for more details.<
<b> </b> <b> </b>
<p><b>5/10/2003 - Shorewall Mirror in Asia </b><b><img border="0" <p><b>5/18/2003 - Shorewall 1.4.3 </b><b><img border="0"
src="images/new10.gif" width="28" height="12" alt="(New)"> src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br> </b><br>
</p> </p>
    <b>Problems Corrected:<br>
</b>
<ol>
<li>There were several cases where Shorewall would fail to remove
a temporary directory from /tmp. These cases have been corrected.</li>
<li>The rules for allowing all traffic via the loopback interface
have been moved to before the rule that drops status=INVALID packets. This
insures that all loopback traffic is allowed even if Netfilter connection
tracking is confused.</li>
</ol>
    <b>New Features:<br>
</b>
<ol>
<li><a href="6to4.htm"> </a><a href="6to4.htm">IPV6-IPV4 (6to4)
tunnels </a>are now supported in the /etc/shorewall/tunnels file.</li>
<li>Shorewall can now be easily integrated with fireparse (http://www.fireparse.com)
by setting LOGMARKER="fp=" in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
Note: You may not use ULOG with fireparse unless you modify fireparse. </li>
</ol>
<p><b>5/10/2003 - Shorewall Mirror in Asia</b><b> </b><br>
</p>
Ed Greshko has established a mirror in Taiwan -- Thanks Ed! Ed Greshko has established a mirror in Taiwan -- Thanks Ed!
<p><b>5/8/2003 - Shorewall Mirror in Chile </b><b><img border="0" <p><b>5/8/2003 - Shorewall Mirror in Chile</b><b>  </b></p>
src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br> <p>Thanks to Darcy Ganga, there is now an HTTP mirror in Santiago Chile.<br>
</p> </p>
<p><b>4/26/2003 - lists.shorewall.net Downtime </b><b><img <p><b>4/26/2003 - lists.shorewall.net Downtime</b><b>  </b></p>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
 </b></p>
<p>The list server will be down this morning for upgrade to RH9.0.<br> <p>The list server will be down this morning for upgrade to RH9.0.<br>
</p> </p>
<p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b> </b><b><img <p><b>4/21/2003 - Samples updated for Shorewall version 1.4.2</b><b>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b></p> </b></p>
<p>Thanks to Francesca Smith, the sample configurations are now upgraded <p>Thanks to Francesca Smith, the sample configurations are now upgraded
to Shorewall version 1.4.2.</p> to Shorewall version 1.4.2.</p>
<p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation </b><b><img
border="0" src="images/new10.gif" width="28" height="12" alt="(New)"> <p><b>4/12/2002 - Greater Seattle Linux Users Group Presentation</b><b>
</b></p> </b></p>
@ -139,123 +170,17 @@ work reasonably well as does Opera 7.1.0). Neither Opera 6 nor Netscape
work well to view the presentation.</blockquote> work well to view the presentation.</blockquote>
<p><b>4/9/2003 - Shorewall 1.4.2</b><b> </b><b> </b><b><img <p><b></b></p>
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
</b><br>
</p>
<p><b>    Problems Corrected:</b></p>
<blockquote> <blockquote>
<ol> <ol>
<li>TCP connection requests rejected out of the <b>common</b>
chain are now properly rejected with TCP RST; previously, some of these
requests were rejected with an ICMP port-unreachable response.</li>
<li>'traceroute -I' from behind the firewall previously
timed out on the first hop (e.g., to the firewall). This has been worked
around.</li>
</ol> </ol>
</blockquote> </blockquote>
<p><b>    New Features:</b></p>
<blockquote>
<ol>
<li>Where an entry in the/etc/shorewall/hosts file
specifies a particular host or network, Shorewall now creates an intermediate
chain for handling input from the related zone. This can substantially
reduce the number of rules traversed by connections requests from such
zones.<br>
<br>
</li>
<li>Any file may include an INCLUDE directive. An
INCLUDE directive consists of the word INCLUDE followed by a file name
and causes the contents of the named file to be logically included into
the file containing the INCLUDE. File names given in an INCLUDE directive
are assumed to reside in /etc/shorewall or in an alternate configuration
directory if one has been specified for the command. <br>
 <br>
   Examples:<br>
   shorewall/params.mgmt:<br>
   MGMT_SERVERS=1.1.1.1,2.2.2.2,3.3.3.3<br>
   TIME_SERVERS=4.4.4.4<br>
   BACKUP_SERVERS=5.5.5.5<br>
   ----- end params.mgmt -----<br>
 <br>
 <br>
   shorewall/params:<br>
   # Shorewall 1.3 /etc/shorewall/params<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE params.mgmt    <br>
  <br>
   # params unique to this host here<br>
   #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE<br>
   ----- end params -----<br>
 <br>
 <br>
   shorewall/rules.mgmt:<br>
   ACCEPT net:$MGMT_SERVERS          $FW    tcp    22<br>
   ACCEPT $FW          net:$TIME_SERVERS    udp    123<br>
   ACCEPT $FW          net:$BACKUP_SERVERS  tcp    22<br>
   ----- end rules.mgmt -----<br>
 <br>
   shorewall/rules:<br>
   # Shorewall version 1.3 - Rules File<br>
   [..]<br>
   #######################################<br>
 <br>
   INCLUDE rules.mgmt     <br>
  <br>
   # rules unique to this host here<br>
   #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT
REMOVE<br>
   ----- end rules -----<br>
 <br>
INCLUDE's may be nested to a level of 3 -- further nested
INCLUDE directives are ignored with a warning message.<br>
<br>
</li>
<li>Routing traffic from an interface back out that
interface continues to be a problem. While I firmly believe that this
should never happen, people continue to want to do it. To limit the
damage that such nonsense produces, I have added a new 'routeback' option
in /etc/shorewall/interfaces and /etc/shorewall/hosts. When used in
/etc/shorewall/interfaces, the 'ZONE' column may not contain '-'; in
other words, 'routeback' can't be used as an option for a multi-zone
interface. The 'routeback' option CAN be specified however on individual
group entries in /etc/shorewall/hosts.<br>
 <br>
The 'routeback' option is similar to the old 'multi' option
with two exceptions:<br>
 <br>
   a) The option pertains to a particular zone,interface,address
tuple.<br>
 <br>
   b) The option only created infrastructure to pass traffic
from (zone,interface,address) tuples back to themselves (the 'multi'
option affected all (zone,interface,address) tuples associated with
the given 'interface').<br>
 <br>
See the '<a href="upgrade_issues.htm">Upgrade Issues</a>'
for information about how this new option may affect your configuration.<br>
</li>
</ol>
</blockquote>
<p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p> <p><a href="file:///Z:/Shorewall-docs/News.htm"></a></p>
<b> </b> <b> </b>
@ -272,16 +197,18 @@ for information about how this new option may affect your configuration.<b
<p> <a href="http://leaf.sourceforge.net" target="_top"><img <p> <a href="http://leaf.sourceforge.net" target="_top"><img
border="0" src="images/leaflogo.gif" width="49" height="36" border="0" src="images/leaflogo.gif" width="49" height="36"
alt="(Leaf Logo)"> alt="(Leaf Logo)">
</a>Jacques
Nilo and Eric Wolzak have a LEAF (router/firewall/gateway </a>Jacques Nilo and Eric Wolzak have
on a floppy, CD or compact flash) distribution a LEAF (router/firewall/gateway on a floppy,
called <i>Bering</i> that CD or compact flash) distribution called
features Shorewall-1.3.14 and Kernel-2.4.20. <i>Bering</i> that features Shorewall-1.3.14
You can find their work at: <a and Kernel-2.4.20. You can find their
work at: <a
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p> href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
<b>Congratulations to Jacques and Eric on the <b>Congratulations to Jacques and Eric on
recent release of Bering 1.2!!! </b><br> the recent release of Bering 1.2!!! </b><br>
<h1 align="center"><b><a href="http://www.sf.net"><img <h1 align="center"><b><a href="http://www.sf.net"><img
align="left" alt="SourceForge Logo" align="left" alt="SourceForge Logo"
src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3"> src="http://sourceforge.net/sflogo.php?group_id=22587&amp;type=3">
@ -302,19 +229,20 @@ for information about how this new option may affect your configuration.<b
<h2><b><a name="Donations"></a>Donations</b></h2> <h2><b><a name="Donations"></a>Donations</b></h2>
<b> </b></td> <b> </b></td>
<td width="88" bgcolor="#4b017c" valign="top" align="center"> <td width="88" bgcolor="#4b017c" valign="top"
align="center">
<form method="post" <form method="post"
action="http://lists.shorewall.net/cgi-bin/htsearch"> action="http://lists.shorewall.net/cgi-bin/htsearch">
<p><strong><br> <p><strong><br>
<font color="#ffffff"><b>Note: </b></font></strong> <font color="#ffffff"><b>Note: </b></font></strong>
<font color="#ffffff">Search is unavailable Daily 0200-0330 GMT.</font><br> <font color="#ffffff">Search is unavailable Daily 0200-0330
GMT.</font><br>
 </p>  </p>
<p><font color="#ffffff"><strong>Quick Search</strong></font><br> <p><font color="#ffffff"><strong>Quick Search</strong></font><br>
<font face="Arial" size="-1"> <input type="text" <font face="Arial" size="-1"> <input
name="words" size="15"></font><font size="-1"> </font><font type="text" name="words" size="15"></font><font size="-1"> </font><font
face="Arial" size="-1"> <input type="hidden" name="format" face="Arial" size="-1"> <input type="hidden" name="format"
value="long"> <input type="hidden" name="method" value="and"> value="long"> <input type="hidden" name="method" value="and">
<input type="hidden" name="config" value="htdig"> <input <input type="hidden" name="config" value="htdig"> <input
@ -345,22 +273,24 @@ for information about how this new option may affect your configuration.<b
bgcolor="#4b017c"> bgcolor="#4b017c">
<tbody> <tbody>
<tr> <tr>
<td
width="100%" style="margin-top: 1px;"> <td width="100%" style="margin-top: 1px;">
<p align="center"><a href="http://www.starlight.org"> <img <p align="center"><a href="http://www.starlight.org"> <img
border="4" src="images/newlog.gif" width="57" height="100" align="left" border="4" src="images/newlog.gif" width="57" height="100" align="left"
hspace="10"> hspace="10">
</a></p> </a></p>
<p align="center"><font size="4" color="#ffffff">Shorewall is free <p align="center"><font size="4" color="#ffffff">Shorewall is free but
but if you try it and find it useful, please consider making a donation if you try it and find it useful, please consider making a donation
to to
<a href="http://www.starlight.org"><font color="#ffffff">Starlight <a href="http://www.starlight.org"><font color="#ffffff">Starlight
Children's Foundation.</font></a> Thanks!</font></p> Children's Foundation.</font></a> Thanks!</font></p>
</td> </td>
</tr> </tr>
@ -368,7 +298,7 @@ Children's Foundation.</font></a> Thanks!</font></p>
</tbody> </tbody>
</table> </table>
<p><font size="2">Updated 5/10/2003 - <a href="support.htm">Tom Eastep</a></font> <p><font size="2">Updated 5/18/2003 - <a href="support.htm">Tom Eastep</a></font>
<br> <br>
</p> </p>
<br> <br>