mirror of
https://gitlab.com/shorewall/code.git
synced 2024-12-22 22:30:58 +01:00
Changes for 1.3.13
git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@402 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
This commit is contained in:
parent
5b9b519183
commit
f04d58006f
@ -70,7 +70,7 @@ list_count() {
|
||||
|
||||
#
|
||||
# Mutual exclusion -- These functions are jackets for the mutual exclusion
|
||||
# routines in /usr/lib/shorewall/functions. They invoke
|
||||
# routines in $FUNCTIONS. They invoke
|
||||
# the corresponding function in that file if the user did
|
||||
# not specify "nolock" on the runline.
|
||||
#
|
||||
@ -833,6 +833,11 @@ validate_rule() {
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
;;
|
||||
DNAT-)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
logtarget=DNAT
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
@ -983,6 +988,17 @@ validate_policy()
|
||||
local zone1
|
||||
local pc
|
||||
local chain
|
||||
local policy
|
||||
local loglevel
|
||||
local synparams
|
||||
|
||||
print_policy() # $1 = source zone, $2 = destination zone
|
||||
{
|
||||
[ $command != check ] || \
|
||||
[ $1 = all ] || \
|
||||
[ $2 = all ] || \
|
||||
echo " Policy for $1 to $2 is $policy"
|
||||
}
|
||||
|
||||
all_policy_chains=
|
||||
|
||||
@ -1048,27 +1064,34 @@ validate_policy()
|
||||
for zone1 in $zones $FW all; do
|
||||
eval pc=\$${zone}2${zone1}_policychain
|
||||
|
||||
[ -n "$pc" ] || \
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${zone1}_policychain=$chain
|
||||
print_policy $zone $zone1
|
||||
fi
|
||||
done
|
||||
done
|
||||
else
|
||||
for zone in $zones $FW all; do
|
||||
eval pc=\$${zone}2${server}_policychain
|
||||
|
||||
[ -n "$pc" ] || \
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${server}_policychain=$chain
|
||||
print_policy $zone $server
|
||||
fi
|
||||
done
|
||||
fi
|
||||
elif [ -n "$serverwild" ]; then
|
||||
for zone in $zones $FW all; do
|
||||
eval pc=\$${client}2${zone}_policychain
|
||||
|
||||
[ -n "$pc" ] || \
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
print_policy $client $zone
|
||||
fi
|
||||
done
|
||||
else
|
||||
eval ${chain}_policychain=${chain}
|
||||
print_policy $client $server
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/policy
|
||||
@ -1234,7 +1257,7 @@ stop_firewall() {
|
||||
|
||||
[ -n "$NAT_ENABLED" ] && delete_nat
|
||||
delete_proxy_arp
|
||||
[ -n "$TC_ENABLED" ] && delete_tc
|
||||
[ -n "$CLEAR_TC" ] && delete_tc
|
||||
|
||||
setpolicy INPUT DROP
|
||||
setpolicy OUTPUT DROP
|
||||
@ -1344,12 +1367,18 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
|
||||
else
|
||||
run_iptables -A $inchain -p udp -s $1 --dport 500 $options
|
||||
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
|
||||
fi
|
||||
|
||||
for z in `separate_list $3`; do
|
||||
if validate_zone $z; then
|
||||
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
|
||||
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
|
||||
if [ $2 = ipsec ]; then
|
||||
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
|
||||
else
|
||||
addrule ${z}2${FW} -p udp --dport 500 $options
|
||||
addrule ${z}2${FW} -p udp --dport 4500 $options
|
||||
fi
|
||||
else
|
||||
error_message "Warning: Invalid gateway zone ($z)" \
|
||||
" -- Tunnel \"$tunnel\" may encounter keying problems"
|
||||
@ -1820,6 +1849,7 @@ setup_tc() {
|
||||
#
|
||||
delete_tc()
|
||||
{
|
||||
|
||||
clear_one_tc() {
|
||||
tc qdisc del dev $1 root 2> /dev/null
|
||||
tc qdisc del dev $1 ingress 2> /dev/null
|
||||
@ -1830,11 +1860,11 @@ delete_tc()
|
||||
run_ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
clear_one_tc ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
[0-9]*)
|
||||
clear_one_tc ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
@ -1846,7 +1876,7 @@ refresh_tc() {
|
||||
|
||||
echo "Refreshing Traffic Control Rules..."
|
||||
|
||||
delete_tc
|
||||
[ -n "$CLEAR_TC" ] && delete_tc
|
||||
|
||||
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
|
||||
|
||||
@ -2152,7 +2182,7 @@ add_a_rule()
|
||||
add_nat_rule
|
||||
fi
|
||||
|
||||
if [ $chain != ${FW}2${FW} ]; then
|
||||
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
|
||||
serv="${serv:+-d $serv}"
|
||||
|
||||
if [ -n "$loglevel" ]; then
|
||||
@ -2229,14 +2259,23 @@ process_rule() # $1 = target
|
||||
fi
|
||||
|
||||
logtarget="$target"
|
||||
dnat_only=
|
||||
|
||||
# Convert 1.3 Rule formats to 1.2 format
|
||||
|
||||
[ "x$address" = "x-" ] && address=
|
||||
|
||||
case $target in
|
||||
DNAT)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
;;
|
||||
DNAT-)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
dnat_only=Yes
|
||||
logtarget=DNAT
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
@ -2379,7 +2418,7 @@ process_rules() # $1 = name of rules file
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress; do
|
||||
case "$xtarget" in
|
||||
|
||||
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*)
|
||||
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
|
||||
expandv xclients xservers xprotocol xports xcports xaddress
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
@ -3233,7 +3272,7 @@ initialize_netfilter () {
|
||||
run_iptables -t mangle -F && \
|
||||
run_iptables -t mangle -X
|
||||
|
||||
[ -n "$TC_ENABLED" ] && delete_tc
|
||||
[ -n "$CLEAR_TC" ] && delete_tc
|
||||
|
||||
run_user_exit init
|
||||
|
||||
@ -3267,7 +3306,7 @@ initialize_netfilter () {
|
||||
run_user_exit newnotsyn
|
||||
if [ -n "$LOGNEWNOTSYN" ]; then
|
||||
if [ "$LOGNEWNOTSYN" = ULOG ]; then
|
||||
run_iptables -A newnotsyn -j ULOG \
|
||||
run_iptables -A newnotsyn -j ULOG
|
||||
--ulog-prefix "Shorewall:newnotsyn:DROP:"
|
||||
else
|
||||
run_iptables -A newnotsyn -j LOG \
|
||||
@ -3352,7 +3391,7 @@ add_common_rules() {
|
||||
if [ "$RFC1918_LOG_LEVEL" = ULOG ]; then
|
||||
echo "ULOG --ulog-prefix Shorewall:${1}:DROP:"
|
||||
else
|
||||
echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level info"
|
||||
echo "LOG --log-prefix Shorewall:${1}:DROP: --log-level $RFC1918_LOG_LEVEL"
|
||||
fi
|
||||
}
|
||||
#
|
||||
@ -4432,6 +4471,10 @@ do_initialize() {
|
||||
TCP_FLAGS_LOG_LEVEL=
|
||||
RFC1918_LOG_LEVEL=
|
||||
MARK_IN_FORWARD_CHAIN=
|
||||
SHARED_DIR=/usr/lib/shorewall
|
||||
FUNCTIONS=
|
||||
VERSION_FILE=
|
||||
|
||||
stopping=
|
||||
have_mutex=
|
||||
masq_seq=1
|
||||
@ -4445,31 +4488,35 @@ do_initialize() {
|
||||
|
||||
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
|
||||
|
||||
functions=/usr/lib/shorewall/functions
|
||||
|
||||
if [ -f $functions ]; then
|
||||
. $functions
|
||||
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
|
||||
config=$SHOREWALL_DIR/shorewall.conf
|
||||
else
|
||||
startup_error "$functions does not exist!"
|
||||
config=/etc/shorewall/shorewall.conf
|
||||
fi
|
||||
|
||||
if [ -f $config ]; then
|
||||
. $config
|
||||
else
|
||||
echo "$config does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
version_file=/usr/lib/shorewall/version
|
||||
FUNCTIONS=$SHARED_DIR/functions
|
||||
|
||||
[ -f $version_file ] && version=`cat $version_file`
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
strip_file interfaces
|
||||
strip_file hosts
|
||||
if [ -f $FUNCTIONS ]; then
|
||||
. $FUNCTIONS
|
||||
else
|
||||
startup_error "$FUNCTIONS does not exist!"
|
||||
fi
|
||||
|
||||
run_user_exit shorewall.conf
|
||||
run_user_exit params
|
||||
VERSION_FILE=$SHARED_DIR/version
|
||||
|
||||
[ -f $VERSION_FILE ] && version=`cat $VERSION_FILE`
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
[ -d $STATEDIR ] || mkdir -p $STATEDIR
|
||||
|
||||
|
||||
[ -z "$FW" ] && FW=fw
|
||||
|
||||
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
|
||||
@ -4544,7 +4591,20 @@ do_initialize() {
|
||||
[ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
|
||||
MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN`
|
||||
[ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre
|
||||
if [ -n "$TC_ENABLED" ]; then
|
||||
CLEAR_TC=`added_param_value_yes CLEAR_TC $CLEAR_TC`
|
||||
else
|
||||
CLEAR_TC=
|
||||
fi
|
||||
|
||||
|
||||
run_user_exit params
|
||||
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
strip_file interfaces
|
||||
strip_file hosts
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -24,6 +24,10 @@
|
||||
# DNAT -- Forward the request to another
|
||||
# system (and optionally another
|
||||
# port).
|
||||
# DNAT- -- Advanced users only.
|
||||
# Like DNAT but only generates the
|
||||
# DNAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# REDIRECT -- Redirect the request to a local
|
||||
# port on the firewall.
|
||||
#
|
||||
|
@ -9,6 +9,13 @@
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
#
|
||||
# You should not have to change the variables in this section -- they are set
|
||||
# by the packager of your Shorewall distribution
|
||||
#
|
||||
SHARED_DIR=/usr/lib/shorewall
|
||||
#
|
||||
##############################################################################
|
||||
#
|
||||
# General note about log levels. Log levels are a method of describing
|
||||
# to syslog (8) the importance of a message and a number of parameters
|
||||
# in this file have log levels as their value.
|
||||
@ -51,7 +58,6 @@ PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
#
|
||||
FW=fw
|
||||
|
||||
|
||||
#
|
||||
# SUBSYSTEM LOCK FILE
|
||||
#
|
||||
|
@ -569,51 +569,65 @@ fi
|
||||
|
||||
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
|
||||
|
||||
functions=/usr/lib/shorewall/functions
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
SHARED_DIR=/usr/lib/shorewall
|
||||
MUTEX_TIMEOUT=
|
||||
|
||||
if [ -f $functions ]; then
|
||||
. $functions
|
||||
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
|
||||
config=$SHOREWALL_DIR/shorewall.conf
|
||||
else
|
||||
echo "$functions does not exist!" >&2
|
||||
config=/etc/shorewall/shorewall.conf
|
||||
fi
|
||||
|
||||
if [ -f $config ]; then
|
||||
. $config
|
||||
else
|
||||
echo "$config does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
firewall=/usr/lib/shorewall/firewall
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
if [ ! -f $firewall ]; then
|
||||
FIREWALL=$SHARED_DIR/firewall
|
||||
FUNCTIONS=$SHARED_DIR/functions
|
||||
VERSION_FILE=$SHARED_DIR/version
|
||||
|
||||
if [ -f $FUNCTIONS ]; then
|
||||
. $FUNCTIONS
|
||||
else
|
||||
echo "$FUNCTIONS does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if [ ! -f $FIREWALL ]; then
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
if [ -L $firewall ]; then
|
||||
echo " $firewall is a symbolic link to a"
|
||||
if [ -L $FIREWALL ]; then
|
||||
echo " $FIREWALL is a symbolic link to a"
|
||||
echo " non-existant file"
|
||||
else
|
||||
echo " The file /usr/lib/shorewall/firewall does not exist"
|
||||
echo " The file $FIREWALL does not exist"
|
||||
fi
|
||||
|
||||
exit 2
|
||||
fi
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
version_file=/usr/lib/shorewall/version
|
||||
|
||||
if [ -f $version_file ]; then
|
||||
version=`cat $version_file`
|
||||
if [ -f $VERSION_FILE ]; then
|
||||
version=`cat $VERSION_FILE`
|
||||
else
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
echo " The file /usr/lib/shorewall/version does not exist"
|
||||
echo " The file $VERSION_FILE does not exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
banner="Shorewall-$version Status at $HOSTNAME -"
|
||||
|
||||
get_statedir
|
||||
|
||||
case `echo -e` in
|
||||
-e*)
|
||||
RING_BELL="echo \'\a\'"
|
||||
RING_BELL="echo \a"
|
||||
;;
|
||||
*)
|
||||
RING_BELL="echo -e \'\a\'"
|
||||
RING_BELL="echo -e \a"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -629,11 +643,11 @@ esac
|
||||
case "$1" in
|
||||
start|stop|restart|reset|clear|refresh|check)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
exec $firewall $debugging $nolock $1
|
||||
exec $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
add|delete)
|
||||
[ $# -ne 3 ] && usage 1
|
||||
exec $firewall $debugging $nolock $1 $2 $3
|
||||
exec $FIREWALL $debugging $nolock $1 $2 $3
|
||||
;;
|
||||
show)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
|
@ -1 +1 @@
|
||||
1.3.12
|
||||
1.3.13
|
||||
|
@ -1,43 +1,10 @@
|
||||
Changes since 1.3.11
|
||||
Changes since 1.3.12
|
||||
|
||||
1. Fixed DNAT/REDIRECT bug with excluded sub-zones.
|
||||
1. Added 'DNAT-' target.
|
||||
|
||||
2. "shorewall refresh" now refreshes the traffic shaping rules
|
||||
2. Print policies in 'check' command.
|
||||
|
||||
3. Turned off debugging after error.
|
||||
3. Added CLEAR_TC option.
|
||||
|
||||
4. Removed drop of INVALID state output ICMP packets.
|
||||
4. Added SHARED_DIR option.
|
||||
|
||||
5. Replaced 'sed' invocation in separate_list() by shell code (speedup).
|
||||
|
||||
6. Replaced 'wc' invocation in list_count() by shell code (speedup)
|
||||
|
||||
7. Replaced 'sed' invocation in run_iptables() by shell code and
|
||||
optomized (speedup)
|
||||
|
||||
8. Only read the interfaces file once (speedup)
|
||||
|
||||
9. Only read the policy file once (speedup)
|
||||
|
||||
10. Removed redundant function input_chains() (duplicate of first_chains())
|
||||
|
||||
11. Generated an error if 'lo' is defined in the interfaces file.
|
||||
|
||||
12. Clarified error message where ORIGINAL DEST is specified on an
|
||||
ACCEPT, DROP or REJECT rule.
|
||||
|
||||
13. Added "shorewall show classifiers" command and added packet
|
||||
classification filter display to "shorewall monitor"
|
||||
|
||||
14. Added an error message when the destination in a rule contained a
|
||||
MAC address.
|
||||
|
||||
15. Added ULOG target support.
|
||||
|
||||
16. Add MARK_IN_FORWARD option.
|
||||
|
||||
17. General Cleanup for Release
|
||||
|
||||
18. Release changes and add init, start, stop and stopped files.
|
||||
|
||||
19. Add headings to NAT and Mangle tables in "shorewall status" output
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -1,28 +1,31 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>The Documentation Index</title>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>The Documentation Index</title>
|
||||
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<body>
|
||||
|
||||
<h1 align="center">The Shorewall Documentation Index</h1>
|
||||
<h1 align="center">has Moved
|
||||
<a href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
|
||||
|
||||
<p><font size="2">
|
||||
Last updated 8/9/2002
|
||||
-
|
||||
<a href="support.htm">Tom Eastep</a></font>
|
||||
</p>
|
||||
<p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
|
||||
<h1 align="center">has Moved <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
|
||||
|
||||
<p><font size="2"> Last updated 8/9/2002 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p> <a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -188,9 +188,9 @@ system. The systems in the two masqueraded subnetworks can now talk to each
|
||||
other</p>
|
||||
<p><font size="2">Updated 8/22/2002 - <a href="support.htm">Tom
|
||||
Eastep</a> </font></p>
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
@ -359,8 +359,8 @@ script will issue the command":<br>
|
||||
<p><font size="2">Last updated 10/23/2002 - </font><font size="2">
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
|
||||
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">
|
||||
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -199,8 +199,8 @@ by traffic control/shaping.</li>
|
||||
<p><font size="2">Updated 10/28/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -2,111 +2,110 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>MAC Verification</title>
|
||||
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">MAC Verification</font><br>
|
||||
</h1>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</h1>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Beginning with Shorewall version 1.3.10, all traffic from an interface
|
||||
or from a subnet on an interface can be verified to originate from a defined
|
||||
set of MAC addresses. Furthermore, each MAC address may be optionally associated
|
||||
with one or more IP addresses. <br>
|
||||
<br>
|
||||
<b>You must have the iproute package (ip utility) installed to use MAC Verification.</b><br>
|
||||
<br>
|
||||
There are four components to this facility.<br>
|
||||
|
||||
<br>
|
||||
Beginning with Shorewall version 1.3.10, all traffic from an interface
|
||||
or from a subnet on an interface can be verified to originate from a defined
|
||||
set of MAC addresses. Furthermore, each MAC address may be optionally
|
||||
associated with one or more IP addresses. <br>
|
||||
<br>
|
||||
<b>You must have the iproute package (ip utility) installed to use MAC
|
||||
Verification and your kernel must include MAC match support (CONFIG_IP_NF_MATCH_MAC
|
||||
- module name ipt_mac.o).</b><br>
|
||||
<br>
|
||||
There are four components to this facility.<br>
|
||||
|
||||
<ol>
|
||||
<li>The <b>maclist</b> interface option in <a
|
||||
<li>The <b>maclist</b> interface option in <a
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. When
|
||||
this option is specified, all traffic arriving on the interface is subjet
|
||||
to MAC verification.</li>
|
||||
<li>The <b>maclist </b>option in <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>.
|
||||
When this option is specified for a subnet, all traffic from that subnet
|
||||
is subject to MAC verification.</li>
|
||||
<li>The /etc/shorewall/maclist file. This file is used to associate
|
||||
MAC addresses with interfaces and to optionally associate IP addresses with
|
||||
<li>The <b>maclist </b>option in <a
|
||||
href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>. When this option
|
||||
is specified for a subnet, all traffic from that subnet is subject to MAC
|
||||
verification.</li>
|
||||
<li>The /etc/shorewall/maclist file. This file is used to associate
|
||||
MAC addresses with interfaces and to optionally associate IP addresses with
|
||||
MAC addresses.</li>
|
||||
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
|
||||
<li>The <b>MACLIST_DISPOSITION </b>and <b>MACLIST_LOG_LEVEL </b>variables
|
||||
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf.</a>
|
||||
The MACLIST_DISPOSITION variable has the value DROP, REJECT or ACCEPT and
|
||||
determines the disposition of connection requests that fail MAC verification.
|
||||
The MACLIST_LOG_LEVEL variable gives the syslogd level at which connection
|
||||
requests that fail verification are to be logged. If set the the empty value
|
||||
(e.g., MACLIST_LOG_LEVEL="") then failing connection requests are not logged.<br>
|
||||
</li>
|
||||
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
The columns in /etc/shorewall/maclist are:<br>
|
||||
|
||||
The columns in /etc/shorewall/maclist are:<br>
|
||||
|
||||
<ul>
|
||||
<li>INTERFACE - The name of an ethernet interface on the Shorewall
|
||||
system.</li>
|
||||
<li>MAC - The MAC address of a device on the ethernet segment connected
|
||||
by INTERFACE. It is not necessary to use the Shorewall MAC format in this
|
||||
column although you may use that format if you so choose.</li>
|
||||
<li>IP Address - An optional comma-separated list of IP addresses for
|
||||
the device whose MAC is listed in the MAC column.</li>
|
||||
|
||||
<li>INTERFACE - The name of an ethernet interface on the Shorewall
|
||||
system.</li>
|
||||
<li>MAC - The MAC address of a device on the ethernet segment connected
|
||||
by INTERFACE. It is not necessary to use the Shorewall MAC format in this
|
||||
column although you may use that format if you so choose.</li>
|
||||
<li>IP Address - An optional comma-separated list of IP addresses
|
||||
for the device whose MAC is listed in the MAC column.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3>Example 1: Here are my files:</h3>
|
||||
<b>/etc/shorewall/shorewall.conf:<br>
|
||||
</b>
|
||||
<b>/etc/shorewall/shorewall.conf:<br>
|
||||
</b>
|
||||
<pre> MACLIST_DISPOSITION=REJECT<br> MACLIST_LOG_LEVEL=info<br></pre>
|
||||
<b>/etc/shorewall/interfaces:</b><br>
|
||||
|
||||
<b>/etc/shorewall/interfaces:</b><br>
|
||||
|
||||
<pre> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 norfc1918,filterping,dhcp,blacklist<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 192.168.2.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas 192.168.9.255 filterping<br> loc ppp+ - filterping<br></pre>
|
||||
<b>/etc/shorewall/maclist:</b><br>
|
||||
|
||||
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
|
||||
As shown above, I use MAC Verification on <a href="myfiles.htm">my local
|
||||
zone</a>.<br>
|
||||
|
||||
<b>/etc/shorewall/maclist:</b><br>
|
||||
|
||||
<pre> #INTERFACE MAC IP ADDRESSES (Optional)<br> eth2 00:A0:CC:63:66:89 192.168.1.3 #Wookie<br> eth2 00:10:B5:EC:FD:0B 192.168.1.4 #Tarry<br> eth2 00:A0:CC:DB:31:C4 192.168.1.5 #Ursa<br> eth2 00:A0:CC:DB:31:C4 192.168.1.128/26 #PPTP Clients to server on Ursa<br> eth2 00:06:25:aa:a8:0f 192.168.1.7 #Eastept1 (Wireless)<br> eth2 00:04:5A:0E:85:B9 192.168.1.250 #Wap<br></pre>
|
||||
As shown above, I use MAC Verification on <a href="myfiles.htm">my
|
||||
local zone</a>.<br>
|
||||
|
||||
<h3>Example 2: Router in Local Zone</h3>
|
||||
Suppose now that I add a second ethernet segment to my local zone and
|
||||
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
|
||||
IP address 192.168.1.253. Hosts in the second segment have IP addresses in
|
||||
the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
|
||||
file:<br>
|
||||
|
||||
Suppose now that I add a second ethernet segment to my local zone and
|
||||
gateway that segment via a router with MAC address 00:06:43:45:C6:15 and
|
||||
IP address 192.168.1.253. Hosts in the second segment have IP addresses
|
||||
in the subnet 192.168.2.0/24. I would add the following entry to my /etc/shorewall/maclist
|
||||
file:<br>
|
||||
|
||||
<pre> eth2 00:06:43:45:C6:15 192.168.1.253,192.168.2.0/24<br></pre>
|
||||
This entry accomodates traffic from the router itself (192.168.1.253)
|
||||
and from the second LAN segment (192.168.2.0/24). Remember that all traffic
|
||||
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
|
||||
by the router so that traffic's MAC address will be that of the router (00:06:43:45:C6:15)
|
||||
and not that of the host sending the traffic.
|
||||
<p><font size="2"> Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
This entry accomodates traffic from the router itself (192.168.1.253)
|
||||
and from the second LAN segment (192.168.2.0/24). Remember that all traffic
|
||||
being sent to my firewall from the 192.168.2.0/24 segment will be forwarded
|
||||
by the router so that traffic's MAC address will be that of the router
|
||||
(00:06:43:45:C6:15) and not that of the host sending the traffic.
|
||||
|
||||
<p><font size="2"> Updated 1/7/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> ©
|
||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,92 +1,114 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>Shorewall NAT</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall NAT</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<blockquote>
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<body>
|
||||
|
||||
<blockquote>
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#FFFFFF">Static NAT</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
<p><font color="#FF0000"><b>IMPORTANT: If all you want to do is forward
|
||||
ports to servers behind your firewall, you do NOT want to use static NAT.
|
||||
Port forwarding can be accomplished with simple entries in the
|
||||
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
|
||||
<p>Static NAT is a way to make systems behind a
|
||||
firewall and configured with private IP addresses (those
|
||||
reserved for private use in RFC1918) appear to have public IP
|
||||
addresses.</p>
|
||||
<p>The following figure represents a static NAT
|
||||
environment.</p>
|
||||
<p align="center"><strong>
|
||||
<img src="images/staticnat.png" width="435" height="397"></strong></p>
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
<p align="left">Static NAT can be used to make the systems with the
|
||||
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If we
|
||||
assume that the interface to the upper subnet is eth0, then the following
|
||||
/etc/shorewall/NAT file would make the lower left-hand system appear to have
|
||||
IP address 130.252.100.18 and the right-hand one to have IP address
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Static NAT</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p><font color="#ff0000"><b>IMPORTANT: If all you want to do is forward
|
||||
ports to servers behind your firewall, you do NOT want to use static
|
||||
NAT. Port forwarding can be accomplished with simple entries in the
|
||||
<a href="Documentation.htm#Rules">rules file</a>.</b></font></p>
|
||||
|
||||
<p>Static NAT is a way to make systems behind a firewall and configured
|
||||
with private IP addresses (those reserved for private use in RFC1918)
|
||||
appear to have public IP addresses. Before you try to use this technique,
|
||||
I strongly recommend that you read the <a
|
||||
href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
|
||||
|
||||
<p>The following figure represents a static NAT environment.</p>
|
||||
|
||||
<p align="center"><strong> <img src="images/staticnat.png"
|
||||
width="435" height="397">
|
||||
</strong></p>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<p align="left">Static NAT can be used to make the systems with the
|
||||
10.1.1.* addresses appear to be on the upper (130.252.100.*) subnet. If
|
||||
we assume that the interface to the upper subnet is eth0, then the following
|
||||
/etc/shorewall/NAT file would make the lower left-hand system appear
|
||||
to have IP address 130.252.100.18 and the right-hand one to have IP address
|
||||
130.252.100.19.</p>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>INTERNAL</b></td>
|
||||
<td><b>ALL INTERFACES</b></td>
|
||||
<td><b>LOCAL</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.2</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.3</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
</table>
|
||||
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
|
||||
example) is (are) not included in any specification in /etc/shorewall/masq
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>INTERNAL</b></td>
|
||||
<td><b>ALL INTERFACES</b></td>
|
||||
<td><b>LOCAL</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.2</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth0</td>
|
||||
<td>10.1.1.3</td>
|
||||
<td>yes</td>
|
||||
<td>yes</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
|
||||
example) is (are) not included in any specification in /etc/shorewall/masq
|
||||
or /etc/shorewall/proxyarp.</p>
|
||||
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column
|
||||
is used to specify whether access to the external IP from all firewall
|
||||
interfaces should undergo NAT (Yes or yes) or if only access from the
|
||||
interface in the INTERFACE column should undergo NAT. If you leave this
|
||||
column empty, "Yes" is assumed. The ALL INTERFACES column was
|
||||
added in version 1.1.6.</p>
|
||||
<p>Note 2: Shorewall will automatically add the external address to the
|
||||
specified interface unless you specify <a href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no"
|
||||
(or "No") in /etc/shorewall/shorewall.conf; If you do not set
|
||||
ADD_IP_ALIASES or if you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p>
|
||||
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL"
|
||||
column determine whether packets originating on the firewall itself and
|
||||
destined for the EXTERNAL address are redirected to the internal ADDRESS. If
|
||||
this column contains "yes" or "Yes" (and the ALL
|
||||
INTERFACES COLUMN also contains "Yes" or "yes") then
|
||||
such packets are redirected; otherwise, such packets are not redirected. The
|
||||
LOCAL column was added in version 1.1.8.</p>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p><font size="2">Last updated 3/27/2002 - </font><font size="2">
|
||||
<a href="support.htm">Tom
|
||||
Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
|
||||
|
||||
<p><a name="AllInterFaces"></a>Note 1: The "ALL INTERFACES" column
|
||||
is used to specify whether access to the external IP from all firewall
|
||||
interfaces should undergo NAT (Yes or yes) or if only access from the
|
||||
interface in the INTERFACE column should undergo NAT. If you leave this
|
||||
column empty, "Yes" is assumed. The ALL INTERFACES column was added
|
||||
in version 1.1.6.</p>
|
||||
|
||||
<p>Note 2: Shorewall will automatically add the external address to the
|
||||
specified interface unless you specify <a
|
||||
href="Documentation.htm#Aliases">ADD_IP_ALIASES</a>="no" (or "No") in
|
||||
/etc/shorewall/shorewall.conf; If you do not set ADD_IP_ALIASES or if
|
||||
you set it to "Yes" or "yes" then you must NOT configure your own alias(es).</p>
|
||||
|
||||
<p><a name="LocalPackets"></a>Note 3: The contents of the "LOCAL" column
|
||||
determine whether packets originating on the firewall itself and destined
|
||||
for the EXTERNAL address are redirected to the internal ADDRESS. If this
|
||||
column contains "yes" or "Yes" (and the ALL INTERFACES COLUMN also contains
|
||||
"Yes" or "yes") then such packets are redirected; otherwise, such packets
|
||||
are not redirected. The LOCAL column was added in version 1.1.8.</p>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</body>
|
||||
</html>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -891,8 +891,8 @@ yet and reject the initial TCP connection request if I enable ECN :-( </p>
|
||||
|
||||
<p><font size="2">Last modified 10/23/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<p><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -1,106 +1,164 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Proxy ARP</title>
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Proxy ARP</title>
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Proxy ARP</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
|
||||
without changing their IP addresses and without having to re-subnet.
|
||||
Before you try to use this technique, I strongly recommend that you read
|
||||
the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></p>
|
||||
|
||||
<p>The following figure represents a Proxy ARP environment.</p>
|
||||
|
||||
<blockquote>
|
||||
<p align="center"><strong> <img src="images/proxyarp.png"
|
||||
width="519" height="397">
|
||||
</strong></p>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">Proxy ARP can be used to make the systems with addresses
|
||||
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
|
||||
subnet. Assuming that the upper firewall interface is eth0 and the
|
||||
lower interface is eth1, this is accomplished using the following entries
|
||||
in /etc/shorewall/proxyarp:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#FFFFFF">Proxy ARP</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</table>
|
||||
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
|
||||
without changing their IP addresses and without having to re-subnet.</p>
|
||||
<p>The following figure represents a Proxy ARP
|
||||
environment.</p>
|
||||
|
||||
<blockquote>
|
||||
<p align="center"><strong>
|
||||
<img src="images/proxyarp.png" width="519" height="397"></strong></p>
|
||||
<blockquote>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
<p align="left">Proxy ARP can be used to make the systems with addresses
|
||||
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
|
||||
subnet. Assuming that the upper firewall interface is eth0 and the
|
||||
lower interface is eth1, this is accomplished using the following entries in
|
||||
/etc/shorewall/proxyarp:</p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse">
|
||||
<tr>
|
||||
<td><b>ADDRESS</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>HAVEROUTE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19
|
||||
in the above example) are not included in any specification in
|
||||
/etc/shorewall/masq or /etc/shorewall/nat.</p>
|
||||
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
|
||||
irrelevant. </p>
|
||||
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
|
||||
subnet mask and default gateway configured exactly the same way that the
|
||||
Firewall system's eth0 is configured.</p>
|
||||
<div align="left">
|
||||
<p align="left">A word of warning is in order here. ISPs typically configure
|
||||
their routers with a long ARP cache timeout. If you move a system from
|
||||
parallel to your firewall to behind your firewall with Proxy ARP, it will
|
||||
probably be HOURS before that system can communicate with the internet. You
|
||||
can call your ISP and ask them to purge the stale ARP cache entry but many
|
||||
either can't or won't purge individual entries. You can determine if your
|
||||
ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we
|
||||
suspect that the gateway router has a stale ARP cache entry for 130.252.100.19.
|
||||
On the firewall, run tcpdump as follows:</div>
|
||||
<div align="left">
|
||||
<pre> tcpdump -nei eth0 icmp</pre>
|
||||
<td><b>ADDRESS</b></td>
|
||||
<td><b>INTERFACE</b></td>
|
||||
<td><b>EXTERNAL</b></td>
|
||||
<td><b>HAVEROUTE</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.18</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>130.252.100.19</td>
|
||||
<td>eth1</td>
|
||||
<td>eth0</td>
|
||||
<td>no</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19
|
||||
in the above example) are not included in any specification in
|
||||
/etc/shorewall/masq or /etc/shorewall/nat.</p>
|
||||
|
||||
<p>Note that I've used an RFC1918 IP address for eth1 - that IP address is
|
||||
irrelevant. </p>
|
||||
|
||||
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
|
||||
subnet mask and default gateway configured exactly the same way that
|
||||
the Firewall system's eth0 is configured.</p>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">A word of warning is in order here. ISPs typically configure
|
||||
their routers with a long ARP cache timeout. If you move a system from
|
||||
parallel to your firewall to behind your firewall with Proxy ARP, it will
|
||||
probably be HOURS before that system can communicate with the internet.
|
||||
There are a couple of things that you can try:<br>
|
||||
</p>
|
||||
<ol>
|
||||
<li>(Courtesy of Bradey Honsinger) A reading of Stevens' <i>TCP/IP Illustrated,
|
||||
Vol 1</i> reveals that a <br>
|
||||
<br>
|
||||
"gratuitous" ARP packet should cause the ISP's router to refresh their ARP
|
||||
cache (section 4.7). A gratuitous ARP is simply a host requesting the MAC
|
||||
address for its own IP; in addition to ensuring that the IP address isn't
|
||||
a duplicate...<br>
|
||||
<br>
|
||||
"if the host sending the gratuitous ARP has just changed its hardware address...,
|
||||
this packet causes any other host...that has an entry in its cache for the
|
||||
old hardware address to update its ARP cache entry accordingly."<br>
|
||||
<br>
|
||||
Which is, of course, exactly what you want to do when you switch a host from
|
||||
being exposed to the Internet to behind Shorewall using proxy ARP (or static
|
||||
NAT for that matter). Happily enough, recent versions of Redhat's iputils
|
||||
package include "arping", whose "-U" flag does just that:<br>
|
||||
<br>
|
||||
<font color="#009900"><b>arping -U -I <i><net if> <newly proxied
|
||||
IP></i></b></font><br>
|
||||
<font color="#009900"><b>arping -U -I eth0 66.58.99.83 # for example</b></font><br>
|
||||
<br>
|
||||
Stevens goes on to mention that not all systems respond correctly to gratuitous
|
||||
ARPs, but googling for "arping -U" seems to support the idea that it works
|
||||
most of the time.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>You can call your ISP and ask them to purge the stale ARP cache
|
||||
entry but many either can't or won't purge individual entries.</li>
|
||||
</ol>
|
||||
You can determine if your ISP's gateway ARP cache is stale using ping
|
||||
and tcpdump. Suppose that we suspect that the gateway router has a stale
|
||||
ARP cache entry for 130.252.100.19. On the firewall, run tcpdump as follows:</div>
|
||||
|
||||
<div align="left">
|
||||
<pre> <font color="#009900"><b>tcpdump -nei eth0 icmp</b></font></pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we
|
||||
will assume is 130.252.100.254):</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we will
|
||||
assume is 130.252.100.254):</div>
|
||||
<div align="left">
|
||||
<pre> ping 130.252.100.254</pre>
|
||||
|
||||
<div align="left">
|
||||
<pre> <b><font color="#009900">ping 130.252.100.254</font></b></pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">We can now observe the tcpdump output:</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">We can now observe the tcpdump output:</div>
|
||||
<div align="left">
|
||||
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)
|
||||
13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply</pre>
|
||||
|
||||
<div align="left">
|
||||
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 > 130.252.100.254: icmp: echo request (DF)<br> 13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 > 130.252.100.177 : icmp: echo reply</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">Notice that the source MAC address in the echo request is
|
||||
different from the destination MAC address in the echo reply!! In this
|
||||
case 0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
|
||||
was the MAC address of the system on the lower left. In other words, the
|
||||
gateway's ARP cache still associates 130.252.100.19 with the NIC in that
|
||||
system rather than with the firewall's eth0.</p>
|
||||
</div>
|
||||
<div align="left">
|
||||
<p align="left">Notice that the source MAC address in the echo request is
|
||||
different from the destination MAC address in the echo reply!! In this case
|
||||
0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
|
||||
was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still
|
||||
associates 130.252.100.19 with the NIC in that system rather than with the firewall's
|
||||
eth0.</div>
|
||||
|
||||
<p><font size="2">Last updated 8/17/2002 - </font><font size="2">
|
||||
<a href="support.htm">Tom
|
||||
Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
|
||||
|
||||
<p><font size="2">Last updated 1/11/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -29,9 +29,9 @@
|
||||
I can hardly justify paying $200US+ a year to a Certificate Authority such
|
||||
as Thawte (A Division of VeriSign) for an X.509 certificate to prove that
|
||||
I am who I am. I have therefore established my own Certificate Authority (CA)
|
||||
and sign my own X.509 certificates. I use these certificates on my web server
|
||||
(<a href="http://www.shorewall.net">http://www.shorewall.net</a>) as well
|
||||
as on my mail server (mail.shorewall.net).<br>
|
||||
and sign my own X.509 certificates. I use these certificates on my mail server
|
||||
(<a href="https://mail.shorewall.net">https://mail.shorewall.net</a>)
|
||||
which hosts parts of this web site.<br>
|
||||
<br>
|
||||
X.509 certificates are the basis for the Secure Socket Layer (SSL). As part
|
||||
of establishing an SSL session (URL https://...), your browser verifies the
|
||||
@ -57,7 +57,7 @@ to accept the sleezy X.509 certificate being presented by my server. <br>
|
||||
There are two things that you can do:<br>
|
||||
|
||||
<ol>
|
||||
<li>You can accept the www.shorewall.net certificate when your browser
|
||||
<li>You can accept the mail.shorewall.net certificate when your browser
|
||||
asks -- your acceptence of the certificate can be temporary (for that access
|
||||
only) or perminent.</li>
|
||||
<li>You can download and install <a href="ca.crt">my (self-signed) CA
|
||||
@ -75,14 +75,14 @@ intented to go to your bank's server to one of my systems that will present
|
||||
your browser with a bogus certificate claiming that my server is that of
|
||||
your bank.</li>
|
||||
<li>If you only accept my server's certificate when prompted then the
|
||||
most that you have to loose is that when you connect to https://www.shorewall.net,
|
||||
most that you have to loose is that when you connect to https://mail.shorewall.net,
|
||||
the server you are connecting to might not be mine.</li>
|
||||
|
||||
</ol>
|
||||
I have my CA certificate loaded into all of my browsers but I certainly
|
||||
won't be offended if you decline to load it into yours... :-)<br>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 11/14/2002 - Tom Eastep</font></p>
|
||||
<p align="left"><font size="2">Last Updated 12/29/2002 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
|
@ -2,50 +2,51 @@
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall CVS Access</title>
|
||||
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
|
||||
</h1>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall CVS Access</font>
|
||||
</h1>
|
||||
<br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
Lots of people try to download the entire Shorewall website for off-line
|
||||
browsing, including the CVS portion. In addition to being an enormous volume
|
||||
of data (HTML versions of all versions of all Shorewall files), all of the
|
||||
pages in Shorewall CVS access are cgi-generated which places a tremendous
|
||||
load on my little server. I have therefore resorted to making CVS access
|
||||
password controlled. When you are asked to log in, enter "Shorewall" (NOTE
|
||||
THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
|
||||
<br>
|
||||
|
||||
<div align="center">
|
||||
<h3><a href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
|
||||
<br>
|
||||
Lots of people try to download the entire Shorewall website for off-line
|
||||
browsing, including the CVS portion. In addition to being an enormous volume
|
||||
of data (HTML versions of all versions of all Shorewall files), all of
|
||||
the pages in Shorewall CVS access are cgi-generated which places a tremendous
|
||||
load on my little server. I have therefore resorted to making CVS access
|
||||
password controlled. When you are asked to log in, enter "Shorewall" (NOTE
|
||||
THE CAPITALIZATION!!!!!) for both the user name and the password.<br>
|
||||
<br>
|
||||
|
||||
<div align="center">
|
||||
<h3><a href="http://cvs.shorewall.net/cgi-bin/cvs/cvsweb.cgi"
|
||||
target="_top">CVS Login</a> <br>
|
||||
</h3>
|
||||
</div>
|
||||
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 9/23/2002
|
||||
- <a href="support.htm">Tom Eastep</a> </font>
|
||||
</p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
</h3>
|
||||
</div>
|
||||
|
||||
<p><font size="2" face="Century Gothic, Arial, Helvetica">Updated 1/14/2002
|
||||
- <a href="support.htm">Tom Eastep</a> </font>
|
||||
</p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
408
STABLE/documentation/Shorewall_Squid_Usage.html
Normal file
408
STABLE/documentation/Shorewall_Squid_Usage.html
Normal file
@ -0,0 +1,408 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall Squid Usage</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table cellpadding="0" cellspacing="0" border="0" width="100%"
|
||||
bgcolor="#400169">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="middle" width="33%" bgcolor="#400169"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/squidnow.gif"
|
||||
alt="" width="88" height="31" hspace="4">
|
||||
</a><br>
|
||||
</td>
|
||||
<td valign="middle" height="90" align="center" width="34%"><font
|
||||
color="#ffffff"><b><big><big><big><big>Using Shorewall with Squid</big></big></big></big></b></font><br>
|
||||
</td>
|
||||
<td valign="middle" height="90" width="33%" align="right"><a
|
||||
href="http://www.squid-cache.org/"><img src="images/cache_now.gif"
|
||||
alt="" width="100" height="31" hspace="4">
|
||||
</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
This page covers Shorewall configuration to use with <a
|
||||
href="http://www.squid-cache.org/">Squid </a>running as a <u><b>Transparent
|
||||
Proxy</b></u>. <br>
|
||||
<a href="#DMZ"></a><br>
|
||||
<img border="0" src="images/j0213519.gif" width="60" height="60"
|
||||
alt="Caution" align="middle">
|
||||
Please observe the following general requirements:<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>In all cases, Squid should be configured to run
|
||||
as a transparent proxy as described at <a
|
||||
href="http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html">http://www.tldp.org/HOWTO/mini/TransparentProxy-4.html</a>.<br>
|
||||
<b><br>
|
||||
</b><b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b>The following instructions mention the files /etc/shorewall/start
|
||||
and /etc/shorewall/init -- if you don't have those files, siimply create
|
||||
them.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> When the Squid server is in the DMZ zone or in
|
||||
the local zone, that zone must be defined ONLY by its interface -- no /etc/shorewall/hosts
|
||||
file entries. That is because the packets being routed to the Squid server
|
||||
still have their original destination IP addresses.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have iproute2 (<i>ip </i>utility) installed
|
||||
on your firewall.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have iptables installed on your Squid
|
||||
server.<br>
|
||||
<br>
|
||||
<b><img src="images/BD21298_3.gif" alt="" width="13" height="13">
|
||||
</b> You must have NAT and MANGLE enabled in your /etc/shorewall/conf
|
||||
file<br>
|
||||
<br>
|
||||
<b><font color="#009900"> NAT_ENABLED=Yes<br>
|
||||
</font></b> <font color="#009900"><b>MANGLE_ENABLED=Yes</b></font><br>
|
||||
<br>
|
||||
Three different configurations are covered:<br>
|
||||
|
||||
<ol>
|
||||
<li><a href="Shorewall_Squid_Usage.html#Firewall">Squid running on the
|
||||
Firewall.</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#Local">Squid running in the local
|
||||
network</a></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html#DMZ">Squid running in the DMZ</a></li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h2><a name="Firewall"></a>Squid Running on the Firewall</h2>
|
||||
You want to redirect all local www connection requests EXCEPT
|
||||
those to your own
|
||||
http server (206.124.146.177)
|
||||
to a Squid transparent
|
||||
proxy running on the firewall and listening on port 3128. Squid
|
||||
will of course require access to remote web servers.<br>
|
||||
<br>
|
||||
In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
|
||||
<blockquote>
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
|
||||
</tr>
|
||||
<tr>
|
||||
<td>REDIRECT</td>
|
||||
<td>loc</td>
|
||||
<td>3128</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> -<br>
|
||||
</td>
|
||||
<td>!206.124.146.177</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT</td>
|
||||
<td>fw</td>
|
||||
<td>net</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<h2><a name="Local"></a>Squid Running in the local network</h2>
|
||||
You want to redirect all local www connection requests to a Squid
|
||||
transparent proxy
|
||||
running in your local zone at 192.168.1.3 and listening on port 3128.
|
||||
Your local interface is eth1. There may also be a web server running on
|
||||
192.168.1.3. It is assumed that web access is already enabled from the local
|
||||
zone to the internet.<br>
|
||||
|
||||
<p><font color="#ff0000"><b>WARNING: </b></font>This setup may conflict with
|
||||
other aspects of your gateway including but not limited to traffic shaping
|
||||
and route redirection. For that reason, I don't recommend it.<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">echo 202 www.out >> /etc/iproute2/rt_tables</font></b><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.168.1.3 dev eth1 table www.out<br> ip route flush cache<br> echo 0 > /proc/sys/net/ipv4/conf/eth1/send_redirects<br>fi<br></font></b></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/rules:<br>
|
||||
<br>
|
||||
|
||||
<table border="1" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<td><b>ACTION</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b> PROTO</b></td>
|
||||
<td><b>DEST<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>SOURCE<br>
|
||||
PORT(S)</b></td>
|
||||
<td><b>ORIGINAL<br>
|
||||
DEST</b></td>
|
||||
|
||||
</tr>
|
||||
<tr>
|
||||
<td>ACCEPT<br>
|
||||
</td>
|
||||
<td>loc</td>
|
||||
<td>loc<br>
|
||||
</td>
|
||||
<td>tcp</td>
|
||||
<td>www</td>
|
||||
<td> <br>
|
||||
</td>
|
||||
<td><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>Alternativfely, you can have the following policy:<br>
|
||||
<br>
|
||||
|
||||
<table cellpadding="2" cellspacing="0" border="1">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top"><b>SOURCE<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>DESTINATION<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>POLICY<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>LOG LEVEL<br>
|
||||
</b></td>
|
||||
<td valign="top"><b>BURST PARAMETERS<br>
|
||||
</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">loc<br>
|
||||
</td>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</li>
|
||||
<li>In /etc/shorewall/start add:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>iptables -t mangle -A PREROUTING -i eth1 -s ! 192.168.1.3 -p tcp --dport 80 -j MARK --set-mark 202</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>On 192.168.1.3, arrange for the following command to be executed
|
||||
after networking has come up<br>
|
||||
|
||||
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth0 -d ! 192.168.1.3 -p tcp --dport 80 -j REDIRECT --to-ports 3128</font></b><br></pre>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote> If you are running RedHat on the server, you can simply execute
|
||||
the following commands after you have typed the iptables command above:<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<pre><font color="#009900"><b>iptables-save > /etc/sysconfig/iptables</b></font><font
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<h2><a name="DMZ"></a>Squid Running in the DMZ (This is what I do)</h2>
|
||||
You have a single Linux system in your DMZ with IP address 192.0.2.177.
|
||||
You want to run both a web server and Squid on that system. Your DMZ interface
|
||||
is eth1 and your local interface is eth2.<br>
|
||||
|
||||
<ul>
|
||||
<li>On your firewall system, issue the following command<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>echo 202 www.out >> /etc/iproute2/rt_tables</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/init, put:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><font color="#009900"><b>if [ -z "`ip rule list | grep www.out`" ] ; then<br> ip rule add fwmark 202 table www.out<br> ip route add default via 192.0.2.177 dev eth1 table www.out<br> ip route flush cache<br>fi</b></font><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li> In /etc/shorewall/start add:<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<pre><b><font color="#009900">iptables -t nat -A PREROUTING -i eth2 -p tcp --dport 80 -j MARK --set-mark 202</font></b><br></pre>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>In /etc/shorewall/rules, you will need:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>
|
||||
<table cellpadding="2" border="1" cellspacing="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td valign="top">ACTION<br>
|
||||
</td>
|
||||
<td valign="top">SOURCE<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
</td>
|
||||
<td valign="top">PROTO<br>
|
||||
</td>
|
||||
<td valign="top">DEST<br>
|
||||
PORT(S)<br>
|
||||
</td>
|
||||
<td valign="top">CLIENT<br>
|
||||
PORT(2)<br>
|
||||
</td>
|
||||
<td valign="top">ORIGINAL<br>
|
||||
DEST<br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">ACCEPT<br>
|
||||
</td>
|
||||
<td valign="top">dmz<br>
|
||||
</td>
|
||||
<td valign="top">net<br>
|
||||
</td>
|
||||
<td valign="top">tcp<br>
|
||||
</td>
|
||||
<td valign="top">80<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>On 192.0.2.177 (your Web/Squid server), arrange for the following
|
||||
command to be executed after networking has come up<br>
|
||||
|
||||
<pre><font color="#009900"><b>iptables -t nat -A PREROUTING -i eth0 -d ! 192.0.2.177 -p tcp --dport 80 -j REDIRECT --to-ports 3128</b></font><br></pre>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote> If you are running RedHat on the server, you can simply execute
|
||||
the following commands after you have typed the iptables command above:<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote>
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<pre><font color="#009900"><b>iptables-save > /etc/sysconfig/iptables</b></font><font
|
||||
color="#009900"><b><br>chkconfig --level 35 iptables start<br></b></font></pre>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<p><font size="-1"> Updated 1/10/2003 - <a
|
||||
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
<a
|
||||
href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
@ -2,143 +2,149 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
<base target="main">
|
||||
|
||||
<base target="main">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#4b017c" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<li> <a href="Documentation.htm">Reference Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://germany.shorewall.net">Germany</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://france.shorewall.net">France</a></li>
|
||||
<li><a href="http://www.shorewall.net" target="_top">Washington
|
||||
State, USA</a><br>
|
||||
</li>
|
||||
<li><a href="http://www.shorewall.net" target="_top">Washington
|
||||
State, USA</a><br>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS
|
||||
Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
href="seattlefirewall_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
|
||||
GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
|
||||
GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<p><strong>Quick Search</strong><br>
|
||||
<font face="Arial" size="-1"> <input
|
||||
<font face="Arial" size="-1"> <input
|
||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
||||
face="Arial" size="-1"> <input type="hidden" name="format"
|
||||
value="long"> <input type="hidden" name="method" value="and"> <input
|
||||
type="hidden" name="config" value="htdig"> <input type="submit"
|
||||
value="Search"></font> </p>
|
||||
<font face="Arial"> <input type="hidden"
|
||||
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
|
||||
</form>
|
||||
|
||||
<font face="Arial"> <input type="hidden"
|
||||
name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font>
|
||||
</form>
|
||||
|
||||
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
|
||||
<p><a href="http://www.shorewall.net" target="_top"> <img border="1"
|
||||
src="images/shorewall.jpg" width="119" height="38" hspace="0">
|
||||
</a><br>
|
||||
<br>
|
||||
</p>
|
||||
</a><br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
@ -2,144 +2,149 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Index</title>
|
||||
|
||||
<base target="main">
|
||||
|
||||
<base target="main">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#4b017c" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
<h3 align="center"><font color="#ffffff">Shorewall</font></h3>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td width="100%" bgcolor="#ffffff">
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
<li> <a href="seattlefirewall_index.htm">Home</a></li>
|
||||
<li> <a
|
||||
href="shorewall_features.htm">Features</a></li>
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
<li> <a href="shorewall_prerequisites.htm">Requirements</a></li>
|
||||
<li> <a href="download.htm">Download</a><br>
|
||||
</li>
|
||||
<li> <a href="Install.htm">Installation/Upgrade/</a><br>
|
||||
<a href="Install.htm">Configuration</a><br>
|
||||
</li>
|
||||
<li> <a href="shorewall_quickstart_guide.htm">QuickStart
|
||||
Guides (HOWTOs)</a><br>
|
||||
</li>
|
||||
<li> <b><a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a></b></li>
|
||||
<li> <a href="Documentation.htm">Reference Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
<li> <a href="Documentation.htm">Reference
|
||||
Manual</a></li>
|
||||
<li> <a href="FAQ.htm">FAQs</a></li>
|
||||
<li><a href="useful_links.html">Useful Links</a><br>
|
||||
</li>
|
||||
<li> <a href="troubleshoot.htm">Troubleshooting</a></li>
|
||||
<li> <a href="errata.htm">Errata</a></li>
|
||||
<li> <a href="upgrade_issues.htm">Upgrade Issues</a></li>
|
||||
<li> <a href="support.htm">Support</a></li>
|
||||
<li> <a href="mailing_list.htm">Mailing Lists</a></li>
|
||||
<li> <a href="shorewall_mirrors.htm">Mirrors</a>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://slovakia.shorewall.net">Slovak Republic</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.infohiiway.com">Texas, USA</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://germany.shorewall.net">Germany</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://shorewall.correofuego.com.ar">Argentina</a></li>
|
||||
<li><a target="_top"
|
||||
<li><a target="_top"
|
||||
href="http://france.shorewall.net">France</a></li>
|
||||
<li><a href="http://www.shorewall.net" target="_top">Washington
|
||||
State, USA</a><br>
|
||||
</li>
|
||||
<li><a href="http://www.shorewall.net" target="_top">Washington
|
||||
State, USA</a><br>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
</li>
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS
|
||||
Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
<li> <a href="News.htm">News Archive</a></li>
|
||||
<li> <a href="Shorewall_CVS_Access.html">CVS
|
||||
Repository</a></li>
|
||||
<li> <a href="quotes.htm">Quotes from Users</a></li>
|
||||
<li> <a href="shoreline.htm">About the Author</a></li>
|
||||
<li> <a
|
||||
href="sourceforge_index.htm#Donations">Donations</a></li>
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
<strong><br>
|
||||
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
|
||||
GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<b>Note: </b></strong>Search is unavailable Daily 0200-0330
|
||||
GMT.<br>
|
||||
<strong></strong>
|
||||
|
||||
<p><strong>Quick Search</strong><br>
|
||||
<font face="Arial" size="-1"> <input
|
||||
<font face="Arial" size="-1"> <input
|
||||
type="text" name="words" size="15"></font><font size="-1"> </font> <font
|
||||
face="Arial" size="-1"> <input type="hidden" name="format"
|
||||
value="long"> <input type="hidden" name="method" value="and"> <input
|
||||
type="hidden" name="config" value="htdig"> <input type="submit"
|
||||
value="Search"></font> </p>
|
||||
<font face="Arial"> <input type="hidden"
|
||||
name="exclude" value="[http://www.shorewall.net/pipermail/*]"> </font>
|
||||
</form>
|
||||
|
||||
<font face="Arial"> <input type="hidden"
|
||||
name="exclude" value="[http://mail.shorewall.net/pipermail/*]"> </font>
|
||||
</form>
|
||||
|
||||
<p><b><a href="http://www.shorewall.net/htdig/search.html">Extended Search</a></b></p>
|
||||
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
|
||||
<p><a href="http://www.shorewall.net" target="_top"> </a><br>
|
||||
</p>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,435 +1,340 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Configuration File Basics</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Configuration Files</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
|
||||
configuration files on a system running Microsoft Windows, you <u>must</u>
|
||||
run them through <a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
|
||||
before you use them with Shorewall.</b></p>
|
||||
|
||||
<h2>Files</h2>
|
||||
|
||||
|
||||
<p><b><font color="#ff0000">Warning: </font>If you copy or edit your
|
||||
configuration files on a system running Microsoft Windows, you <u>must</u>
|
||||
run them through <a
|
||||
href="http://www.megaloman.com/%7Ehany/software/hd2u/"> dos2unix</a>
|
||||
before you use them with Shorewall.</b></p>
|
||||
|
||||
<h2><a name="Files"></a>Files</h2>
|
||||
|
||||
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several
|
||||
firewall parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell
|
||||
<li>/etc/shorewall/shorewall.conf - used to set several
|
||||
firewall parameters.</li>
|
||||
<li>/etc/shorewall/params - use this file to set shell
|
||||
variables that you will expand in other files.</li>
|
||||
<li>/etc/shorewall/zones - partition the firewall's
|
||||
view of the world into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/policy - establishes firewall high-level
|
||||
policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces
|
||||
<li>/etc/shorewall/zones - partition the firewall's
|
||||
view of the world into <i>zones.</i></li>
|
||||
<li>/etc/shorewall/policy - establishes firewall high-level
|
||||
policy.</li>
|
||||
<li>/etc/shorewall/interfaces - describes the interfaces
|
||||
on the firewall system.</li>
|
||||
<li>/etc/shorewall/hosts - allows defining zones in
|
||||
terms of individual hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where
|
||||
to use many-to-one (dynamic) Network Address Translation (a.k.a.
|
||||
Masquerading) and Source Network Address Translation (SNAT).</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall to
|
||||
load kernel modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are exceptions
|
||||
to the overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy
|
||||
<li>/etc/shorewall/hosts - allows defining zones in
|
||||
terms of individual hosts and subnetworks.</li>
|
||||
<li>/etc/shorewall/masq - directs the firewall where
|
||||
to use many-to-one (dynamic) Network Address Translation (a.k.a.
|
||||
Masquerading) and Source Network Address Translation (SNAT).</li>
|
||||
<li>/etc/shorewall/modules - directs the firewall
|
||||
to load kernel modules.</li>
|
||||
<li>/etc/shorewall/rules - defines rules that are
|
||||
exceptions to the overall policies established in /etc/shorewall/policy.</li>
|
||||
<li>/etc/shorewall/nat - defines static NAT rules.</li>
|
||||
<li>/etc/shorewall/proxyarp - defines use of Proxy
|
||||
ARP.</li>
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
|
||||
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and
|
||||
later) - defines hosts accessible when Shorewall is stopped.</li>
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets
|
||||
for later use by traffic control/shaping or policy routing.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting
|
||||
<li>/etc/shorewall/tcrules - defines marking of packets
|
||||
for later use by traffic control/shaping or policy routing.</li>
|
||||
<li>/etc/shorewall/tos - defines rules for setting
|
||||
the TOS field in packet headers.</li>
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and
|
||||
IPIP tunnels with end-points on the firewall system.</li>
|
||||
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
|
||||
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and
|
||||
IPIP tunnels with end-points on the firewall system.</li>
|
||||
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC
|
||||
addresses.</li>
|
||||
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
|
||||
of a "shorewall start" or "shorewall restart".</li>
|
||||
<li>/etc/shorewall/start - commands that you wish to execute at the completion
|
||||
of a "shorewall start" or "shorewall restart"</li>
|
||||
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
|
||||
of a "shorewall stop".</li>
|
||||
<li>/etc/shorewall/stopped - commands that you wish to execute at the
|
||||
<li>/etc/shorewall/init - commands that you wish to execute at the beginning
|
||||
of a "shorewall start" or "shorewall restart".</li>
|
||||
<li>/etc/shorewall/start - commands that you wish to execute at the completion
|
||||
of a "shorewall start" or "shorewall restart"</li>
|
||||
<li>/etc/shorewall/stop - commands that you wish to execute at the beginning
|
||||
of a "shorewall stop".</li>
|
||||
<li>/etc/shorewall/stopped - commands that you wish to execute at the
|
||||
completion of a "shorewall stop".<br>
|
||||
</li>
|
||||
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2>Comments</h2>
|
||||
|
||||
<p>You may place comments in configuration files by making the first non-whitespace
|
||||
character a pound sign ("#"). You may also place comments at
|
||||
the end of any line, again by delimiting the comment from the rest
|
||||
|
||||
<h2><a name="Comments"></a>Comments</h2>
|
||||
|
||||
<p>You may place comments in configuration files by making the first non-whitespace
|
||||
character a pound sign ("#"). You may also place comments at
|
||||
the end of any line, again by delimiting the comment from the rest
|
||||
of the line with a pound sign.</p>
|
||||
|
||||
|
||||
<p>Examples:</p>
|
||||
|
||||
|
||||
<pre># This is a comment</pre>
|
||||
|
||||
|
||||
<pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
|
||||
|
||||
<h2>Line Continuation</h2>
|
||||
|
||||
<p>You may continue lines in the configuration files using the usual backslash
|
||||
("\") followed immediately by a new line character.</p>
|
||||
|
||||
|
||||
<h2><a name="Continuation"></a>Line Continuation</h2>
|
||||
|
||||
<p>You may continue lines in the configuration files using the usual backslash
|
||||
("\") followed immediately by a new line character.</p>
|
||||
|
||||
<p>Example:</p>
|
||||
|
||||
|
||||
<pre>ACCEPT net fw tcp \<br>smtp,www,pop3,imap #Services running on the firewall</pre>
|
||||
|
||||
|
||||
<h2><a name="dnsnames"></a>Using DNS Names</h2>
|
||||
|
||||
<p align="left"> </p>
|
||||
|
||||
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
|
||||
using DNS names in Shorewall configuration files. If you use DNS names
|
||||
and you are called out of bed at 2:00AM because Shorewall won't start
|
||||
as a result of DNS problems then don't say that you were not forewarned.
|
||||
<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left"><b> -Tom<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
|
||||
configuration files may be specified as either IP addresses or DNS
|
||||
Names.<br>
|
||||
<br>
|
||||
DNS names in iptables rules aren't nearly as useful as they
|
||||
first appear. When a DNS name appears in a rule, the iptables utility
|
||||
resolves the name to one or more IP addresses and inserts those addresses
|
||||
into the rule. So changes in the DNS->IP address relationship that
|
||||
occur after the firewall has started have absolutely no effect on the
|
||||
firewall's ruleset. </p>
|
||||
|
||||
<p align="left"> If your firewall rules include DNS names then:</p>
|
||||
|
||||
<p align="left"> </p>
|
||||
|
||||
<p align="left"><b>WARNING: I personally recommend strongly <u>against</u>
|
||||
using DNS names in Shorewall configuration files. If you use DNS names
|
||||
and you are called out of bed at 2:00AM because Shorewall won't start
|
||||
as a result of DNS problems then don't say that you were not forewarned.
|
||||
<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left"><b> -Tom<br>
|
||||
</b></p>
|
||||
|
||||
<p align="left">Beginning with Shorwall 1.3.9, Host addresses in Shorewall
|
||||
configuration files may be specified as either IP addresses or DNS
|
||||
Names.<br>
|
||||
<br>
|
||||
DNS names in iptables rules aren't nearly as useful as they
|
||||
first appear. When a DNS name appears in a rule, the iptables utility
|
||||
resolves the name to one or more IP addresses and inserts those addresses
|
||||
into the rule. So changes in the DNS->IP address relationship that
|
||||
occur after the firewall has started have absolutely no effect on the
|
||||
firewall's ruleset. </p>
|
||||
|
||||
<p align="left"> If your firewall rules include DNS names then:</p>
|
||||
|
||||
<ul>
|
||||
<li>If your /etc/resolv.conf is wrong then your firewall won't
|
||||
start.</li>
|
||||
<li>If your /etc/nsswitch.conf is wrong then your firewall
|
||||
<li>If your /etc/resolv.conf is wrong then your firewall
|
||||
won't start.</li>
|
||||
<li>If your Name Server(s) is(are) down then your firewall
|
||||
won't start.</li>
|
||||
<li>If your startup scripts try to start your firewall before
|
||||
<li>If your /etc/nsswitch.conf is wrong then your firewall
|
||||
won't start.</li>
|
||||
<li>If your Name Server(s) is(are) down then your firewall
|
||||
won't start.</li>
|
||||
<li>If your startup scripts try to start your firewall before
|
||||
starting your DNS server then your firewall won't start.<br>
|
||||
</li>
|
||||
<li>Factors totally outside your control (your ISP's router
|
||||
</li>
|
||||
<li>Factors totally outside your control (your ISP's router
|
||||
is down for example), can prevent your firewall from starting.</li>
|
||||
<li>You must bring up your network interfaces prior to starting
|
||||
your firewall.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
<li>You must bring up your network interfaces prior to starting
|
||||
your firewall.<br>
|
||||
</li>
|
||||
|
||||
<p align="left"> Each DNS name much be fully qualified and include a minumum
|
||||
of two periods (although one may be trailing). This restriction is imposed
|
||||
by Shorewall to insure backward compatibility with existing configuration
|
||||
files.<br>
|
||||
<br>
|
||||
Examples of valid DNS names:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>mail.shorewall.net</li>
|
||||
<li>shorewall.net. (note the trailing period).</li>
|
||||
|
||||
</ul>
|
||||
Examples of invalid DNS names:<br>
|
||||
|
||||
<p align="left"> Each DNS name much be fully qualified and include a minumum
|
||||
of two periods (although one may be trailing). This restriction is
|
||||
imposed by Shorewall to insure backward compatibility with existing
|
||||
configuration files.<br>
|
||||
<br>
|
||||
Examples of valid DNS names:<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>mail (not fully qualified)</li>
|
||||
<li>shorewall.net (only one period)</li>
|
||||
|
||||
</ul>
|
||||
DNS names may not be used as:<br>
|
||||
<li>mail.shorewall.net</li>
|
||||
<li>shorewall.net. (note the trailing period).</li>
|
||||
|
||||
</ul>
|
||||
Examples of invalid DNS names:<br>
|
||||
|
||||
<ul>
|
||||
<li>The server address in a DNAT rule (/etc/shorewall/rules
|
||||
<li>mail (not fully qualified)</li>
|
||||
<li>shorewall.net (only one period)</li>
|
||||
|
||||
</ul>
|
||||
DNS names may not be used as:<br>
|
||||
|
||||
<ul>
|
||||
<li>The server address in a DNAT rule (/etc/shorewall/rules
|
||||
file)</li>
|
||||
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
|
||||
<li>In the /etc/shorewall/nat file.</li>
|
||||
|
||||
</ul>
|
||||
These restrictions are not imposed by Shorewall simply for
|
||||
your inconvenience but are rather limitations of iptables.<br>
|
||||
|
||||
<h2>Complementing an Address or Subnet</h2>
|
||||
|
||||
<p>Where specifying an IP address, a subnet or an interface, you can
|
||||
precede the item with "!" to specify the complement of the item. For
|
||||
example, !192.168.1.4 means "any host but 192.168.1.4". There must be
|
||||
no white space following the "!".</p>
|
||||
|
||||
<h2>Comma-separated Lists</h2>
|
||||
|
||||
<p>Comma-separated lists are allowed in a number of contexts within the
|
||||
configuration files. A comma separated list:</p>
|
||||
|
||||
<ul>
|
||||
<li>Must not have any embedded white space.<br>
|
||||
Valid: routestopped,dhcp,norfc1918<br>
|
||||
Invalid: routestopped, dhcp, norfc1818</li>
|
||||
<li>If you use line continuation to break a comma-separated
|
||||
list, the continuation line(s) must begin in column 1 (or there
|
||||
would be embedded white space)</li>
|
||||
<li>Entries in a comma-separated list may appear in
|
||||
any order.</li>
|
||||
<li>In the ADDRESS column of an entry in /etc/shorewall/masq.</li>
|
||||
<li>In the /etc/shorewall/nat file.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2>Port Numbers/Service Names</h2>
|
||||
|
||||
<p>Unless otherwise specified, when giving a port number you can use
|
||||
either an integer or a service name from /etc/services. </p>
|
||||
|
||||
<h2>Port Ranges</h2>
|
||||
|
||||
<p>If you need to specify a range of ports, the proper syntax is <<i>low
|
||||
port number</i>>:<<i>high port number</i>>. For example,
|
||||
if you want to forward the range of tcp ports 4000 through 4100 to local
|
||||
host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
|
||||
</p>
|
||||
|
||||
These restrictions are not imposed by Shorewall simply for
|
||||
your inconvenience but are rather limitations of iptables.<br>
|
||||
|
||||
<h2><a name="Compliment"></a>Complementing an Address or Subnet</h2>
|
||||
|
||||
<p>Where specifying an IP address, a subnet or an interface, you can
|
||||
precede the item with "!" to specify the complement of the item. For
|
||||
example, !192.168.1.4 means "any host but 192.168.1.4". There must
|
||||
be no white space following the "!".</p>
|
||||
|
||||
<h2><a name="Lists"></a>Comma-separated Lists</h2>
|
||||
|
||||
<p>Comma-separated lists are allowed in a number of contexts within the
|
||||
configuration files. A comma separated list:</p>
|
||||
|
||||
<ul>
|
||||
<li>Must not have any embedded white space.<br>
|
||||
Valid: routestopped,dhcp,norfc1918<br>
|
||||
Invalid: routestopped, dhcp, norfc1818</li>
|
||||
<li>If you use line continuation to break a comma-separated
|
||||
list, the continuation line(s) must begin in column 1 (or
|
||||
there would be embedded white space)</li>
|
||||
<li>Entries in a comma-separated list may appear in
|
||||
any order.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h2><a name="Ports"></a>Port Numbers/Service Names</h2>
|
||||
|
||||
<p>Unless otherwise specified, when giving a port number you can use
|
||||
either an integer or a service name from /etc/services. </p>
|
||||
|
||||
<h2><a name="Ranges"></a>Port Ranges</h2>
|
||||
|
||||
<p>If you need to specify a range of ports, the proper syntax is <<i>low
|
||||
port number</i>>:<<i>high port number</i>>. For example,
|
||||
if you want to forward the range of tcp ports 4000 through 4100 to
|
||||
local host 192.168.1.3, the entry in /etc/shorewall/rules is:<br>
|
||||
</p>
|
||||
|
||||
<pre> DNAT net loc:192.168.1.3 tcp 4000:4100<br></pre>
|
||||
|
||||
<h2>Using Shell Variables</h2>
|
||||
|
||||
<p>You may use the /etc/shorewall/params file to set shell variables
|
||||
that you can then use in some of the other configuration files.</p>
|
||||
|
||||
|
||||
<h2><a name="Variables"></a>Using Shell Variables</h2>
|
||||
|
||||
<p>You may use the /etc/shorewall/params file to set shell variables
|
||||
that you can then use in some of the other configuration files.</p>
|
||||
|
||||
<p>It is suggested that variable names begin with an upper case letter<font
|
||||
size="1"> </font>to distinguish them from variables used internally
|
||||
within the Shorewall programs</p>
|
||||
|
||||
size="1"> </font>to distinguish them from variables used internally
|
||||
within the Shorewall programs</p>
|
||||
|
||||
<p>Example:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
|
||||
<p><br>
|
||||
Example (/etc/shorewall/interfaces record):</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
|
||||
<p>The result will be the same as if the record had been written</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
|
||||
<p>Variables may be used anywhere in the other configuration
|
||||
files.</p>
|
||||
|
||||
<h2>Using MAC Addresses</h2>
|
||||
|
||||
<p>Media Access Control (MAC) addresses can be used to specify packet
|
||||
source in several of the configuration files. To use this feature,
|
||||
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
|
||||
included.</p>
|
||||
|
||||
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
|
||||
unique MAC address.<br>
|
||||
<br>
|
||||
In GNU/Linux, MAC addresses are usually written as a
|
||||
series of 6 hex numbers separated by colons. Example:<br>
|
||||
<br>
|
||||
[root@gateway root]# ifconfig eth0<br>
|
||||
eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
|
||||
inet addr:206.124.146.176 Bcast:206.124.146.255
|
||||
Mask:255.255.255.0<br>
|
||||
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
|
||||
RX packets:2398102 errors:0 dropped:0 overruns:0
|
||||
frame:0<br>
|
||||
TX packets:3044698 errors:0 dropped:0 overruns:0
|
||||
carrier:0<br>
|
||||
collisions:30394 txqueuelen:100<br>
|
||||
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
|
||||
(1582.8 Mb)<br>
|
||||
Interrupt:11 Base address:0x1800<br>
|
||||
<br>
|
||||
Because Shorewall uses colons as a separator for address
|
||||
fields, Shorewall requires MAC addresses to be written in another
|
||||
way. In Shorewall, MAC addresses begin with a tilde ("~") and
|
||||
consist of 6 hex numbers separated by hyphens. In Shorewall, the
|
||||
MAC address in the example above would be written "~02-00-08-E3-FA-55".<br>
|
||||
</p>
|
||||
|
||||
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
|
||||
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
|
||||
</p>
|
||||
|
||||
<h2><a name="Levels"></a>Logging</h2>
|
||||
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
|
||||
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
|
||||
the notation <i>facility.priority</i>). <br>
|
||||
<br>
|
||||
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
|
||||
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
|
||||
<i>local7</i>.<br>
|
||||
<br>
|
||||
Throughout the Shorewall documentation, I will use the term <i>level</i>
|
||||
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
|
||||
The syslog documentation uses the term <i>priority</i>.<br>
|
||||
|
||||
<h3>Syslog Levels<br>
|
||||
</h3>
|
||||
Syslog levels are a method of describing to syslog (8) the importance
|
||||
of a message and a number of Shorewall parameters have a syslog level
|
||||
as their value.<br>
|
||||
<br>
|
||||
Valid levels are:<br>
|
||||
<br>
|
||||
7 debug<br>
|
||||
6 info<br>
|
||||
5 notice<br>
|
||||
4 warning<br>
|
||||
3 err<br>
|
||||
2 crit<br>
|
||||
1 alert<br>
|
||||
0 emerg<br>
|
||||
<br>
|
||||
For most Shorewall logging, a level of 6 (info) is appropriate. Shorewall
|
||||
log messages are generated by NetFilter and are logged using the <i>kern</i>
|
||||
facility and the level that you specify. If you are unsure of the level
|
||||
to choose, 6 (info) is a safe bet. You may specify levels by name or by
|
||||
number.<br>
|
||||
<br>
|
||||
Syslogd writes log messages to files (typically in /var/log/*) based
|
||||
on their facility and level. The mapping of these facility/level pairs to
|
||||
log files is done in /etc/syslog.conf (5). If you make changes to this file,
|
||||
you must restart syslogd before the changes can take effect.<br>
|
||||
|
||||
<h3>Configuring a Separate Log for Shorewall Messages</h3>
|
||||
There are a couple of limitations to syslogd-based logging:<br>
|
||||
|
||||
<ol>
|
||||
<li>If you give, for example, kern.info it's own log destination then
|
||||
that destination will also receive all kernel messages of levels 5 (notice)
|
||||
through 0 (emerg).</li>
|
||||
<li>All kernel.info messages will go to that destination and not just
|
||||
those from NetFilter.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
Beginning with Shorewall version 1.3.12, if your kernel has ULOG target
|
||||
support (and most vendor-supplied kernels do), you may also specify a log
|
||||
level of ULOG (must be all caps). When ULOG is used, Shorewall will direct
|
||||
netfilter to log the related messages via the ULOG target which will send
|
||||
them to a process called 'ulogd'. The ulogd program is available from http://www.gnumonks.org/projects/ulogd
|
||||
and can be configured to log all Shorewall message to their own log file.<br>
|
||||
<br>
|
||||
Download the ulod tar file and:<br>
|
||||
|
||||
<ol>
|
||||
<li>cd /usr/local/src (or wherever you do your builds)</li>
|
||||
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
|
||||
<li>cd ulogd-<i>version</i><br>
|
||||
</li>
|
||||
<li>./configure</li>
|
||||
<li>make</li>
|
||||
<li>make install<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
If you are like me and don't have a development environment on your firewall,
|
||||
you can do the first five steps on another system then either NFS mount your
|
||||
/usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
|
||||
directory and move it to your firewall system.<br>
|
||||
<br>
|
||||
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
|
||||
|
||||
<ol>
|
||||
<li>syslogfile <i><file that you wish to log to></i></li>
|
||||
<li>syslogsync 1</li>
|
||||
|
||||
</ol>
|
||||
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init to
|
||||
/etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
|
||||
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple "chkconfig
|
||||
--level 3 ulogd on" starts ulogd during boot up. Your init system may need
|
||||
something else done to activate the script.<br>
|
||||
<br>
|
||||
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i><file that
|
||||
you wish to log to></i>. This tells the /sbin/shorewall program where to
|
||||
look for the log when processing its "show log", "logwatch" and "monitor"
|
||||
commands.<br>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<h2><a name="Configs"></a>Shorewall Configurations</h2>
|
||||
|
||||
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
|
||||
The <a href="starting_and_stopping_shorewall.htm">shorewall start and
|
||||
restart</a> commands allow you to specify an alternate configuration
|
||||
directory and Shorewall will use the files in the alternate directory
|
||||
rather than the corresponding files in /etc/shorewall. The alternate directory
|
||||
need not contain a complete configuration; those files not in the alternate
|
||||
directory will be read from /etc/shorewall.</p>
|
||||
|
||||
<p> This facility permits you to easily create a test or temporary configuration
|
||||
by:</p>
|
||||
|
||||
<pre>NET_IF=eth0<br>NET_BCAST=130.252.100.255<br>NET_OPTIONS=noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
|
||||
<p><br>
|
||||
Example (/etc/shorewall/interfaces record):</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
|
||||
<p>The result will be the same as if the record had been written</p>
|
||||
<font
|
||||
face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote>
|
||||
|
||||
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
|
||||
</blockquote>
|
||||
</font>
|
||||
|
||||
<p>Variables may be used anywhere in the other configuration
|
||||
files.</p>
|
||||
|
||||
<h2><a name="MAC"></a>Using MAC Addresses</h2>
|
||||
|
||||
<p>Media Access Control (MAC) addresses can be used to specify packet
|
||||
source in several of the configuration files. To use this feature,
|
||||
your kernel must have MAC Address Match support (CONFIG_IP_NF_MATCH_MAC)
|
||||
included.</p>
|
||||
|
||||
<p>MAC addresses are 48 bits wide and each Ethernet Controller has a
|
||||
unique MAC address.<br>
|
||||
<br>
|
||||
In GNU/Linux, MAC addresses are usually written as a
|
||||
series of 6 hex numbers separated by colons. Example:<br>
|
||||
<br>
|
||||
[root@gateway root]# ifconfig eth0<br>
|
||||
eth0 Link encap:Ethernet HWaddr <b><u>02:00:08:E3:FA:55</u></b><br>
|
||||
inet addr:206.124.146.176 Bcast:206.124.146.255
|
||||
Mask:255.255.255.0<br>
|
||||
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1<br>
|
||||
RX packets:2398102 errors:0 dropped:0 overruns:0
|
||||
frame:0<br>
|
||||
TX packets:3044698 errors:0 dropped:0 overruns:0
|
||||
carrier:0<br>
|
||||
collisions:30394 txqueuelen:100<br>
|
||||
RX bytes:419871805 (400.4 Mb) TX bytes:1659782221
|
||||
(1582.8 Mb)<br>
|
||||
Interrupt:11 Base address:0x1800<br>
|
||||
<br>
|
||||
Because Shorewall uses colons as a separator for address
|
||||
fields, Shorewall requires MAC addresses to be written in another
|
||||
way. In Shorewall, MAC addresses begin with a tilde ("~") and consist
|
||||
of 6 hex numbers separated by hyphens. In Shorewall, the MAC address
|
||||
in the example above would be written "~02-00-08-E3-FA-55".<br>
|
||||
</p>
|
||||
|
||||
<p><b>Note: </b>It is not necessary to use the special Shorewall notation
|
||||
in the <a href="MAC_Validation.html">/etc/shorewall/maclist</a> file.<br>
|
||||
</p>
|
||||
|
||||
<h2><a name="Levels"></a>Shorewall Configurations</h2>
|
||||
|
||||
<p> Shorewall allows you to have configuration directories other than /etc/shorewall.
|
||||
The <a href="starting_and_stopping_shorewall.htm">shorewall start
|
||||
and restart</a> commands allow you to specify an alternate configuration
|
||||
directory and Shorewall will use the files in the alternate directory
|
||||
rather than the corresponding files in /etc/shorewall. The alternate
|
||||
directory need not contain a complete configuration; those files not
|
||||
in the alternate directory will be read from /etc/shorewall.</p>
|
||||
|
||||
<p> This facility permits you to easily create a test or temporary configuration
|
||||
by:</p>
|
||||
|
||||
<ol>
|
||||
<li> copying the files that need modification from
|
||||
/etc/shorewall to a separate directory;</li>
|
||||
<li> modify those files in the separate directory;
|
||||
and</li>
|
||||
<li> specifying the separate directory in a shorewall
|
||||
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
|
||||
restart</b></i> ).</li>
|
||||
|
||||
<li> copying the files that need modification from
|
||||
/etc/shorewall to a separate directory;</li>
|
||||
<li> modify those files in the separate directory;
|
||||
and</li>
|
||||
<li> specifying the separate directory in a shorewall
|
||||
start or shorewall restart command (e.g., <i><b>shorewall -c /etc/testconfig
|
||||
restart</b></i> ).</li>
|
||||
|
||||
</ol>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><font size="2"> Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
|
||||
<p><font size="2"> Updated 12/29/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -1,34 +1,45 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
|
||||
<head>
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
|
||||
<title>Copyright</title>
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Copyright</title>
|
||||
</head>
|
||||
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#FFFFFF">Copyright</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">Copyright</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<p align="left">Copyright <font face="Trebuchet MS">©</font> 2000, 2001
|
||||
Thomas M Eastep<br>
|
||||
</p>
|
||||
<blockquote>
|
||||
<p align="left">Permission is granted to copy, distribute and/or modify this
|
||||
document under the terms of the GNU Free Documentation License, Version 1.1 or
|
||||
any later version published by the Free Software Foundation; with no Invariant
|
||||
Sections, with no Front-Cover, and with no Back-Cover Texts. A copy of the
|
||||
license is included in the section entitled "<a href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p align="left">Copyright <font face="Trebuchet MS">©</font> 2000, 2001,
|
||||
2003 Thomas M Eastep<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">Permission is granted to copy, distribute and/or modify
|
||||
this document under the terms of the GNU Free Documentation License, Version
|
||||
1.1 or any later version published by the Free Software Foundation; with
|
||||
no Invariant Sections, with no Front-Cover, and with no Back-Cover Texts.
|
||||
A copy of the license is included in the section entitled "<a
|
||||
href="GnuCopyright.htm">GNU Free Documentation License</a>".<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
<br>
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
@ -1,387 +1,393 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Download</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Download</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p><b>I strongly urge you to read and print a copy of the <a
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.<br>
|
||||
</b></p>
|
||||
|
||||
<p>The entire set of Shorewall documentation is available in PDF format at:</p>
|
||||
|
||||
href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
|
||||
for the configuration that most closely matches your own.<br>
|
||||
</b></p>
|
||||
|
||||
<p>The entire set of Shorewall documentation is available in PDF format
|
||||
at:</p>
|
||||
|
||||
<p> <a href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
<a href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
<a href="rsync://slovakia.shorewall.net/shorewall/pdf/">rsync://slovakia.shorewall.net/shorewall/pdf/</a>
|
||||
</p>
|
||||
|
||||
<p>The documentation in HTML format is included in the .rpm and in the .tgz
|
||||
packages below.</p>
|
||||
|
||||
|
||||
<p>The documentation in HTML format is included in the .rpm and in the
|
||||
.tgz packages below.</p>
|
||||
|
||||
<p> Once you've done that, download <u> one</u> of the modules:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
|
||||
Linux PPC</b> or <b> TurboLinux</b> distribution with
|
||||
a 2.4 kernel, you can use the RPM version (note: the RPM
|
||||
should also work with other distributions that store init
|
||||
scripts in /etc/init.d and that include chkconfig or insserv).
|
||||
If you find that it works in other cases, let <a
|
||||
href="mailto:teastep@shorewall.net"> me</a> know so that
|
||||
I can mention them here. See the <a href="Install.htm">Installation Instructions</a>
|
||||
if you have problems installing the RPM.</li>
|
||||
<li>If you are running LRP, download the .lrp file (you might
|
||||
also want to download the .tgz so you will have a copy of the documentation).</li>
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
|
||||
and would like a .deb package, Shorewall is included in both the
|
||||
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
Testing Branch</a> and the <a
|
||||
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i>
|
||||
module (.tgz)</li>
|
||||
|
||||
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b>
|
||||
Linux PPC</b> or <b> TurboLinux</b> distribution with
|
||||
a 2.4 kernel, you can use the RPM version (note: the
|
||||
RPM should also work with other distributions that store
|
||||
init scripts in /etc/init.d and that include chkconfig or
|
||||
insserv). If you find that it works in other cases, let <a
|
||||
href="mailto:teastep@shorewall.net"> me</a> know so that
|
||||
I can mention them here. See the <a href="Install.htm">Installation
|
||||
Instructions</a> if you have problems installing the RPM.</li>
|
||||
<li>If you are running LRP, download the .lrp file (you
|
||||
might also want to download the .tgz so you will have a copy of
|
||||
the documentation).</li>
|
||||
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a>
|
||||
and would like a .deb package, Shorewall is included in both the
|
||||
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
|
||||
Testing Branch</a> and the <a
|
||||
href="http://packages.debian.org/unstable/net/shorewall.html">Debian
|
||||
Unstable Branch</a>.</li>
|
||||
<li>Otherwise, download the <i>shorewall</i>
|
||||
module (.tgz)</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>The documentation in HTML format is included in the .tgz and .rpm files
|
||||
and there is an documentation .deb that also contains the documentation.</p>
|
||||
|
||||
<p>Please verify the version that you have downloaded -- during the
|
||||
release of a new version of Shorewall, the links below may point
|
||||
to a newer or an older version than is shown below.</p>
|
||||
|
||||
|
||||
<p>The documentation in HTML format is included in the .tgz and .rpm files
|
||||
and there is an documentation .deb that also contains the documentation.</p>
|
||||
|
||||
<p>Please verify the version that you have downloaded -- during the
|
||||
release of a new version of Shorewall, the links below may
|
||||
point to a newer or an older version than is shown below.</p>
|
||||
|
||||
<ul>
|
||||
<li>RPM - "rpm -qip LATEST.rpm"</li>
|
||||
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
|
||||
<li>RPM - "rpm -qip LATEST.rpm"</li>
|
||||
<li>TARBALL - "tar -ztf LATEST.tgz" (the directory name
|
||||
will contain the version)</li>
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
|
||||
-zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version" </li>
|
||||
|
||||
<li>LRP - "mkdir Shorewall.lrp; cd Shorewall.lrp; tar
|
||||
-zxf <downloaded .lrp>; cat var/lib/lrpkg/shorwall.version"
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p><font face="Arial">Once you have verified the version, check the
|
||||
</font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font
|
||||
face="Arial"> to see if there are updates that apply to the version
|
||||
that you have downloaded.</font></p>
|
||||
|
||||
<p><font color="#ff0000" face="Arial"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY
|
||||
INSTALL THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed
|
||||
configuration of your firewall, you can enable startup by removing the
|
||||
file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
|
||||
<p><b>Download Latest Version</b> (<b>1.3.12</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the Washington
|
||||
State site.</b></p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p>Once you have verified the version, check the <font
|
||||
color="#ff0000"> <a href="errata.htm"> errata</a></font> to see
|
||||
if there are updates that apply to the version that you have
|
||||
downloaded.</p>
|
||||
|
||||
<p><font color="#ff0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL
|
||||
THE RPM AND ISSUE A "shorewall start" COMMAND. SOME CONFIGURATION
|
||||
IS REQUIRED BEFORE THE FIREWALL WILL START. Once you have completed configuration
|
||||
of your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.</b></font></p>
|
||||
|
||||
<p><b>Download Latest Version</b> (<b>1.3.13</b>): <b>Remember that updates
|
||||
to the mirrors occur 1-12 hours after an update to the Washington State
|
||||
site.</b></p>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellspacing="3" cellpadding="3"
|
||||
style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">SourceForge<br>
|
||||
</td>
|
||||
<td valign="top">sf.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
<td valign="top">SourceForge<br>
|
||||
</td>
|
||||
<td valign="top">sf.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Download</a><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td> <a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Paris, France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.tgz">Download .tgz</a> <br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.lrp">Download .lrp</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="middle">Washington State, USA<br>
|
||||
</td>
|
||||
<td valign="middle">Shorewall.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
|
||||
Download .rpm</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp"> Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://germany.shorewall.net/pub/shorewall/LATEST.md5sums">
|
||||
Download.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm"> Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td> <a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
|
||||
Download .lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Paris, France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://france.shorewall.net/pub/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.rpm">Download
|
||||
.rpm</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="middle">Washington State, USA<br>
|
||||
</td>
|
||||
<td valign="middle">Shorewall.net<br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
|
||||
.lrp</a><br>
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
<td valign="top"><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
|
||||
Download .rpm</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
|
||||
.tgz</a> <br>
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
|
||||
.lrp</a><br>
|
||||
<a target="_blank"
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.md5sums">Download
|
||||
.md5sums</a><br>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p><b>Browse Download Sites:</b></p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>SourceForge<br>
|
||||
</td>
|
||||
<td>sf.net</td>
|
||||
<td><a
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>SERVER LOCATION</b></td>
|
||||
<td><b>DOMAIN</b></td>
|
||||
<td><b>HTTP</b></td>
|
||||
<td><b>FTP</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>SourceForge<br>
|
||||
</td>
|
||||
<td>sf.net</td>
|
||||
<td><a
|
||||
href="http://sourceforge.net/project/showfiles.php?group_id=22587">Browse</a></td>
|
||||
<td>N/A</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td><a
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<td>N/A</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/"
|
||||
target="_blank">Browse</a></td>
|
||||
<td>Slovak Republic</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Texas, USA</td>
|
||||
<td>Infohiiway.com</td>
|
||||
<td><a
|
||||
href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Hamburg, Germany</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a target="_blank"
|
||||
href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Martinez (Zona Norte - GBA), Argentina</td>
|
||||
<td>Correofuego.com.ar</td>
|
||||
<td><a
|
||||
href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall"> Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>France</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://france.shorewall.net/pub/shorewall/LATEST.lrp">Browse</a></td>
|
||||
<td> <a target="_blank"
|
||||
href="ftp://france.shorewall.net/pub/mirrors/shorewall/">Browse</a></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>Washington State, USA</td>
|
||||
<td>Shorewall.net</td>
|
||||
<td><a
|
||||
href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
|
||||
<td><a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><b>CVS:</b></p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p align="left">The <a target="_top"
|
||||
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
|
||||
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
|
||||
component. There's no guarantee that what you find there will work at
|
||||
all.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 12/12/2002 - <a
|
||||
href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS repository at
|
||||
cvs.shorewall.net</a> contains the latest snapshots of the each Shorewall
|
||||
component. There's no guarantee that what you find there will work
|
||||
at all.<br>
|
||||
</p>
|
||||
</blockquote>
|
||||
|
||||
<p align="left"><font size="2">Last Updated 1/13/2003 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,214 +1,240 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall 1.3 Errata</title>
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Errata/Upgrade Issues</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p align="center"> <b><u>IMPORTANT</u></b></p>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>
|
||||
|
||||
<li>
|
||||
|
||||
<p align="left"> <b><u>I</u>f you use a Windows system to download
|
||||
a corrected script, be sure to run the script through <u>
|
||||
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||
a corrected script, be sure to run the script through <u>
|
||||
<a href="http://www.megaloman.com/%7Ehany/software/hd2u/"
|
||||
style="text-decoration: none;"> dos2unix</a></u> after you have moved
|
||||
it to your Linux system.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
it to your Linux system.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left"> <b>If you are installing Shorewall for the
|
||||
first time and plan to use the .tgz and install.sh script, you can
|
||||
untar the archive, replace the 'firewall' script in the untarred directory
|
||||
with the one you downloaded below, and then run install.sh.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left"> <b>When the instructions say to install a corrected
|
||||
firewall script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
|
||||
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to
|
||||
overwrite the existing file. DO NOT REMOVE OR RENAME THE OLD
|
||||
/etc/shorewall/firewall or /var/lib/shorewall/firewall before
|
||||
you do that. /etc/shorewall/firewall and /var/lib/shorewall/firewall
|
||||
are symbolic links that point to the 'shorewall' file used by your
|
||||
system initialization scripts to start Shorewall during boot.
|
||||
It is that file that must be overwritten with the corrected
|
||||
script.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
|
||||
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
|
||||
example, do NOT install the 1.3.9a firewall script if you are running 1.3.7c.</font></b><br>
|
||||
</p>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<ul>
|
||||
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
|
||||
<li> <b><a href="#V1.3">Problems
|
||||
in Version 1.3</a></b></li>
|
||||
<li> <b><a
|
||||
href="errata_2.htm">Problems in Version 1.2</a></b></li>
|
||||
<li> <b><font color="#660066">
|
||||
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
||||
<li> <b><font color="#660066"><a
|
||||
href="#iptables"> Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
|
||||
<li> <b><a href="#Debug">Problems
|
||||
with kernels >= 2.4.18 and RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM
|
||||
on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables version
|
||||
1.2.7 and MULTIPORT=Yes</a></b></li>
|
||||
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
|
||||
with the one you downloaded below, and then run install.sh.</b></p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left"> <b>If you are running a Shorewall version earlier
|
||||
than 1.3.11, when the instructions say to install a corrected firewall
|
||||
script in /etc/shorewall/firewall, /usr/lib/shorewall/firewall
|
||||
or /var/lib/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite
|
||||
the existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
|
||||
or /var/lib/shorewall/firewall before you do that. /etc/shorewall/firewall
|
||||
and /var/lib/shorewall/firewall are symbolic links that point
|
||||
to the 'shorewall' file used by your system initialization scripts
|
||||
to start Shorewall during boot. It is that file that must be overwritten
|
||||
with the corrected script. Beginning with Shorewall 1.3.11, you
|
||||
may rename the existing file before copying in the new file.</b></p>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
<p align="left"><b><font color="#ff0000">DO NOT INSTALL CORRECTED COMPONENTS
|
||||
ON A RELEASE EARLIER THAN THE ONE THAT THEY ARE LISTED UNDER BELOW. For
|
||||
example, do NOT install the 1.3.9a firewall script if you are running
|
||||
1.3.7c.</font></b><br>
|
||||
</p>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<ul>
|
||||
<li><b><a href="upgrade_issues.htm">Upgrade Issues</a></b></li>
|
||||
<li> <b><a href="#V1.3">Problems
|
||||
in Version 1.3</a></b></li>
|
||||
<li> <b><a
|
||||
href="errata_2.htm">Problems in Version 1.2</a></b></li>
|
||||
<li> <b><font
|
||||
color="#660066"> <a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
|
||||
<li> <b><font
|
||||
color="#660066"><a href="#iptables"> Problem with iptables version 1.2.3
|
||||
on RH7.2</a></font></b></li>
|
||||
<li> <b><a href="#Debug">Problems
|
||||
with kernels >= 2.4.18 and RedHat iptables</a></b></li>
|
||||
<li><b><a href="#SuSE">Problems installing/upgrading RPM
|
||||
on SuSE</a></b></li>
|
||||
<li><b><a href="#Multiport">Problems with iptables version
|
||||
1.2.7 and MULTIPORT=Yes</a></b></li>
|
||||
<li><b><a href="#NAT">Problems with RH Kernel 2.4.18-10 and NAT</a></b><br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<hr>
|
||||
|
||||
<hr>
|
||||
<h2 align="left"><a name="V1.3"></a>Problems in Version 1.3</h2>
|
||||
|
||||
<h3>Version 1.3.11a</h3>
|
||||
|
||||
<h3>Version 1.3.12</h3>
|
||||
<ul>
|
||||
<li><a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
|
||||
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
|
||||
<li>If RFC_1918_LOG_LEVEL is set to anything but ULOG, the effect is the
|
||||
same as if RFC_1918_LOG_LEVEL=info had been specified. The problem is corrected
|
||||
by <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.12/firewall">this
|
||||
firewall script</a> which may be installed in /usr/lib/shorewall as described
|
||||
above.<br>
|
||||
</li>
|
||||
</ul>
|
||||
<h3>Version 1.3.11</h3>
|
||||
|
||||
<h3>Version 1.3.12 LRP</h3>
|
||||
|
||||
<ul>
|
||||
<li>When installing/upgrading using the .rpm, you may receive the following
|
||||
warnings:<br>
|
||||
<br>
|
||||
user teastep does not exist - using root<br>
|
||||
group teastep does not exist - using root<br>
|
||||
<br>
|
||||
These warnings are harmless and may be ignored. Users downloading the
|
||||
.rpm from shorewall.net or mirrors should no longer see these warnings as
|
||||
the .rpm you will get from there has been corrected.</li>
|
||||
<li>DNAT rules that exclude a source subzone (SOURCE column contains
|
||||
! followed by a sub-zone list) result in an error message and Shorewall
|
||||
fails to start.<br>
|
||||
<br>
|
||||
Install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
|
||||
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
|
||||
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
|
||||
<br>
|
||||
This problem is corrected in version 1.3.11a.<br>
|
||||
<li>The .lrp was missing the /etc/shorewall/routestopped file -- a new
|
||||
lrp (shorwall-1.3.12a.lrp) has been released which corrects this problem.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.11a</h3>
|
||||
|
||||
<ul>
|
||||
<li><a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/rfc1918">This
|
||||
copy of /etc/shorewall/rfc1918</a> reflects the recent allocation of 82.0.0.0/8.<br>
|
||||
</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3>Version 1.3.11</h3>
|
||||
|
||||
<ul>
|
||||
<li>When installing/upgrading using the .rpm, you may receive the
|
||||
following warnings:<br>
|
||||
<br>
|
||||
user teastep does not exist - using root<br>
|
||||
group teastep does not exist - using root<br>
|
||||
<br>
|
||||
These warnings are harmless and may be ignored. Users downloading the
|
||||
.rpm from shorewall.net or mirrors should no longer see these warnings
|
||||
as the .rpm you will get from there has been corrected.</li>
|
||||
<li>DNAT rules that exclude a source subzone (SOURCE column contains
|
||||
! followed by a sub-zone list) result in an error message and Shorewall
|
||||
fails to start.<br>
|
||||
<br>
|
||||
Install <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.11/firewall">this
|
||||
corrected script</a> in /usr/lib/shorewall/firewall to correct this problem.
|
||||
Thanks go to Roger Aich who analyzed this problem and provided a fix.<br>
|
||||
<br>
|
||||
This problem is corrected in version 1.3.11a.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.10</h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>If you experience problems connecting to a PPTP server running
|
||||
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
|
||||
<a
|
||||
<li>If you experience problems connecting to a PPTP server running
|
||||
on your firewall and you have a 'pptpserver' entry in /etc/shorewall/tunnels,
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.10/firewall">this
|
||||
version of the firewall script</a> may help. Please report any cases where
|
||||
installing this script in /usr/lib/shorewall/firewall solved your connection
|
||||
problems. Beginning with version 1.3.10, it is safe to save the old version
|
||||
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
|
||||
is the real script now and not just a symbolic link to the real script.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.9a</h3>
|
||||
|
||||
<ul>
|
||||
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
|
||||
then the following message appears during "shorewall [re]start":</li>
|
||||
|
||||
version of the firewall script</a> may help. Please report any cases where
|
||||
installing this script in /usr/lib/shorewall/firewall solved your connection
|
||||
problems. Beginning with version 1.3.10, it is safe to save the old version
|
||||
of /usr/lib/shorewall/firewall before copying in the new one since /usr/lib/shorewall/firewall
|
||||
is the real script now and not just a symbolic link to the real script.<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3>Version 1.3.9a</h3>
|
||||
|
||||
<ul>
|
||||
<li> If entries are used in /etc/shorewall/hosts and MERGE_HOSTS=No
|
||||
then the following message appears during "shorewall [re]start":</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<pre> recalculate_interfacess: command not found<br></pre>
|
||||
|
||||
|
||||
<blockquote> The updated firewall script at <a
|
||||
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
|
||||
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
|
||||
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
|
||||
described above.<br>
|
||||
</blockquote>
|
||||
|
||||
corrects this problem.Copy the script to /usr/lib/shorewall/firewall as
|
||||
described above.<br>
|
||||
</blockquote>
|
||||
|
||||
<blockquote> Alternatively, edit /usr/lob/shorewall/firewall and change the
|
||||
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
|
||||
to 'recalculate_interface'. <br>
|
||||
</blockquote>
|
||||
|
||||
single occurence (line 483 in version 1.3.9a) of 'recalculate_interefacess'
|
||||
to 'recalculate_interface'. <br>
|
||||
</blockquote>
|
||||
|
||||
<ul>
|
||||
<li>The installer (install.sh) issues a misleading message "Common
|
||||
functions installed in /var/lib/shorewall/functions" whereas the file
|
||||
<li>The installer (install.sh) issues a misleading message "Common
|
||||
functions installed in /var/lib/shorewall/functions" whereas the file
|
||||
is installed in /usr/lib/shorewall/functions. The installer also performs
|
||||
incorrectly when updating old configurations that had the file /etc/shorewall/functions.
|
||||
<a
|
||||
<a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.3.9/install.sh">Here
|
||||
is an updated version that corrects these problems.<br>
|
||||
</a></li>
|
||||
|
||||
is an updated version that corrects these problems.<br>
|
||||
</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3>Version 1.3.9</h3>
|
||||
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall script
|
||||
at <a
|
||||
<b>TUNNELS Broken in 1.3.9!!! </b>There is an updated firewall
|
||||
script at <a
|
||||
href="ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall"
|
||||
target="_top">ftp://www.shorewall.net/pub/shorewall/errata/1.3.9/firewall</a>
|
||||
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
|
||||
<br>
|
||||
Version 1.3.8
|
||||
-- copy that file to /usr/lib/shorewall/firewall as described above.<br>
|
||||
<br>
|
||||
Version 1.3.8
|
||||
<ul>
|
||||
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
|
||||
of the policy file doesn't work.</li>
|
||||
<li>A DNAT rule with the same original and new IP addresses
|
||||
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
|
||||
tcp 25 - 10.1.1.1")<br>
|
||||
</li>
|
||||
|
||||
<li> Use of shell variables in the LOG LEVEL or SYNPARMS columns
|
||||
of the policy file doesn't work.</li>
|
||||
<li>A DNAT rule with the same original and new IP addresses
|
||||
but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:24
|
||||
tcp 25 - 10.1.1.1")<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
Installing <a
|
||||
Installing <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.8/firewall">
|
||||
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
||||
as described above corrects these problems.
|
||||
|
||||
as described above corrects these problems.
|
||||
|
||||
<h3>Version 1.3.7b</h3>
|
||||
|
||||
|
||||
<p>DNAT rules where the source zone is 'fw' ($FW)
|
||||
result in an error message. Installing
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
||||
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
||||
as described above corrects this problem.</p>
|
||||
|
||||
as described above corrects this problem.</p>
|
||||
|
||||
<h3>Version 1.3.7a</h3>
|
||||
|
||||
|
||||
<p>"shorewall refresh" is not creating the proper
|
||||
rule for FORWARDPING=Yes. Consequently, after
|
||||
"shorewall refresh", the firewall will not forward
|
||||
@ -216,349 +242,358 @@ but with different port numbers doesn't work (e.g., "DNAT loc dmz:10.1.1.1:
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
||||
this corrected firewall script</a> in /var/lib/shorewall/firewall
|
||||
as described above corrects this problem.</p>
|
||||
|
||||
as described above corrects this problem.</p>
|
||||
|
||||
<h3>Version <= 1.3.7a</h3>
|
||||
|
||||
|
||||
<p>If "norfc1918" and "dhcp" are both specified as
|
||||
options on a given interface then RFC 1918
|
||||
checking is occurring before DHCP checking. This
|
||||
means that if a DHCP client broadcasts using an
|
||||
RFC 1918 source address, then the firewall will
|
||||
reject the broadcast (usually logging it). This
|
||||
has two problems:</p>
|
||||
|
||||
has two problems:</p>
|
||||
|
||||
<ol>
|
||||
<li>If the firewall is running
|
||||
a DHCP server, the client won't be able
|
||||
to obtain an IP address lease from
|
||||
<li>If the firewall is running
|
||||
a DHCP server, the client won't be
|
||||
able to obtain an IP address lease from
|
||||
that server.</li>
|
||||
<li>With this order of checking,
|
||||
the "dhcp" option cannot be used as
|
||||
a noise-reduction measure where there
|
||||
are both dynamic and static clients on
|
||||
a LAN segment.</li>
|
||||
|
||||
<li>With this order of checking,
|
||||
the "dhcp" option cannot be used as
|
||||
a noise-reduction measure where there
|
||||
are both dynamic and static clients
|
||||
on a LAN segment.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
|
||||
<p> <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.7/firewall">
|
||||
This version of the 1.3.7a firewall script </a>
|
||||
corrects the problem. It must be installed
|
||||
in /var/lib/shorewall as described above.</p>
|
||||
|
||||
corrects the problem. It must be installed
|
||||
in /var/lib/shorewall as described
|
||||
above.</p>
|
||||
|
||||
<h3>Version 1.3.7</h3>
|
||||
|
||||
|
||||
<p>Version 1.3.7 dead on arrival -- please use
|
||||
version 1.3.7a and check your version against
|
||||
these md5sums -- if there's a difference, please
|
||||
download again.</p>
|
||||
|
||||
|
||||
<pre> d2fffb7fb99bcc6cb047ea34db1df10 shorewall-1.3.7a.tgz<br> 6a7fd284c8685b2b471a2f47b469fb94 shorewall-1.3.7a-1.noarch.rpm<br> 3decd14296effcff16853106771f7035 shorwall-1.3.7a.lrp</pre>
|
||||
|
||||
|
||||
<p>In other words, type "md5sum <<i>whatever package you downloaded</i>>
|
||||
and compare the result with what you see above.</p>
|
||||
|
||||
and compare the result with what you see above.</p>
|
||||
|
||||
<p>I'm embarrassed to report that 1.2.7 was also DOA -- maybe I'll skip the
|
||||
.7 version in each sequence from now on.</p>
|
||||
|
||||
.7 version in each sequence from now on.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.6</h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
|
||||
<li>
|
||||
|
||||
<p align="left">If ADD_SNAT_ALIASES=Yes is specified in /etc/shorewall/shorewall.conf,
|
||||
an error occurs when the firewall script attempts to add
|
||||
an SNAT alias. </p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
an error occurs when the firewall script attempts to add
|
||||
an SNAT alias. </p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">The <b>logunclean </b>and <b>dropunclean</b> options
|
||||
cause errors during startup when Shorewall is run with iptables
|
||||
1.2.7. </p>
|
||||
</li>
|
||||
|
||||
1.2.7. </p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p align="left">These problems are fixed in <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
||||
this correct firewall script</a> which must be installed in
|
||||
/var/lib/shorewall/ as described above. These problems are also
|
||||
corrected in version 1.3.7.</p>
|
||||
|
||||
|
||||
<h3 align="left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
|
||||
|
||||
|
||||
<p align="left">A line was inadvertently deleted from the "interfaces
|
||||
file" -- this line should be added back in if the version that you
|
||||
downloaded is missing it:</p>
|
||||
|
||||
downloaded is missing it:</p>
|
||||
|
||||
<p align="left">net eth0 detect routefilter,dhcp,norfc1918</p>
|
||||
|
||||
|
||||
<p align="left">If you downloaded two-interfaces-a.tgz then the above
|
||||
line should already be in the file.</p>
|
||||
|
||||
|
||||
<h3 align="left">Version 1.3.5-1.3.5b</h3>
|
||||
|
||||
|
||||
<p align="left">The new 'proxyarp' interface option doesn't work :-(
|
||||
This is fixed in <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
||||
this corrected firewall script</a> which must be installed in
|
||||
/var/lib/shorewall/ as described above.</p>
|
||||
|
||||
|
||||
<h3 align="left">Versions 1.3.4-1.3.5a</h3>
|
||||
|
||||
|
||||
<p align="left">Prior to version 1.3.4, host file entries such as the
|
||||
following were allowed:</p>
|
||||
|
||||
<div align="left">
|
||||
|
||||
<div align="left">
|
||||
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">That capability was lost in version 1.3.4 so that it is only
|
||||
possible to include a single host specification on each line.
|
||||
possible to include a single host specification on each line.
|
||||
This problem is corrected by <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5a/firewall">this
|
||||
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
|
||||
as instructed above.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
modified 1.3.5a firewall script</a>. Install the script in /var/lib/pub/shorewall/firewall
|
||||
as instructed above.</p>
|
||||
</div>
|
||||
|
||||
<div align="left">
|
||||
<p align="left">This problem is corrected in version 1.3.5b.</p>
|
||||
</div>
|
||||
|
||||
</div>
|
||||
|
||||
<h3 align="left">Version 1.3.5</h3>
|
||||
|
||||
|
||||
<p align="left">REDIRECT rules are broken in this version. Install
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
|
||||
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
|
||||
as instructed above. This problem is corrected in version
|
||||
1.3.5a.</p>
|
||||
|
||||
as instructed above. This problem is corrected in version
|
||||
1.3.5a.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.n, n < 4</h3>
|
||||
|
||||
|
||||
<p align="left">The "shorewall start" and "shorewall restart" commands
|
||||
to not verify that the zones named in the /etc/shorewall/policy
|
||||
file have been previously defined in the /etc/shorewall/zones
|
||||
file. The "shorewall check" command does perform this verification
|
||||
so it's a good idea to run that command after you have made configuration
|
||||
changes.</p>
|
||||
|
||||
changes.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.n, n < 3</h3>
|
||||
|
||||
|
||||
<p align="left">If you have upgraded from Shorewall 1.2 and after
|
||||
"Activating rules..." you see the message: "iptables: No chains/target/match
|
||||
by that name" then you probably have an entry in /etc/shorewall/hosts
|
||||
that specifies an interface that you didn't include in /etc/shorewall/interfaces.
|
||||
To correct this problem, you must add an entry to /etc/shorewall/interfaces.
|
||||
Shorewall 1.3.3 and later versions produce a clearer error
|
||||
message in this case.</p>
|
||||
|
||||
by that name" then you probably have an entry in /etc/shorewall/hosts
|
||||
that specifies an interface that you didn't include in
|
||||
/etc/shorewall/interfaces. To correct this problem, you
|
||||
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
|
||||
later versions produce a clearer error message in this case.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.2</h3>
|
||||
|
||||
|
||||
<p align="left">Until approximately 2130 GMT on 17 June 2002, the
|
||||
download sites contained an incorrect version of the .lrp file. That
|
||||
file can be identified by its size (56284 bytes). The correct
|
||||
version has a size of 38126 bytes.</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>The code to detect a duplicate interface entry
|
||||
in /etc/shorewall/interfaces contained a typo that prevented
|
||||
it from working correctly. </li>
|
||||
<li>"NAT_BEFORE_RULES=No" was broken; it behaved
|
||||
just like "NAT_BEFORE_RULES=Yes".</li>
|
||||
|
||||
<li>The code to detect a duplicate interface entry
|
||||
in /etc/shorewall/interfaces contained a typo that prevented
|
||||
it from working correctly. </li>
|
||||
<li>"NAT_BEFORE_RULES=No" was broken; it behaved
|
||||
just like "NAT_BEFORE_RULES=Yes".</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p align="left">Both problems are corrected in <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
|
||||
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b>
|
||||
as described above.</p>
|
||||
|
||||
as described above.</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
|
||||
<li>
|
||||
|
||||
<p align="left">The IANA have just announced the allocation of subnet
|
||||
221.0.0.0/8. This <a
|
||||
221.0.0.0/8. This <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
|
||||
updated rfc1918</a> file reflects that allocation.</p>
|
||||
</li>
|
||||
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3 align="left">Version 1.3.1</h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>TCP SYN packets may be double counted when
|
||||
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
|
||||
each packet is sent through the limit chain twice).</li>
|
||||
<li>An unnecessary jump to the policy chain is sometimes
|
||||
generated for a CONTINUE policy.</li>
|
||||
<li>When an option is given for more than one interface
|
||||
in /etc/shorewall/interfaces then depending on the option,
|
||||
Shorewall may ignore all but the first appearence of the
|
||||
option. For example:<br>
|
||||
<br>
|
||||
net eth0 dhcp<br>
|
||||
loc eth1 dhcp<br>
|
||||
<br>
|
||||
Shorewall will ignore the 'dhcp' on eth1.</li>
|
||||
<li>Update 17 June 2002 - The bug described in the
|
||||
prior bullet affects the following options: dhcp, dropunclean,
|
||||
logunclean, norfc1918, routefilter, multi, filterping and
|
||||
noping. An additional bug has been found that affects only
|
||||
the 'routestopped' option.<br>
|
||||
<br>
|
||||
Users who downloaded the corrected script prior
|
||||
to 1850 GMT today should download and install the corrected
|
||||
script again to ensure that this second problem is corrected.</li>
|
||||
|
||||
<li>TCP SYN packets may be double counted when
|
||||
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e.,
|
||||
each packet is sent through the limit chain twice).</li>
|
||||
<li>An unnecessary jump to the policy chain is
|
||||
sometimes generated for a CONTINUE policy.</li>
|
||||
<li>When an option is given for more than one
|
||||
interface in /etc/shorewall/interfaces then depending
|
||||
on the option, Shorewall may ignore all but the first
|
||||
appearence of the option. For example:<br>
|
||||
<br>
|
||||
net eth0 dhcp<br>
|
||||
loc eth1 dhcp<br>
|
||||
<br>
|
||||
Shorewall will ignore the 'dhcp' on eth1.</li>
|
||||
<li>Update 17 June 2002 - The bug described in
|
||||
the prior bullet affects the following options: dhcp, dropunclean,
|
||||
logunclean, norfc1918, routefilter, multi, filterping and
|
||||
noping. An additional bug has been found that affects only
|
||||
the 'routestopped' option.<br>
|
||||
<br>
|
||||
Users who downloaded the corrected script prior
|
||||
to 1850 GMT today should download and install the corrected
|
||||
script again to ensure that this second problem is corrected.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p align="left">These problems are corrected in <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
|
||||
this firewall script</a> which should be installed in /etc/shorewall/firewall
|
||||
as described above.</p>
|
||||
|
||||
as described above.</p>
|
||||
|
||||
<h3 align="left">Version 1.3.0</h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Folks who downloaded 1.3.0 from the links on
|
||||
the download page before 23:40 GMT, 29 May 2002 may have
|
||||
downloaded 1.2.13 rather than 1.3.0. The "shorewall version"
|
||||
command will tell you which version that you have installed.</li>
|
||||
<li>The documentation NAT.htm file uses non-existent
|
||||
wallpaper and bullet graphic files. The <a
|
||||
<li>Folks who downloaded 1.3.0 from the links
|
||||
on the download page before 23:40 GMT, 29 May 2002 may
|
||||
have downloaded 1.2.13 rather than 1.3.0. The "shorewall
|
||||
version" command will tell you which version that you
|
||||
have installed.</li>
|
||||
<li>The documentation NAT.htm file uses non-existent
|
||||
wallpaper and bullet graphic files. The <a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
|
||||
corrected version is here</a>.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
<hr>
|
||||
|
||||
<hr>
|
||||
<h2 align="left"><a name="Upgrade"></a>Upgrade Issues</h2>
|
||||
|
||||
|
||||
<p align="left">The upgrade issues have moved to <a
|
||||
href="upgrade_issues.htm">a separate page</a>.</p>
|
||||
|
||||
<hr>
|
||||
|
||||
<hr>
|
||||
<h3 align="left"><a name="iptables"></a><font color="#660066"> Problem with
|
||||
iptables version 1.2.3</font></h3>
|
||||
|
||||
<blockquote>
|
||||
iptables version 1.2.3</font></h3>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p align="left">There are a couple of serious bugs in iptables 1.2.3 that
|
||||
prevent it from working with Shorewall. Regrettably, RedHat
|
||||
released this buggy iptables in RedHat 7.2. </p>
|
||||
|
||||
prevent it from working with Shorewall. Regrettably, RedHat
|
||||
released this buggy iptables in RedHat 7.2. </p>
|
||||
|
||||
|
||||
<p align="left"> I have built a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have also
|
||||
built an <a
|
||||
corrected 1.2.3 rpm which you can download here</a> and I have also
|
||||
built an <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
|
||||
iptables-1.2.4 rpm which you can download here</a>. If you are currently
|
||||
running RedHat 7.1, you can install either of these RPMs
|
||||
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
|
||||
|
||||
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
||||
has released an iptables-1.2.4 RPM of their own which you can download
|
||||
from<font color="#ff6633"> <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
|
||||
</font>I have installed this RPM on my firewall and it works fine.</p>
|
||||
|
||||
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
||||
the patches are available for download. This <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
||||
which corrects a problem with parsing of the --log-level specification
|
||||
while this <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
||||
corrects a problem in handling the TOS target.</p>
|
||||
running RedHat 7.1, you can install either of these RPMs
|
||||
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
|
||||
|
||||
<p align="left"><font color="#ff6633"><b>Update 11/9/2001: </b></font>RedHat
|
||||
has released an iptables-1.2.4 RPM of their own which you can download
|
||||
from<font color="#ff6633"> <a
|
||||
href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
|
||||
</font>I have installed this RPM on my firewall and it works fine.</p>
|
||||
|
||||
|
||||
<p align="left">If you would like to patch iptables 1.2.3 yourself,
|
||||
the patches are available for download. This <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
|
||||
which corrects a problem with parsing of the --log-level specification
|
||||
while this <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
|
||||
corrects a problem in handling the TOS target.</p>
|
||||
|
||||
|
||||
<p align="left">To install one of the above patches:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>cd iptables-1.2.3/extensions</li>
|
||||
<li>patch -p0 < <i>the-patch-file</i></li>
|
||||
|
||||
<li>cd iptables-1.2.3/extensions</li>
|
||||
<li>patch -p0 < <i>the-patch-file</i></li>
|
||||
|
||||
</ul>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<h3><a name="Debug"></a>Problems with kernels >= 2.4.18
|
||||
and RedHat iptables</h3>
|
||||
|
||||
<blockquote>
|
||||
|
||||
<blockquote>
|
||||
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19
|
||||
may experience the following:</p>
|
||||
|
||||
may experience the following:</p>
|
||||
|
||||
<blockquote>
|
||||
|
||||
|
||||
<pre># shorewall start<br>Processing /etc/shorewall/shorewall.conf ...<br>Processing /etc/shorewall/params ...<br>Starting Shorewall...<br>Loading Modules...<br>Initializing...<br>Determining Zones...<br>Zones: net<br>Validating interfaces file...<br>Validating hosts file...<br>Determining Hosts in Zones...<br>Net Zone: eth0:0.0.0.0/0<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br>iptables: libiptc/libip4tc.c:380: do_check: Assertion<br>`h->info.valid_hooks == (1 << 0 | 1 << 3)' failed.<br>Aborted (core dumped)<br></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p>The RedHat iptables RPM is compiled with debugging enabled but the
|
||||
user-space debugging code was not updated to reflect recent changes in
|
||||
the Netfilter 'mangle' table. You can correct the problem by installing
|
||||
<a
|
||||
the Netfilter 'mangle' table. You can correct the problem by installing
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version
|
||||
of iptables, you will need to specify the --oldpackage option to rpm
|
||||
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
</blockquote>
|
||||
this iptables RPM</a>. If you are already running a 1.2.5 version
|
||||
of iptables, you will need to specify the --oldpackage option to rpm
|
||||
(e.g., "iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm").</p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
|
||||
<h3><a name="SuSE"></a>Problems installing/upgrading
|
||||
RPM on SuSE</h3>
|
||||
|
||||
RPM on SuSE</h3>
|
||||
|
||||
<p>If you find that rpm complains about a conflict
|
||||
with kernel <= 2.2 yet you have a 2.4 kernel
|
||||
installed, simply use the "--nodeps" option to
|
||||
rpm.</p>
|
||||
|
||||
|
||||
<p>Installing: rpm -ivh --nodeps <i><shorewall rpm></i></p>
|
||||
|
||||
|
||||
<p>Upgrading: rpm -Uvh --nodeps <i><shorewall rpm></i></p>
|
||||
|
||||
|
||||
<h3><a name="Multiport"></a><b>Problems with
|
||||
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
|
||||
|
||||
|
||||
<p>The iptables 1.2.7 release of iptables has made
|
||||
an incompatible change to the syntax used to
|
||||
specify multiport match rules; as a consequence,
|
||||
if you install iptables 1.2.7 you must be running
|
||||
Shorewall 1.3.7a or later or:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>set MULTIPORT=No in
|
||||
/etc/shorewall/shorewall.conf; or </li>
|
||||
<li>if you are running Shorewall
|
||||
1.3.6 you may install
|
||||
<a
|
||||
<li>set MULTIPORT=No in
|
||||
/etc/shorewall/shorewall.conf; or </li>
|
||||
<li>if you are running Shorewall
|
||||
1.3.6 you may install
|
||||
<a
|
||||
href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
|
||||
this firewall script</a> in /var/lib/shorewall/firewall
|
||||
as described above.</li>
|
||||
|
||||
as described above.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3><a name="NAT"></a>Problems with RH Kernel 2.4.18-10 and NAT<br>
|
||||
</h3>
|
||||
/etc/shorewall/nat entries of the following form will result in Shorewall
|
||||
being unable to start:<br>
|
||||
<br>
|
||||
|
||||
</h3>
|
||||
/etc/shorewall/nat entries of the following form will result in
|
||||
Shorewall being unable to start:<br>
|
||||
<br>
|
||||
|
||||
<pre>#EXTERNAL INTERFACE INTERNAL ALL INTERFACES LOCAL<br>192.0.2.22 eth0 192.168.9.22 yes yes<br>#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</pre>
|
||||
Error message is:<br>
|
||||
|
||||
Error message is:<br>
|
||||
|
||||
<pre>Setting up NAT...<br>iptables: Invalid argument<br>Terminated<br><br></pre>
|
||||
The solution is to put "no" in the LOCAL column. Kernel support for
|
||||
LOCAL=yes has never worked properly and 2.4.18-10 has disabled it. The
|
||||
2.4.19 kernel contains corrected support under a new kernel configuraiton
|
||||
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
|
||||
<p><font size="2"> Last updated 12/3/2002 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
The solution is to put "no" in the LOCAL column. Kernel support
|
||||
for LOCAL=yes has never worked properly and 2.4.18-10 has disabled it.
|
||||
The 2.4.19 kernel contains corrected support under a new kernel configuraiton
|
||||
option; see <a href="Documentation.htm#NAT">http://www.shorewall.net/Documentation.htm#NAT</a><br>
|
||||
|
||||
<p><font size="2"> Last updated 1/3/2003 -
|
||||
<a href="support.htm">Tom Eastep</a></font> </p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> © <font
|
||||
size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
@ -207,9 +207,9 @@ ignored<br>
|
||||
<a href="support.htm">Tom Eastep</a></font>
|
||||
</p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
|
||||
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<p align="left"><a href="copyright.htm">
|
||||
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
</body>
|
||||
|
||||
</html>
|
||||
</html>
|
||||
|
@ -70,5 +70,5 @@ type "rpm -e shorewall".</p>
|
||||
<p><font size="2">Last updated 3/26/2001 - </font><font size="2">
|
||||
<a href="support.htm">Tom
|
||||
Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>
|
||||
|
@ -1,76 +1,79 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>GNU Mailman</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<h1 align="center"><font color="#ffffff">GNU Mailman/Postfix the Easy
|
||||
Way</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
Way</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<h1 align="center"> </h1>
|
||||
|
||||
|
||||
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
|
||||
Tokarev as a suggested addition to the Postfix FAQ.</h4>
|
||||
|
||||
Tokarev as a suggested addition to the Postfix FAQ.</h4>
|
||||
|
||||
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
|
||||
<br>
|
||||
A: Mailman uses a setgid wrapper that is designed to be used in system-wide
|
||||
aliases file so that rest of mailman's mail handling processes will run
|
||||
<br>
|
||||
A: Mailman uses a setgid wrapper that is designed to be used in system-wide
|
||||
aliases file so that rest of mailman's mail handling processes will run
|
||||
with proper uid/gid. Postfix has an ability to run a command specified in
|
||||
an alias as owner of that alias, thus mailman's wrapper is not needed here.
|
||||
The best method to invoke mailman's mail handling via aliases is to use
|
||||
The best method to invoke mailman's mail handling via aliases is to use
|
||||
separate alias file especially for mailman, and made it owned by mailman
|
||||
and group mailman. Like:<br>
|
||||
<br>
|
||||
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
|
||||
<br>
|
||||
Make sure that /var/mailman/aliases.db is owned by mailman user (this may
|
||||
be done by executing postalias as mailman userid).<br>
|
||||
<br>
|
||||
Next, instead of using mailman-suggested aliases entries with wrapper, use
|
||||
the following:<br>
|
||||
<br>
|
||||
instead of<br>
|
||||
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
|
||||
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
|
||||
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
|
||||
...<br>
|
||||
<br>
|
||||
use<br>
|
||||
mailinglist: /var/mailman/scripts/post mailinglist<br>
|
||||
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
|
||||
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
|
||||
...</p>
|
||||
|
||||
<h4>The Shorewall mailing lists are currently running Postfix 1.1.11 together
|
||||
with the stock RedHat Mailman-2.0.13 RPM configured as shown above.</h4>
|
||||
|
||||
<p align="left"><font size="2">Last updated 9/14/2002 - <a
|
||||
<br>
|
||||
alias_maps = hash:/etc/postfix/aliases, hash:/var/mailman/aliases<br>
|
||||
<br>
|
||||
Make sure that /var/mailman/aliases.db is owned by mailman user (this
|
||||
may be done by executing postalias as mailman userid).<br>
|
||||
<br>
|
||||
Next, instead of using mailman-suggested aliases entries with wrapper,
|
||||
use the following:<br>
|
||||
<br>
|
||||
instead of<br>
|
||||
mailinglist: /var/mailman/mail/wrapper post mailinglist<br>
|
||||
mailinglist-admin: /var/mailman/mail/wrapper mailowner mailinglist<br>
|
||||
mailinglist-request: /var/mailman/mail/wrapper mailcmd mailinglist<br>
|
||||
...<br>
|
||||
<br>
|
||||
use<br>
|
||||
mailinglist: /var/mailman/scripts/post mailinglist<br>
|
||||
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
|
||||
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
|
||||
...</p>
|
||||
|
||||
<h4>The above tip works with Mailman 2.0; Mailman 2.1 has adopted something
|
||||
very similar so that no workaround is necessary. See the README.POSTFIX file
|
||||
included with Mailman-2.1. </h4>
|
||||
|
||||
<p align="left"><font size="2">Last updated 12/29/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
BIN
STABLE/documentation/images/cache_now.gif
Normal file
BIN
STABLE/documentation/images/cache_now.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 493 B |
BIN
STABLE/documentation/images/squidnow.gif
Normal file
BIN
STABLE/documentation/images/squidnow.gif
Normal file
Binary file not shown.
After Width: | Height: | Size: 1.7 KiB |
@ -142,5 +142,5 @@ the options selected above built as modules:</p>
|
||||
<p><font size="2">Last updated 3/10/2002 - </font><font size="2">
|
||||
<a href="support.htm">Tom
|
||||
Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></body></html>
|
||||
|
@ -1,124 +1,138 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Shorewall Mailing Lists</title>
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table height="90" bgcolor="#400169" id="AutoNumber1" width="100%"
|
||||
style="border-collapse: collapse;" cellspacing="0" cellpadding="0"
|
||||
border="0">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="33%" valign="middle">
|
||||
|
||||
|
||||
<h1 align="center"><a
|
||||
href="http://www.centralcommand.com/linux_products.html"><img
|
||||
src="images/Vexira_Antivirus_Logo.gif" alt="Vexira Logo" width="78"
|
||||
height="79" align="left">
|
||||
</a><a href="http://www.gnu.org/software/mailman/mailman.html">
|
||||
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5"
|
||||
width="110" height="35">
|
||||
</a><a href="http://www.postfix.org/"> <img
|
||||
src="images/small-picture.gif" align="right" border="0" width="115"
|
||||
height="45">
|
||||
</a><font color="#ffffff">Shorewall Mailing Lists<a
|
||||
href="http://www.inter7.com/courierimap/"><img
|
||||
src="images/courier-imap.png" alt="Courier-Imap" width="100"
|
||||
height="38" align="right">
|
||||
</a></font></h1>
|
||||
</a></h1>
|
||||
|
||||
|
||||
<p align="right"><font color="#ffffff"><b><br>
|
||||
</b></font></p>
|
||||
|
||||
<p align="right"><font color="#ffffff"><b><br>
|
||||
Powered by Postfix </b></font> </p>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
<h1 align="center"><a
|
||||
href="http://www.gnu.org/software/mailman/mailman.html"> <img
|
||||
border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110"
|
||||
height="35" alt="">
|
||||
</a></h1>
|
||||
|
||||
<p align="right"><br>
|
||||
<font color="#ffffff"><b> </b></font> </p>
|
||||
</td>
|
||||
<td valign="middle" width="34%" align="center">
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Mailing Lists</font></h1>
|
||||
</td>
|
||||
<td valign="middle" width="33%">
|
||||
<h1 align="center"><a href="http://www.postfix.org/"> <img
|
||||
src="images/small-picture.gif" align="right" border="0" width="115"
|
||||
height="45" alt="(Postfix Logo)">
|
||||
</a></h1>
|
||||
<br>
|
||||
|
||||
<div align="right"><br>
|
||||
<b><font color="#ffffff">Powered by Postfix </font></b><br>
|
||||
</div>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.</p>
|
||||
|
||||
|
||||
<h2 align="left">Not getting List Mail? -- <a
|
||||
href="mailing_list_problems.htm">Check Here</a></h2>
|
||||
|
||||
<p align="left">If you experience problems with any of these lists, please
|
||||
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
|
||||
|
||||
|
||||
<p align="left">If you experience problems with any of these lists, please
|
||||
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
|
||||
|
||||
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
|
||||
|
||||
<p align="left">You can report such problems by sending mail to tom dot eastep
|
||||
at hp dot com.</p>
|
||||
|
||||
<h2>A Word about SPAM Filters <a href="http://ordb.org"> <img border="0"
|
||||
src="images/but3.png" hspace="3" width="88" height="31">
|
||||
</a><a href="http://osirusoft.com/"> </a></h2>
|
||||
|
||||
<p>Before subscribing please read my <a href="spam_filters.htm">policy
|
||||
about list traffic that bounces.</a> Also please note that the mail server
|
||||
at shorewall.net checks incoming mail:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>against the open relay databases at <a
|
||||
href="http://ordb.org">ordb.org.</a></li>
|
||||
<li>to ensure that the sender address is fully qualified.</li>
|
||||
<li>to verify that the sender's domain has an A or MX record in DNS.</li>
|
||||
<li>to ensure that the host name in the HELO/EHLO command is a valid
|
||||
fully-qualified DNS name.</li>
|
||||
|
||||
</ol>
|
||||
<h2>Please post in plain text</h2>
|
||||
While the list server here at shorewall.net accepts and distributes HTML
|
||||
posts, a growing number of MTAs serving list subscribers are rejecting this
|
||||
HTML list traffic. At least one MTA has gone so far as to blacklist shorewall.net
|
||||
"for continuous abuse"!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a rather draconian way to control spam
|
||||
and that the unltimate loser here is not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you
|
||||
can help by restricting your list posts to plain text.<br>
|
||||
<br>
|
||||
And as a bonus, subscribers who use email clients like pine and mutt will
|
||||
be able to read your plain text posts whereas they are most likely simply
|
||||
ignoring your HTML posts.<br>
|
||||
<br>
|
||||
A final bonus for the use of HTML is that it cuts down the size of messages
|
||||
by a large percentage -- that is important when the same message must be
|
||||
sent 500 times over the slow DSL line connecting the list server to the internet.<br>
|
||||
|
||||
<h2></h2>
|
||||
|
||||
<h2 align="left">Mailing Lists Archive Search</h2>
|
||||
|
||||
<p align="left">You can report such problems by sending mail to tom dot eastep
|
||||
at hp dot com.</p>
|
||||
|
||||
<h2>A Word about SPAM Filters <a href="http://ordb.org"></a><a
|
||||
href="http://osirusoft.com/"> </a></h2>
|
||||
|
||||
<p>Before subscribing please read my <a href="spam_filters.htm">policy
|
||||
about list traffic that bounces.</a> Also please note that the mail server
|
||||
at shorewall.net checks incoming mail:<br>
|
||||
</p>
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
|
||||
<p> <font size="-1"> Match:
|
||||
<ol>
|
||||
<li>against <a href="http://spamassassin.org">Spamassassin</a>
|
||||
(including <a href="http://razor.sourceforge.net/">Vipul's Razor</a>).<br>
|
||||
</li>
|
||||
<li>to ensure that the sender address is fully qualified.</li>
|
||||
<li>to verify that the sender's domain has an A or MX record
|
||||
in DNS.</li>
|
||||
<li>to ensure that the host name in the HELO/EHLO command is
|
||||
a valid fully-qualified DNS name that resolves.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
A growing number of MTAs serving list subscribers are rejecting all
|
||||
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
|
||||
"for continuous abuse" because it has been my policy to allow HTML in list
|
||||
posts!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian way to control spam and
|
||||
that the ultimate losers here are not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. As one list subscriber wrote
|
||||
to me privately "These e-mail admin's need to get a <i>(explitive deleted)</i>
|
||||
life instead of trying to rid the planet of HTML based e-mail". Nevertheless,
|
||||
to allow subscribers to receive list posts as must as possible, I have now
|
||||
configured the list server at shorewall.net to strip all HTML from outgoing
|
||||
posts. This means that HTML-only posts will be bounced by the list server.<br>
|
||||
|
||||
<p align="left"> <b>Note: </b>The list server limits posts to 120kb.<br>
|
||||
</p>
|
||||
|
||||
<h2>Other Mail Delivery Problems</h2>
|
||||
If you find that you are missing an occasional list post, your e-mail
|
||||
admin may be blocking mail whose <i>Received:</i> headers contain the names
|
||||
of certain ISPs. Again, I believe that such policies hurt more than they
|
||||
help but I'm not prepared to go so far as to start stripping <i>Received:</i>
|
||||
headers to circumvent those policies.<br>
|
||||
|
||||
<h2 align="left">Mailing Lists Archive Search</h2>
|
||||
|
||||
<form method="post" action="http://mail.shorewall.net/cgi-bin/htsearch">
|
||||
|
||||
<p> <font size="-1"> Match:
|
||||
<select name="method">
|
||||
<option value="and">All </option>
|
||||
<option value="or">Any </option>
|
||||
<option value="boolean">Boolean </option>
|
||||
</select>
|
||||
Format:
|
||||
Format:
|
||||
<select name="format">
|
||||
<option value="builtin-long">Long </option>
|
||||
<option value="builtin-short">Short </option>
|
||||
</select>
|
||||
Sort by:
|
||||
Sort by:
|
||||
<select name="sort">
|
||||
<option value="score">Score </option>
|
||||
<option value="time">Time </option>
|
||||
@ -127,120 +141,130 @@ sent 500 times over the slow DSL line connecting the list server to the internet
|
||||
<option value="revtime">Reverse Time </option>
|
||||
<option value="revtitle">Reverse Title </option>
|
||||
</select>
|
||||
</font> <input type="hidden" name="config" value="htdig"> <input
|
||||
type="hidden" name="restrict"
|
||||
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
</font> <input type="hidden" name="config" value="htdig">
|
||||
<input type="hidden" name="restrict"
|
||||
value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
name="exclude" value=""> <br>
|
||||
Search: <input type="text" size="30" name="words" value=""> <input
|
||||
type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
<h2 align="left"><font color="#ff0000">Please do not try to download the entire
|
||||
Archive -- its 75MB (and growing daily) and my slow DSL line simply won't
|
||||
stand the traffic. If I catch you, you'll be blacklisted.<br>
|
||||
</font></h2>
|
||||
|
||||
Search: <input type="text" size="30" name="words"
|
||||
value=""> <input type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
<h2 align="left"><font color="#ff0000">Please do not try to download the
|
||||
entire Archive -- it is 75MB (and growing daily) and my slow DSL line simply
|
||||
won't stand the traffic. If I catch you, you will be blacklisted.<br>
|
||||
</font></h2>
|
||||
|
||||
<h2 align="left">Shorewall CA Certificate</h2>
|
||||
If you want to trust X.509 certificates issued by Shoreline Firewall
|
||||
(such as the one used on my web site), you may <a
|
||||
href="Shorewall_CA_html.html">download and install my CA certificate</a>
|
||||
in your browser. If you don't wish to trust my certificates then you
|
||||
can either use unencrypted access when subscribing to Shorewall mailing
|
||||
lists or you can use secure access (SSL) and accept the server's certificate
|
||||
when prompted by your browser.<br>
|
||||
|
||||
If you want to trust X.509 certificates issued by Shoreline
|
||||
Firewall (such as the one used on my web site), you may <a
|
||||
href="Shorewall_CA_html.html">download and install my CA certificate</a>
|
||||
in your browser. If you don't wish to trust my certificates then you
|
||||
can either use unencrypted access when subscribing to Shorewall mailing
|
||||
lists or you can use secure access (SSL) and accept the server's certificate
|
||||
when prompted by your browser.<br>
|
||||
|
||||
<h2 align="left">Shorewall Users Mailing List</h2>
|
||||
|
||||
<p align="left">The Shorewall Users Mailing list provides a way for users
|
||||
to get answers to questions and to report problems. Information of general
|
||||
interest to the Shorewall user community is also posted to this list.</p>
|
||||
|
||||
<p align="left"><b>Before posting a problem report to this list, please see
|
||||
the <a href="support.htm">problem reporting guidelines</a>.</b></p>
|
||||
|
||||
|
||||
<p align="left">The Shorewall Users Mailing list provides a way for users
|
||||
to get answers to questions and to report problems. Information of
|
||||
general interest to the Shorewall user community is also posted to this
|
||||
list.</p>
|
||||
|
||||
<p align="left"><b>Before posting a problem report to this list, please see
|
||||
the <a href="support.htm">problem reporting guidelines</a>.</b></p>
|
||||
|
||||
<p align="left">To subscribe to the mailing list, go to <a
|
||||
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
SSL: <a
|
||||
href="https://www.shorewall.net/mailman/listinfo/shorewall-users"
|
||||
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-users</a></p>
|
||||
|
||||
href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
SSL: <a
|
||||
href="https://mail.shorewall.net/mailman/listinfo/shorewall-users"
|
||||
target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-users</a></p>
|
||||
|
||||
<p align="left">To post to the list, post to <a
|
||||
href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
|
||||
|
||||
|
||||
<p align="left">The list archives are at <a
|
||||
href="http://www.shorewall.net/pipermail/shorewall-users/index.html">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
|
||||
|
||||
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted
|
||||
at <a href="http://sourceforge.net">Sourceforge</a>. The archives from that
|
||||
list may be found at <a
|
||||
href="http://mail.shorewall.net/pipermail/shorewall-users/index.html">http://mail.shorewall.net/pipermail/shorewall-users</a>.</p>
|
||||
|
||||
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at
|
||||
<a href="http://sourceforge.net">Sourceforge</a>. The archives from that list
|
||||
may be found at <a
|
||||
href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
|
||||
|
||||
|
||||
<h2 align="left">Shorewall Announce Mailing List</h2>
|
||||
|
||||
<p align="left">This list is for announcements of general interest to the
|
||||
Shorewall community. To subscribe, go to <a
|
||||
href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>
|
||||
SSL: <a
|
||||
href="https://www.shorewall.net/mailman/listinfo/shorewall-announce"
|
||||
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-announce.<br>
|
||||
</a><br>
|
||||
The list archives are at <a
|
||||
href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
|
||||
|
||||
|
||||
<p align="left">This list is for announcements of general interest to the
|
||||
Shorewall community. To subscribe, go to <a
|
||||
href="http://mail.shorewall.net/mailman/listinfo/shorewall-announce">http://mail.shorewall.net/mailman/listinfo/shorewall-announce</a>
|
||||
SSL: <a
|
||||
href="https://mail.shorewall.net/mailman/listinfo/shorewall-announce"
|
||||
target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-announce.<br>
|
||||
</a><br>
|
||||
The list archives are at <a
|
||||
href="http://mail.shorewall.net/pipermail/shorewall-announce">http://mail.shorewall.net/pipermail/shorewall-announce</a>.</p>
|
||||
|
||||
<h2 align="left">Shorewall Development Mailing List</h2>
|
||||
|
||||
<p align="left">The Shorewall Development Mailing list provides a forum for
|
||||
the exchange of ideas about the future of Shorewall and for coordinating
|
||||
ongoing Shorewall Development.</p>
|
||||
|
||||
|
||||
<p align="left">The Shorewall Development Mailing list provides a forum for
|
||||
the exchange of ideas about the future of Shorewall and for coordinating
|
||||
ongoing Shorewall Development.</p>
|
||||
|
||||
<p align="left">To subscribe to the mailing list, go to <a
|
||||
href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>
|
||||
SSL: <a
|
||||
href="https://www.shorewall.net/mailman/listinfo/shorewall-devel"
|
||||
target="_top">https//www.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
|
||||
To post to the list, post to <a
|
||||
href="http://mail.shorewall.net/mailman/listinfo/shorewall-devel">http://mail.shorewall.net/mailman/listinfo/shorewall-devel</a>
|
||||
SSL: <a
|
||||
href="https://mail.shorewall.net/mailman/listinfo/shorewall-devel"
|
||||
target="_top">https//mail.shorewall.net/mailman/listinfo/shorewall-devel.</a><br>
|
||||
To post to the list, post to <a
|
||||
href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>. </p>
|
||||
|
||||
|
||||
<p align="left">The list archives are at <a
|
||||
href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
|
||||
|
||||
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
|
||||
the Mailing Lists</h2>
|
||||
|
||||
<p align="left">There seems to be near-universal confusion about unsubscribing
|
||||
from Mailman-managed lists. To unsubscribe:</p>
|
||||
|
||||
href="http://mail.shorewall.net/pipermail/shorewall-devel">http://mail.shorewall.net/pipermail/shorewall-devel</a>.</p>
|
||||
|
||||
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of
|
||||
the Mailing Lists</h2>
|
||||
|
||||
<p align="left">There seems to be near-universal confusion about unsubscribing
|
||||
from Mailman-managed lists although Mailman 2.1 has attempted to make
|
||||
this less confusing. To unsubscribe:</p>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<p align="left">Follow the same link above that you used to subscribe
|
||||
to the list.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">Down at the bottom of that page is the following text:
|
||||
"To change your subscription (set options like digest and delivery
|
||||
modes, get a reminder of your password, <b>or unsubscribe</b> from
|
||||
<name of list>), enter your subscription email address:". Enter
|
||||
your email address in the box and click on the "Edit Options" button.</p>
|
||||
</li>
|
||||
<li>
|
||||
<p align="left">There will now be a box where you can enter your password
|
||||
and click on "Unsubscribe"; if you have forgotten your password, there
|
||||
is another button that will cause your password to be emailed to you.</p>
|
||||
</li>
|
||||
|
||||
<li>
|
||||
|
||||
<p align="left">Follow the same link above that you used to subscribe
|
||||
to the list.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">Down at the bottom of that page is the following text:
|
||||
" To <b>unsubscribe</b> from <i><list name></i>, get a password
|
||||
reminder, or change your subscription options enter your subscription
|
||||
email address:". Enter your email address in the box and click
|
||||
on the "<b>Unsubscribe</b> or edit options" button.</p>
|
||||
</li>
|
||||
<li>
|
||||
|
||||
<p align="left">There will now be a box where you can enter your password
|
||||
and click on "Unsubscribe"; if you have forgotten your password, there
|
||||
is another button that will cause your password to be emailed to you.</p>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<hr>
|
||||
|
||||
<hr>
|
||||
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
|
||||
|
||||
|
||||
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
|
||||
|
||||
<p align="left"><font size="2">Last updated 12/27/2002 - <a
|
||||
|
||||
<p align="left"><font size="2">Last updated 12/31/2002 - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"> <font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -40,21 +40,10 @@
|
||||
<p align="left"><font size="2">Last updated 12/17/2002 02:51 GMT - <a
|
||||
href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p align="left"><a href="copyright.htm"> <font face="Trebuchet MS"> <font
|
||||
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></font></a></p>
|
||||
<p align="left"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></p>
|
||||
|
||||
<p align="left"> </p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,134 +1,144 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>My Shorewall Configuration</title>
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">About My Network</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<h1>My Current Network </h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
<blockquote>
|
||||
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
|
||||
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
|
||||
is connected to eth0. I have a local network connected to eth2 (subnet
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
|
||||
<h1>My Current Network </h1>
|
||||
|
||||
<blockquote>
|
||||
<p><big><font color="#ff0000"><b>Warning: </b></font><b><small>I</small></b></big><big><b><small>
|
||||
use a combination of Static NAT and Proxy ARP, neither of which are relevant
|
||||
to a simple configuration with a single public IP address.</small></b></big><big><b><small>
|
||||
If you have just a single public IP address, most of what you see here won't
|
||||
apply to your setup so beware of copying parts of this configuration and
|
||||
expecting them to work for you. They may or may not work in your setup. </small></b></big><br>
|
||||
</p>
|
||||
<p> I have DSL service and have 5 static IP addresses (206.124.146.176-180).
|
||||
My DSL "modem" (<a href="http://www.fujitsu.com">Fujitsu</a> Speedport)
|
||||
is connected to eth0. I have a local network connected to eth2 (subnet
|
||||
192.168.1.0/24) and a DMZ connected to eth1 (192.168.2.0/24). </p>
|
||||
|
||||
|
||||
<p> I use:<br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
|
||||
and external address 206.124.146.178.</li>
|
||||
<li>Proxy ARP for wookie (my Linux System). This system has two IP
|
||||
addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
|
||||
<li>SNAT through the primary gateway address (206.124.146.176) for
|
||||
my Wife's system (tarry) and the Wireless Access Point (wap)</li>
|
||||
|
||||
<li>Static NAT for ursa (my XP System) - Internal address 192.168.1.5
|
||||
and external address 206.124.146.178.</li>
|
||||
<li>Proxy ARP for wookie (my Linux System). This system has two
|
||||
IP addresses: 192.168.1.3/24 and 206.124.146.179/24.</li>
|
||||
<li>SNAT through the primary gateway address (206.124.146.176)
|
||||
for my Wife's system (tarry) and the Wireless Access Point (wap)</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p> The firewall runs on a 128MB PII/233 with RH7.2 and Kernel 2.4.20-pre6.</p>
|
||||
|
||||
<p> Wookie runs Samba and acts as the a WINS server. Wookie is in its
|
||||
own 'whitelist' zone called 'me'.</p>
|
||||
|
||||
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
|
||||
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
|
||||
and is managed by Proxy ARP. It connects to the local network through
|
||||
|
||||
<p> Wookie runs Samba and acts as the a WINS server. Wookie is in its
|
||||
own 'whitelist' zone called 'me'.</p>
|
||||
|
||||
<p> My laptop (eastept1) is connected to eth3 using a cross-over cable.
|
||||
It runs its own <a href="http://www.sygate.com"> Sygate</a> firewall software
|
||||
and is managed by Proxy ARP. It connects to the local network through
|
||||
the PopTop server running on my firewall. </p>
|
||||
|
||||
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||||
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
|
||||
(Pure-ftpd). The system also runs fetchmail to fetch our email from our
|
||||
old and current ISPs. That server is managed through Proxy ARP.</p>
|
||||
|
||||
<p> The firewall system itself runs a DHCP server that serves the local
|
||||
network.</p>
|
||||
|
||||
|
||||
<p> The single system in the DMZ (address 206.124.146.177) runs postfix,
|
||||
Courier IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
|
||||
(Pure-ftpd). The system also runs fetchmail to fetch our email from
|
||||
our old and current ISPs. That server is managed through Proxy ARP.</p>
|
||||
|
||||
<p> The firewall system itself runs a DHCP server that serves the local
|
||||
network.</p>
|
||||
|
||||
<p> All administration and publishing is done using ssh/scp.</p>
|
||||
|
||||
|
||||
<p> I run an SNMP server on my firewall to serve <a
|
||||
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
|
||||
in the DMZ.</p>
|
||||
|
||||
href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/"> MRTG</a> running
|
||||
in the DMZ.</p>
|
||||
|
||||
<p align="center"> <img border="0"
|
||||
src="images/network.png" width="764" height="846">
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<p> </p>
|
||||
|
||||
<p>The ethernet interface in the Server is configured
|
||||
with IP address 206.124.146.177, netmask
|
||||
255.255.255.0. The server's default gateway is
|
||||
206.124.146.254 (Router at my ISP. This is the same
|
||||
default gateway used by the firewall itself). On the firewall,
|
||||
Shorewall automatically adds a host route to
|
||||
206.124.146.177 through eth1 (192.168.2.1) because
|
||||
of the entry in /etc/shorewall/proxyarp (see
|
||||
|
||||
<p>The ethernet interface in the Server is configured
|
||||
with IP address 206.124.146.177, netmask
|
||||
255.255.255.0. The server's default gateway is
|
||||
206.124.146.254 (Router at my ISP. This is the same
|
||||
default gateway used by the firewall itself). On the firewall,
|
||||
Shorewall automatically adds a host route to
|
||||
206.124.146.177 through eth1 (192.168.2.1) because
|
||||
of the entry in /etc/shorewall/proxyarp (see
|
||||
below).</p>
|
||||
|
||||
<p>A similar setup is used on eth3 (192.168.3.1) which
|
||||
interfaces to my laptop (206.124.146.180).</p>
|
||||
|
||||
<p><font color="#ff0000" size="5"> Note: My files
|
||||
use features not available before Shorewall
|
||||
version 1.3.4.</font></p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p>A similar setup is used on eth3 (192.168.3.1) which
|
||||
interfaces to my laptop (206.124.146.180).<br>
|
||||
</p>
|
||||
|
||||
<p>Ursa (192.168.1.5 AKA 206.124.146.178) runs a PPTP server for Road Warrior
|
||||
access.<br>
|
||||
</p>
|
||||
|
||||
<p><font color="#ff0000" size="5"></font></p>
|
||||
</blockquote>
|
||||
|
||||
<h3>Shorewall.conf</h3>
|
||||
|
||||
|
||||
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall<br> STATEDIR=/var/state/shorewall<br><br> LOGRATE=<br> LOGBURST=<br><br> ADD_IP_ALIASES="Yes"<br><br> CLAMPMSS=Yes<br><br> MULTIPORT=Yes</pre>
|
||||
|
||||
|
||||
<h3>Zones File:</h3>
|
||||
|
||||
|
||||
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS<br> net Internet Internet<br> me Eastep My Workstation<br> loc Local Local networks<br> dmz DMZ Demilitarized zone<br> tx Texas Peer Network in Dallas Texas<br> #LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>Interfaces File: </h3>
|
||||
|
||||
<blockquote>
|
||||
<p> This is set up so that I can start the firewall before bringing up
|
||||
my Ethernet interfaces. </p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<blockquote>
|
||||
<p> This is set up so that I can start the firewall before bringing up my
|
||||
Ethernet interfaces. </p>
|
||||
</blockquote>
|
||||
|
||||
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS<br> net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping<br> loc eth2 192.168.1.255 dhcp,filterping,maclist<br> dmz eth1 206.124.146.255 filterping<br> net eth3 206.124.146.255 filterping,blacklist<br> - texas - filterping<br> loc ppp+ - filterping<br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>Hosts File: </h3>
|
||||
|
||||
|
||||
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS<br> me eth2:192.168.1.3,eth2:206.124.146.179<br> tx texas:192.168.9.0/24<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>Routestopped File:</h3>
|
||||
|
||||
|
||||
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)<br> eth1 206.124.146.177<br> eth2 -<br> eth3 206.124.146.180</font></pre>
|
||||
|
||||
|
||||
<h3>Common File: </h3>
|
||||
|
||||
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br> run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
|
||||
|
||||
|
||||
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def<br> run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP<br></font></pre>
|
||||
<h3>Policy File:</h3>
|
||||
|
||||
|
||||
<pre><font size="2" face="Courier">
|
||||
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
|
||||
me all ACCEPT
|
||||
@ -136,40 +146,42 @@ my Ethernet interfaces. </p>
|
||||
all me CONTINUE #<font
|
||||
color="#ff0000">WARNING: You must be running Shorewall 1.3.1 or later for<br> </font>#<font
|
||||
color="#ff0000"> this policy to work as expected!!!</font> <br> loc loc ACCEPT<br> loc net ACCEPT<br> $FW loc ACCEPT<br> $FW tx ACCEPT<br> loc tx ACCEPT<br> loc fw REJECT<br> net net ACCEPT<br> net all DROP info 10/sec:40<br> all all REJECT info<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
|
||||
|
||||
|
||||
<h3>Masq File: </h3>
|
||||
|
||||
<blockquote>
|
||||
<p> Although most of our internal systems use static NAT, my wife's system
|
||||
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
|
||||
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> Although most of our internal systems use static NAT, my wife's system
|
||||
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with
|
||||
laptops. Also, I masquerade wookie to the peer subnet in Texas.</p>
|
||||
</blockquote>
|
||||
|
||||
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS<br> eth0 192.168.1.0/24 206.124.146.176<br> texas 206.124.146.179 192.168.1.254<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>NAT File: </h3>
|
||||
|
||||
|
||||
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL<br> 206.124.146.178 eth0 192.168.1.5 No No<br> 206.124.146.179 eth0 192.168.1.3 No No<br> #LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
|
||||
<h3>Proxy ARP File:</h3>
|
||||
|
||||
|
||||
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROU</font><font
|
||||
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><font
|
||||
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
<h3>Rules File (The shell variables
|
||||
are set in /etc/shorewall/params):</h3>
|
||||
|
||||
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> ACCEPT net fw tcp 1723<br> ACCEPT net fw gre<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
<p><font size="2"> Last updated 10/14/2002 - </font><font size="2">
|
||||
<a href="support.htm">Tom Eastep</a></font>
|
||||
</p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
face="Courier" size="2">TE<br> 206.124.146.177 eth1 eth0 No<br> 206.124.146.180 eth3 eth0 No<br></font><pre><font
|
||||
face="Courier" size="2"> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre></pre>
|
||||
|
||||
<h3>Tunnels File (Shell variable TEXAS set in /etc/shorewall/params):</h3>
|
||||
|
||||
<pre><small> #TYPE ZONE GATEWAY</small><small> <br> gre net $TEXAS</small><small><br> #LAST LINE -- DO NOT REMOVE<br></small></pre>
|
||||
|
||||
<h3>Rules File (The shell variables
|
||||
are set in /etc/shorewall/params):</h3>
|
||||
|
||||
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL<br> # PORT(S) PORT(S) PORT(S) DEST<br> #<br> # Local Network to Internet - Reject attempts by Trojans to call home<br> #<br> REJECT:info loc net tcp 6667<br> #<br> # Local Network to Firewall <br> #<br> ACCEPT loc fw tcp ssh<br> ACCEPT loc fw tcp time<br> #<br> # Local Network to DMZ <br> #<br> ACCEPT loc dmz udp domain<br> ACCEPT loc dmz tcp smtp<br> ACCEPT loc dmz tcp domain<br> ACCEPT loc dmz tcp ssh<br> ACCEPT loc dmz tcp auth<br> ACCEPT loc dmz tcp imap<br> ACCEPT loc dmz tcp https<br> ACCEPT loc dmz tcp imaps<br> ACCEPT loc dmz tcp cvspserver<br> ACCEPT loc dmz tcp www<br> ACCEPT loc dmz tcp ftp<br> ACCEPT loc dmz tcp pop3<br> ACCEPT loc dmz icmp echo-request<br> #<br> # Internet to DMZ <br> #<br> ACCEPT net dmz tcp www<br> ACCEPT net dmz tcp smtp<br> ACCEPT net dmz tcp ftp<br> ACCEPT net dmz tcp auth<br> ACCEPT net dmz tcp https<br> ACCEPT net dmz tcp imaps<br> ACCEPT net dmz tcp domain<br> ACCEPT net dmz tcp cvspserver<br> ACCEPT net dmz udp domain<br> ACCEPT net dmz icmp echo-request<br> ACCEPT net:$MIRRORS dmz tcp rsync<br> #<br> # Net to Me (ICQ chat and file transfers) <br> #<br> ACCEPT net me tcp 4000:4100<br> #<br> # Net to Local <br> #<br> ACCEPT net loc tcp auth<br> REJECT net loc tcp www<br> ACCEPT net loc:192.168.1.5 tcp 1723<br> ACCEPT net loc:192.168.1.5 gre<br> #<br> # DMZ to Internet<br> #<br> ACCEPT dmz net icmp echo-request<br> ACCEPT dmz net tcp smtp<br> ACCEPT dmz net tcp auth<br> ACCEPT dmz net tcp domain<br> ACCEPT dmz net tcp www<br> ACCEPT dmz net tcp https<br> ACCEPT dmz net tcp whois<br> ACCEPT dmz net tcp echo<br> ACCEPT dmz net udp domain<br> ACCEPT dmz net:$NTPSERVERS udp ntp<br> ACCEPT dmz net:$POPSERVERS tcp pop3<br> #<br> # The following compensates for a bug, either in some FTP clients or in the<br> # Netfilter connection tracking code that occasionally denies active mode<br> # FTP clients<br> #<br> ACCEPT:info dmz net tcp 1024: 20<br> #<br> # DMZ to Firewall -- snmp<br> #<br> ACCEPT dmz fw tcp snmp<br> ACCEPT dmz fw udp snmp<br> #<br> # DMZ to Local Network <br> #<br> ACCEPT dmz loc tcp smtp<br> ACCEPT dmz loc tcp auth<br> ACCEPT dmz loc icmp echo-request<br> # Internet to Firewall<br> #<br> REJECT net fw tcp www<br> #<br> # Firewall to Internet<br> #<br> ACCEPT fw net:$NTPSERVERS udp ntp<br> ACCEPT fw net udp domain<br> ACCEPT fw net tcp domain<br> ACCEPT fw net tcp www<br> ACCEPT fw net tcp https<br> ACCEPT fw net tcp ssh<br> ACCEPT fw net tcp whois<br> ACCEPT fw net icmp echo-request<br> #<br> # Firewall to DMZ<br> #<br> ACCEPT fw dmz tcp www<br> ACCEPT fw dmz tcp ftp<br> ACCEPT fw dmz tcp ssh<br> ACCEPT fw dmz tcp smtp<br> ACCEPT fw dmz udp domain<br> #<br> # Let Texas Ping<br> #<br> ACCEPT tx fw icmp echo-request<br> ACCEPT tx loc icmp echo-request<br><br> #LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
|
||||
|
||||
<p><font size="2"> Last updated 1/12/2003 - </font><font size="2">
|
||||
<a href="support.htm">Tom Eastep</a></font>
|
||||
</p>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font> ©
|
||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -26,11 +26,11 @@ way. This page describes how it now works.<br>
|
||||
There are several aspects to Shorewall Ping management:<br>
|
||||
<ol>
|
||||
<li>The <b>noping</b> and <b>filterping </b>interface options in <a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
<li>The <b>FORWARDPING</b> option in<a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
|
||||
href="Documentation.htm#Conf"> /etc/shorewall/shorewall.conf</a>.</li>
|
||||
<li>Explicit rules in <a
|
||||
href="file:///home/teastep/Shorewall-docs/Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
||||
href="Documentation.htm#Rules">/etc/shorewall/rules</a>.</li>
|
||||
</ol>
|
||||
There are two cases to consider:<br>
|
||||
<ol>
|
||||
@ -81,10 +81,10 @@ then the request is responded to with an ICMP echo-reply.</li>
|
||||
is either rejected or simply ignored.</li>
|
||||
</ol>
|
||||
<p><font size="2">Updated 12/13/2002 - <a
|
||||
href="file:///home/teastep/Shorewall-docs/support.htm">Tom Eastep</a> </font></p>
|
||||
href="support.htm">Tom Eastep</a> </font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -187,8 +187,8 @@ Shorewall starts, then you should include the port list in /etc/modules.conf:<br
|
||||
|
||||
<p><font size="2">Last updated 11/10/2002 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
<a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a><br>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -5,6 +5,7 @@
|
||||
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shoreline Firewall (Shorewall) 1.3</title>
|
||||
@ -12,78 +13,86 @@
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
<base target="_self">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
|
||||
<td width="100%" height="90">
|
||||
<tr>
|
||||
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"> <font size="4"><i> <a
|
||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
|
||||
</a></i></font><font color="#ffffff">Shorewall 1.3 -
|
||||
<font size="4">"<i>iptables made easy"</i></font></font></h1>
|
||||
</a></i></font><font color="#ffffff">Shorewall 1.3
|
||||
- <font size="4">"<i>iptables made easy"</i></font></font></h1>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div align="center"><a
|
||||
href="http://shorewall.sf.net/1.2/index.html" target="_top"><font
|
||||
color="#ffffff">Shorewall 1.2 Site here</font></a><br>
|
||||
</div>
|
||||
<br>
|
||||
|
||||
</td>
|
||||
</div>
|
||||
|
||||
</tr>
|
||||
<br>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
||||
<div align="center">
|
||||
|
||||
|
||||
<center>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
|
||||
<td width="90%">
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2 align="left">What is it?</h2>
|
||||
|
||||
|
||||
@ -93,7 +102,7 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||
firewall that can be used on a dedicated firewall system, a multi-function
|
||||
@ -106,26 +115,26 @@ firewall that can be used on a dedicated firewall system, a multi-functio
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <a
|
||||
it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
This program is distributed in the hope that it
|
||||
will be useful, but WITHOUT ANY WARRANTY; without
|
||||
even the implied warranty of MERCHANTABILITY or FITNESS
|
||||
FOR A PARTICULAR PURPOSE. See the GNU General Public
|
||||
License for more details.<br>
|
||||
This program is distributed in the hope that
|
||||
it will be useful, but WITHOUT ANY WARRANTY;
|
||||
without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
General Public License for more details.<br>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
|
||||
You should have received a copy of the GNU General
|
||||
Public License along with this program; if not,
|
||||
write to the Free Software Foundation, Inc., 675
|
||||
Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
You should have received a copy of the GNU
|
||||
General Public License along with this program;
|
||||
if not, write to the Free Software Foundation,
|
||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
@ -134,8 +143,8 @@ License for more details.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
|
||||
|
||||
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
||||
|
||||
|
||||
|
||||
@ -144,23 +153,27 @@ License for more details.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
|
||||
</a>Jacques Nilo and Eric Wolzak have a LEAF
|
||||
(router/firewall/gateway on a floppy, CD or compact flash) distribution
|
||||
called <i>Bering</i> that features Shorewall-1.3.10
|
||||
and Kernel-2.4.18. You can find their work at:
|
||||
<a href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
</a>Jacques Nilo and Eric Wolzak have
|
||||
a LEAF (router/firewall/gateway on a floppy, CD or compact
|
||||
flash) distribution called <i>Bering</i> that
|
||||
features Shorewall-1.3.10 and Kernel-2.4.18. You
|
||||
can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo<br>
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>Congratulations to Jacques and Eric on the recent release of
|
||||
Bering 1.0 Final!!! </b><br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>This is a mirror of the main Shorewall web site at SourceForge
|
||||
(<a href="http://shorewall.sf.net" target="_top">http://shorewall.sf.net</a>)</h2>
|
||||
|
||||
@ -173,7 +186,8 @@ Bering 1.0 Final!!! </b><br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>News</h2>
|
||||
|
||||
|
||||
@ -182,194 +196,295 @@ Bering 1.0 Final!!! </b><br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2></h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
|
||||
<p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b><br>
|
||||
</p>
|
||||
|
||||
<p> Features include:<br>
|
||||
</p>
|
||||
<p>Just includes a few things that I had on the burner:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules (tcrules
|
||||
and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after an
|
||||
error occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than 40% with
|
||||
my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which shows
|
||||
the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog level
|
||||
and causes the subject packets to be logged using the ULOG target rather
|
||||
than the LOG target. This allows you to run ulogd (available from <a
|
||||
href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in the mangle
|
||||
table ("shorewall show mangle" will show you the chains in the mangle table),
|
||||
you can set MARK_IN_FORWARD_CHAIN=Yes in <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
|
||||
input packets based on their destination even when you are using Masquerading
|
||||
or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty 'init',
|
||||
'start', 'stop' and 'stopped' files. If you already have a file with one
|
||||
of these names, don't worry -- the upgrade process won't overwrite your file.</li>
|
||||
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
|
||||
the syslog level at which packets are logged as a result of entries in the
|
||||
/etc/shorewall/rfc1918 file. Previously, these packets were always logged
|
||||
at the 'info' level.<br>
|
||||
<li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
|
||||
file. DNAT- is intended for advanced users who wish to minimize the number
|
||||
of rules that connection requests must traverse.<br>
|
||||
<br>
|
||||
A Shorewall DNAT rule actually generates two iptables rules: a header rewriting
|
||||
rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT-
|
||||
rule only generates the first of these rules. This is handy when you have
|
||||
several DNAT rules that would generate the same ACCEPT rule.<br>
|
||||
<br>
|
||||
Here are three rules from my previous rules file:<br>
|
||||
<br>
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
|
||||
<br>
|
||||
These three rules ended up generating _three_ copies of<br>
|
||||
<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp smtp<br>
|
||||
<br>
|
||||
By writing the rules this way, I end up with only one copy of the ACCEPT
|
||||
rule.<br>
|
||||
<br>
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'shorewall check' command now prints out the applicable policy
|
||||
between each pair of zones.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A new CLEAR_TC option has been added to shorewall.conf. If this
|
||||
option is set to 'No' then Shorewall won't clear the current traffic control
|
||||
rules during [re]start. This setting is intended for use by people that prefer
|
||||
to configure traffic shaping when the network interfaces come up rather than
|
||||
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
|
||||
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
|
||||
your traffic shaping rules can still use the 'fwmark' classifier based on
|
||||
packet marking defined in /etc/shorewall/tcrules.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A new SHARED_DIR variable has been added that allows distribution
|
||||
packagers to easily move the shared directory (default /usr/lib/shorewall).
|
||||
Users should never have a need to change the value of this shorewall.conf
|
||||
setting.<br>
|
||||
</li>
|
||||
</ol>
|
||||
|
||||
<p><b>1/6/2003 -</b><b><big><big><big><big><big><big><big><big> B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
|
||||
</b></p>
|
||||
|
||||
<p><b>Until further notice, I will not be involved in either Shorewall
|
||||
Development or Shorewall Support</b></p>
|
||||
|
||||
<p><b>-Tom Eastep</b><br>
|
||||
</p>
|
||||
|
||||
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
|
||||
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
|
||||
</b></p>
|
||||
|
||||
<p> Features include:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of
|
||||
the trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than
|
||||
40% with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added
|
||||
which shows the current packet classification filters. The output from
|
||||
this command is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target
|
||||
rather than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a href="shorewall_logging.html">to a
|
||||
separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain
|
||||
in the mangle table ("shorewall show mangle" will show you the chains
|
||||
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
|
||||
input packets based on their destination even when you are using Masquerading
|
||||
or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with
|
||||
empty 'init', 'start', 'stop' and 'stopped' files. If you already have
|
||||
a file with one of these names, don't worry -- the upgrade process won't
|
||||
overwrite your file.</li>
|
||||
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
|
||||
the syslog level at which packets are logged as a result of entries in
|
||||
the /etc/shorewall/rfc1918 file. Previously, these packets were always
|
||||
logged at the 'info' level.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
|
||||
was set to anything but ULOG, the firewall would fail to start and "shorewall
|
||||
refresh" would also fail.<br>
|
||||
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta
|
||||
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
|
||||
fail to start and "shorewall refresh" would also fail.<br>
|
||||
|
||||
<p> You may download the Beta from:<br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
|
||||
</b></p>
|
||||
The first public Beta version of Shorewall 1.3.12 is now available (Beta
|
||||
1 was made available to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
The first public Beta version of Shorewall 1.3.12 is now available
|
||||
(Beta 1 was made available to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than 40%
|
||||
with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which
|
||||
shows the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target
|
||||
rather than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in
|
||||
the mangle table ("shorewall show mangle" will show you the chains in the
|
||||
mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
|
||||
This allows for marking input packets based on their destination even when
|
||||
you are using Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty
|
||||
'init', 'start', 'stop' and 'stopped' files. If you already have a file
|
||||
with one of these names, don't worry -- the upgrade process won't overwrite
|
||||
your file.</li>
|
||||
|
||||
<li>"shorewall refresh" now reloads the traffic shaping
|
||||
rules (tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging
|
||||
after an error occurs. This places the point of the failure near the
|
||||
end of the trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more
|
||||
than 40% with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been
|
||||
added which shows the current packet classification filters. The output
|
||||
from this command is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid
|
||||
syslog level and causes the subject packets to be logged using the ULOG
|
||||
target rather than the LOG target. This allows you to run ulogd (available
|
||||
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a href="shorewall_logging.html">to a
|
||||
separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain
|
||||
in the mangle table ("shorewall show mangle" will show you the chains
|
||||
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
|
||||
This allows for marking input packets based on their destination even
|
||||
when you are using Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory
|
||||
with empty 'init', 'start', 'stop' and 'stopped' files. If you already
|
||||
have a file with one of these names, don't worry -- the upgrade process
|
||||
won't overwrite your file.</li>
|
||||
|
||||
|
||||
</ol>
|
||||
You may download the Beta from:<br>
|
||||
|
||||
You may download the Beta from:<br>
|
||||
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
|
||||
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
|
||||
alt="Powered by Mandrake Linux" width="150" height="21" border="0">
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSoft's recently-announced <a
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSoft's recently-announced
|
||||
<a
|
||||
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
|
||||
release</a>.<br>
|
||||
|
||||
release</a>.<br>
|
||||
|
||||
|
||||
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
|
||||
delivered. I have installed 9.0 on one of my systems and I am now in
|
||||
a position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
delivered. I have installed 9.0 on one of my systems and I am now
|
||||
in a position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
|
||||
|
||||
|
||||
<p><b>12/6/2002 - Debian 1.3.11a Packages Available</b><br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>Apt-get sources listed at <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
|
||||
who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
|
||||
users who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b> </b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to entries
|
||||
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the SOURCE or
|
||||
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
|
||||
used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command is now compatible
|
||||
with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup error.
|
||||
fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to
|
||||
entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the
|
||||
SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>.
|
||||
When used, 'all' must appear by itself (in may not be qualified) and
|
||||
it does not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command
|
||||
is now compatible with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup
|
||||
error. fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b></b><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
@ -379,48 +494,53 @@ used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
<td width="88" bgcolor="#4b017c" valign="top"
|
||||
<td width="88" bgcolor="#4b017c" valign="top"
|
||||
align="center"> <a href="http://sourceforge.net">M</a></td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
</center>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
<tbody>
|
||||
<tr>
|
||||
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
@ -428,28 +548,31 @@ used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 12/27/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<p><font size="2">Updated 1/13/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
|
@ -1,124 +1,125 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>About the Shorewall Author</title>
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Tom Eastep</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p align="center"> <img border="3" src="images/TomNTarry.png"
|
||||
alt="Tom on the PCT - 1991" width="316" height="392">
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<p align="center">Tarry & Tom -- August 2002<br>
|
||||
<br>
|
||||
</p>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>Born 1945 in <a
|
||||
<li>Born 1945 in <a
|
||||
href="http://www.experiencewashington.com">Washington State</a> .</li>
|
||||
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
|
||||
State University</a> 1967</li>
|
||||
<li>MA Mathematics from <a
|
||||
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington
|
||||
State University</a> 1967</li>
|
||||
<li>MA Mathematics from <a
|
||||
href="http://www.washington.edu">University of Washington</a> 1969</li>
|
||||
<li>Burroughs Corporation (now <a
|
||||
<li>Burroughs Corporation (now <a
|
||||
href="http://www.unisys.com">Unisys</a> ) 1969 - 1980</li>
|
||||
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
|
||||
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
|
||||
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 -
|
||||
present</li>
|
||||
<li>Married 1969 - no children.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>I am currently a member of the design team for the next-generation
|
||||
operating system from the NonStop Enterprise Division of HP. </p>
|
||||
|
||||
<p>I became interested in Internet Security when I established a home office
|
||||
in 1999 and had DSL service installed in our home. I investigated
|
||||
ipchains and developed the scripts which are now collectively known as
|
||||
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
|
||||
on what I learned from Seattle Firewall, I then designed and wrote
|
||||
Shorewall. </p>
|
||||
|
||||
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
|
||||
Washington</a> where I live with my wife Tarry. </p>
|
||||
|
||||
<p>Our current home network consists of: </p>
|
||||
<li>Married 1969 - no children.</li>
|
||||
|
||||
<ul>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 20GB
|
||||
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system. Also
|
||||
has <a href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
|
||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
|
||||
NIC - My personal Linux System which runs Samba configured as a WINS
|
||||
server. This system also has <a href="http://www.vmware.com/">VMware</a>
|
||||
installed and can run both <a href="http://www.debian.org">Debian
|
||||
Woody</a> and <a href="http://www.suse.com">SuSE 8.1</a> in virtual
|
||||
machines.</li>
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC -
|
||||
Email (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS
|
||||
server (Bind).</li>
|
||||
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX
|
||||
(Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.11 and a DHCP
|
||||
server. Also runs PoPToP for road warrior access.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
|
||||
wife's personal system.</li>
|
||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
|
||||
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
|
||||
work system.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p>I am currently a member of the design team for the next-generation
|
||||
operating system from the NonStop Enterprise Division of HP. </p>
|
||||
|
||||
<p>I became interested in Internet Security when I established a home office
|
||||
in 1999 and had DSL service installed in our home. I investigated
|
||||
ipchains and developed the scripts which are now collectively known as
|
||||
<a href="http://seawall.sourceforge.net"> Seattle Firewall</a>. Expanding
|
||||
on what I learned from Seattle Firewall, I then designed and wrote
|
||||
Shorewall. </p>
|
||||
|
||||
<p>I telework from our home in <a href="http://www.cityofshoreline.com">Shoreline,
|
||||
Washington</a> where I live with my wife Tarry. </p>
|
||||
|
||||
<p>Our current home network consists of: </p>
|
||||
|
||||
<ul>
|
||||
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB & 20GB
|
||||
IDE HDs and LNE100TX (Tulip) NIC - My personal Windows system.
|
||||
Serves as a PPTP server for Road Warrior access. Also has <a
|
||||
href="http://www.mandrakelinux.com">Mandrake</a> 9.0 installed.</li>
|
||||
<li>Celeron 1.4Gz, RH8.0, 384MB RAM, 60GB HD, LNE100TX(Tulip)
|
||||
NIC - My personal Linux System which runs Samba configured as a
|
||||
WINS server. This system also has <a
|
||||
href="http://www.vmware.com/">VMware</a> installed and can run
|
||||
both <a href="http://www.debian.org">Debian Woody</a> and <a
|
||||
href="http://www.suse.com">SuSE 8.1</a> in virtual machines.</li>
|
||||
<li>K6-2/350, RH8.0, 384MB RAM, 8GB IDE HD, EEPRO100 NIC
|
||||
- Email (Postfix & Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd),
|
||||
DNS server (Bind).</li>
|
||||
<li>PII/233, RH8.0, 256MB MB RAM, 2GB SCSI HD - 3 LNE100TX
|
||||
(Tulip) and 1 TLAN NICs - Firewall running Shorewall 1.3.12+ and a
|
||||
DHCP server.</li>
|
||||
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My
|
||||
wife's personal system.</li>
|
||||
<li>PII/400 Laptop, WinXP SP1, 224MB RAM, 12GB HD, onboard
|
||||
EEPRO100 and EEPRO100 in expansion base and LinkSys WAC11 - My main
|
||||
work system.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p>For more about our network see <a href="myfiles.htm">my Shorewall Configuration</a>.</p>
|
||||
|
||||
|
||||
<p>All of our other systems are made by <a
|
||||
href="http://www.compaq.com">Compaq</a> (part of the new <a
|
||||
href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a
|
||||
href="http://www.netgear.com">Netgear</a> FA310TXs.</p>
|
||||
|
||||
|
||||
<p><a href="http://www.redhat.com"><img border="0"
|
||||
src="images/poweredby.png" width="88" height="31">
|
||||
</a><a href="http://www.compaq.com"><img border="0"
|
||||
</a><a href="http://www.compaq.com"><img border="0"
|
||||
src="images/poweredbycompaqlog0.gif" hspace="3" width="83" height="25">
|
||||
</a><a href="http://www.pureftpd.org"><img border="0"
|
||||
</a><a href="http://www.pureftpd.org"><img border="0"
|
||||
src="images/pure.jpg" width="88" height="31">
|
||||
</a><font size="4"><a href="http://www.apache.org"><img
|
||||
</a><font size="4"><a href="http://www.apache.org"><img
|
||||
border="0" src="images/apache_pb1.gif" hspace="2" width="170"
|
||||
height="20">
|
||||
</a><a href="http://www.mandrakelinux.com"><img
|
||||
</a><a href="http://www.mandrakelinux.com"><img
|
||||
src="images/medbutton.png" alt="Powered by Mandrake" width="90"
|
||||
height="32">
|
||||
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
|
||||
</a><img src="images/shorewall.jpg" alt="Protected by Shorewall"
|
||||
width="125" height="40" hspace="4">
|
||||
</font></p>
|
||||
|
||||
<p><font size="2">Last updated 12/7/2002 - </font><font size="2"> <a
|
||||
</font></p>
|
||||
|
||||
<p><font size="2">Last updated 1/7/2003 - </font><font size="2"> <a
|
||||
href="support.htm">Tom Eastep</a></font> </p>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
<br>
|
||||
<br>
|
||||
<font face="Trebuchet MS"><a href="copyright.htm"><font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas
|
||||
M. Eastep.</font></a></font><br>
|
||||
</body>
|
||||
</html>
|
||||
|
156
STABLE/documentation/shorewall_logging.html
Executable file
156
STABLE/documentation/shorewall_logging.html
Executable file
@ -0,0 +1,156 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
<title>Shorewall Logging</title>
|
||||
|
||||
<meta http-equiv="content-type"
|
||||
content="text/html; charset=ISO-8859-1">
|
||||
|
||||
<meta name="author" content="Tom Eastep">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Logging</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
<br>
|
||||
By default, Shorewall directs NetFilter to log using syslog (8). Syslog
|
||||
classifies log messages by a <i>facility</i> and a <i>priority</i> (using
|
||||
the notation <i>facility.priority</i>). <br>
|
||||
<br>
|
||||
The facilities defined by syslog are <i>auth, authpriv, cron, daemon,
|
||||
kern, lpr, mail, mark, news, syslog, user, uucp</i> and <i>local0</i> through
|
||||
<i>local7</i>.<br>
|
||||
<br>
|
||||
Throughout the Shorewall documentation, I will use the term <i>level</i>
|
||||
rather than <i>priority</i> since <i>level</i> is the term used by NetFilter.
|
||||
The syslog documentation uses the term <i>priority</i>.<br>
|
||||
|
||||
<h3>Syslog Levels<br>
|
||||
</h3>
|
||||
Syslog levels are a method of describing to syslog (8) the importance
|
||||
of a message and a number of Shorewall parameters have a syslog level
|
||||
as their value.<br>
|
||||
<br>
|
||||
Valid levels are:<br>
|
||||
<br>
|
||||
7
|
||||
debug<br>
|
||||
6
|
||||
info<br>
|
||||
5
|
||||
notice<br>
|
||||
4
|
||||
warning<br>
|
||||
3
|
||||
err<br>
|
||||
2
|
||||
crit<br>
|
||||
1
|
||||
alert<br>
|
||||
0
|
||||
emerg<br>
|
||||
<br>
|
||||
For most Shorewall logging, a level of 6 (info) is appropriate.
|
||||
Shorewall log messages are generated by NetFilter and are logged using
|
||||
the <i>kern</i> facility and the level that you specify. If you are unsure
|
||||
of the level to choose, 6 (info) is a safe bet. You may specify levels
|
||||
by name or by number.<br>
|
||||
<br>
|
||||
Syslogd writes log messages to files (typically in /var/log/*) based
|
||||
on their facility and level. The mapping of these facility/level pairs
|
||||
to log files is done in /etc/syslog.conf (5). If you make changes to this
|
||||
file, you must restart syslogd before the changes can take effect.<br>
|
||||
|
||||
<h3>Configuring a Separate Log for Shorewall Messages</h3>
|
||||
There are a couple of limitations to syslogd-based logging:<br>
|
||||
|
||||
<ol>
|
||||
<li>If you give, for example, kern.info it's own log destination then
|
||||
that destination will also receive all kernel messages of levels 5 (notice)
|
||||
through 0 (emerg).</li>
|
||||
<li>All kernel.info messages will go to that destination and not just
|
||||
those from NetFilter.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
Beginning with Shorewall version 1.3.12, if your kernel has ULOG
|
||||
target support (and most vendor-supplied kernels do), you may also specify
|
||||
a log level of ULOG (must be all caps). When ULOG is used, Shorewall will
|
||||
direct netfilter to log the related messages via the ULOG target which will
|
||||
send them to a process called 'ulogd'. The ulogd program is available from
|
||||
http://www.gnumonks.org/projects/ulogd and can be configured to log all
|
||||
Shorewall message to their own log file.<br>
|
||||
<br>
|
||||
<b>Note: </b>The ULOG logging mechanism is <u>completely separate</u> from
|
||||
syslog. Once you switch to ULOG, the settings in /etc/syslog.conf have absolutely
|
||||
no effect on your Shorewall logging (except for Shorewall status messages
|
||||
which still go to syslog).<br>
|
||||
<br>
|
||||
You will need to have the kernel source available to compile ulogd.<br>
|
||||
<br>
|
||||
Download the ulod tar file and:<br>
|
||||
|
||||
<ol>
|
||||
<li>Be sure that /usr/src/linux is linked to your kernel source tree<br>
|
||||
</li>
|
||||
<li>cd /usr/local/src (or wherever you do your builds)</li>
|
||||
<li>tar -zxf <i>source-tarball-that-you-downloaded</i></li>
|
||||
<li>cd ulogd-<i>version</i><br>
|
||||
</li>
|
||||
<li>./configure</li>
|
||||
<li>make</li>
|
||||
<li>make install<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
If you are like me and don't have a development environment on your firewall,
|
||||
you can do the first six steps on another system then either NFS mount
|
||||
your /usr/local/src directory or tar up the /usr/local/src/ulogd-<i>version</i>
|
||||
directory and move it to your firewall system.<br>
|
||||
<br>
|
||||
Now on the firewall system, edit /usr/local/etc/ulogd.conf and set:<br>
|
||||
|
||||
<ol>
|
||||
<li>syslogfile <i><file that you wish to log to></i></li>
|
||||
<li>syslogsync 1</li>
|
||||
|
||||
</ol>
|
||||
I also copied the file /usr/local/src/ulogd-<i>version</i>/ulogd.init
|
||||
to /etc/init.d/ulogd. I had to edit the line that read "daemon /usr/local/sbin/ulogd"
|
||||
to read daemon /usr/local/sbin/ulogd -d". On a RedHat system, a simple
|
||||
"chkconfig --level 3 ulogd on" starts ulogd during boot up. Your init system
|
||||
may need something else done to activate the script.<br>
|
||||
<br>
|
||||
You will need to change all instances of log levels (usually 'info') in
|
||||
your configuration files to 'ULOG' - this includes entries in the policy,
|
||||
rules and shorewall.conf files. Here's what I have:<br>
|
||||
|
||||
<pre> [root@gateway shorewall]# grep ULOG *<br> policy:loc fw REJECT ULOG<br> policy:net all DROP ULOG 10/sec:40<br> policy:all all REJECT ULOG<br> rules:REJECT:ULOG loc net tcp 6667<br> shorewall.conf:TCP_FLAGS_LOG_LEVEL=ULOG<br> shorewall.conf:RFC1918_LOG_LEVEL=ULOG<br> [root@gateway shorewall]#<br></pre>
|
||||
Finally edit /etc/shorewall/shorewall.conf and set LOGFILE=<i><file
|
||||
that you wish to log to></i>. This tells the /sbin/shorewall program
|
||||
where to look for the log when processing its "show log", "logwatch" and
|
||||
"monitor" commands.<br>
|
||||
|
||||
<p><font size="2"> Updated 1/11/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright</font> ©
|
||||
<font size="2">2001, 2002, 2003 Thomas M. Eastep</font></a><br>
|
||||
</p>
|
||||
|
||||
</body>
|
||||
</html>
|
@ -1,268 +1,288 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall QuickStart Guide</title>
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides<br>
|
||||
Version 3.1</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall QuickStart Guides
|
||||
(HOWTO's)<br>
|
||||
Version 3.1</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p align="center">With thanks to Richard who reminded me once again that
|
||||
we must all first walk before we can run.</p>
|
||||
|
||||
|
||||
<p align="center">With thanks to Richard who reminded me once again that we
|
||||
must all first walk before we can run.</p>
|
||||
|
||||
<h2>The Guides</h2>
|
||||
|
||||
<p>These guides provide step-by-step instructions for configuring Shorewall
|
||||
in common firewall setups.</p>
|
||||
|
||||
|
||||
<p>These guides provide step-by-step instructions for configuring Shorewall
|
||||
in common firewall setups.</p>
|
||||
|
||||
<p>The following guides are for <b>users who have a single public IP address</b>:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="standalone.htm">Standalone</a> Linux System</li>
|
||||
<li><a href="two-interface.htm">Two-interface</a> Linux System
|
||||
acting as a firewall/router for a small local network</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a> Linux
|
||||
System acting as a firewall/router for a small local network and
|
||||
<li><a href="standalone.htm">Standalone</a> Linux System</li>
|
||||
<li><a href="two-interface.htm">Two-interface</a> Linux
|
||||
System acting as a firewall/router for a small local network</li>
|
||||
<li><a href="three-interface.htm">Three-interface</a> Linux
|
||||
System acting as a firewall/router for a small local network and
|
||||
a DMZ.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
<p>The above guides are designed to get your first firewall up and running
|
||||
quickly in the three most common Shorewall configurations.</p>
|
||||
|
||||
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
|
||||
the steps necessary to set up a firewall where <b>there are multiple
|
||||
public IP addresses involved or if you want to learn more about Shorewall
|
||||
than is explained in the single-address guides above.</b></p>
|
||||
|
||||
|
||||
<p>The above guides are designed to get your first firewall up and running
|
||||
quickly in the three most common Shorewall configurations.</p>
|
||||
|
||||
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
|
||||
the steps necessary to set up a firewall where <b>there are multiple
|
||||
public IP addresses involved or if you want to learn more about Shorewall
|
||||
than is explained in the single-address guides above.</b></p>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
|
||||
Concepts</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network
|
||||
Interfaces</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing,
|
||||
Subnets and Routing</a>
|
||||
|
||||
<li><a href="shorewall_setup_guide.htm#Introduction">1.0
|
||||
Introduction</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall
|
||||
Concepts</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0
|
||||
Network Interfaces</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Addressing">4.0
|
||||
Addressing, Subnets and Routing</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP
|
||||
Addresses</a></li>
|
||||
<li><a
|
||||
<li><a href="shorewall_setup_guide.htm#Addresses">4.1
|
||||
IP Addresses</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||
Resolution Protocol</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address
|
||||
Resolution Protocol</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
|
||||
1918</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC
|
||||
1918</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
|
||||
up your Network</a>
|
||||
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting
|
||||
up your Network</a>
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a>
|
||||
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2
|
||||
Non-routed</a>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
|
||||
Proxy ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
|
||||
NAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1
|
||||
SNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2
|
||||
DNAT</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3
|
||||
Proxy ARP</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static
|
||||
NAT</a></li>
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
|
||||
Odds and Ends</a></li>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
|
||||
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4
|
||||
Odds and Ends</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
|
||||
Stopping the Firewall</a></li>
|
||||
|
||||
</li>
|
||||
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
|
||||
<li><a
|
||||
href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
|
||||
Stopping the Firewall</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h2><a name="Documentation"></a>Documentation Index</h2>
|
||||
|
||||
<p>The following documentation covers a variety of topics and <b>supplements
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
||||
described above</b>. Please review the appropriate guide before trying
|
||||
to use this documentation directly.</p>
|
||||
|
||||
|
||||
<p>The following documentation covers a variety of topics and <b>supplements
|
||||
the <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a>
|
||||
described above</b>. Please review the appropriate guide before trying
|
||||
to use this documentation directly.</p>
|
||||
|
||||
<ul>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
|
||||
<ul>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
<li><a href="blacklisting_support.htm">Blacklisting</a>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="configuration_file_basics.htm">Common configuration
|
||||
file features</a>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Comments in configuration files</li>
|
||||
<li>Line Continuation</li>
|
||||
<li>Port Numbers/Service Names</li>
|
||||
<li>Port Ranges</li>
|
||||
<li>Using Shell Variables</li>
|
||||
<li>Using DNS Names<br>
|
||||
</li>
|
||||
<li>Complementing an IP address or Subnet</li>
|
||||
<li>Shorewall Configurations (making a test configuration)</li>
|
||||
<li>Using MAC Addresses in Shorewall</li>
|
||||
<li>Logging<br>
|
||||
</li>
|
||||
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
|
||||
<li>Dynamic Blacklisting using /sbin/shorewall</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="Documentation.htm">Configuration File Reference
|
||||
Manual</a>
|
||||
|
||||
</li>
|
||||
<li><a href="configuration_file_basics.htm">Common configuration
|
||||
file features</a>
|
||||
|
||||
<ul>
|
||||
<li> <a href="Documentation.htm#Variables">params</a></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><a href="configuration_file_basics.htm#Comments">Comments
|
||||
in configuration files</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Continuation">Line Continuation</a></li>
|
||||
<li><a href="configuration_file_basics.htm#Ports">Port
|
||||
Numbers/Service Names</a></li>
|
||||
<li><a href="configuration_file_basics.htm#Ranges">Port
|
||||
Ranges</a></li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Variables">Using Shell Variables</a></li>
|
||||
<li><a href="configuration_file_basics.htm#dnsnames">Using
|
||||
DNS Names</a><br>
|
||||
</li>
|
||||
<li><a
|
||||
href="configuration_file_basics.htm#Compliment">Complementing an IP address
|
||||
or Subnet</a></li>
|
||||
<li><a href="configuration_file_basics.htm#Configs">Shorewall
|
||||
Configurations (making a test configuration)</a></li>
|
||||
<li><a href="configuration_file_basics.htm#MAC">Using
|
||||
MAC Addresses in Shorewall</a></li>
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="Documentation.htm">Configuration File Reference
|
||||
Manual</a>
|
||||
|
||||
<ul>
|
||||
<li> <a href="Documentation.htm#Variables">params</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Zones">zones</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Interfaces">interfaces</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Hosts">hosts</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Policy">policy</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Rules">rules</a></font></li>
|
||||
<li><a href="Documentation.htm#Common">common</a></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><a href="Documentation.htm#Common">common</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Masq">masq</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#NAT">nat</a></font></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Tunnels">tunnels</a></font></li>
|
||||
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
||||
<li><font color="#000099"><a
|
||||
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a></font></li>
|
||||
<li><a href="Documentation.htm#modules">modules</a></li>
|
||||
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
||||
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
||||
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
||||
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
||||
<li><a href="Documentation.htm#modules">modules</a></li>
|
||||
<li><a href="Documentation.htm#TOS">tos</a> </li>
|
||||
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
|
||||
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
|
||||
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="dhcp.htm">DHCP</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="shorewall_extension_scripts.htm">Extension Scripts</a></font> (How
|
||||
to extend Shorewall without modifying Shorewall code)</li>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
|
||||
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
|
||||
<li><a href="configuration_file_basics.htm#Levels">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="myfiles.htm">My Configuration Files</a> (How
|
||||
I personally use Shorewall)</li>
|
||||
<li><a href="ping.html">'Ping' Management</a><br>
|
||||
</li>
|
||||
<li><a href="ports.htm">Port Information</a>
|
||||
|
||||
</li>
|
||||
<li><a href="dhcp.htm">DHCP</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
|
||||
(How to extend Shorewall without modifying Shorewall code)</li>
|
||||
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
|
||||
<li><a href="shorewall_firewall_structure.htm">Firewall
|
||||
Structure</a></li>
|
||||
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
|
||||
<li><a href="shorewall_logging.html">Logging</a><br>
|
||||
</li>
|
||||
<li><a href="MAC_Validation.html">MAC Verification</a><br>
|
||||
</li>
|
||||
<li><a href="myfiles.htm">My Configuration Files</a> (How I personally
|
||||
use Shorewall)</li>
|
||||
<li><a href="ping.html">'Ping' Management</a><br>
|
||||
</li>
|
||||
<li><a href="ports.htm">Port Information</a>
|
||||
|
||||
<ul>
|
||||
<li>Which applications use which ports</li>
|
||||
<li>Ports used by Trojans</li>
|
||||
<li>Which applications use which ports</li>
|
||||
<li>Ports used by Trojans</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
<li><a href="samba.htm">Samba</a></li>
|
||||
<li><font color="#000099"><a
|
||||
</li>
|
||||
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
|
||||
<li><a href="samba.htm">Samba</a></li>
|
||||
<li><font color="#000099"><a
|
||||
href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>Description of all /sbin/shorewall commands</li>
|
||||
<li>How to safely test a Shorewall configuration change<br>
|
||||
</li>
|
||||
|
||||
<li>Description of all /sbin/shorewall commands</li>
|
||||
<li>How to safely test a Shorewall configuration change<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
|
||||
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
|
||||
<li>VPN
|
||||
|
||||
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
|
||||
<li><a href="Shorewall_Squid_Usage.html">Squid as a Transparent Proxy with
|
||||
Shorewall</a><br>
|
||||
</li>
|
||||
<li><a href="traffic_shaping.htm">Traffic Shaping/QOS</a></li>
|
||||
<li>VPN
|
||||
|
||||
<ul>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
|
||||
your firewall to a remote network.</li>
|
||||
<li><a href="IPSEC.htm">IPSEC</a></li>
|
||||
<li><a href="IPIP.htm">GRE and IPIP</a></li>
|
||||
<li><a href="PPTP.htm">PPTP</a></li>
|
||||
<li><a href="VPN.htm">IPSEC/PPTP</a> from a system behind
|
||||
your firewall to a remote network.</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
</li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White List
|
||||
Creation</a></li>
|
||||
|
||||
</li>
|
||||
<li><a href="whitelisting_under_shorewall.htm">White List
|
||||
Creation</a></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p>If you use one of these guides and have a suggestion for improvement <a
|
||||
href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
|
||||
|
||||
<p><font size="2">Last modified 12/13/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
<p><font size="2">Last modified 1/9/2003 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><a href="copyright.htm"><font size="2">Copyright 2002, 2003 Thomas M.
|
||||
Eastep</font></a><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -5,7 +5,7 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shoreline Firewall (Shorewall) 1.3</title>
|
||||
@ -13,36 +13,38 @@
|
||||
|
||||
|
||||
|
||||
<base target="_self">
|
||||
<base
|
||||
target="_self">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="4"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber3"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%" height="90">
|
||||
<td width="100%" height="90">
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"> <font size="4"><i> <a
|
||||
href="http://www.cityofshoreline.com"> <img vspace="4" hspace="4"
|
||||
alt="Shorwall Logo" height="70" width="85" align="left"
|
||||
src="images/washington.jpg" border="0">
|
||||
|
||||
</a></i></font><font color="#ffffff">Shorewall 1.3 -
|
||||
<font size="4">"<i>iptables made easy"</i></font></font><a
|
||||
href="http://www.sf.net"> </a></h1>
|
||||
</a></i></font><font color="#ffffff">Shorewall
|
||||
1.3 - <font size="4">"<i>iptables made
|
||||
easy"</i></font></font><a href="http://www.sf.net"> </a></h1>
|
||||
|
||||
|
||||
|
||||
@ -50,32 +52,33 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<div align="center"><a href="/1.2/index.html" target="_top"><font
|
||||
color="#ffffff">Shorewall 1.2 Site here</font></a></div>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
<div align="center">
|
||||
|
||||
<center>
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
<div align="center">
|
||||
|
||||
<center>
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber4">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="90%">
|
||||
<td width="90%">
|
||||
|
||||
|
||||
|
||||
@ -83,7 +86,8 @@
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2 align="left">What is it?</h2>
|
||||
|
||||
|
||||
@ -93,39 +97,12 @@
|
||||
|
||||
|
||||
|
||||
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is a
|
||||
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
|
||||
that can be used on a dedicated firewall system, a multi-function
|
||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General
|
||||
Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
|
||||
This program is distributed in the hope that
|
||||
it will be useful, but WITHOUT ANY WARRANTY; without
|
||||
even the implied warranty of MERCHANTABILITY or
|
||||
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General
|
||||
Public License for more details.<br>
|
||||
|
||||
<br>
|
||||
|
||||
You should have received a copy of the GNU
|
||||
General Public License along with this program;
|
||||
if not, write to the Free Software Foundation,
|
||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
<p>The Shoreline Firewall, more commonly known as "Shorewall", is
|
||||
a <a href="http://www.netfilter.org">Netfilter</a> (iptables) based
|
||||
firewall that can be used on a dedicated firewall system, a multi-function
|
||||
gateway/router/server or on a standalone GNU/Linux system.</p>
|
||||
|
||||
|
||||
|
||||
@ -134,8 +111,40 @@ Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
|
||||
|
||||
|
||||
<p>This program is free software; you can redistribute it and/or modify
|
||||
it under the terms of <a
|
||||
href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU
|
||||
General Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
<br>
|
||||
|
||||
This program is distributed in the
|
||||
hope that it will be useful, but WITHOUT ANY
|
||||
WARRANTY; without even the implied warranty of MERCHANTABILITY
|
||||
or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
GNU General Public License for more details.<br>
|
||||
|
||||
<br>
|
||||
|
||||
You should have received a copy of the
|
||||
GNU General Public License along with this
|
||||
program; if not, write to the Free Software Foundation,
|
||||
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><a href="copyright.htm">Copyright 2001, 2002, 2003 Thomas M. Eastep</a></p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
@ -144,21 +153,21 @@ Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a href="http://leaf.sourceforge.net" target="_top"><img
|
||||
border="0" src="images/leaflogo.gif" width="49" height="36">
|
||||
|
||||
</a>Jacques Nilo and Eric Wolzak have
|
||||
a LEAF (router/firewall/gateway on a floppy, CD or compact
|
||||
flash) distribution called <i>Bering</i> that
|
||||
features Shorewall-1.3.10 and Kernel-2.4.18. You
|
||||
can find their work at: <a
|
||||
</a>Jacques Nilo and Eric Wolzak
|
||||
have a LEAF (router/firewall/gateway on a floppy, CD
|
||||
or compact flash) distribution called <i>Bering</i>
|
||||
that features Shorewall-1.3.10 and Kernel-2.4.18.
|
||||
You can find their work at: <a
|
||||
href="http://leaf.sourceforge.net/devel/jnilo"> http://leaf.sourceforge.net/devel/jnilo</a></p>
|
||||
<b>Congratulations to Jacques and Eric on the recent
|
||||
release of Bering 1.0 Final!!! <br>
|
||||
</b>
|
||||
|
||||
<b>Congratulations to Jacques and Eric on
|
||||
the recent release of Bering 1.0 Final!!! <br>
|
||||
</b>
|
||||
|
||||
|
||||
<h2>News</h2>
|
||||
|
||||
|
||||
@ -171,175 +180,319 @@ Public License</a> as published by the Free Software Foundation.<br>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b><br>
|
||||
|
||||
|
||||
<p><b>1/13/2003 - Shorewall 1.3.13</b><b> </b><b><img border="0"
|
||||
src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b><br>
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta 2, if BLACKLIST_LOG_LEVEL
|
||||
was set to anything but ULOG, the firewall would fail to start and "shorewall
|
||||
refresh" would also fail.<br>
|
||||
|
||||
<p> You may download the Beta from:<br>
|
||||
</p>
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b> </b><b><img
|
||||
border="0" src="images/new10.gif" width="28" height="12" alt="(New)">
|
||||
</b></p>
|
||||
The first public Beta version of Shorewall 1.3.12 is now available (Beta
|
||||
1 was made available only to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
|
||||
<p>Just includes a few things that I had on the burner:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than 40%
|
||||
with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added which
|
||||
shows the current packet classification filters. The output from this command
|
||||
is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target rather
|
||||
than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a
|
||||
href="configuration_file_basics.htm#Levels">to a separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain in the
|
||||
mangle table ("shorewall show mangle" will show you the chains in the mangle
|
||||
table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf. This allows
|
||||
for marking input packets based on their destination even when you are using
|
||||
Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with empty
|
||||
'init', 'start', 'stop' and 'stopped' files. If you already have a file with
|
||||
one of these names, don't worry -- the upgrade process won't overwrite your
|
||||
file.</li>
|
||||
|
||||
<li>A new 'DNAT-' action has been added for entries in the /etc/shorewall/rules
|
||||
file. DNAT- is intended for advanced users who wish to minimize the number
|
||||
of rules that connection requests must traverse.<br>
|
||||
<br>
|
||||
A Shorewall DNAT rule actually generates two iptables rules: a header rewriting
|
||||
rule in the 'nat' table and an ACCEPT rule in the 'filter' table. A DNAT-
|
||||
rule only generates the first of these rules. This is handy when you have
|
||||
several DNAT rules that would generate the same ACCEPT rule.<br>
|
||||
<br>
|
||||
Here are three rules from my previous rules file:<br>
|
||||
<br>
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...<br>
|
||||
<br>
|
||||
These three rules ended up generating _three_ copies of<br>
|
||||
<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp smtp<br>
|
||||
<br>
|
||||
By writing the rules this way, I end up with only one copy of the ACCEPT
|
||||
rule.<br>
|
||||
<br>
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178<br>
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179<br>
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,....<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>The 'shorewall check' command now prints out the applicable policy
|
||||
between each pair of zones.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A new CLEAR_TC option has been added to shorewall.conf. If this
|
||||
option is set to 'No' then Shorewall won't clear the current traffic control
|
||||
rules during [re]start. This setting is intended for use by people that prefer
|
||||
to configure traffic shaping when the network interfaces come up rather than
|
||||
when the firewall is started. If that is what you want to do, set TC_ENABLED=Yes
|
||||
and CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That way,
|
||||
your traffic shaping rules can still use the 'fwmark' classifier based on
|
||||
packet marking defined in /etc/shorewall/tcrules.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>A new SHARED_DIR variable has been added that allows distribution
|
||||
packagers to easily move the shared directory (default /usr/lib/shorewall).
|
||||
Users should never have a need to change the value of this shorewall.conf
|
||||
setting.</li>
|
||||
</ol>
|
||||
You may download the Beta from:<br>
|
||||
|
||||
<p><b>1/6/2003 - </b><b><big><big><big><big><big><big><big><big>B</big></big></big></big></big><small>U<small>R<small>N<small>O<small>U<small>T</small></small></small></small></small></small></big></big></big></b><b>
|
||||
</b></p>
|
||||
|
||||
<p><b>Until further notice, I will not be involved in either Shorewall
|
||||
Development or Shorewall Support</b></p>
|
||||
|
||||
<p><b>-Tom Eastep</b><br>
|
||||
</p>
|
||||
|
||||
<p><b>12/30/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.12
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/"
|
||||
target="_self">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>12/27/2002 - Shorewall 1.3.12 Released</b><b>
|
||||
</b></p>
|
||||
|
||||
<p> Features include:<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping rules
|
||||
(tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging after
|
||||
an error occurs. This places the point of the failure near the end of
|
||||
the trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more than
|
||||
40% with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been added
|
||||
which shows the current packet classification filters. The output from
|
||||
this command is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid syslog
|
||||
level and causes the subject packets to be logged using the ULOG target
|
||||
rather than the LOG target. This allows you to run ulogd (available from
|
||||
<a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a href="shorewall_logging.html">to a
|
||||
separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain
|
||||
in the mangle table ("shorewall show mangle" will show you the chains
|
||||
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This allows for marking
|
||||
input packets based on their destination even when you are using Masquerading
|
||||
or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory with
|
||||
empty 'init', 'start', 'stop' and 'stopped' files. If you already have
|
||||
a file with one of these names, don't worry -- the upgrade process won't
|
||||
overwrite your file.</li>
|
||||
<li>I have added a new RFC1918_LOG_LEVEL variable to <a
|
||||
href="Documentation.htm#Conf">shorewall.conf</a>. This variable specifies
|
||||
the syslog level at which packets are logged as a result of entries in
|
||||
the /etc/shorewall/rfc1918 file. Previously, these packets were always
|
||||
logged at the 'info' level.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 3</b><br>
|
||||
</p>
|
||||
This version corrects a problem with Blacklist logging. In Beta
|
||||
2, if BLACKLIST_LOG_LEVEL was set to anything but ULOG, the firewall would
|
||||
fail to start and "shorewall refresh" would also fail.<br>
|
||||
|
||||
<p> You may download the Beta from:<br>
|
||||
</p>
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p><b>12/20/2002 - Shorewall 1.3.12 Beta 2</b><b>
|
||||
</b></p>
|
||||
The first public Beta version of Shorewall 1.3.12 is now available
|
||||
(Beta 1 was made available only to a limited audience). <br>
|
||||
<br>
|
||||
Features include:<br>
|
||||
<br>
|
||||
|
||||
|
||||
<ol>
|
||||
<li>"shorewall refresh" now reloads the traffic shaping
|
||||
rules (tcrules and tcstart).</li>
|
||||
<li>"shorewall debug [re]start" now turns off debugging
|
||||
after an error occurs. This places the point of the failure near the
|
||||
end of the trace rather than up in the middle of it.</li>
|
||||
<li>"shorewall [re]start" has been speeded up by more
|
||||
than 40% with my configuration. Your milage may vary.</li>
|
||||
<li>A "shorewall show classifiers" command has been
|
||||
added which shows the current packet classification filters. The output
|
||||
from this command is also added as a separate page in "shorewall monitor"</li>
|
||||
<li>ULOG (must be all caps) is now accepted as a valid
|
||||
syslog level and causes the subject packets to be logged using the ULOG
|
||||
target rather than the LOG target. This allows you to run ulogd (available
|
||||
from <a href="http://www.gnumonks.org/projects/ulogd">http://www.gnumonks.org/projects/ulogd</a>)
|
||||
and log all Shorewall messages <a href="shorewall_logging.html">to a
|
||||
separate log file</a>.</li>
|
||||
<li>If you are running a kernel that has a FORWARD chain
|
||||
in the mangle table ("shorewall show mangle" will show you the chains
|
||||
in the mangle table), you can set MARK_IN_FORWARD_CHAIN=Yes in shorewall.conf.
|
||||
This allows for marking input packets based on their destination even
|
||||
when you are using Masquerading or SNAT.</li>
|
||||
<li>I have cluttered up the /etc/shorewall directory
|
||||
with empty 'init', 'start', 'stop' and 'stopped' files. If you already
|
||||
have a file with one of these names, don't worry -- the upgrade process
|
||||
won't overwrite your file.</li>
|
||||
|
||||
|
||||
</ol>
|
||||
You may download the Beta from:<br>
|
||||
|
||||
|
||||
<blockquote><a href="http://www.shorewall.net/pub/shorewall/Beta">http://www.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
<a href="ftp://ftp.shorewall.net/pub/shorewall/Beta"
|
||||
target="_top">ftp://ftp.shorewall.net/pub/shorewall/Beta</a><br>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p><b>12/12/2002 - Mandrake Multi Network Firewall <a
|
||||
href="http://www.mandrakesoft.com"><img src="images/logo2.png"
|
||||
alt="Powered by Mandrake Linux" width="150" height="23" border="0">
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSofts's recently-announced <a
|
||||
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
|
||||
release</a>.<br>
|
||||
|
||||
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
|
||||
</b></p>
|
||||
</a></b></p>
|
||||
Shorewall is at the center of MandrakeSofts's recently-announced
|
||||
<a
|
||||
href="http://www.mandrakestore.com/mdkinc/index.php?PAGE=tab_0/menu_0.php&id_art=250&LANG_=en#GOTO_250">Multi
|
||||
Network Firewall (MNF)</a> product. Here is the <a
|
||||
href="http://www.mandrakesoft.com/company/press/pr?n=/pr/products/2403">press
|
||||
release</a>.<br>
|
||||
|
||||
|
||||
<p><b>12/7/2002 - Shorewall Support for Mandrake 9.0</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
|
||||
delivered. I have installed 9.0 on one of my systems and I am now
|
||||
in a position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
|
||||
|
||||
<p>Two months and 3 days after I pre-ordered Mandrake 9.0, it was finally
|
||||
delivered. I have installed 9.0 on one of my systems and I am now in a
|
||||
position to support Shorewall users who run Mandrake 9.0.</p>
|
||||
|
||||
|
||||
<p><b>12/6/2002 - Debian 1.3.11a Packages Available</b><b></b><br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>Apt-get sources listed at <a
|
||||
href="http://security.dsi.unimi.it/%7Elorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html.</a></p>
|
||||
|
||||
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11 users
|
||||
who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
<p><b>12/3/2002 - Shorewall 1.3.11a</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
<p>This is a bug-fix roll up which includes Roger Aich's fix for DNAT
|
||||
with excluded subnets (e.g., "DNAT foo!bar ..."). Current 1.3.11
|
||||
users who don't need rules of this type need not upgrade to 1.3.11.</p>
|
||||
|
||||
|
||||
|
||||
<p><b>11/25/2002 - Shorewall 1.3.11 Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
|
||||
</b></p>
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.11
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
<p><b>11/24/2002 - Shorewall 1.3.11</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
<p>In this version:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to entries
|
||||
in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the SOURCE or
|
||||
DEST column in a <a href="Documentation.htm#Rules">rule</a>. When
|
||||
used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command is now compatible
|
||||
with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup error.
|
||||
fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>A 'tcpflags' option has been added to
|
||||
entries in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.
|
||||
This option causes Shorewall to make a set of sanity check on TCP packet
|
||||
header flags.</li>
|
||||
<li>It is now allowed to use 'all' in the
|
||||
SOURCE or DEST column in a <a href="Documentation.htm#Rules">rule</a>.
|
||||
When used, 'all' must appear by itself (in may not be qualified)
|
||||
and it does not enable intra-zone traffic. For example, the rule <br>
|
||||
<br>
|
||||
ACCEPT loc all tcp 80<br>
|
||||
<br>
|
||||
does not enable http traffic from 'loc' to 'loc'.</li>
|
||||
<li>Shorewall's use of the 'echo' command
|
||||
is now compatible with bash clones such as ash and dash.</li>
|
||||
<li>fw->fw policies now generate a startup
|
||||
error. fw->fw rules generate a warning and are ignored</li>
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
<p><b>11/14/2002 - Shorewall Documentation in PDF Format</b><b>
|
||||
</b></p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p>Juraj Ontkanin has produced a PDF containing the Shorewall 1.3.10
|
||||
documenation. the PDF may be downloaded from</p>
|
||||
|
||||
|
||||
|
||||
<p> <a
|
||||
href="ftp://slovakia.shorewall.net/mirror/shorewall/pdf/" target="_top">ftp://slovakia.shorewall.net/mirror/shorewall/pdf/</a><br>
|
||||
<a
|
||||
<a
|
||||
href="http://slovakia.shorewall.net/pub/shorewall/pdf/">http://slovakia.shorewall.net/pub/shorewall/pdf/</a><br>
|
||||
</p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b></b></p>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><b></b><a href="News.htm">More News</a></p>
|
||||
|
||||
|
||||
@ -349,61 +502,66 @@ used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2> </h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><a href="http://www.sf.net"><img align="left"
|
||||
alt="SourceForge Logo"
|
||||
src="http://sourceforge.net/sflogo.php?group_id=22587&type=3">
|
||||
</a></h1>
|
||||
</a></h1>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h4> </h4>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2>This site is hosted by the generous folks at <a
|
||||
href="http://www.sf.net">SourceForge.net</a> </h2>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<h2><a name="Donations"></a>Donations</h2>
|
||||
|
||||
</td>
|
||||
</td>
|
||||
|
||||
<td width="88" bgcolor="#4b017c" valign="top"
|
||||
align="center"> <br>
|
||||
</td>
|
||||
<td width="88" bgcolor="#4b017c"
|
||||
valign="top" align="center"> <br>
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
</center>
|
||||
</center>
|
||||
|
||||
</div>
|
||||
</div>
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="5" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber2"
|
||||
bgcolor="#4b017c">
|
||||
|
||||
<tbody>
|
||||
<tbody>
|
||||
|
||||
<tr>
|
||||
<tr>
|
||||
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
<td width="100%" style="margin-top: 1px;">
|
||||
|
||||
|
||||
|
||||
@ -411,12 +569,13 @@ used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><a href="http://www.starlight.org"> <img
|
||||
border="4" src="images/newlog.gif" width="57" height="100" align="left"
|
||||
hspace="10">
|
||||
|
||||
</a></p>
|
||||
</a></p>
|
||||
|
||||
|
||||
|
||||
@ -425,30 +584,32 @@ used, 'all' must appear by itself (in may not be qualified) and it does
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free
|
||||
but if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight
|
||||
Children's Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
<p align="center"><font size="4" color="#ffffff">Shorewall is free but
|
||||
if you try it and find it useful, please consider making a donation
|
||||
to <a
|
||||
href="http://www.starlight.org"><font color="#ffffff">Starlight Children's
|
||||
Foundation.</font></a> Thanks!</font></p>
|
||||
|
||||
</td>
|
||||
|
||||
</tr>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
<p><font size="2">Updated 12/22/2002 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
|
||||
<p><font size="2">Updated 1/6/2003 - <a href="support.htm">Tom Eastep</a></font>
|
||||
|
||||
<br>
|
||||
</p>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,13 +1,13 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Starting and Stopping Shorewall</title>
|
||||
@ -15,231 +15,238 @@
|
||||
<body>
|
||||
|
||||
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<tbody>
|
||||
<tr>
|
||||
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
|
||||
the Firewall</font></h1>
|
||||
<td width="100%">
|
||||
|
||||
</td>
|
||||
<h1 align="center"><font color="#ffffff">Starting/Stopping and Monitoring
|
||||
the Firewall</font></h1>
|
||||
|
||||
</tr>
|
||||
</td>
|
||||
|
||||
|
||||
</tbody>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
|
||||
|
||||
<p> If you have a permanent internet connection such as DSL or Cable,
|
||||
I recommend that you start the firewall automatically at boot. Once
|
||||
you have installed "firewall" in your init.d directory, simply type
|
||||
"chkconfig --add firewall". This will start the firewall in run levels
|
||||
2-5 and stop it in run levels 1 and 6. If you want to configure your
|
||||
firewall differently from this default, you can use the "--level" option
|
||||
in chkconfig (see "man chkconfig") or using your favorite graphical
|
||||
run-level editor.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>Shorewall startup is disabled by default. Once you have configured
|
||||
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
|
||||
Note: Users of the .deb package must edit /etc/default/shorewall and set
|
||||
'startup=1'.<br>
|
||||
</li>
|
||||
<li>If you use dialup, you may want to start the firewall in your
|
||||
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
|
||||
in that script.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
|
||||
<p> If you have a permanent internet connection such as DSL or Cable,
|
||||
I recommend that you start the firewall automatically at boot. Once
|
||||
you have installed "firewall" in your init.d directory, simply type
|
||||
"chkconfig --add firewall". This will start the firewall in run
|
||||
levels 2-5 and stop it in run levels 1 and 6. If you want to configure
|
||||
your firewall differently from this default, you can use the "--level"
|
||||
option in chkconfig (see "man chkconfig") or using your favorite
|
||||
graphical run-level editor.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p><strong><u> <font color="#000099"> Important Notes:</font></u></strong><br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>Shorewall startup is disabled by default. Once you have configured
|
||||
your firewall, you can enable startup by removing the file /etc/shorewall/startup_disabled.
|
||||
Note: Users of the .deb package must edit /etc/default/shorewall and set
|
||||
'startup=1'.<br>
|
||||
</li>
|
||||
<li>If you use dialup, you may want to start the firewall in your
|
||||
/etc/ppp/ip-up.local script. I recommend just placing "shorewall restart"
|
||||
in that script.</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p>
|
||||
</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p> You can manually start and stop Shoreline Firewall using the "shorewall"
|
||||
shell program: </p>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>shorewall start - starts the firewall</li>
|
||||
<li>shorewall stop - stops the firewall</li>
|
||||
<li>shorewall restart - stops the firewall (if it's running)
|
||||
and then starts it again</li>
|
||||
<li>shorewall reset - reset the packet and byte counters
|
||||
in the firewall</li>
|
||||
<li>shorewall clear - remove all rules and chains installed
|
||||
by Shoreline Firewall</li>
|
||||
<li>shorewall refresh - refresh the rules involving the broadcast
|
||||
<li>shorewall start - starts the firewall</li>
|
||||
<li>shorewall stop - stops the firewall</li>
|
||||
<li>shorewall restart - stops the firewall (if it's running)
|
||||
and then starts it again</li>
|
||||
<li>shorewall reset - reset the packet and byte counters
|
||||
in the firewall</li>
|
||||
<li>shorewall clear - remove all rules and chains installed
|
||||
by Shoreline Firewall</li>
|
||||
<li>shorewall refresh - refresh the rules involving the broadcast
|
||||
addresses of firewall interfaces and the black and white lists.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
If you include the keyword <i>debug</i> as the first argument, then a shell
|
||||
trace of the command is produced as in:<br>
|
||||
<pre> <font color="#009900"><b>shorewall debug start 2> /tmp/trace</b></font><br></pre>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p>The above command would trace the 'start' command and place the trace
|
||||
information in the file /tmp/trace</p>
|
||||
<p> The "shorewall" program may also be used to monitor the firewall.</p>
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
<li>shorewall status - produce a verbose report about the firewall
|
||||
(iptables -L -n -v)</li>
|
||||
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain
|
||||
</i>(iptables -L <i>chain</i> -n -v)</li>
|
||||
<li>shorewall show nat - produce a verbose report about the nat table
|
||||
(iptables -t nat -L -n -v)</li>
|
||||
<li>shorewall show tos - produce a verbose report about the mangle
|
||||
table (iptables -t mangle -L -n -v)</li>
|
||||
<li>shorewall show log - display the last 20 packet log entries.</li>
|
||||
<li>shorewall show connections - displays the IP connections currently
|
||||
being tracked by the firewall.</li>
|
||||
<li>shorewall
|
||||
show
|
||||
tc - displays information
|
||||
about the traffic control/shaping configuration.</li>
|
||||
<li>shorewall monitor [ delay ] - Continuously display the firewall
|
||||
status, last 20 log entries and nat. When the log entry display
|
||||
changes, an audible alarm is sounded.</li>
|
||||
<li>shorewall hits - Produces several reports about the Shorewall
|
||||
<li>shorewall status - produce a verbose report about the firewall
|
||||
(iptables -L -n -v)</li>
|
||||
<li>shorewall show <i>chain</i> - produce a verbose report about
|
||||
<i>chain </i>(iptables -L <i>chain</i> -n -v)</li>
|
||||
<li>shorewall show nat - produce a verbose report about the nat table
|
||||
(iptables -t nat -L -n -v)</li>
|
||||
<li>shorewall show tos - produce a verbose report about the mangle
|
||||
table (iptables -t mangle -L -n -v)</li>
|
||||
<li>shorewall show log - display the last 20 packet log entries.</li>
|
||||
<li>shorewall show connections - displays the IP connections currently
|
||||
being tracked by the firewall.</li>
|
||||
<li>shorewall
|
||||
show
|
||||
tc - displays information
|
||||
about the traffic control/shaping configuration.</li>
|
||||
<li>shorewall monitor [ delay ] - Continuously display the firewall
|
||||
status, last 20 log entries and nat. When the log entry display
|
||||
changes, an audible alarm is sounded.</li>
|
||||
<li>shorewall hits - Produces several reports about the Shorewall
|
||||
packet log messages in the current /var/log/messages file.</li>
|
||||
<li>shorewall version - Displays the installed version number.</li>
|
||||
<li>shorewall check - Performs a <u>cursory</u> validation of
|
||||
the zones, interfaces, hosts, rules and policy files. <font size="4"
|
||||
color="#ff6666"><b>The "check" command does not parse and validate the
|
||||
generated iptables commands so even though the "check" command completes
|
||||
successfully, the configuration may fail to start. See the recommended
|
||||
way to make configuration changes described below. </b></font> </li>
|
||||
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
|
||||
] - Restart shorewall using the specified configuration and if an error
|
||||
occurs or if the<i> timeout </i> option is given and the new configuration
|
||||
has been up for that many seconds then shorewall is restarted using the
|
||||
standard configuration.</li>
|
||||
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
|
||||
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
|
||||
<li>shorewall logwatch (added in version 1.3.2) - Monitors the
|
||||
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
|
||||
messages are logged.</li>
|
||||
|
||||
<li>shorewall version - Displays the installed version number.</li>
|
||||
<li>shorewall check - Performs a <u>cursory</u> validation of
|
||||
the zones, interfaces, hosts, rules and policy files. <font
|
||||
size="4" color="#ff6666"><b>The "check" command does not parse and validate
|
||||
the generated iptables commands so even though the "check" command
|
||||
completes successfully, the configuration may fail to start. See the
|
||||
recommended way to make configuration changes described below. </b></font>
|
||||
</li>
|
||||
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i>
|
||||
] - Restart shorewall using the specified configuration and if an error
|
||||
occurs or if the<i> timeout </i> option is given and the new configuration
|
||||
has been up for that many seconds then shorewall is restarted using
|
||||
the standard configuration.</li>
|
||||
<li>shorewall deny, shorewall reject, shorewall accept and shorewall
|
||||
save implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
|
||||
<li>shorewall logwatch (added in version 1.3.2) - Monitors the
|
||||
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
|
||||
messages are logged.</li>
|
||||
|
||||
</ul>
|
||||
Finally, the "shorewall" program may be used to dynamically alter the contents
|
||||
of a zone.<br>
|
||||
|
||||
<ul>
|
||||
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
|
||||
specified interface (and host if included) to the specified zone.</li>
|
||||
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
|
||||
the specified interface (and host if included) from the specified zone.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>Examples:<br>
|
||||
Finally, the "shorewall" program may be used to dynamically alter the contents
|
||||
of a zone.<br>
|
||||
|
||||
<blockquote>shorewall add ipsec0:192.0.2.24 vpn1 -- adds the address 192.0.2.24
|
||||
from interface ipsec0 to the zone vpn1<br>
|
||||
shorewall delete ipsec0:192.0.2.24 vpn1 -- deletes the address 192.0.2.24
|
||||
from interface ipsec0 from zone vpn1<br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
<ul>
|
||||
<li>shorewall add <i>interface</i>[:<i>host]</i> <i>zone </i>- Adds the
|
||||
specified interface (and host if included) to the specified zone.</li>
|
||||
<li>shorewall delete <i>interface</i>[:<i>host]</i> <i>zone </i>- Deletes
|
||||
the specified interface (and host if included) from the specified zone.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<blockquote>Examples:<br>
|
||||
|
||||
<blockquote><font color="#009900"><b>shorewall add ipsec0:192.0.2.24 vpn1</b></font>
|
||||
-- adds the address 192.0.2.24 from interface ipsec0 to the zone vpn1<br>
|
||||
<font color="#009900"><b> shorewall delete ipsec0:192.0.2.24 vpn1</b></font>
|
||||
-- deletes the address 192.0.2.24 from interface ipsec0 from zone vpn1<br>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
|
||||
|
||||
<p> The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b> and
|
||||
<b>shorewall try </b>commands allow you to specify which <a
|
||||
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
|
||||
href="configuration_file_basics.htm#Configs"> Shorewall configuration</a>
|
||||
to use:</p>
|
||||
|
||||
|
||||
<blockquote>
|
||||
|
||||
|
||||
<blockquote>
|
||||
|
||||
<p> shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
|
||||
shorewall try <i>configuration-directory</i></p>
|
||||
</blockquote>
|
||||
shorewall try <i>configuration-directory</i></p>
|
||||
</blockquote>
|
||||
|
||||
|
||||
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
|
||||
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
|
||||
. If the file is present in the <i>configuration-directory</i>, that
|
||||
file will be used; otherwise, the file in /etc/shorewall will be used.</p>
|
||||
|
||||
<p> If a <i>configuration-directory</i> is specified, each time that Shorewall
|
||||
is going to use a file in /etc/shorewall it will first look in the <i>configuration-directory</i>
|
||||
. If the file is present in the <i>configuration-directory</i>, that file
|
||||
will be used; otherwise, the file in /etc/shorewall will be used.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
<p> When changing the configuration of a production firewall, I recommend
|
||||
the following:</p>
|
||||
|
||||
<p> When changing the configuration of a production firewall, I recommend
|
||||
the following:</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
|
||||
<li>mkdir /etc/test</li>
|
||||
<li><font color="#009900"><b>mkdir /etc/test</b></font></li>
|
||||
|
||||
<li>cd /etc/test</li>
|
||||
<li><font color="#009900"><b>cd /etc/test</b></font></li>
|
||||
|
||||
<li><copy any files that you need to change from /etc/shorewall
|
||||
to . and change them here></li>
|
||||
<li><copy any files that you need to change from /etc/shorewall
|
||||
to . and change them here></li>
|
||||
|
||||
<li>shorewall -c . check</li>
|
||||
<li><font color="#009900"><b>shorewall -c . check</b></font></li>
|
||||
|
||||
<li><correct any errors found by check and check again></li>
|
||||
<li><correct any errors found by check and check again></li>
|
||||
|
||||
<li>/sbin/shorewall try .</li>
|
||||
|
||||
<li><font color="#009900"><b>/sbin/shorewall try .</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p> If the configuration starts but doesn't work, just "shorewall restart"
|
||||
to restore the old configuration. If the new configuration fails to start,
|
||||
the "try" command will automatically start the old one for you.</p>
|
||||
|
||||
<p> If the configuration starts but doesn't work, just "shorewall restart"
|
||||
to restore the old configuration. If the new configuration fails to start,
|
||||
the "try" command will automatically start the old one for you.</p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<p> When the new configuration works then just </p>
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
<ul>
|
||||
|
||||
<li>cp * /etc/shorewall</li>
|
||||
<li><font color="#009900"><b>cp * /etc/shorewall</b></font></li>
|
||||
|
||||
<li>cd</li>
|
||||
<li><font color="#009900"><b>cd</b></font></li>
|
||||
|
||||
<li>rm -rf /etc/test</li>
|
||||
|
||||
<li><font color="#009900"><b>rm -rf /etc/test</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
|
||||
|
||||
<p><font size="2"> Updated 11/21/2002 - <a href="support.htm">Tom Eastep</a>
|
||||
|
||||
<p><font size="2"> Updated 1/9/2003 - <a href="support.htm">Tom Eastep</a>
|
||||
</font></p>
|
||||
|
||||
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font></p>
|
||||
|
||||
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
|
@ -2,121 +2,120 @@
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Support</title>
|
||||
|
||||
|
||||
|
||||
|
||||
<meta name="Microsoft Theme" content="none">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" width="100%" id="AutoNumber1"
|
||||
bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
|
||||
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Support<img
|
||||
src="images/obrasinf.gif" alt="" width="90" height="90" align="middle">
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
|
||||
</tbody>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
<p> <br>
|
||||
<span style="font-weight: 400;"></span></p>
|
||||
|
||||
<h2><big><font color="#ff0000"><b>I don't look at problems sent to me directly
|
||||
but I try to spend some amount of time each day responding to problems
|
||||
posted on the Shorewall mailing list.</b></font></big></h2>
|
||||
|
||||
<h2 align="center"><big><font color="#ff0000"><b>-Tom</b></font></big></h2>
|
||||
|
||||
|
||||
<p> <b><big><big><font color="#ff0000">Due to "Shorewall burnout", I am currently
|
||||
not involved in either Shorewall development or Shorewall support. Nevertheless,
|
||||
the mailing list is being ably manned by other Shorewall users.</font></big><span
|
||||
style="font-weight: 400;"></span></big></b></p>
|
||||
|
||||
<h2 align="center"><big><font color="#ff0000"><b>-Tom Eastep</b></font></big></h2>
|
||||
|
||||
<h2>Before Reporting a Problem</h2>
|
||||
|
||||
<h3>T<b>here are a number of sources for problem solution information. Please
|
||||
try these before you post.</b></h3>
|
||||
There are a number of sources for problem
|
||||
solution information. Please try these before you post.
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The <a href="FAQ.htm">FAQ</a> has solutions to more than 20 common
|
||||
problems.</b></h3>
|
||||
<li>More than half of the questions posted on the support list
|
||||
have answers directly accessible from the <a
|
||||
href="shorewall_quickstart_guide.htm#Documentation">Documentation Index</a><br>
|
||||
<br>
|
||||
</li>
|
||||
|
||||
<li> The <a href="FAQ.htm">FAQ</a>
|
||||
has solutions to more than 20 common problems. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The <a href="troubleshoot.htm">Troubleshooting</a> Information
|
||||
contains a number of tips to help you solve common problems.</b></h3>
|
||||
</li>
|
||||
|
||||
<li> The <a
|
||||
href="troubleshoot.htm">Troubleshooting</a> Information contains
|
||||
a number of tips to help you solve common problems. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The <a href="errata.htm"> Errata</a> has links to download
|
||||
updated components.</b></h3>
|
||||
</li>
|
||||
|
||||
<li> The <a
|
||||
href="errata.htm"> Errata</a> has links to download updated
|
||||
components. </li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The Mailing List Archives search facility can locate posts
|
||||
about similar problems:</b></h3>
|
||||
</li>
|
||||
|
||||
<li> The Mailing List Archives
|
||||
search facility can locate posts about similar problems:
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h2> </h2>
|
||||
|
||||
<h2>Mailing List Archive Search</h2>
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
|
||||
<h2>Mailing List Archive Search</h2>
|
||||
|
||||
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch">
|
||||
|
||||
|
||||
<p> <font size="-1"> Match:
|
||||
|
||||
|
||||
<select name="method">
|
||||
<option value="and">All </option>
|
||||
<option value="or">Any </option>
|
||||
<option value="boolean">Boolean </option>
|
||||
</select>
|
||||
Format:
|
||||
|
||||
Format:
|
||||
|
||||
<select name="format">
|
||||
<option value="builtin-long">Long </option>
|
||||
<option value="builtin-short">Short </option>
|
||||
</select>
|
||||
Sort by:
|
||||
|
||||
Sort by:
|
||||
|
||||
<select name="sort">
|
||||
<option value="score">Score </option>
|
||||
<option value="time">Time </option>
|
||||
@ -125,163 +124,239 @@
|
||||
<option value="revtime">Reverse Time </option>
|
||||
<option value="revtitle">Reverse Title </option>
|
||||
</select>
|
||||
</font> <input type="hidden" name="config"
|
||||
</font> <input type="hidden" name="config"
|
||||
value="htdig"> <input type="hidden" name="restrict"
|
||||
value="[http://www.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
value="[http://mail.shorewall.net/pipermail/.*]"> <input type="hidden"
|
||||
name="exclude" value=""> <br>
|
||||
Search: <input type="text" size="30" name="words"
|
||||
value=""> <input type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
<h2>Problem Reporting Guidelines</h2>
|
||||
<i>"Let me see if I can translate your message into a real-world example.
|
||||
It would be like saying that you have three rooms at home, and when you
|
||||
walk into one of the rooms, you detect this strange smell. Can anyone tell
|
||||
you what that strange smell is?<br>
|
||||
<br>
|
||||
Now, all of us could do some wonderful guessing as to the smell and even
|
||||
what's causing it. You would be absolutely amazed at the range and variety
|
||||
of smells we could come up with. Even more amazing is that all of the explanations
|
||||
for the smells would be completely plausible."<br>
|
||||
</i><br>
|
||||
|
||||
<div align="center"> - Russell Mosemann<br>
|
||||
</div>
|
||||
<br>
|
||||
|
||||
Search: <input type="text" size="30"
|
||||
name="words" value=""> <input type="submit" value="Search"> </p>
|
||||
</form>
|
||||
|
||||
<h2>Problem Reporting Guidelines </h2>
|
||||
<i>"Let me see if I can translate your message into a real-world
|
||||
example. It would be like saying that you have three rooms at home,
|
||||
and when you walk into one of the rooms, you detect this strange smell.
|
||||
Can anyone tell you what that strange smell is?<br>
|
||||
<br>
|
||||
Now, all of us could do some wonderful guessing as to the smell
|
||||
and even what's causing it. You would be absolutely amazed at the range
|
||||
and variety of smells we could come up with. Even more amazing is that
|
||||
all of the explanations for the smells would be completely plausible."<br>
|
||||
</i><br>
|
||||
|
||||
<div align="center"> - <i>Russell Mosemann</i> on the Postfix mailing list<br>
|
||||
</div>
|
||||
<br>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>When reporting a problem, give as much information as you can.
|
||||
Reports that say "I tried XYZ and it didn't work" are not at all helpful.</b></h3>
|
||||
</li>
|
||||
|
||||
<li>Please remember we only know what is posted in your message. Do
|
||||
not leave out any information that appears to be correct, or was mentioned
|
||||
in a previous post. There have been countless posts by people who were
|
||||
sure that some part of their configuration was correct when it actually
|
||||
contained a small error. We tend to be skeptics where detail is lacking.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please keep in mind that you're asking for <strong>free</strong>
|
||||
technical support. Any help we offer is an act of generosity, not an obligation.
|
||||
Try to make it easy for us to help you. Follow good, courteous practices
|
||||
in writing and formatting your e-mail. Provide details that we need if
|
||||
you expect good answers. <em>Exact quoting </em> of error messages, log
|
||||
entries, command output, and other output is better than a paraphrase or
|
||||
summary.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li> Please don't describe your environment
|
||||
and then ask us to send you custom configuration files.
|
||||
We're here to answer your questions but we can't do your
|
||||
job for you.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>When reporting a problem, <strong>ALWAYS</strong> include this
|
||||
information:</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<ul>
|
||||
|
||||
<ul>
|
||||
<li>the exact version of Shorewall you are running.<br>
|
||||
<br>
|
||||
<b><font color="#009900">shorewall version</font><br>
|
||||
</b> <br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>the exact kernel version you are running<br>
|
||||
<br>
|
||||
<font color="#009900"><b>uname -a<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip addr show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>the complete, exact output of<br>
|
||||
<br>
|
||||
<font color="#009900"><b>ip route show<br>
|
||||
<br>
|
||||
</b></font></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li>If your kernel is modularized, the exact output from<br>
|
||||
<br>
|
||||
<font color="#009900"><b>lsmod</b></font><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>the exact wording of any <code
|
||||
style="color: green; font-weight: bold;">ping</code> failure responses.<br>
|
||||
<br>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
<li><b>NEVER </b>include the output of "<b><font color="#009900">iptables
|
||||
-L</font></b>". Instead, please post the exact output of<br>
|
||||
<br>
|
||||
<b><font color="#009900">/sbin/shorewall status<br>
|
||||
<br>
|
||||
</font></b>Since that command generates a lot of output, we suggest
|
||||
that you redirect the output to a file and attach the file to your post<br>
|
||||
<br>
|
||||
<b><font color="#009900">/sbin/shorewall status > /tmp/status.txt</font></b><br>
|
||||
<br>
|
||||
</li>
|
||||
<li>As a general matter, please <strong>do not edit the diagnostic
|
||||
information</strong> in an attempt to conceal your IP address, netmask,
|
||||
nameserver addresses, domain name, etc. These aren't secrets, and concealing
|
||||
them often misleads us (and 80% of the time, a hacker could derive them
|
||||
anyway from information contained in the SMTP headers of your post).<strong></strong></li>
|
||||
|
||||
</ul>
|
||||
|
||||
<ul>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Please don't describe your environment and then ask us to send
|
||||
you custom configuration files. We're here to answer your
|
||||
questions but we can't do your job for you.</b></h3>
|
||||
</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Do you see any "Shorewall" messages in /var/log/messages
|
||||
when you exercise the function that is giving you problems?</b></h3>
|
||||
</li>
|
||||
|
||||
<li> Do you see any "Shorewall"
|
||||
messages ("<b><font color="#009900">/sbin/shorewall show log</font></b>")
|
||||
when you exercise the function that is giving you problems? If
|
||||
so, include the message(s) in your post along with a copy of your /etc/shorewall/interfaces
|
||||
file.<br>
|
||||
<br>
|
||||
</li>
|
||||
<li>Please include any of the Shorewall configuration files (especially
|
||||
the /etc/shorewall/hosts file if you have modified that file)
|
||||
that you think are relevant. If you include /etc/shorewall/rules,
|
||||
please include /etc/shorewall/policy as well (rules are meaningless unless
|
||||
one also knows the policies). </li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Have you looked at the packet flow with a tool like tcpdump
|
||||
to try to understand what is going on?</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Have you tried using the diagnostic capabilities of the
|
||||
application that isn't working? For example, if "ssh" isn't able
|
||||
to connect, using the "-v" option gives you a lot of valuable diagnostic
|
||||
information.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>Please include any of the Shorewall configuration files (especially
|
||||
the /etc/shorewall/hosts file if you have modified that file)
|
||||
that you think are relevant.</b></h3>
|
||||
</li>
|
||||
<li>
|
||||
<h3><b>If an error occurs when you try to "shorewall start", include
|
||||
a trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section
|
||||
for instructions).</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The list server limits posts to 120kb so don't post GIFs of
|
||||
your network layout, etc to the Mailing List -- your post
|
||||
will be rejected.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
<blockquote>
|
||||
<h3><b> While the list server here at shorewall.net accepts and distributes
|
||||
HTML posts, a growing number of MTAs serving list subscribers are rejecting
|
||||
this HTML list traffic. At least one MTA has gone so far as to blacklist
|
||||
shorewall.net "for continuous abuse"!!</b></h3>
|
||||
<h3><b> I think that blocking all HTML is a rather draconian way to control
|
||||
spam and that the unltimate loser here is not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. Nevertheless, all of you can
|
||||
help by restricting your list posts to plain text.</b></h3>
|
||||
<h3><b> And as a bonus, subscribers who use email clients like pine and
|
||||
mutt will be able to read your plain text posts whereas they are most likely
|
||||
simply ignoring your HTML posts.</b></h3>
|
||||
<h3><b> A final bonus for the use of HTML is that it cuts down the size
|
||||
of messages by a large percentage -- that is important when the same message
|
||||
must be sent 500 times over the slow DSL line connecting the list server
|
||||
to the internet.</b> </h3>
|
||||
</blockquote>
|
||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||
|
||||
<h3></h3>
|
||||
|
||||
<blockquote>
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li> If an error occurs when
|
||||
you try to "<font color="#009900"><b>shorewall start</b></font>",
|
||||
include a trace (See the <a href="troubleshoot.htm">Troubleshooting</a>
|
||||
section for instructions). </li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3> </h3>
|
||||
|
||||
<ul>
|
||||
<li>
|
||||
<h3><b>The list server limits posts to 120kb so don't post GIFs of
|
||||
your network layout, etc. to the Mailing List -- your
|
||||
post will be rejected.</b></h3>
|
||||
</li>
|
||||
|
||||
</ul>
|
||||
The author gratefully acknowleges that the above list was heavily plagiarized
|
||||
from the excellent LEAF document by <i>Ray</i> <em>Olszewski</em> found
|
||||
at <a href="http://leaf-project.org/pub/doc/docmanager/docid_1891.html">http://leaf-project.org/pub/doc/docmanager/docid_1891.html</a>.<br>
|
||||
|
||||
<h2>Please post in plain text</h2>
|
||||
|
||||
<blockquote> </blockquote>
|
||||
A growing number of MTAs serving list subscribers are rejecting all
|
||||
HTML traffic. At least one MTA has gone so far as to blacklist shorewall.net
|
||||
"for continuous abuse" because it has been my policy to allow HTML in list
|
||||
posts!!<br>
|
||||
<br>
|
||||
I think that blocking all HTML is a Draconian way to control spam
|
||||
and that the ultimate losers here are not the spammers but the list subscribers
|
||||
whose MTAs are bouncing all shorewall.net mail. As one list subscriber
|
||||
wrote to me privately "These e-mail admin's need to get a <i>(expletive
|
||||
deleted)</i> life instead of trying to rid the planet of HTML based e-mail".
|
||||
Nevertheless, to allow subscribers to receive list posts as must as possible,
|
||||
I have now configured the list server at shorewall.net to strip all HTML
|
||||
from outgoing posts.<br>
|
||||
|
||||
<h2>Where to Send your Problem Report or to Ask for Help</h2>
|
||||
|
||||
<blockquote>
|
||||
<h4>If you run Shorewall under Bering -- <span
|
||||
style="font-weight: 400;">please post your question or problem
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
|
||||
list</a>.</span></h4>
|
||||
|
||||
to the <a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing
|
||||
list</a>.</span></h4>
|
||||
<b>If you run Shorewall under MandrakeSoft Multi Network Firewall
|
||||
(MNF) and you have not purchased an MNF license from MandrakeSoft then
|
||||
you can post non MNF-specific Shorewall questions to the </b><a
|
||||
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a>
|
||||
<b>Do not expect to get free MNF support on the list.</b><br>
|
||||
|
||||
<p>Otherwise, please post your question or problem to the <a
|
||||
href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list.</a></p>
|
||||
</blockquote>
|
||||
</blockquote>
|
||||
|
||||
|
||||
|
||||
<p align="center"><big><font color="#ff0000"><b></b></font></big></p>
|
||||
|
||||
|
||||
|
||||
<p>To Subscribe to the mailing list go to <a
|
||||
href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
.</p>
|
||||
href="http://mail.shorewall.net/mailman/listinfo/shorewall-users">http://mail.shorewall.net/mailman/listinfo/shorewall-users</a>
|
||||
.</p>
|
||||
|
||||
|
||||
<p align="left"><font size="2">Last Updated 12/27/2002 - Tom Eastep</font></p>
|
||||
|
||||
|
||||
<p align="left"><font size="2">Last Updated 1/9/2002 - Tom Eastep</font></p>
|
||||
|
||||
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm"> <font
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
size="2">Copyright</font> © <font size="2">2001, 2002, 2003 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,293 +1,324 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Language" content="en-us">
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
<title>Traffic Shaping</title>
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Traffic Shaping/Control</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p align="left">Beginning with version 1.2.0, Shorewall has limited support
|
||||
for traffic shaping/control. In order to use traffic shaping under Shorewall,
|
||||
it is essential that you get a copy of the <a
|
||||
for traffic shaping/control. In order to use traffic shaping under Shorewall,
|
||||
it is essential that you get a copy of the <a
|
||||
href="http://ds9a.nl/lartc">Linux Advanced Routing and Shaping HOWTO</a>,
|
||||
version 0.3.0 or later. You must also install the iproute (iproute2) package
|
||||
to provide the "ip" and "tc" utilities.</p>
|
||||
|
||||
version 0.3.0 or later. You must also install the iproute (iproute2) package
|
||||
to provide the "ip" and "tc" utilities.</p>
|
||||
|
||||
<p align="left">Shorewall traffic shaping support consists of the following:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
|
||||
Shaping also requires that you enable packet mangling.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/tcrules - A file where you can specify firewall
|
||||
marking of packets. The firewall mark value may be used to classify
|
||||
packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/tcstart - A user-supplied file that is sourced
|
||||
by Shorewall during "shorewall start" and which you can use to define
|
||||
your traffic shaping disciplines and classes. I have provided a <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
|
||||
table-driven CBQ shaping but if you read the traffic shaping sections of
|
||||
the HOWTO mentioned above, you can probably code your own faster than
|
||||
you can learn how to use my sample. I personally use <a
|
||||
href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below). HTB
|
||||
support may eventually become an integral part of Shorewall since
|
||||
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
|
||||
<li>A new <b>TC_ENABLED</b> parameter in /etc/shorewall.conf.
|
||||
Traffic Shaping also requires that you enable packet mangling.</li>
|
||||
<li>A new <b>CLEAR_TC </b>parameter in /etc/shorewall.conf (Added in Shorewall
|
||||
1.3.13). When Traffic Shaping is enabled (TC_ENABLED=Yes), the setting of
|
||||
this variable determines whether Shorewall clears the traffic shaping configuration
|
||||
during Shorewall [re]start and Shorewall stop. <br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcrules</b> - A file where you can specify
|
||||
firewall marking of packets. The firewall mark value may be used to
|
||||
classify packets for traffic shaping/control.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcstart </b>- A user-supplied file that
|
||||
is sourced by Shorewall during "shorewall start" and which you can
|
||||
use to define your traffic shaping disciplines and classes. I have
|
||||
provided a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a>
|
||||
that does table-driven CBQ shaping but if you read the traffic shaping
|
||||
sections of the HOWTO mentioned above, you can probably code your
|
||||
own faster than you can learn how to use my sample. I personally use
|
||||
<a href="http://luxik.cdi.cz/%7Edevik/qos/htb/">HTB</a> (see below).
|
||||
HTB support may eventually become an integral part of Shorewall since
|
||||
HTB is a lot simpler and better-documented than CBQ. As of 2.4.20,
|
||||
HTB is a standard part of the kernel but iproute2 must be patched in
|
||||
order to use it.<br>
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility, use the run_tc
|
||||
function supplied by shorewall if you want tc errors to stop the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by simply copying
|
||||
them to /etc/shorewall/tcstart. I use <a
|
||||
<br>
|
||||
In tcstart, when you want to run the 'tc' utility, use the
|
||||
run_tc function supplied by shorewall if you want tc errors to stop
|
||||
the firewall.<br>
|
||||
<br>
|
||||
You can generally use off-the-shelf traffic shaping scripts by simply
|
||||
copying them to /etc/shorewall/tcstart. I use <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (HTB version)
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
|
||||
that way (i.e., I just copied wshaper.htb to /etc/shorewall/tcstart and
|
||||
modified it according to the Wonder Shaper README). <b>WARNING: </b>If you
|
||||
use use Masquerading or SNAT (i.e., you only have one external IP address)
|
||||
then listing internal hosts in the NOPRIOHOSTSRC variable in the wshaper[.htb]
|
||||
script won't work. Traffic shaping occurs after SNAT has already been applied
|
||||
so when traffic shaping happens, all outbound traffic will have as a source
|
||||
address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li>/etc/shorewall/tcclear - A user-supplied file that is sourced
|
||||
by Shorewall when it is clearing traffic shaping. This file is normally
|
||||
not required as Shorewall's method of clearing qdisc and filter definitions
|
||||
is pretty general.</li>
|
||||
|
||||
address the IP addresss of your firewall's external interface.<br>
|
||||
</li>
|
||||
<li><b>/etc/shorewall/tcclear</b> - A user-supplied file that
|
||||
is sourced by Shorewall when it is clearing traffic shaping. This
|
||||
file is normally not required as Shorewall's method of clearing qdisc
|
||||
and filter definitions is pretty general.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
Shorewall allows you to start traffic shaping when Shorewall itself starts
|
||||
or it allows you to bring up traffic shaping when you bring up your interfaces.<br>
|
||||
<br>
|
||||
To start traffic shaping when Shorewall starts:<br>
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=Yes</li>
|
||||
<li>Supply an /etc/shorewall/tcstart script to configure your traffic shaping
|
||||
rules.</li>
|
||||
<li>Optionally supply an /etc/shorewall/tcclear script to stop traffic
|
||||
shaping. That is usually unnecessary.</li>
|
||||
<li>If your tcstart script uses the 'fwmark' classifier, you can mark packets
|
||||
using entries in /etc/shorewall/tcrules.</li>
|
||||
</ol>
|
||||
To start traffic shaping when you bring up your network interfaces, you will
|
||||
have to arrange for your traffic shaping configuration script to be run at
|
||||
that time. How you do that is distribution dependent and will not be covered
|
||||
here. You then should:<br>
|
||||
<ol>
|
||||
<li>Set TC_ENABLED=Yes and CLEAR_TC=No</li>
|
||||
<li>Do not supply /etc/shorewall/tcstart or /etc/shorewall/tcclear scripts.</li>
|
||||
<li value="4">If your tcstart script uses the 'fwmark' classifier, you
|
||||
can mark packets using entries in /etc/shorewall/tcrules.</li>
|
||||
</ol>
|
||||
|
||||
<h3 align="left">Kernel Configuration</h3>
|
||||
|
||||
|
||||
<p align="left">This screen shot show how I've configured QoS in my Kernel:</p>
|
||||
|
||||
|
||||
<p align="center"><img border="0" src="images/QoS.png" width="590"
|
||||
height="764">
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
|
||||
|
||||
|
||||
<p align="left">The fwmark classifier provides a convenient way to classify
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
||||
a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
packets for traffic shaping. The /etc/shorewall/tcrules file provides
|
||||
a means for specifying these marks in a tabular fashion.<br>
|
||||
</p>
|
||||
|
||||
<p align="left">Normally, packet marking occurs in the PREROUTING chain before
|
||||
any address rewriting takes place. This makes it impossible to mark inbound
|
||||
packets based on their destination address when SNAT or Masquerading are
|
||||
any address rewriting takes place. This makes it impossible to mark inbound
|
||||
packets based on their destination address when SNAT or Masquerading are
|
||||
being used. Beginning with Shorewall 1.3.12, you can cause packet marking
|
||||
to occur in the FORWARD chain by using the MARK_IN_FORWARD_CHAIN option in
|
||||
<a href="Documentation.htm#Conf">shorewall.conf</a>.<br>
|
||||
</p>
|
||||
|
||||
</p>
|
||||
|
||||
<p align="left">Columns in the file are as follows:</p>
|
||||
|
||||
|
||||
<ul>
|
||||
<li>MARK - Specifies the mark value is to be assigned in case of
|
||||
a match. This is an integer in the range 1-255.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet originates
|
||||
on the firewall, place "fw" in this column. Otherwise, this is a
|
||||
comma-separated list of interface names, IP addresses, MAC addresses in
|
||||
<li>MARK - Specifies the mark value is to be assigned in case
|
||||
of a match. This is an integer in the range 1-255.<br>
|
||||
<br>
|
||||
Example - 5<br>
|
||||
</li>
|
||||
<li>SOURCE - The source of the packet. If the packet originates
|
||||
on the firewall, place "fw" in this column. Otherwise, this is a
|
||||
comma-separated list of interface names, IP addresses, MAC addresses in
|
||||
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated list of
|
||||
IP addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||
/etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list of Port
|
||||
names (from /etc/services), port numbers or port ranges (e.g., 21:22);
|
||||
if the protocol is "icmp", this column is interpreted as the destination
|
||||
icmp type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
|
||||
omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
|
||||
<br>
|
||||
Examples<br>
|
||||
eth0<br>
|
||||
192.168.2.4,192.168.1.0/24<br>
|
||||
</li>
|
||||
<li>DEST -- Destination of the packet. Comma-separated list of
|
||||
IP addresses and/or subnets.<br>
|
||||
</li>
|
||||
<li>PROTO - Protocol - Must be the name of a protocol from
|
||||
/etc/protocol, a number or "all"<br>
|
||||
</li>
|
||||
<li>PORT(S) - Destination Ports. A comma-separated list of Port
|
||||
names (from /etc/services), port numbers or port ranges (e.g., 21:22);
|
||||
if the protocol is "icmp", this column is interpreted as the
|
||||
destination icmp type(s).<br>
|
||||
</li>
|
||||
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
|
||||
omitted, any source port is acceptable. Specified as a comma-separate
|
||||
list of port names, port numbers or port ranges.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<p align="left">Example 1 - All packets arriving on eth1 should be marked
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with 2.
|
||||
All packets originating on the firewall itself should be marked with 3.</p>
|
||||
|
||||
with 1. All packets arriving on eth2 and eth3 should be marked with 2.
|
||||
All packets originating on the firewall itself should be marked with 3.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>1</td>
|
||||
<td>eth1</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>2</td>
|
||||
<td>eth2</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">2<br>
|
||||
</td>
|
||||
<td valign="top">eth3<br>
|
||||
</td>
|
||||
<td valign="top">0.0.0.0/0<br>
|
||||
</td>
|
||||
<td valign="top">all<br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
<td valign="top"><br>
|
||||
</td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>3</td>
|
||||
<td>fw</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>all</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p align="left">Example 2 - All GRE (protocol 47) packets not originating
|
||||
on the firewall and destined for 155.186.235.151 should be marked with
|
||||
12.</p>
|
||||
|
||||
on the firewall and destined for 155.186.235.151 should be marked with
|
||||
12.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>12</td>
|
||||
<td>0.0.0.0/0</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>47</td>
|
||||
<td> </td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
|
||||
and destined for 155.186.235.151 should be marked with 22.</p>
|
||||
|
||||
<table border="2" cellpadding="2" style="border-collapse: collapse;">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
<tbody>
|
||||
<tr>
|
||||
<td><b>MARK</b></td>
|
||||
<td><b>SOURCE</b></td>
|
||||
<td><b>DEST</b></td>
|
||||
<td><b>PROTO</b></td>
|
||||
<td><b>PORT(S)</b></td>
|
||||
<td><b>CLIENT PORT(S)</b></td>
|
||||
</tr>
|
||||
<tr>
|
||||
<td>22</td>
|
||||
<td>192.168.1.0/24</td>
|
||||
<td>155.186.235.151</td>
|
||||
<td>tcp</td>
|
||||
<td>22</td>
|
||||
<td> </td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<h3>My Setup<br>
|
||||
</h3>
|
||||
|
||||
</h3>
|
||||
|
||||
<p>While I am currently using the HTB version of <a
|
||||
href="http://lartc.org/wondershaper/">The Wonder Shaper</a> (I just copied
|
||||
wshaper.htb to /etc/shorewall/tcstart and modified it as shown in the Wondershaper
|
||||
README), I have also run with the following set of hand-crafted rules in
|
||||
my tcstart file:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
wshaper.htb to <b>/etc/shorewall/tcstart</b> and modified it as shown in
|
||||
the Wondershaper README), I have also run with the following set of hand-crafted
|
||||
rules in my <b>/etc/shorewall/tcstart</b> file:<br>
|
||||
</p>
|
||||
|
||||
<blockquote>
|
||||
<pre>run_tc qdisc add dev eth0 root handle 1: htb default 30<br><br>run_tc class add dev eth0 parent 1: classid 1:1 htb rate 384kbit burst 15k<br><br>echo " Added Top Level Class -- rate 384kbit"</pre>
|
||||
|
||||
|
||||
<pre>run_tc class add dev eth0 parent 1:1 classid 1:10 htb rate 140kbit ceil 384kbit burst 15k prio 1<br>run_tc class add dev eth0 parent 1:1 classid 1:20 htb rate 224kbit ceil 384kbit burst 15k prio 0<br>run_tc class add dev eth0 parent 1:1 classid 1:30 htb rate 20kbit ceil 384kbit burst 15k quantum 1500 prio 1</pre>
|
||||
|
||||
|
||||
<pre>echo " Added Second Level Classes -- rates 140kbit, 224kbit, 20kbit"</pre>
|
||||
|
||||
|
||||
<pre>run_tc qdisc add dev eth0 parent 1:10 pfifo limit 5<br>run_tc qdisc add dev eth0 parent 1:20 pfifo limit 10<br>run_tc qdisc add dev eth0 parent 1:30 pfifo limit 5</pre>
|
||||
|
||||
|
||||
<pre>echo " Enabled PFIFO on Second Level Classes"</pre>
|
||||
|
||||
|
||||
<pre>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 1 fw classid 1:10<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 0 handle 2 fw classid 1:20<br>run_tc filter add dev eth0 protocol ip parent 1:0 prio 1 handle 3 fw classid 1:30</pre>
|
||||
|
||||
|
||||
<pre>echo " Defined fwmark filters"<br></pre>
|
||||
</blockquote>
|
||||
|
||||
</blockquote>
|
||||
|
||||
<p>My tcrules file that went with this tcstart file is shown in Example 1
|
||||
above. You can look at my <a href="myfiles.htm">network configuration</a>
|
||||
to get an idea of why I wanted these particular rules.<br>
|
||||
</p>
|
||||
|
||||
above. You can look at my <a href="myfiles.htm">network configuration</a>
|
||||
to get an idea of why I wanted these particular rules.<br>
|
||||
</p>
|
||||
|
||||
<ol>
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound from
|
||||
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
|
||||
<li>I wanted to allow up to 140kbits/second for traffic outbound from
|
||||
my DMZ (note that the ceiling is set to 384kbit so outbound DMZ traffic
|
||||
can use all available bandwidth if there is no traffic from the local systems
|
||||
or from my laptop or firewall).</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.<br>
|
||||
</li>
|
||||
|
||||
or from my laptop or firewall).</li>
|
||||
<li>My laptop and local systems could use up to 224kbits/second.</li>
|
||||
<li>My firewall could use up to 20kbits/second.<br>
|
||||
</li>
|
||||
|
||||
</ol>
|
||||
|
||||
<p><font size="2">Last Updated 12/31/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font size="2">Last Updated 12/20/2002 - <a href="support.htm">Tom Eastep</a></font></p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
</body>
|
||||
</html>
|
||||
|
@ -1,234 +1,237 @@
|
||||
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
|
||||
<html>
|
||||
<head>
|
||||
|
||||
|
||||
<meta http-equiv="Content-Type"
|
||||
content="text/html; charset=windows-1252">
|
||||
<title>Shorewall Troubleshooting</title>
|
||||
|
||||
|
||||
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
|
||||
|
||||
|
||||
<meta name="ProgId" content="FrontPage.Editor.Document">
|
||||
</head>
|
||||
<body>
|
||||
|
||||
|
||||
<table border="0" cellpadding="0" cellspacing="0"
|
||||
style="border-collapse: collapse;" bordercolor="#111111" width="100%"
|
||||
id="AutoNumber1" bgcolor="#400169" height="90">
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<tbody>
|
||||
<tr>
|
||||
<td width="100%">
|
||||
|
||||
<h1 align="center"><font color="#ffffff">Shorewall Troubleshooting<img
|
||||
src="images/obrasinf.gif" alt="Beating head on table" width="90"
|
||||
height="90" align="middle">
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</font></h1>
|
||||
</td>
|
||||
</tr>
|
||||
|
||||
</tbody>
|
||||
</table>
|
||||
|
||||
|
||||
<h3 align="left">Check the Errata</h3>
|
||||
|
||||
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
|
||||
sure that there isn't an update that you are missing for your version
|
||||
|
||||
<p align="left">Check the <a href="errata.htm">Shorewall Errata</a> to be
|
||||
sure that there isn't an update that you are missing for your version
|
||||
of the firewall.</p>
|
||||
|
||||
|
||||
<h3 align="left">Check the FAQs</h3>
|
||||
|
||||
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
|
||||
|
||||
<p align="left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common
|
||||
problems.</p>
|
||||
|
||||
|
||||
<h3 align="left">If the firewall fails to start</h3>
|
||||
If you receive an error message when starting or restarting the
|
||||
firewall and you can't determine the cause, then do the following:
|
||||
|
||||
<ul>
|
||||
<li>Make a note of the error message that you see.<br>
|
||||
</li>
|
||||
<li>shorewall debug start 2> /tmp/trace</li>
|
||||
<li>Look at the /tmp/trace file and see if that helps you
|
||||
determine what the problem is. Be sure you find the place in the log where
|
||||
the error message you saw is generated -- in 99.9% of the cases, it will
|
||||
not be near the end of the log because after startup errors, Shorewall goes
|
||||
through a "shorewall stop" phase which will also be traced.</li>
|
||||
<li>If you still can't determine what's wrong then see the
|
||||
<a href="support.htm">support page</a>.</li>
|
||||
|
||||
</ul>
|
||||
Here's an example. During startup, a user sees the following:<br>
|
||||
<blockquote>
|
||||
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
|
||||
</blockquote>
|
||||
A search through the trace for "No chain/target/match by that name" turned
|
||||
up the following:
|
||||
<blockquote>
|
||||
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
|
||||
</blockquote>
|
||||
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
|
||||
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
|
||||
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
|
||||
|
||||
<h3>Your network environment</h3>
|
||||
|
||||
<p>Many times when people have problems with Shorewall, the problem is
|
||||
actually an ill-conceived network setup. Here are several popular snafus:
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>Port Forwarding where client and server are in the
|
||||
same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
|
||||
<li>Changing the IP address of a local system to be in the external
|
||||
subnet, thinking that Shorewall will suddenly believe that the system
|
||||
is in the 'net' zone.</li>
|
||||
<li>Multiple interfaces connected to the same HUB or Switch. Given
|
||||
the way that the Linux kernel respond to ARP "who-has" requests, this
|
||||
type of setup does NOT work the way that you expect it to.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3 align="left">If you are having connection problems:</h3>
|
||||
|
||||
<p align="left">If the appropriate policy for the connection that you are
|
||||
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
|
||||
TO MAKE IT WORK. Such additional rules will NEVER make it work, they add
|
||||
clutter to your rule set and they represent a big security hole in the event
|
||||
that you forget to remove them later.</p>
|
||||
|
||||
<p align="left">I also recommend against setting all of your policies to
|
||||
ACCEPT in an effort to make something work. That robs you of one of
|
||||
your best diagnostic tools - the "Shorewall" messages that Netfilter
|
||||
will generate when you try to connect in a way that isn't permitted
|
||||
by your rule set.</p>
|
||||
|
||||
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
|
||||
see Shorewall messages, then your problem is probably NOT a Shorewall problem.
|
||||
If you DO see packet messages, it may be an indication that you are missing
|
||||
one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
|
||||
|
||||
<p align="left">While you are troubleshooting, it is a good idea to clear
|
||||
two variables in /etc/shorewall/shorewall.conf:</p>
|
||||
|
||||
<p align="left">LOGRATE=""<br>
|
||||
LOGBURST=""</p>
|
||||
|
||||
<p align="left">This way, you will see all of the log messages being
|
||||
generated (be sure to restart shorewall after clearing these variables).</p>
|
||||
|
||||
<p align="left">Example:</p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
|
||||
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
|
||||
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
|
||||
LEN=47</font></p>
|
||||
</font>
|
||||
<p align="left">Let's look at the important parts of this message:</p>
|
||||
|
||||
<ul>
|
||||
<li>all2all:REJECT - This packet was REJECTed out of the all2all
|
||||
chain -- the packet was rejected under the "all"->"all" REJECT policy
|
||||
(see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
|
||||
<li>IN=eth2 - the packet entered the firewall via eth2</li>
|
||||
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
|
||||
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
|
||||
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
|
||||
<li>PROTO=UDP - UDP Protocol</li>
|
||||
<li>DPT=53 - DNS</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
|
||||
is in the "loc" zone. I was missing the rule:</p>
|
||||
|
||||
<p align="left">ACCEPT dmz loc udp 53<br>
|
||||
</p>
|
||||
If you receive an error message when starting or restarting
|
||||
the firewall and you can't determine the cause, then do the following:
|
||||
|
||||
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
|
||||
about how to interpret the chain name appearing in a Shorewall log message.<br>
|
||||
</p>
|
||||
|
||||
<h3 align="left">Other Gotchas</h3>
|
||||
|
||||
<ul>
|
||||
<li>Seeing rejected/dropped packets logged out of the INPUT or
|
||||
FORWARD chains? This means that:
|
||||
<li>Make a note of the error message that you see.<br>
|
||||
</li>
|
||||
<li>shorewall debug start 2> /tmp/trace</li>
|
||||
<li>Look at the /tmp/trace file and see if that helps you
|
||||
determine what the problem is. Be sure you find the place in the log
|
||||
where the error message you saw is generated -- in 99.9% of the cases, it
|
||||
will not be near the end of the log because after startup errors, Shorewall
|
||||
goes through a "shorewall stop" phase which will also be traced.</li>
|
||||
<li>If you still can't determine what's wrong then see the
|
||||
<a href="support.htm">support page</a>.</li>
|
||||
|
||||
</ul>
|
||||
Here's an example. During startup, a user sees the following:<br>
|
||||
|
||||
<blockquote>
|
||||
<pre>Adding Common Rules<br>iptables: No chain/target/match by that name<br>Terminated<br></pre>
|
||||
</blockquote>
|
||||
A search through the trace for "No chain/target/match by that name" turned
|
||||
up the following:
|
||||
<blockquote>
|
||||
<pre>+ echo 'Adding Common Rules'<br>+ add_common_rules<br>+ run_iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ echo -A reject -p tcp -j REJECT --reject-with tcp-reset<br>++ sed 's/!/! /g'<br>+ iptables -A reject -p tcp -j REJECT --reject-with tcp-reset<br>iptables: No chain/target/match by that name<br></pre>
|
||||
</blockquote>
|
||||
The command that failed was: "iptables -A reject -p tcp -j REJECT --reject-with
|
||||
tcp-reset". In this case, the user had compiled his own kernel and had forgotten
|
||||
to include REJECT target support (see <a href="kernel.htm">kernel.htm</a>)
|
||||
|
||||
<h3>Your network environment</h3>
|
||||
|
||||
<p>Many times when people have problems with Shorewall, the problem is
|
||||
actually an ill-conceived network setup. Here are several popular snafus:
|
||||
</p>
|
||||
|
||||
<ul>
|
||||
<li>Port Forwarding where client and server are in
|
||||
the same subnet. See <a href="FAQ.htm">FAQ 2.</a></li>
|
||||
<li>Changing the IP address of a local system to be in the external
|
||||
subnet, thinking that Shorewall will suddenly believe that the system
|
||||
is in the 'net' zone.</li>
|
||||
<li>Multiple interfaces connected to the same HUB or Switch.
|
||||
Given the way that the Linux kernel respond to ARP "who-has" requests,
|
||||
this type of setup does NOT work the way that you expect it to.</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<h3 align="left">If you are having connection problems:</h3>
|
||||
|
||||
<p align="left">If the appropriate policy for the connection that you are
|
||||
trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
|
||||
TO MAKE IT WORK. Such additional rules will NEVER make it work, they
|
||||
add clutter to your rule set and they represent a big security hole in
|
||||
the event that you forget to remove them later.</p>
|
||||
|
||||
<p align="left">I also recommend against setting all of your policies to
|
||||
ACCEPT in an effort to make something work. That robs you of one of
|
||||
your best diagnostic tools - the "Shorewall" messages that Netfilter
|
||||
will generate when you try to connect in a way that isn't permitted
|
||||
by your rule set.</p>
|
||||
|
||||
<p align="left">Check your log ("/sbin/shorewall show log"). If you don't
|
||||
see Shorewall messages, then your problem is probably NOT a Shorewall
|
||||
problem. If you DO see packet messages, it may be an indication that you
|
||||
are missing one or more rules -- see <a href="FAQ.htm#faq17">FAQ 17</a>.</p>
|
||||
|
||||
<p align="left">While you are troubleshooting, it is a good idea to clear
|
||||
two variables in /etc/shorewall/shorewall.conf:</p>
|
||||
|
||||
<p align="left">LOGRATE=""<br>
|
||||
LOGBURST=""</p>
|
||||
|
||||
<p align="left">This way, you will see all of the log messages being
|
||||
generated (be sure to restart shorewall after clearing these variables).</p>
|
||||
|
||||
<p align="left">Example:</p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<p align="left"><font face="Courier">Jun 27 15:37:56 gateway kernel:
|
||||
Shorewall:all2all:REJECT:IN=eth2 OUT=eth1 SRC=192.168.2.2 DST=192.168.1.3
|
||||
LEN=67 TOS=0x00 PREC=0x00 TTL=63 ID=5805 DF PROTO=UDP SPT=1803 DPT=53
|
||||
LEN=47</font></p>
|
||||
</font>
|
||||
<p align="left">Let's look at the important parts of this message:</p>
|
||||
|
||||
<ul>
|
||||
<li>all2all:REJECT - This packet was REJECTed out of the all2all
|
||||
chain -- the packet was rejected under the "all"->"all" REJECT
|
||||
policy (see <a href="FAQ.htm#faq17">FAQ 17).</a></li>
|
||||
<li>IN=eth2 - the packet entered the firewall via eth2</li>
|
||||
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
|
||||
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
|
||||
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
|
||||
<li>PROTO=UDP - UDP Protocol</li>
|
||||
<li>DPT=53 - DNS</li>
|
||||
|
||||
</ul>
|
||||
|
||||
<p align="left">In this case, 192.168.2.2 was in the "dmz" zone and 192.168.1.3
|
||||
is in the "loc" zone. I was missing the rule:</p>
|
||||
|
||||
<p align="left">ACCEPT dmz loc udp 53<br>
|
||||
</p>
|
||||
|
||||
<p align="left">See <a href="FAQ.htm#faq17">FAQ 17</a> for additional information
|
||||
about how to interpret the chain name appearing in a Shorewall log message.<br>
|
||||
</p>
|
||||
|
||||
<h3 align="left">'Ping' Problems?</h3>
|
||||
Either can't ping when you think you should be able to or are able to ping
|
||||
when you think that you shouldn't be allowed? Shorewall's 'Ping' Management<a
|
||||
href="ping.html"> is described here</a>.<br>
|
||||
<h3 align="left">Other Gotchas</h3>
|
||||
|
||||
<ul>
|
||||
<li>Seeing rejected/dropped packets logged out of the INPUT or
|
||||
FORWARD chains? This means that:
|
||||
|
||||
<ol>
|
||||
<li>your zone definitions are screwed up and the host that is
|
||||
sending the packets or the destination host isn't in any zone (using
|
||||
an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file
|
||||
are you?); or</li>
|
||||
<li>the source and destination hosts are both connected to the
|
||||
same interface and that interface doesn't have the 'multi' option
|
||||
specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
|
||||
<li>your zone definitions are screwed up and the host that
|
||||
is sending the packets or the destination host isn't in any zone
|
||||
(using an <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a>
|
||||
file are you?); or</li>
|
||||
<li>the source and destination hosts are both connected to
|
||||
the same interface and that interface doesn't have the 'multi'
|
||||
option specified in <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>.</li>
|
||||
|
||||
</ol>
|
||||
</li>
|
||||
<li>Remember that Shorewall doesn't automatically allow ICMP
|
||||
type 8 ("ping") requests to be sent between zones. If you want pings
|
||||
to be allowed between zones, you need a rule of the form:<br>
|
||||
<br>
|
||||
ACCEPT <source zone> <destination zone>
|
||||
icmp echo-request<br>
|
||||
<br>
|
||||
The ramifications of this can be subtle. For example, if you
|
||||
</li>
|
||||
<li>Remember that Shorewall doesn't automatically allow ICMP
|
||||
type 8 ("ping") requests to be sent between zones. If you want pings
|
||||
to be allowed between zones, you need a rule of the form:<br>
|
||||
<br>
|
||||
ACCEPT <source zone> <destination zone>
|
||||
icmp echo-request<br>
|
||||
<br>
|
||||
The ramifications of this can be subtle. For example, if you
|
||||
have the following in /etc/shorewall/nat:<br>
|
||||
<br>
|
||||
10.1.1.2 eth0 130.252.100.18<br>
|
||||
<br>
|
||||
and you ping 130.252.100.18, unless you have allowed icmp type
|
||||
8 between the zone containing the system you are pinging from and
|
||||
the zone containing 10.1.1.2, the ping requests will be dropped. This
|
||||
is true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
|
||||
<li>If you specify "routefilter" for an interface, that interface
|
||||
<br>
|
||||
10.1.1.2 eth0 130.252.100.18<br>
|
||||
<br>
|
||||
and you ping 130.252.100.18, unless you have allowed icmp type
|
||||
8 between the zone containing the system you are pinging from and the
|
||||
zone containing 10.1.1.2, the ping requests will be dropped. This is
|
||||
true even if you have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
|
||||
<li>If you specify "routefilter" for an interface, that interface
|
||||
must be up prior to starting the firewall.</li>
|
||||
<li>Is your routing correct? For example, internal systems usually
|
||||
need to be configured with their default gateway set to the IP address
|
||||
of their nearest firewall interface. One often overlooked aspect of
|
||||
routing is that in order for two hosts to communicate, the routing between
|
||||
them must be set up <u>in both directions.</u> So when setting up routing
|
||||
between <b>A</b> and<b> B</b>, be sure to verify that the route from
|
||||
<b>B</b> back to <b>A</b> is defined.</li>
|
||||
<li>Some versions of LRP (EigerStein2Beta for example) have a
|
||||
<li>Is your routing correct? For example, internal systems usually
|
||||
need to be configured with their default gateway set to the IP address
|
||||
of their nearest firewall interface. One often overlooked aspect
|
||||
of routing is that in order for two hosts to communicate, the routing
|
||||
between them must be set up <u>in both directions.</u> So when setting
|
||||
up routing between <b>A</b> and<b> B</b>, be sure to verify that the
|
||||
route from <b>B</b> back to <b>A</b> is defined.</li>
|
||||
<li>Some versions of LRP (EigerStein2Beta for example) have a
|
||||
shell with broken variable expansion. <a
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
|
||||
href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz"> You can get a corrected
|
||||
shell from the Shorewall Errata download site.</a> </li>
|
||||
<li>Do you have your kernel properly configured? <a
|
||||
<li>Do you have your kernel properly configured? <a
|
||||
href="kernel.htm">Click here to see my kernel configuration.</a> </li>
|
||||
<li>Some features require the "ip" program. That program is
|
||||
generally included in the "iproute" package which should be included
|
||||
with your distribution (though many distributions don't install iproute
|
||||
<li>Some features require the "ip" program. That program
|
||||
is generally included in the "iproute" package which should be included
|
||||
with your distribution (though many distributions don't install iproute
|
||||
by default). You may also download the latest source tarball from <a
|
||||
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
|
||||
.</li>
|
||||
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
|
||||
then the zone must be entirely defined in /etc/shorewall/hosts unless
|
||||
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
|
||||
For example, if a zone has two interfaces but only one interface has
|
||||
an entry in /etc/shorewall/hosts then hosts attached to the other interface
|
||||
href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank"> ftp://ftp.inr.ac.ru/ip-routing</a>
|
||||
.</li>
|
||||
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts
|
||||
then the zone must be entirely defined in /etc/shorewall/hosts unless
|
||||
you have specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later).
|
||||
For example, if a zone has two interfaces but only one interface has an
|
||||
entry in /etc/shorewall/hosts then hosts attached to the other interface
|
||||
will <u>not</u> be considered part of the zone.</li>
|
||||
<li>Problems with NAT? Be sure that you let Shorewall add all
|
||||
<li>Problems with NAT? Be sure that you let Shorewall add all
|
||||
external addresses to be use with NAT unless you have set <a
|
||||
href="Documentation.htm#Aliases"> ADD_IP_ALIASES</a> =No in /etc/shorewall/shorewall.conf.</li>
|
||||
|
||||
|
||||
</ul>
|
||||
|
||||
|
||||
<h3>Still Having Problems?</h3>
|
||||
|
||||
<p>See the<a href="support.htm"> support page.</a></p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
|
||||
<p>See the<a href="support.htm"> support page.<br>
|
||||
</a></p>
|
||||
<font face="Century Gothic, Arial, Helvetica">
|
||||
|
||||
<blockquote> </blockquote>
|
||||
</font>
|
||||
<p><font size="2">Last updated 12/4/2002 - Tom Eastep</font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
</font>
|
||||
<p><font size="2">Last updated 1/7/2003 - Tom Eastep</font> </p>
|
||||
|
||||
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
|
||||
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><br>
|
||||
</p>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
<br>
|
||||
</p>
|
||||
</body>
|
||||
</html>
|
||||
|
File diff suppressed because it is too large
Load Diff
@ -28,7 +28,7 @@
|
||||
# shown below. Simply run this script to revert to your prior version of
|
||||
# Shoreline Firewall.
|
||||
|
||||
VERSION=1.3.12
|
||||
VERSION=1.3.13
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
124
STABLE/firewall
124
STABLE/firewall
@ -70,7 +70,7 @@ list_count() {
|
||||
|
||||
#
|
||||
# Mutual exclusion -- These functions are jackets for the mutual exclusion
|
||||
# routines in /usr/lib/shorewall/functions. They invoke
|
||||
# routines in $FUNCTIONS. They invoke
|
||||
# the corresponding function in that file if the user did
|
||||
# not specify "nolock" on the runline.
|
||||
#
|
||||
@ -833,6 +833,11 @@ validate_rule() {
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
;;
|
||||
DNAT-)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
logtarget=DNAT
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
@ -983,6 +988,17 @@ validate_policy()
|
||||
local zone1
|
||||
local pc
|
||||
local chain
|
||||
local policy
|
||||
local loglevel
|
||||
local synparams
|
||||
|
||||
print_policy() # $1 = source zone, $2 = destination zone
|
||||
{
|
||||
[ $command != check ] || \
|
||||
[ $1 = all ] || \
|
||||
[ $2 = all ] || \
|
||||
echo " Policy for $1 to $2 is $policy"
|
||||
}
|
||||
|
||||
all_policy_chains=
|
||||
|
||||
@ -1048,27 +1064,34 @@ validate_policy()
|
||||
for zone1 in $zones $FW all; do
|
||||
eval pc=\$${zone}2${zone1}_policychain
|
||||
|
||||
[ -n "$pc" ] || \
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${zone1}_policychain=$chain
|
||||
print_policy $zone $zone1
|
||||
fi
|
||||
done
|
||||
done
|
||||
else
|
||||
for zone in $zones $FW all; do
|
||||
eval pc=\$${zone}2${server}_policychain
|
||||
|
||||
[ -n "$pc" ] || \
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${zone}2${server}_policychain=$chain
|
||||
print_policy $zone $server
|
||||
fi
|
||||
done
|
||||
fi
|
||||
elif [ -n "$serverwild" ]; then
|
||||
for zone in $zones $FW all; do
|
||||
eval pc=\$${client}2${zone}_policychain
|
||||
|
||||
[ -n "$pc" ] || \
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
if [ -z "$pc" ]; then
|
||||
eval ${client}2${zone}_policychain=$chain
|
||||
print_policy $client $zone
|
||||
fi
|
||||
done
|
||||
else
|
||||
eval ${chain}_policychain=${chain}
|
||||
print_policy $client $server
|
||||
fi
|
||||
|
||||
done < $TMP_DIR/policy
|
||||
@ -1234,7 +1257,7 @@ stop_firewall() {
|
||||
|
||||
[ -n "$NAT_ENABLED" ] && delete_nat
|
||||
delete_proxy_arp
|
||||
[ -n "$TC_ENABLED" ] && delete_tc
|
||||
[ -n "$CLEAR_TC" ] && delete_tc
|
||||
|
||||
setpolicy INPUT DROP
|
||||
setpolicy OUTPUT DROP
|
||||
@ -1344,12 +1367,18 @@ setup_tunnels() # $1 = name of tunnels file
|
||||
run_iptables -A $inchain -p udp -s $1 --sport 500 --dport 500 $options
|
||||
else
|
||||
run_iptables -A $inchain -p udp -s $1 --dport 500 $options
|
||||
run_iptables -A $inchain -p udp -s $1 --dport 4500 $options
|
||||
fi
|
||||
|
||||
for z in `separate_list $3`; do
|
||||
if validate_zone $z; then
|
||||
addrule ${FW}2${z} -p udp --sport 500 --dport 500 $options
|
||||
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
|
||||
if [ $2 = ipsec ]; then
|
||||
addrule ${z}2${FW} -p udp --sport 500 --dport 500 $options
|
||||
else
|
||||
addrule ${z}2${FW} -p udp --dport 500 $options
|
||||
addrule ${z}2${FW} -p udp --dport 4500 $options
|
||||
fi
|
||||
else
|
||||
error_message "Warning: Invalid gateway zone ($z)" \
|
||||
" -- Tunnel \"$tunnel\" may encounter keying problems"
|
||||
@ -1820,6 +1849,7 @@ setup_tc() {
|
||||
#
|
||||
delete_tc()
|
||||
{
|
||||
|
||||
clear_one_tc() {
|
||||
tc qdisc del dev $1 root 2> /dev/null
|
||||
tc qdisc del dev $1 ingress 2> /dev/null
|
||||
@ -1830,11 +1860,11 @@ delete_tc()
|
||||
run_ip link list | \
|
||||
while read inx interface details; do
|
||||
case $inx in
|
||||
[0-9]*)
|
||||
clear_one_tc ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
[0-9]*)
|
||||
clear_one_tc ${interface%:}
|
||||
;;
|
||||
*)
|
||||
;;
|
||||
esac
|
||||
done
|
||||
}
|
||||
@ -1846,7 +1876,7 @@ refresh_tc() {
|
||||
|
||||
echo "Refreshing Traffic Control Rules..."
|
||||
|
||||
delete_tc
|
||||
[ -n "$CLEAR_TC" ] && delete_tc
|
||||
|
||||
[ -n "$MARK_IN_FORWARD_CHAIN" ] && chain=tcfor || chain=tcpre
|
||||
|
||||
@ -2152,7 +2182,7 @@ add_a_rule()
|
||||
add_nat_rule
|
||||
fi
|
||||
|
||||
if [ $chain != ${FW}2${FW} ]; then
|
||||
if [ -z "$dnat_only" -a $chain != ${FW}2${FW} ]; then
|
||||
serv="${serv:+-d $serv}"
|
||||
|
||||
if [ -n "$loglevel" ]; then
|
||||
@ -2229,14 +2259,23 @@ process_rule() # $1 = target
|
||||
fi
|
||||
|
||||
logtarget="$target"
|
||||
dnat_only=
|
||||
|
||||
# Convert 1.3 Rule formats to 1.2 format
|
||||
|
||||
[ "x$address" = "x-" ] && address=
|
||||
|
||||
case $target in
|
||||
DNAT)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
;;
|
||||
DNAT-)
|
||||
target=ACCEPT
|
||||
address=${address:=detect}
|
||||
dnat_only=Yes
|
||||
logtarget=DNAT
|
||||
;;
|
||||
REDIRECT)
|
||||
target=ACCEPT
|
||||
address=${address:=all}
|
||||
@ -2379,7 +2418,7 @@ process_rules() # $1 = name of rules file
|
||||
while read xtarget xclients xservers xprotocol xports xcports xaddress; do
|
||||
case "$xtarget" in
|
||||
|
||||
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT:*|REDIRECT|REDIRECT:*)
|
||||
ACCEPT|ACCEPT:*|DROP|DROP:*|REJECT|REJECT:*|DNAT|DNAT-|DNAT:*|DNAT-:*|REDIRECT|REDIRECT:*)
|
||||
expandv xclients xservers xprotocol xports xcports xaddress
|
||||
|
||||
if [ "x$xclients" = xall ]; then
|
||||
@ -3233,7 +3272,7 @@ initialize_netfilter () {
|
||||
run_iptables -t mangle -F && \
|
||||
run_iptables -t mangle -X
|
||||
|
||||
[ -n "$TC_ENABLED" ] && delete_tc
|
||||
[ -n "$CLEAR_TC" ] && delete_tc
|
||||
|
||||
run_user_exit init
|
||||
|
||||
@ -3267,7 +3306,7 @@ initialize_netfilter () {
|
||||
run_user_exit newnotsyn
|
||||
if [ -n "$LOGNEWNOTSYN" ]; then
|
||||
if [ "$LOGNEWNOTSYN" = ULOG ]; then
|
||||
run_iptables -A newnotsyn -j ULOG \
|
||||
run_iptables -A newnotsyn -j ULOG
|
||||
--ulog-prefix "Shorewall:newnotsyn:DROP:"
|
||||
else
|
||||
run_iptables -A newnotsyn -j LOG \
|
||||
@ -4432,6 +4471,10 @@ do_initialize() {
|
||||
TCP_FLAGS_LOG_LEVEL=
|
||||
RFC1918_LOG_LEVEL=
|
||||
MARK_IN_FORWARD_CHAIN=
|
||||
SHARED_DIR=/usr/lib/shorewall
|
||||
FUNCTIONS=
|
||||
VERSION_FILE=
|
||||
|
||||
stopping=
|
||||
have_mutex=
|
||||
masq_seq=1
|
||||
@ -4445,31 +4488,35 @@ do_initialize() {
|
||||
|
||||
trap "rm -rf $TMP_DIR; my_mutex_off; exit 2" 1 2 3 4 5 6 9
|
||||
|
||||
functions=/usr/lib/shorewall/functions
|
||||
|
||||
if [ -f $functions ]; then
|
||||
. $functions
|
||||
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
|
||||
config=$SHOREWALL_DIR/shorewall.conf
|
||||
else
|
||||
startup_error "$functions does not exist!"
|
||||
config=/etc/shorewall/shorewall.conf
|
||||
fi
|
||||
|
||||
if [ -f $config ]; then
|
||||
. $config
|
||||
else
|
||||
echo "$config does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
version_file=/usr/lib/shorewall/version
|
||||
FUNCTIONS=$SHARED_DIR/functions
|
||||
|
||||
[ -f $version_file ] && version=`cat $version_file`
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
strip_file interfaces
|
||||
strip_file hosts
|
||||
if [ -f $FUNCTIONS ]; then
|
||||
. $FUNCTIONS
|
||||
else
|
||||
startup_error "$FUNCTIONS does not exist!"
|
||||
fi
|
||||
|
||||
run_user_exit shorewall.conf
|
||||
run_user_exit params
|
||||
VERSION_FILE=$SHARED_DIR/version
|
||||
|
||||
[ -f $VERSION_FILE ] && version=`cat $VERSION_FILE`
|
||||
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
[ -d $STATEDIR ] || mkdir -p $STATEDIR
|
||||
|
||||
|
||||
[ -z "$FW" ] && FW=fw
|
||||
|
||||
ALLOWRELATED="`added_param_value_yes ALLOWRELATED $ALLOWRELATED`"
|
||||
@ -4544,7 +4591,20 @@ do_initialize() {
|
||||
[ -z "$RFC1918_LOG_LEVEL" ] && RFC1918_LOG_LEVEL=info
|
||||
MARK_IN_FORWARD_CHAIN=`added_param_value_no MARK_IN_FORWARD_CHAIN $MARK_IN_FORWARD_CHAIN`
|
||||
[ -n "$MARK_IN_FORWARD_CHAIN" ] && marking_chain=tcfor || marking_chain=tcpre
|
||||
if [ -n "$TC_ENABLED" ]; then
|
||||
CLEAR_TC=`added_param_value_yes CLEAR_TC $CLEAR_TC`
|
||||
else
|
||||
CLEAR_TC=
|
||||
fi
|
||||
|
||||
|
||||
run_user_exit params
|
||||
|
||||
#
|
||||
# Strip the files that we use often
|
||||
#
|
||||
strip_file interfaces
|
||||
strip_file hosts
|
||||
}
|
||||
|
||||
#
|
||||
|
@ -54,7 +54,7 @@
|
||||
# /etc/rc.d/rc.local file is modified to start the firewall.
|
||||
#
|
||||
|
||||
VERSION=1.3.12
|
||||
VERSION=1.3.13
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
@ -2,39 +2,48 @@ This is a minor release of Shorewall that has a couple of new features.
|
||||
|
||||
New features include:
|
||||
|
||||
1) "shorewall refresh" now reloads the traffic shaping rules (tcrules
|
||||
and tcstart).
|
||||
1) A new 'DNAT-' action has been added for entries in the
|
||||
/etc/shorewall/rules file. DNAT- is intended for advanced users who
|
||||
wish to minimize the number of rules that connection requests must
|
||||
traverse.
|
||||
|
||||
A Shorewall DNAT rule actually generates two iptables rules: a
|
||||
header rewriting rule in the 'nat' table and an ACCEPT rule in the
|
||||
'filter' table. A DNAT- rule only generates the first of these
|
||||
rules. This is handy when you have several DNAT rules that would
|
||||
generate the same ACCEPT rule.
|
||||
|
||||
2) "shorewall debug [re]start" now turns off debugging after an error
|
||||
occurs. This places the point of the failure near the end of the
|
||||
trace rather than up in the middle of it.
|
||||
Here are three rules from my previous rules file:
|
||||
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
||||
DNAT net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
||||
|
||||
3) "shorewall [re]start" has been speeded up by more than 40% with
|
||||
my configuration. Your milage may vary.
|
||||
These three rules ended up generating _three_ copies of
|
||||
|
||||
4) A "shorewall show classifiers" command has been added which shows
|
||||
the current packet classification filters. The output from this
|
||||
command is also added as a separate page in "shorewall monitor"
|
||||
ACCEPT net dmz:206.124.146.177 tcp smtp
|
||||
|
||||
5) ULOG (must be all caps) is now accepted as a valid syslog level and
|
||||
causes the subject packets to be logged using the ULOG target rather
|
||||
than the LOG target. This allows you to run ulogd (available from
|
||||
www.gnumonks.org/projects/ulogd) and log all Shorewall messages to
|
||||
a separate log file.
|
||||
By writing the rules this way, I end up with only one copy of the
|
||||
ACCEPT rule.
|
||||
|
||||
6) If you are running a kernel that has a FORWARD chain in the mangle
|
||||
table ("shorewall show mangle" will show you the chains in the
|
||||
mangle table), you can set MARK_IN_FORWARD=Yes in
|
||||
shorewall.conf. This allows for marking inbound packets based on
|
||||
their destination even when you are using Masquerading or SNAT.
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.178
|
||||
DNAT- net dmz:206.124.146.177 tcp smtp - 206.124.146.179
|
||||
ACCEPT net dmz:206.124.146.177 tcp www,smtp,ftp,...
|
||||
|
||||
7) I have cluttered up the /etc/shorewall directory with empty 'init',
|
||||
'start', 'stop' and 'stopped' files. If you already have a file with
|
||||
one of these names, don't worry -- the upgrade process won't
|
||||
overwrite your file.
|
||||
2) The 'shorewall check' command now prints out the applicable policy
|
||||
between each pair of zones.
|
||||
|
||||
8) I have added a new RFC1918_LOG_LEVEL variable to
|
||||
shorewall.conf. This variable specifies the syslog level at which
|
||||
packets are logged as a result of entries in the
|
||||
/etc/shorewall/rfc1918 file. Previously, these packets were always
|
||||
logged at the 'info' level.
|
||||
3. A new CLEAR_TC option has been added to shorewall.conf. If this
|
||||
option is set to 'No' then Shorewall won't clear the current
|
||||
traffic control rules during [re]start. This setting is intended
|
||||
for use by people that prefer to configure traffic shaping when
|
||||
the network interfaces come up rather than when the firewall
|
||||
is started. If that is what you want to do, set TC_ENABLED=Yes and
|
||||
CLEAR_TC=No and do not supply an /etc/shorewall/tcstart file. That
|
||||
way, your traffic shaping rules can still use the 'fwmark'
|
||||
classifier based on packet marking defined in /etc/shorewall/tcrules.
|
||||
|
||||
4. A new SHARED_DIR variable has been added that allows distribution
|
||||
packagers to easily move the shared directory (default
|
||||
/usr/lib/shorewall). Users should never have a need to change the
|
||||
value of this shorewall.conf setting.
|
||||
|
@ -24,6 +24,10 @@
|
||||
# DNAT -- Forward the request to another
|
||||
# system (and optionally another
|
||||
# port).
|
||||
# DNAT- -- Advanced users only.
|
||||
# Like DNAT but only generates the
|
||||
# DNAT iptables rule and not
|
||||
# the companion ACCEPT rule.
|
||||
# REDIRECT -- Redirect the request to a local
|
||||
# port on the firewall.
|
||||
#
|
||||
|
@ -569,51 +569,65 @@ fi
|
||||
|
||||
[ -n "$SHOREWALL_DIR" ] && export SHOREWALL_DIR
|
||||
|
||||
functions=/usr/lib/shorewall/functions
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
SHARED_DIR=/usr/lib/shorewall
|
||||
MUTEX_TIMEOUT=
|
||||
|
||||
if [ -f $functions ]; then
|
||||
. $functions
|
||||
if [ -n "$SHOREWALL_DIR" -a -f $SHOREWALL_DIR/shorewall.conf ]; then
|
||||
config=$SHOREWALL_DIR/shorewall.conf
|
||||
else
|
||||
echo "$functions does not exist!" >&2
|
||||
config=/etc/shorewall/shorewall.conf
|
||||
fi
|
||||
|
||||
if [ -f $config ]; then
|
||||
. $config
|
||||
else
|
||||
echo "$config does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
firewall=/usr/lib/shorewall/firewall
|
||||
[ -z "${STATEDIR}" ] && STATEDIR=/var/state/shorewall
|
||||
|
||||
if [ ! -f $firewall ]; then
|
||||
FIREWALL=$SHARED_DIR/firewall
|
||||
FUNCTIONS=$SHARED_DIR/functions
|
||||
VERSION_FILE=$SHARED_DIR/version
|
||||
|
||||
if [ -f $FUNCTIONS ]; then
|
||||
. $FUNCTIONS
|
||||
else
|
||||
echo "$FUNCTIONS does not exist!" >&2
|
||||
exit 2
|
||||
fi
|
||||
|
||||
if [ ! -f $FIREWALL ]; then
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
if [ -L $firewall ]; then
|
||||
echo " $firewall is a symbolic link to a"
|
||||
if [ -L $FIREWALL ]; then
|
||||
echo " $FIREWALL is a symbolic link to a"
|
||||
echo " non-existant file"
|
||||
else
|
||||
echo " The file /usr/lib/shorewall/firewall does not exist"
|
||||
echo " The file $FIREWALL does not exist"
|
||||
fi
|
||||
|
||||
exit 2
|
||||
fi
|
||||
|
||||
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
|
||||
|
||||
version_file=/usr/lib/shorewall/version
|
||||
|
||||
if [ -f $version_file ]; then
|
||||
version=`cat $version_file`
|
||||
if [ -f $VERSION_FILE ]; then
|
||||
version=`cat $VERSION_FILE`
|
||||
else
|
||||
echo "ERROR: Shorewall is not properly installed"
|
||||
echo " The file /usr/lib/shorewall/version does not exist"
|
||||
echo " The file $VERSION_FILE does not exist"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
banner="Shorewall-$version Status at $HOSTNAME -"
|
||||
|
||||
get_statedir
|
||||
|
||||
case `echo -e` in
|
||||
-e*)
|
||||
RING_BELL="echo \'\a\'"
|
||||
RING_BELL="echo \a"
|
||||
;;
|
||||
*)
|
||||
RING_BELL="echo -e \'\a\'"
|
||||
RING_BELL="echo -e \a"
|
||||
;;
|
||||
esac
|
||||
|
||||
@ -629,11 +643,11 @@ esac
|
||||
case "$1" in
|
||||
start|stop|restart|reset|clear|refresh|check)
|
||||
[ $# -ne 1 ] && usage 1
|
||||
exec $firewall $debugging $nolock $1
|
||||
exec $FIREWALL $debugging $nolock $1
|
||||
;;
|
||||
add|delete)
|
||||
[ $# -ne 3 ] && usage 1
|
||||
exec $firewall $debugging $nolock $1 $2 $3
|
||||
exec $FIREWALL $debugging $nolock $1 $2 $3
|
||||
;;
|
||||
show)
|
||||
[ $# -gt 2 ] && usage 1
|
||||
|
@ -9,6 +9,13 @@
|
||||
# (c) 1999,2000,2001,2002 - Tom Eastep (teastep@shorewall.net)
|
||||
##############################################################################
|
||||
#
|
||||
# You should not have to change the variables in this section -- they are set
|
||||
# by the packager of your Shorewall distribution
|
||||
#
|
||||
SHARED_DIR=/usr/lib/shorewall
|
||||
#
|
||||
##############################################################################
|
||||
#
|
||||
# General note about log levels. Log levels are a method of describing
|
||||
# to syslog (8) the importance of a message and a number of parameters
|
||||
# in this file have log levels as their value.
|
||||
|
@ -1,5 +1,5 @@
|
||||
%define name shorewall
|
||||
%define version 1.3.12
|
||||
%define version 1.3.13
|
||||
%define release 1
|
||||
%define prefix /usr
|
||||
|
||||
@ -105,6 +105,8 @@ fi
|
||||
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
|
||||
|
||||
%changelog
|
||||
* Mon Jan 13 2003 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.13
|
||||
* Fri Dec 27 2002 Tom Eastep <tom@shorewall.net>
|
||||
- Changes version to 1.3.12
|
||||
* Sun Dec 22 2002 Tom Eastep <tom@shorewall.net>
|
||||
|
@ -26,7 +26,7 @@
|
||||
# You may only use this script to uninstall the version
|
||||
# shown below. Simply run this script to remove Seattle Firewall
|
||||
|
||||
VERSION=1.3.12
|
||||
VERSION=1.3.13
|
||||
|
||||
usage() # $1 = exit status
|
||||
{
|
||||
|
Loading…
Reference in New Issue
Block a user