Changes for 1.3.7

git-svn-id: https://shorewall.svn.sourceforge.net/svnroot/shorewall/trunk@208 fbd18981-670d-0410-9b5c-8dc0c1a9a2bb
teastep 2002-08-22 21:33:54 +00:00
parent 72f67478b2
commit f158c11a41
97 changed files with 6516 additions and 5133 deletions


@ -1565,7 +1565,13 @@ add_nat_rule() {
# Replace destination port by the new destination port
[ -n "$servport" ] && dports="--dport ${servport#*:}"
if [ -n "$servport" ]; then
if [ -z "$multiport" ]; then
dports="--dport ${servport#*:}"
else
dports="--dports ${servport#*:}"
fi
fi
# Handle SNAT
@ -1650,18 +1656,21 @@ add_a_rule()
case $proto in
tcp|udp|TCP|UDP|6|17)
if [ -n "$port" -a "x${port}" != "x-" ]; then
[ -n "$multioption" ] && \
[ "$port" != "${port%,*}" ] && \
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dport $port"
dports="--dports"
fi
dports="$dports $ports"
fi
if [ -n "$cport" -a "x${cport}" != "x-" ]; then
[ -n "$multioption" ] && \
[ -z "$multiport" ] && \
[ "$cport" != "${cport%,*}" ] && \
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sport $cport"
sports="--sports"
fi
sports="$sports $cport"
fi
;;
icmp|ICMP|1)
@ -2428,7 +2437,7 @@ setup_masq()
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
list_search $address $aliases_to_add || \
aliases_to_add="$aliases_to_add $external $address"
aliases_to_add="$aliases_to_add $address $interface"
fi
destination=$destnet
@ -2778,7 +2787,8 @@ add_common_rules() {
logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A badpkt -p !tcp -j LOG $logoptions
run_iptables -A badpkt -p tcp -j DROP # Workaround for iptables 1.2.7
run_iptables -A badpkt -j LOG $logoptions
fi
run_iptables -A badpkt -j DROP
@ -2803,7 +2813,8 @@ add_common_rules() {
logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A logpkt -p !tcp -j LOG $logoptions
run_iptables -A logpkt -p tcp -j RETURN # Workaround for iptables 1.2.7
run_iptables -A logpkt -j LOG $logoptions
echo "Mangled/Invalid Packet Logging enabled on:"
@ -2814,16 +2825,15 @@ add_common_rules() {
echo " $interface"
done
fi
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
icmpdef=`find_file icmpdef`
if [ -f $icmpdef ]; then
. $icmpdef
else
. `find_file icmp.def`
fi
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
@ -2838,7 +2848,6 @@ add_common_rules() {
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
###########################################################################
# RFC 1918
#
@ -3400,6 +3409,7 @@ do_initialize() {
MERGE_HOSTS=
MUTEX_TIMEOUT=
LOGNEWNOTSYN=
FORWARDPING=
stopping=
have_mutex=
masq_seq=1
@ -3476,6 +3486,7 @@ do_initialize() {
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
}
################################################################################
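Review bot: In the rewritten tcp/udp arm of add_a_rule, `dports="$dports $ports"` appends `$ports`, while the condition two lines above, the removed line it replaces and the parallel source-port branch (`sports="$sports $cport"`) all use the singular `$port`/`$cport`. Unless `ports` is assigned earlier in add_a_rule or inherited from the caller (neither is visible in this hunk), the expansion is empty and the rule is emitted with a bare `--dport`/`--dports` and no port list, which iptables will reject at start-up. The line should presumably read `dports="$dports $port"`. add_a_rule's body begins and ends outside the hunk, so the earlier assignments cannot be checked here.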


@ -8,7 +8,7 @@
#
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/common to replace it. It is suggested that you include
# the command "source /etc/shorewall/common.def" in your
# the command ". /etc/shorewall/common.def" in your
# /etc/shorewall/common file so that you will continue to get the
# advantage of new releases of this file.
#
@ -18,13 +18,6 @@ run_iptables -A common -p icmp -j icmpdef
#
run_iptables -A common -m state -p tcp --state INVALID -j DROP
############################################################################
# accept ACKs and RSTs that aren't related to any session so that the
# protocol stack can handle them and so the ACKs can create connection
# tracking entries.
#
run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT
run_iptables -A common -p tcp --tcp-flags RST RST -j ACCEPT
############################################################################
# NETBIOS chatter
#
run_iptables -A common -p udp --dport 137:139 -j REJECT
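Review bot: The second hunk deletes the two unconditional `run_iptables -A common -p tcp --tcp-flags ACK ACK -j ACCEPT` / `--tcp-flags RST RST -j ACCEPT` rules together with the comment that justified them, so this file change alters filtering behaviour rather than only comments, and nothing left in the file records why. Those rules accepted stray ACK/RST segments for every zone ahead of the zone policy; after the change such packets presumably fall through to the remaining `common` rules and the policy, which tightens the default but will change what users see in their logs. A one-line comment at the deletion point, `# Unsolicited ACK/RST segments are no longer accepted here; they are handled by the zone policies like any other packet.`, would spare the next maintainer a trip through history, and the changelog entry for this file currently mentions only comment updates.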


@ -1,22 +1,6 @@
##############################################################################
# Shorewall 1.3 /etc/shorewall/icmp.def
#
# This file defines the default rules for accepting ICMP packets.
# This file is obsolete and is included for compatibility with existing
# icmpdef extension scripts that source it.
#
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/icmpdef to replace it. It is suggested that you include
# the command "source /etc/shorewall/icmp.def" in your
# /etc/shorewall/icmpdef file so that you will continue to get the
# advantage of new releases of this file.
#
# For example, if you want to accept 'ping' everywhere then create
# /etc/shorewall/icmpdef with the following two lines:
#
# source /etc/shorewall/icmp.def
# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
#
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
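Review bot: The five default `run_iptables -A icmpdef -p ICMP --icmp-type ... -j ACCEPT` rules (echo-reply, source-quench, destination-unreachable, time-exceeded, parameter-problem) are removed and the file is declared obsolete, but the new header does not say where those ICMP types are accepted now. destination-unreachable and time-exceeded in particular are required for path-MTU discovery and traceroute to work through the firewall; if they are not covered elsewhere (for example by state matching, which is not visible on this page) the change drops them silently under the default policy. A sentence in the new header naming the replacement mechanism, such as `# The ICMP rules formerly in this file are now provided by <replacement — fill in>.`, would make the migration auditable for anyone who relied on this file.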


@ -12,20 +12,24 @@
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you may
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface
# INTERFACE Name of interface. Each interface may be listed only
# once in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.
# column is left black.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started and you must have iproute
# installed.
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
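Review bot: The rewritten BROADCAST line `# column is left black.If the interface has multiple` carries forward the pre-existing typo "black" (the column is left blank) and drops the space after the period. Suggest `# column is left blank. If the interface has multiple`.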


@ -18,7 +18,7 @@
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no


@ -45,13 +45,13 @@
42.0.0.0/8 logdrop # Reserved
58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved
69.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
82.0.0.0/7 logdrop # Reserved
84.0.0.0/6 logdrop # Reserved
88.0.0.0/5 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved
222.0.0.0/7 logdrop # Reserved
240.0.0.0/4 logdrop # Reserved


@ -350,4 +350,12 @@ MUTEX_TIMEOUT=60
LOGNEWNOTSYN=
#
# Forward "Ping"
#
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
# forwarded by the firewall.
FORWARDPING=Yes
#LAST LINE -- DO NOT REMOVE
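Review bot: The new FORWARDPING comment documents only the `Yes` case; it does not name the other accepted value or say what happens to Echo Requests when the option is empty or set to `No`. Since the option ships enabled (`FORWARDPING=Yes`) and the firewall-script hunk accepts echo-request in the shared `common` chain, a user hardening the configuration needs that information in this file. Suggest extending the comment with `# If FORWARDPING is not set or is set to "No", Echo Requests are subject to` / `# your policies and rules like any other traffic.`, after confirming the wording against the firewall script's handling of the option.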


@ -1 +1 @@
1.3.6
1.3.7


@ -1,15 +1,26 @@
Changes since 1.3.5
Changes since 1.3.6
1. REDIRECT rules are now working again.
1. Comments in the common.def file have been updated.
2. proxyarp option now works.
2. icmp.def deimplemented
3. FORWARDPING implemented.
4. Made MULTIPORT work with iptables 1.2.7
5. Corrected ADD_SNAT_ALIASES
6. Work around iptables 1.2.7 protocol match bug.
7. Remove themes from documentation and web site.
8. Comments in the interfaces file improved.
9. Typo in the policy file corrected.
10. Loopback class A added to rfc1918.
3. It is once again possible to specify a host list in an
/etc/shorewall/hosts entry.
4. The lock file is now removed when the firewall script is killed by a
signal.
5. Implemented "new not SYN" dropping.


@ -8,7 +8,7 @@
#
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/common to replace it. It is suggested that you include
# the command "source /etc/shorewall/common.def" in your
# the command ". /etc/shorewall/common.def" in your
# /etc/shorewall/common file so that you will continue to get the
# advantage of new releases of this file.
#



@ -0,0 +1,28 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>The Documentation Index</title>
</head>
<body>
<h1 align="center">The Shorewall Documentation Index</h1>
<h1 align="center">has Moved
<a href="shorewall_quickstart_guide.htm#Documentation">Here</a></h1>
<p><font size="2">
Last updated 8/9/2002
-
<a href="support.htm">Tom Eastep</a></font>
</p>
<p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>


@ -6,187 +6,194 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall FAQ</title>
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall FAQs<!--mstheme--></font></h1>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">About Shorewall<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq13">Why do you call it &quot;Shorewall&quot;?</a></p>
<p align="left"><a href="#faq10">What distributions does it work with?</a></p>
<p align="left"><a href="shorewall_features.htm">What features does it support?</a></p>
<p align="left"><a href="#faq12">Why isn't there a GUI?</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Filtering<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq14">I'm connected via a cable modem and it has an
internel web server that allows me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface, it also blocks the cable modems
web server</a>.</p>
<p align="left"><a href="#faq14a">Even though it assigns public IP addresses, my
ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918 filtering on my
external interface, my DHCP client cannot renew its lease.</a></p>
<p align="left"><a href="#faq4">I just used an online port scanner to check my
firewall and it shows some ports as 'closed' rather than 'blocked'. Why?</a></p>
<p align="left"><a href="#faq4a">I just ran an nmap UDP scan of my firewall and
it showed 100s of ports as open!!!!</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Forwarding<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq1">I want to forward UDP port 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and can't find how to do it.</a></p>
<p align="left"><a href="#faq1a">Ok -- I followed those instructions but it
doesn't work.</a></p>
<p align="left"><a href="#faq2">I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
http://www.mydomain.com but internal clients can't.</a></p>
<p align="left"><a href="#faq3">I have a zone &quot;Z&quot; with an RFC1918 subnet and I
use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918 addresses) so they
can't access each other using their DNS names.</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Applications<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq3">I want to use Netmeeting with Shorewall. What do I do?</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Connection Problems<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq5">I've installed Shorewall and now I can't ping through the
firewall</a></p>
<p align="left"><a href="#faq15">My local systems can't see out to the net</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Logging<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq6">Where are the log messages written and&nbsp;
how do I change the destination?</a></p>
<p align="left"><a href="#faq16">Shorewall is writing log messages all over my
console making it unusable!</a></p>
<p align="left"><a href="#faq6a">Are there any log parsers that work with
Shorewall?</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting and stopping the firewall<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq7">When I stop Shorewall using 'shorewall stop',
I can't connect to anything. Why doesn't that command work?</a></p>
<p align="left"><a href="#faq8">When I try to start Shorewall on RedHat 7.x, I
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber4" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall FAQs</font></h1>
</td>
</tr>
</table>
<p align="left"><b>1. </b><a href="#faq1">&nbsp;I want to <b>forward</b> UDP <b>
port</b> 7777 to my my personal PC with IP address 192.168.1.5. I've looked
everywhere and can't find <b>how to do it</b>.</a></p>
<p align="left"><b>1a. </b><a href="#faq1a">Ok -- I followed those instructions
but it doesn't work.</a></p>
<p align="left"><b>2.</b> <a href="#faq2">I <b>port forward</b> www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. <b>External clients can browse</b>
http://www.mydomain.com but <b>internal clients can't</b>.</a></p>
<p align="left"><b>2a. </b><a href="#faq3">I have a zone &quot;Z&quot; with an RFC1918
subnet and I use <b>static NAT</b> to assign non-RFC1918 addresses to hosts in
Z. Hosts in Z cannot communicate with each other using their external
(non-RFC1918 addresses) so they <b>can't access each other using their DNS
names.</b></a></p>
<p align="left"><b>3. </b><a href="#faq3">I want to use <b>Netmeeting </b>with
Shorewall. What do I do?</a></p>
<p align="left"><b>4. </b><a href="#faq4">I just used an online port scanner to
check my firewall and it shows <b>some ports as 'closed' rather than 'blocked'.</b>
Why?</a></p>
<p align="left"><b>4a. </b><a href="#faq4a">I just ran an <b>nmap UDP scan</b>
of my firewall and it showed 100s of ports as open!!!!</a></p>
<p align="left"><b>5. </b><a href="#faq5">I've installed Shorewall and now I <b>
can't ping</b> through the firewall</a></p>
<p align="left"><b>6. </b><a href="#faq6">Where are the <b>log messages</b>
written and&nbsp; how do I <b>change the destination</b>?</a></p>
<p align="left"><b>6a. </b><a href="#faq6a">Are there any <b>log parsers</b>
that work with Shorewall?</a></p>
<p align="left"><b>7. </b><a href="#faq7">When I stop Shorewall <b>using
'shorewall stop', I can't connect to anything</b>. Why doesn't that command
work?</a></p>
<p align="left"><b>8. </b><a href="#faq8">When I try to <b>start Shorewall on RedHat 7.x</b>, I
get messages about insmod failing -- what's wrong?</a></p>
<p align="left"><a href="#faq17">Why can't Shorewall detect my interfaces
properly?</a></p>
</blockquote>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Design<!--mstheme--></font></h2>
<blockquote>
<p align="left"><a href="#faq9">Why does Shorewall only accept IP addresses as
<p align="left"><b>9. </b><a href="#faq9"><b>Why </b>does Shorewall <b>only accept IP addresses</b> as
opposed to FQDNs?</a></p>
<p align="left"><b>10. </b><a href="#faq10">What <b>distributions</b> does it
work with?</a></p>
<p align="left"><b>11. </b><a href="#faq18">What <b>features</b> does it
support?</a></p>
<p align="left"><b>12. </b><a href="#faq12">Why isn't there a <b>GUI</b></a></p>
<p align="left"><b>13. </b><a href="#faq13">Why do you call it <b>&quot;Shorewall&quot;?</b></a></p>
<p align="left"><b>14. </b><a href="#faq14">I'm connected via a cable modem and it has an internel
web server that allows me to configure/monitor it but as expected if I enable <b>
rfc1918 blocking</b> for my eth0 interface, it also blocks the <b>cable modems
web server</b></a>.</p>
<p align="left"><b>14a. </b><a href="#faq14a">Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918
filtering on my external interface, <b>my DHCP client cannot renew its lease</b>.</a></p>
<p align="left"><b>15. </b><a href="#faq15"><b>My local systems can't see out to
the net</b></a></p>
<p align="left"><b>16. </b><a href="#faq16">Shorewall is writing <b>log messages
all over my console</b> making it unusable!</a></p>
<p align="left"><b>17. </b><a href="#faq17">Why can't Shorewall <b>detect my
interfaces </b>properly?</a></p>
<blockquote>
<p align="left">&nbsp;</p>
</blockquote>
<!--msthemeseparator--><p align="center"><img src="_themes/radial/aradrule.gif" width="614" height="7"></p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq1"></a>1. I want to forward UDP port 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and can't find how to do it.<!--mstheme--></font></h4>
<hr>
<h4 align="left"><a name="faq1"></a>1. I want to forward UDP port 7777 to my my personal PC with IP
address 192.168.1.5. I've looked everywhere and can't find how to do it.</h4>
<p align="left"><b>Answer: </b>The <a href="Documentation.htm#PortForward"> first example</a> in the <a href="Documentation.htm#Rules">rules
file documentation</a> shows how to do port forwarding under Shorewall. Assuming
that you have a dynamic external IP address, the format of a port-forwarding
rule to a local system is as follows:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;protocol&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;port #&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p align="left">So to forward UDP port 7777 to internal system 192.168.1.5, the
rule is:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.5<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">udp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">7777<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:192.168.1.5</td>
<td>udp</td>
<td>7777</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<div align="left">
<!--mstheme--></font><pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre align="left"><font face="Courier"> DNAT net loc:192.168.1.5 udp 7777</font></pre>
</div>
<p align="left">If you want to forward requests directed to a particular
address ( <i>&lt;external IP&gt;</i> ) on your firewall to an internal system:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;protocol&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;port #&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;external IP&gt;</i><!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;local IP address&gt;</i>[:<i>&lt;local port</i>&gt;]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port #&gt;</i></td>
<td>-</td>
<td><i>&lt;external IP&gt;</i></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq1a"></a>1a. Ok -- I followed those instructions but
it doesn't work<!--mstheme--></font></h4>
<h4 align="left"><a name="faq1a"></a>1a. Ok -- I followed those instructions but
it doesn't work</h4>
<p align="left"><b>Answer: </b>That is usually the result of one of two things:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You are trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You have a more basic problem with your local system such as an
<ul>
<li>You are trying to test from inside your firewall (no, that
won't work -- see <a href="#faq2">FAQ #2</a>).</li>
<li>You have a more basic problem with your local system such as an
incorrect default gateway configured (it should be set to the IP address of your
firewall's internal interface).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com (IP
firewall's internal interface).</li>
</ul>
<h4 align="left"><a name="faq2"></a>2. I port forward www requests to www.mydomain.com (IP
130.151.100.69) to system 192.168.1.5 in my local network. External clients can browse
http://www.mydomain.com but internal clients can't.<!--mstheme--></font></h4>
http://www.mydomain.com but internal clients can't.</h4>
<p align="left"><b>Answer: </b>I have two objections to this setup.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Having an internet-accessible server in your local network
<ul>
<li>Having an internet-accessible server in your local network
is like raising foxes in the corner of your hen house. If the server is
compromised, there's nothing between that server and your other internal
systems. For the cost of another NIC and a cross-over cable, you can put
your server in a DMZ such that it is isolated from your local systems -
assuming that the Server can be located near the Firewall, of course :-)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The accessibility problem is best solved using
assuming that the Server can be located near the Firewall, of course :-)</li>
<li>The accessibility problem is best solved using
<a href="shorewall_setup_guide.htm#DNS">Bind Version
9 &quot;views&quot;</a> (or using a separate DNS server for local clients) such that www.mydomain.com resolves to 130.141.100.69
externally and 192.168.1.5 internally. That's what I do here at
shorewall.net for my local systems that use static NAT.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
shorewall.net for my local systems that use static NAT.</li>
</ul>
<p align="left">If you insist on an IP solution to the accessibility problem
rather than a DNS solution, then assuming that your external interface is eth0
and your internal interface is eth1
@ -197,30 +204,30 @@ for eth1.</p>
<p align="left">b) In /etc/shorewall/rules, add:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.5<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">www<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.151.100.69:192.168.1.254<!--mstheme--></font></td>
<td>DNAT</td>
<td>loc:192.168.1.0/24</td>
<td>loc:192.168.1.5</td>
<td>tcp</td>
<td>www</td>
<td>-</td>
<td>130.151.100.69:192.168.1.254</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
<!--mstheme--></font><pre align="left"> <font face="Courier">DNAT&nbsp;&nbsp;&nbsp; loc:192.168.1.0/24&nbsp;&nbsp;&nbsp; loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; www&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; 130.151.100.69:192.168.1.254</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre align="left"> <font face="Courier">DNAT&nbsp;&nbsp;&nbsp; loc:192.168.1.0/24&nbsp;&nbsp;&nbsp; loc:192.168.1.5&nbsp;&nbsp;&nbsp; tcp&nbsp;&nbsp;&nbsp; www&nbsp;&nbsp;&nbsp; -&nbsp;&nbsp;&nbsp; 130.151.100.69:192.168.1.254</font></pre>
</div>
<div align="left">
<p align="left">That rule only works of course if you have a static external IP
@ -228,42 +235,42 @@ address. If you
have a dynamic IP address and are running Shorewall 1.3.4 or later then include this in
/etc/shorewall/params:</div>
<div align="left">
<!--mstheme--></font><pre> ETH0_IP=`find_interface_address eth0`</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> ETH0_IP=`find_interface_address eth0`</pre>
</div>
<div align="left">
<p align="left">and make your DNAT rule:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber1" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber1">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIG. DEST.</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIG. DEST.</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:192.168.1.5<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">www<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">$ETH0_IP:192.168.1.254<!--mstheme--></font></td>
<td>DNAT</td>
<td>loc:192.168.1.0/24</td>
<td>loc:192.168.1.5</td>
<td>tcp</td>
<td>www</td>
<td>-</td>
<td>$ETH0_IP:192.168.1.254</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Using this technique, you will want to configure your DHCP/PPPoE
client to automatically restart Shorewall each time that you get a new IP
address.</div>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq2a"></a>2a. I have a zone &quot;Z&quot; with an RFC1918 subnet and I
<h4 align="left"><a name="faq2a"></a>2a. I have a zone &quot;Z&quot; with an RFC1918 subnet and I
use static NAT to assign non-RFC1918 addresses to hosts in Z. Hosts in Z cannot
communicate with each other using their external (non-RFC1918 addresses) so they
can't access each other using their DNS names.<!--mstheme--></font></h4>
can't access each other using their DNS names.</h4>
<p align="left"><b>Answer: </b>This is another problem that is best solved using Bind Version 9
&quot;views&quot;. It allows both external and internal clients to access a
NATed host using the host's DNS name.</p>
@ -283,63 +290,63 @@ Interface: eth2<br>
Subnet: 192.168.2.0/24</p>
<p align="left">In /etc/shorewall/interfaces:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber2" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber2">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ZONE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>INTERFACE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>BROADCAST</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>OPTIONS</b></u><!--mstheme--></font></td>
<td><u><b>ZONE</b></u></td>
<td><u><b>INTERFACE</b></u></td>
<td><u><b>BROADCAST</b></u></td>
<td><u><b>OPTIONS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.2.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">multi<!--mstheme--></font></td>
<td>dmz</td>
<td>eth2</td>
<td>192.168.2.255</td>
<td>multi</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p align="left">In /etc/shorewall/policy:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE </b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>POLICY</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>LIMIT:BURST</b></u><!--mstheme--></font></td>
<td><u><b>SOURCE </b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">dmz<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>dmz</td>
<td>dmz</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<div align="left">
<!--mstheme--></font><pre align="left"> dmz&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; ACCEPT</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre align="left"> dmz&nbsp;&nbsp;&nbsp; dmz&nbsp;&nbsp;&nbsp; ACCEPT</pre>
</div>
<p align="left">In /etc/shorewall/masq:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3" width="369" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3" width="369">
<tr>
<td width="93"><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>INTERFACE </b></u><!--mstheme--></font></td>
<td width="31"><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SUBNET</b></u><!--mstheme--></font></td>
<td width="120"><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ADDRESS</b></u><!--mstheme--></font></td>
<td width="93"><u><b>INTERFACE </b></u></td>
<td width="31"><u><b>SUBNET</b></u></td>
<td width="120"><u><b>ADDRESS</b></u></td>
</tr>
<tr>
<td width="93"><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td width="31"><!--mstheme--><font face="arial, Arial, Helvetica">192.168.2.0/24<!--mstheme--></font></td>
<td width="120"><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td width="93">eth2</td>
<td width="31">192.168.2.0/24</td>
<td width="120">&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq3"></a>3. I want to use Netmeeting with Shorewall. What do I do?<!--mstheme--></font></h4>
<h4 align="left"><a name="faq3"></a>3. I want to use Netmeeting with Shorewall. What do I do?</h4>
<p align="left"><b>Answer: </b>There is an <a href="http://www.kfki.hu/~kadlec/sw/netfilter/newnat-suite/"> H.323 connection tracking/NAT module</a> that may help.
Also check the Netfilter mailing list archives at <a href="http://netfilter.samba.org">http://netfilter.samba.org</a>. </p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq4"></a>4. I just used an online port scanner to
<h4 align="left"><a name="faq4"></a>4. I just used an online port scanner to
check my firewall and it shows some ports as 'closed' rather than 'blocked'.
Why?<!--mstheme--></font></h4>
Why?</h4>
<p align="left"><b>Answer: </b>The common.def included with version 1.3.x always
rejects connection requests on TCP port 113 rather than dropping them. This is
@ -355,8 +362,8 @@ Also check the Netfilter mailing list archives at <a href="http://netfilter.samb
ISP preventing you from running a web server in violation of your Service
Agreement.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!<!--mstheme--></font></h4>
<h4 align="left"><a name="faq4a"></a>4a. I just ran an nmap UDP scan of my
firewall and it showed 100s of ports as open!!!!</h4>
<p align="left"><b>Answer: </b>Take a deep breath and read the nmap man page section about
UDP scans. If nmap gets <b>nothing</b> back from your firewall then it reports
@ -364,8 +371,8 @@ Also check the Netfilter mailing list archives at <a href="http://netfilter.samb
temporarily change your net-&gt;all policy to REJECT, restart Shorewall and do
the nmap UDP scan again.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq5"></a>5. I've installed Shorewall and now I can't ping through the
firewall<!--mstheme--></font></h4>
<h4 align="left"><a name="faq5"></a>5. I've installed Shorewall and now I can't ping through the
firewall</h4>
<p align="left"><b>Answer: </b>If you want your firewall to be totally open for
&quot;ping&quot;: </p>
<p align="left">a) Do NOT specify 'noping' on any interface in
@ -376,8 +383,8 @@ c) Add the following to /etc/shorewall/icmpdef: </p>
<p align="left">run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j
ACCEPT </p>
</blockquote>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq6"></a>6. Where are the log messages written
and&nbsp; how do I change the destination?<!--mstheme--></font></h4>
<h4 align="left"><a name="faq6"></a>6. Where are the log messages written
and&nbsp; how do I change the destination?</h4>
<p align="left"><b>Answer: </b>NetFilter uses the kernel's equivalent of syslog (see &quot;man
syslog&quot;) to log messages. It always uses the LOG_KERN (kern) facility (see
&quot;man openlog&quot;) and you get to choose the log level (again, see
@ -390,11 +397,11 @@ syslogd (on a RedHat system, &quot;service syslog restart&quot;). </p>
<a href="Documentation.htm#Conf">settings</a>
in /etc/shorewall/shorewall.conf -- If you want to log all messages, set: </p>
<div align="left">
<!--mstheme--></font><pre align="left"> LOGLIMIT=&quot;&quot;
LOGBURST=&quot;&quot;</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre align="left"> LOGLIMIT=&quot;&quot;
LOGBURST=&quot;&quot;</pre>
</div>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq6a"></a>6a. Are there any log parsers that work
with Shorewall?<!--mstheme--></font></h4>
<h4 align="left"><a name="faq6a"></a>6a. Are there any log parsers that work
with Shorewall?</h4>
<p align="left"><b>Answer: </b>Here are several links that may be helpful: </p>
<blockquote>
<p align="left"><a href="http://www.shorewall.net/pub/shorewall/parsefw/">
@ -402,33 +409,33 @@ http://www.shorewall.net/pub/shorewall/parsefw/</a><br>
<a href="http://www.fireparse.com">http://www.fireparse.com</a><br>
<a href="http://cert.uni-stuttgart.de/projects/fwlogwatch">http://cert.uni-stuttgart.de/projects/fwlogwatch</a></p>
</blockquote>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that command work?<!--mstheme--></font></h4>
<h4 align="left"><a name="faq7"></a>7. When I stop Shorewall using 'shorewall
stop', I can't connect to anything. Why doesn't that command work?</h4>
<p align="left">The 'stop' command is intended to place your firewall into a
safe state whereby only those interfaces/hosts having the 'routestopped' option
in /etc/shorewall/interfaces and /etc/shorewall/hosts are activated. If you want
to totally open up your firewall, you must use the 'shorewall clear' command. </p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
7.x, I get messages about insmod failing -- what's wrong?<!--mstheme--></font></h4>
<h4 align="left"><a name="faq8"></a>8. When I try to start Shorewall on RedHat
7.x, I get messages about insmod failing -- what's wrong?</h4>
<p align="left"><b>Answer: </b>The output you will see looks something like this:</p>
<!--mstheme--></font><pre> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
<pre> /lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: init_module: Device or resource busy
Hint: insmod errors can be caused by incorrect module parameters, including invalid IO or IRQ parameters
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o failed
/lib/modules/2.4.17/kernel/net/ipv4/netfilter/ip_tables.o: insmod ip_tables failed
iptables v1.2.3: can't initialize iptables table `nat': iptables who? (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.</pre><!--mstheme--><font face="arial, Arial, Helvetica">
Perhaps iptables or your kernel needs to be upgraded.</pre>
<p align="left">This is usually cured by the following sequence of commands: </p>
<div align="left">
<!--mstheme--></font><pre align="left"> service ipchains stop
<pre align="left"> service ipchains stop
chkconfig --delete ipchains
rmmod ipchains</pre><!--mstheme--><font face="arial, Arial, Helvetica">
rmmod ipchains</pre>
</div>
<div align="left">
<p align="left">Also, be sure to check the <a href="errata.htm">errata</a> for
problems concerning the version of iptables (v1.2.3) shipped with RH7.2.</div>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"> <a name="faq9"></a>9. Why does Shorewall only accept IP
addresses as opposed to FQDNs?<!--mstheme--></font></h4><p align="left"> <b>Answer: </b>FQDNs in iptables rules
<h4 align="left"> <a name="faq9"></a>9. Why does Shorewall only accept IP
addresses as opposed to FQDNs?</h4><p align="left"> <b>Answer: </b>FQDNs in iptables rules
aren't nearly as useful as they first appear. When a DNS name appears in a rule,
the iptables utility resolves the name to one or more IP addresses and inserts
those addresses into the rule. So change in the DNS-&gt;IP address relationship
@ -436,71 +443,71 @@ that occur after the firewall has started have absolutely no effect on the
firewall's ruleset.</p>
<p align="left"> I'm also trying to protect
people from themselves. If your firewall rules include FQDN's then:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your /etc/resolv.conf is wrong then your firewall won't
start.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your /etc/nsswitch.conf is wrong then your firewall won't
start.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your Name Server(s) is(are) down then your firewall won't
start.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq10"></a>10. What Distributions does it work
with?<!--mstheme--></font></h4>
<ul>
<li>If your /etc/resolv.conf is wrong then your firewall won't
start.</li>
<li>If your /etc/nsswitch.conf is wrong then your firewall won't
start.</li>
<li>If your Name Server(s) is(are) down then your firewall won't
start.</li>
<li>Factors totally outside your control (your ISP's router is
down for example), can prevent your firewall from starting.</li>
</ul>
<h4 align="left"><a name="faq10"></a>10. What Distributions does it work
with?</h4>
<p align="left">Shorewall works with any GNU/Linux distribution that includes
the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">11. What Features does it have?<!--mstheme--></font></h4>
the <a href="shorewall_prerequisites.htm">proper prerequisites</a>.<h4 align="left">11. What Features does it have?</h4>
<p align="left"><b>Answer: </b>See the <a href="shorewall_features.htm">Shorewall Feature
List</a>.<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq12"></a>12. Why isn't there a GUI?<!--mstheme--></font></h4>
List</a>.<h4 align="left"><a name="faq12"></a>12. Why isn't there a GUI?</h4>
<p align="left"><b>Answer: </b>Every time I've started to work on one, I find myself doing
other things. I guess I just don't care enough if Shorewall has a GUI to
invest the effort to create one myself. There are several Shorewall GUI
projects underway however and I will publish links to them when the authors
feel that they are ready. <h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">
<a name="faq13"></a>13. Why do you call it &quot;Shorewall&quot;?<!--mstheme--></font></h4>
feel that they are ready. <h4 align="left">
<a name="faq13"></a>13. Why do you call it &quot;Shorewall&quot;?</h4>
<p align="left"><b>Answer: </b>Shorewall is a concatenation of &quot;<u>Shore</u>line&quot; (<a href="http://www.cityofshoreline.com">the
city where I live</a>) and &quot;Fire<u>wall</u>&quot;.<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">
city where I live</a>) and &quot;Fire<u>wall</u>&quot;.<h4 align="left">
<a name="faq14"></a>14.&nbsp; I'm connected via a cable modem and it has an
internal web server that allows me to configure/monitor it but as expected if I
enable rfc1918 blocking for my eth0 interface (the internet one), it also blocks
the cable modems web server.<!--mstheme--></font></h4>
the cable modems web server.</h4>
<p align="left">Is there any way it can add a rule before the
rfc1918 blocking that will let all traffic to and from the 192.168.100.1 address
of the modem in/out but still block all other rfc1918 addresses.</p>
<p align="left"><b>Answer: </b>If you are running a version of Shorewall earlier than
1.3.1, create /etc/shorewall/start and in it, place the following:<div align="left">
<!--mstheme--></font><pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> run_iptables -I rfc1918 -s 192.168.100.1 -j ACCEPT</pre>
</div>
<div align="left">
<p align="left">If you are running version 1.3.1 or later, simply add the
following to<a href="Documentation.htm#rfc1918"> /etc/shorewall/rfc1918</a>:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SUBNET </b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>TARGET</b></u><!--mstheme--></font></td>
<td><u><b>SUBNET </b></u></td>
<td><u><b>TARGET</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.100.1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">RETURN<!--mstheme--></font></td>
<td>192.168.100.1</td>
<td>RETURN</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
<p align="left">Be sure that you add the entry ABOVE the entry for
192.168.0.0/16.</div>
<div align="left">
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq14a"></a>14a. Even though it assigns public IP
<h4 align="left"><a name="faq14a"></a>14a. Even though it assigns public IP
addresses, my ISP's DHCP server has an RFC 1918 address. If I enable RFC 1918
filtering on my external interface, my DHCP client cannot renew its lease.<!--mstheme--></font></h4>
filtering on my external interface, my DHCP client cannot renew its lease.</h4>
</div>
<div align="left">
<p align="left">The solution is the same as FAQ 14 above. Simply substitute
the IP address of your ISPs DHCP server.</div>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq15"></a>15. My local systems can't see out to the
net<!--mstheme--></font></h4>
<h4 align="left"><a name="faq15"></a>15. My local systems can't see out to the
net</h4>
<p align="left"><b>Answer: </b>Every time I read &quot;systems can't see out to the net&quot;, I wonder
where the poster bought computers with eyes and what those computers will &quot;see&quot;
@ -522,20 +529,20 @@ problem are:</p>
</li>
</ol>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq16"></a>16. Shorewall is writing log messages all
over my console making it unusable!<!--mstheme--></font></h4>
<h4 align="left"><a name="faq16"></a>16. Shorewall is writing log messages all
over my console making it unusable!</h4>
<p align="left"><b>Answer: </b>&quot;man dmesg&quot; -- add a suitable 'dmesg' command to your startup
scripts or place it in /etc/shorewall/start.</p>
<h4 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="faq17"></a>17. Why can't Shorewall detect my
interfaces properly?<!--mstheme--></font></h4>
<h4 align="left"><a name="faq17"></a>17. Why can't Shorewall detect my
interfaces properly?</h4>
<p align="left">I just installed Shorewall and when I issue the start command,
I see the following:</p>
<div align="left">
<!--mstheme--></font><pre> Processing /etc/shorewall/shorewall.conf ...
<pre> Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
@ -549,23 +556,22 @@ over my console making it unusable!<!--mstheme--></font></h4>
Local Zone: eth1:0.0.0.0/0
</b> Deleting user chains...
Creating input Chains...
...</pre><!--mstheme--><font face="arial, Arial, Helvetica">
...</pre>
</div>
<div align="left">
<p align="left">Why can't Shorewall detect my interfaces properly?</div>
<div align="left">
<p align="left"><b>Answer: </b>The above output is perfectly normal. The Net
zone is defined as all hosts that are connected through eth0 and the local
zone is defined as all hosts connected through eth1.
</div>
zone is defined as all hosts connected through eth1.</div>
<p align="left"><font size="2">Last updated
7/31/2002 - <a href="support.htm">Tom
8/15/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,18 +6,23 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Copyright</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a href="#TOC1" name="SEC1">GNU Free Documentation License</a><!--mstheme--></font></h2>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h2 align="center"><font color="#FFFFFF">GNU Free Documentation License</font></h2>
</td>
</tr>
</table>
<p>Version 1.1, March 2000 </p>
<!--mstheme--></font><pre>Copyright (C) 2000 Free Software Foundation, Inc.
<pre>Copyright (C) 2000 Free Software Foundation, Inc.
59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</pre>
<p><strong>0. PREAMBLE</strong> </p>
<p>The purpose of this License is to make a manual, textbook, or other written
document &quot;free&quot; in the sense of freedom: to assure everyone the effective
@ -130,55 +135,55 @@ of the Document, thus licensing distribution and modification of the Modified
Version to whoever possesses a copy of it. In addition, you must do these things
in the Modified Version: </p>
<p>&nbsp;</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>A.</strong> Use in the Title Page (and on the covers, if any) a
<ul>
<li><strong>A.</strong> Use in the Title Page (and on the covers, if any) a
title distinct from that of the Document, and from those of previous versions
(which should, if there were any, be listed in the History section of the
Document). You may use the same title as a previous version if the original
publisher of that version gives permission. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>B.</strong> List on the Title Page, as authors, one or more
publisher of that version gives permission. </li>
<li><strong>B.</strong> List on the Title Page, as authors, one or more
persons or entities responsible for authorship of the modifications in the
Modified Version, together with at least five of the principal authors of the
Document (all of its principal authors, if it has less than five). <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>C.</strong> State on the Title page the name of the publisher of
the Modified Version, as the publisher. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>D.</strong> Preserve all the copyright notices of the Document.
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>F.</strong> Include, immediately after the copyright notices, a
Document (all of its principal authors, if it has less than five). </li>
<li><strong>C.</strong> State on the Title page the name of the publisher of
the Modified Version, as the publisher. </li>
<li><strong>D.</strong> Preserve all the copyright notices of the Document.
</li>
<li><strong>E.</strong> Add an appropriate copyright notice for your
modifications adjacent to the other copyright notices. </li>
<li><strong>F.</strong> Include, immediately after the copyright notices, a
license notice giving the public permission to use the Modified Version under
the terms of this License, in the form shown in the Addendum below. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>G.</strong> Preserve in that license notice the full lists of
the terms of this License, in the form shown in the Addendum below. </li>
<li><strong>G.</strong> Preserve in that license notice the full lists of
Invariant Sections and required Cover Texts given in the Document's license
notice. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>H.</strong> Include an unaltered copy of this License. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>I.</strong> Preserve the section entitled &quot;History&quot;, and its
notice. </li>
<li><strong>H.</strong> Include an unaltered copy of this License. </li>
<li><strong>I.</strong> Preserve the section entitled &quot;History&quot;, and its
title, and add to it an item stating at least the title, year, new authors,
and publisher of the Modified Version as given on the Title Page. If there is
no section entitled &quot;History&quot; in the Document, create one stating the title,
year, authors, and publisher of the Document as given on its Title Page, then
add an item describing the Modified Version as stated in the previous
sentence. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>J.</strong> Preserve the network location, if any, given in the
sentence. </li>
<li><strong>J.</strong> Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the Document, and likewise
the network locations given in the Document for previous versions it was based
on. These may be placed in the &quot;History&quot; section. You may omit a network
location for a work that was published at least four years before the Document
itself, or if the original publisher of the version it refers to gives
permission. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>K.</strong> In any section entitled &quot;Acknowledgements&quot; or
permission. </li>
<li><strong>K.</strong> In any section entitled &quot;Acknowledgements&quot; or
&quot;Dedications&quot;, preserve the section's title, and preserve in the section all
the substance and tone of each of the contributor acknowledgements and/or
dedications given therein. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>L.</strong> Preserve all the Invariant Sections of the Document,
dedications given therein. </li>
<li><strong>L.</strong> Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section numbers or the equivalent
are not considered part of the section titles. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>M.</strong> Delete any section entitled &quot;Endorsements&quot;. Such a
section may not be included in the Modified Version. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><strong>N.</strong> Do not retitle any existing section as &quot;Endorsements&quot;
or to conflict in title with any Invariant Section. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
are not considered part of the section titles. </li>
<li><strong>M.</strong> Delete any section entitled &quot;Endorsements&quot;. Such a
section may not be included in the Modified Version. </li>
<li><strong>N.</strong> Do not retitle any existing section as &quot;Endorsements&quot;
or to conflict in title with any Invariant Section. </li>
</ul>
<p>If the Modified Version includes new front-matter sections or appendices that
qualify as Secondary Sections and contain no material copied from the Document,
you may at your option designate some or all of these sections as invariant. To
@ -272,6 +277,6 @@ does not specify a version number of this License, you may choose any version
ever published (not as a draft) by the Free Software Foundation. </p>
<p align="left">&nbsp;</p>
<!--mstheme--></font></body>
</body>
</html>


@ -5,13 +5,18 @@
<title>GRE/IPIP Tunnels</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">GRE and IPIP Tunnels<!--mstheme--></font></h1>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#FF6633">Warning: </font>GRE and IPIP Tunnels are insecure when used
over the internet; use them at your own risk<!--mstheme--></font></h3>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">GRE and IPIP Tunnels</font></h1>
</td>
</tr>
</table>
<h3><font color="#FF6633">Warning: </font>GRE and IPIP Tunnels are insecure when used
over the internet; use them at your own risk</h3>
<p>GRE and IPIP tunneling with Shorewall requires iproute2 and can be used to bridge two masqueraded networks.&nbsp;GRE
tunnels were introduced in shorewall version 1.2.0_Beta2.</p>
<p>The simple scripts described in the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
@ -19,9 +24,10 @@ and Shaping HOWTO</a> work fine with Shorewall. Shorewall also includes a tunnel
script for automating tunnel configuration. If you have installed the RPM, the
tunnel script may be found in the Shorewall documentation directory (usually
/usr/share/doc/shorewall-&lt;version&gt;/).</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Bridging two Masqueraded Networks<!--mstheme--></font></h2>
<h2>Bridging two Masqueraded Networks</h2>
<p>Suppose that we have the following situation:</p>
<p align="center"><img border="0" src="images/TwoNets1.jpg" width="651" height="394"></p>
<p align="center">
<img border="0" src="images/TwoNets1.png" width="745" height="427"></p>
<p align="left">We want systems in the 192.168.1.0/24 subnetwork to be able to
communicate with the systems in the 10.0.0.0/8 network. This is accomplished
through use of the /etc/shorewall/tunnels file, the /etc/shorewall/policy file
@ -39,37 +45,37 @@ parameter to the type of tunnel that you want to create.</p>
<p align="left">On system A, the 10.0.0.0/8 will comprise the <b>gw</b> zone. In
/etc/shorewall/interfaces:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tosysb<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.255.255.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>gw</td>
<td>tosysb</td>
<td>10.255.255.255</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p align="left">In /etc/shorewall/tunnels on system A, we need the following:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>TYPE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>GATEWAY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>GATEWAY ZONE</b><!--mstheme--></font></td>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipip<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">134.28.54.2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ipip</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>This entry in /etc/shorewall/tunnels, opens the firewall so that the IP
encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
@ -85,37 +91,37 @@ encapsulation protocol (4) will be accepted to/from the remote gateway.</p>
<p>Similarly, On system B the 192.168.1.0/24 subnet will comprise the <b>gw</b>
zone. In /etc/shorewall/interfaces:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tosysa<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.1.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>gw</td>
<td>tosysa</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>In /etc/shorewall/tunnels on system B, we have:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>TYPE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>GATEWAY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>GATEWAY ZONE</b><!--mstheme--></font></td>
<td><b>TYPE</b></td>
<td><b>ZONE</b></td>
<td><b>GATEWAY</b></td>
<td><b>GATEWAY ZONE</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipip<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">206.191.148.9<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ipip</td>
<td>net</td>
<td>206.191.148.9</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>And in the tunnel script on system B:</p>
<blockquote>
@ -135,28 +141,28 @@ secured so that root can execute them. </p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>SOURCE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>DEST</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>POLICY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>LOG LEVEL</strong><!--mstheme--></font></td>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>loc</td>
<td>gw</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>gw</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>On both systems, restart Shorewall and
run the modified tunnel script with the &quot;start&quot; argument on each
@ -167,6 +173,6 @@ Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -10,11 +10,16 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">IPSEC Tunnels<!--mstheme--></font></h1>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">Configuring FreeS/Wan</font><!--mstheme--></font></h2>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">IPSEC Tunnels</font></h1>
</td>
</tr>
</table>
<h2><font color="#660066">Configuring FreeS/Wan</font></h2>
There is an excellent guide to configuring IPSEC tunnels at<a href="http://jixen.tripod.com">
http://jixen.tripod.com</a>
. I highly recommend that you consult that site for information about confuring
@ -31,18 +36,18 @@ FreeS/Wan.
<p>&nbsp;&nbsp;&nbsp;&nbsp; qt service ipsec stop</p>
<p>In /etc/shorewall/start, include:</p>
<p>&nbsp;&nbsp;&nbsp; qt service ipsec start</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">
<h2>
<font color="#660066">IPSec Gateway
on the Firewall System
</font><!--mstheme--></font></h2>
</font></h2>
<p>Suppose that we have the following sutuation:</p>
<font color="#660066">
<p align="Center"><font face="Century Gothic, Arial, Helvetica">
<img src="images/TwoNets1.jpg" width="651" height="394">
<img src="images/TwoNets1.png" width="745" height="427">
</font></p>
</font>
@ -65,109 +70,129 @@ adding an entry to the /etc/shorewall/tunnels file.</p>
on system A, we need the following </p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
TYPE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
ZONE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY ZONE</strong><!--mstheme--></font></td>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipsec<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">134.28.54.2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ipsec</td>
<td>net</td>
<td>134.28.54.2</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table><!--mstheme--><font face="arial, Arial, Helvetica"></blockquote>
</table></blockquote>
<p align="Left">In /etc/shorewall/tunnels
on system B, we would have:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
TYPE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
ZONE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY ZONE</strong><!--mstheme--></font></td>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipsec<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">206.161.148.9<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ipsec</td>
<td>net</td>
<td>206.161.148.9</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table><!--mstheme--><font face="arial, Arial, Helvetica"></blockquote>
</table></blockquote>
<p align="Left">You need to define a zone for the remote subnet or include
it in your local zone. In this example, we'll assume that you have created a
zone called &quot;vpn&quot; to represent the remote subnet.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</table>
</blockquote>
<p align="Left">At both
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "gw"
systems, ipsec0 would be included in /etc/shorewall/interfaces as a "vpn"
interface:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
ZONE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
INTERFACE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
BROADCAST</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
OPTIONS</strong><!--mstheme--></font></td>
<td><strong>
ZONE</strong></td>
<td><strong>
INTERFACE</strong></td>
<td><strong>
BROADCAST</strong></td>
<td><strong>
OPTIONS</strong></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipsec0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>vpn</td>
<td>ipsec0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</tbody>
</table><!--mstheme--><font face="arial, Arial, Helvetica"></blockquote>
</table></blockquote>
<p align="Left"> You will need to allow traffic between the &quot;gw&quot; zone and
<p align="Left"> You will need to allow traffic between the &quot;vpn&quot; zone and
the &quot;loc&quot; zone -- if you simply want to admit all traffic in both
directions, you can use the policy file:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>SOURCE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>DEST</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>POLICY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>LOG LEVEL</strong><!--mstheme--></font></td>
<td><strong>SOURCE</strong></td>
<td><strong>DEST</strong></td>
<td><strong>POLICY</strong></td>
<td><strong>LOG LEVEL</strong></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>loc</td>
<td>vpn</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>vpn</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p align="Left"> Once
@ -177,48 +202,67 @@ you are now ready to configure the tunnel in <a href="http://www.xs4all.nl/%7Efr
.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066"><a name="RoadWarrior"></a>
Mobile System (Road Warrior)</font><!--mstheme--></font></h2>
<h2><font color="#660066"><a name="RoadWarrior"></a>
Mobile System (Road Warrior)</font></h2>
<p>Suppose that you have
a laptop system (B) that you take with you when you travel and you want to
be able to establish a secure connection back to your local network.</p>
<p align="Center"><strong><font face="Century Gothic, Arial, Helvetica">
<img src="images/Mobile.jpg" width="535" height="402">
<img src="images/Mobile.png" width="677" height="426">
</font></strong></p>
<p align="Left">You need to define a zone for the laptop or include it in
your local zone. In this example, we'll assume that you have created a zone
called &quot;vpn&quot; to represent the remote host.</p>
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><strong>ZONE</strong></td>
<td><strong>DISPLAY</strong></td>
<td><strong>COMMENTS</strong></td>
</tr>
<tr>
<td>vpn</td>
<td>VPN</td>
<td>Remote Subnet</td>
</tr>
</table>
</blockquote>
<p align="Left"> In this
instance, the mobile system (B) has IP address 134.28.54.2 but that cannot
be determined in advance. In the /etc/shorewall/tunnels file on system A,
the following entry should be made:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tbody>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
TYPE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
ZONE</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY</strong><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><strong>
GATEWAY ZONE</strong><!--mstheme--></font></td>
<td><strong>
TYPE</strong></td>
<td><strong>
ZONE</strong></td>
<td><strong>
GATEWAY</strong></td>
<td><strong>
GATEWAY ZONE</strong></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ipsec<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">0.0.0.0/0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">gw<!--mstheme--></font></td>
<td>ipsec</td>
<td>net</td>
<td>0.0.0.0/0</td>
<td>vpn</td>
</tr>
</tbody>
</table><!--mstheme--><font face="arial, Arial, Helvetica"></blockquote>
</table></blockquote>
<p>Note that the GATEWAY
ZONE column contains the name of the zone corresponding to peer subnetworks
(<i>gw</i> in the default /etc/shorewall/zones). This indicates that the
ZONE column contains the name of the zone corresponding to peer subnetworks. This indicates that the
gateway system itself comprises the peer subnetwork; in other words, the
remote gateway is a standalone system.</p>
@ -228,7 +272,7 @@ remote gateway is a standalone system.</p>
<p><font size="2"> Last
updated 5/18/2002 - </font><font size="2">
updated 8/20/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
@ -236,5 +280,5 @@ updated 5/18/2002 - </font><font size="2">
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">
Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -5,10 +5,16 @@
<title>Shorewall Installation</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica"><h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Installation<!--mstheme--></font></h1>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Installation</font></h1>
</td>
</tr>
</table>
<p><font size="4"><b><a href="#Install_RPM">Install using RPM</a><br>
<a href="#Install_Tarball">Install
@ -25,48 +31,48 @@ either from the
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">RedHat update
site</a> or from the <a href="errata.htm">Shorewall Errata page</a> before
attempting to start Shorewall.</b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<ul>
<li>Install the RPM (rpm -ivh &lt;shorewall rpm&gt;).<br>
<br>
<b>Note: </b>Some SuSE users have encountered a problem whereby rpm reports a
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -ivh --nodeps &lt;shorewall
rpm&gt;).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
rpm&gt;).</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration. <font color="#FF0000"><b>WARNING - YOU CAN <u>NOT</u> SIMPLY INSTALL THE RPM
AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED BEFORE THE
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Start the firewall by typing &quot;shorewall start&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></li>
<li>Start the firewall by typing &quot;shorewall start&quot;</li>
</ul>
<p><a name="Install_Tarball"></a>To
install Shorewall using the tarball and install
script: </p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">unpack the tarball<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-1.1.10&quot;).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are using <a
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-1.1.10&quot;).</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are using <a href="http://www.suse.com">SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your distribution has directory
then type &quot;./install.sh&quot;</li>
<li>If you are using <a href="http://www.suse.com">SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">For other distributions, determine where your
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Start the firewall by typing &quot;shorewall
start&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If the install script was unable to configure Shorewall to be started automatically at boot,
&quot;./install.sh &lt;init script directory&gt;</li>
<li>Edit the <a href="#Config_Files"> configuration files</a> to match your configuration.</li>
<li>Start the firewall by typing &quot;shorewall
start&quot;</li>
<li>If the install script was unable to configure Shorewall to be started automatically at boot,
see <a href="Documentation.htm#Starting">these
instructions</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
instructions</a>.</li>
</ul>
<p><a name="Upgrade_RPM"></a>If you already have the Shorewall RPM installed and are upgrading to a new
version:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
@ -74,11 +80,11 @@ have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file. Also, there are certain 1.2 rule forms
that are no longer supported under 1.3 (you must use the new 1.3 syntax). See
<a href="errata.htm">the errata </a>for details. You can check your rules and
<a href="errata.htm#Upgrade">the upgrade issues </a>for details. You can check your rules and
host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
<ul>
<li>Upgrade the RPM (rpm -Uvh &lt;shorewall rpm file&gt;) <b>Note: </b>If you
are installing version 1.2.0 and have one of the 1.2.0 Beta RPMs installed,
you must use the &quot;--oldpackage&quot; option to rpm (e.g., &quot;rpm
-Uvh --oldpackage shorewall-1.2-0.noarch.rpm&quot;).
@ -87,11 +93,11 @@ installing the latest version of 1.3.</p>
conflict with kernel &lt;= 2.2 even though a 2.4 kernel is installed. If this
happens, simply use the --nodeps option to rpm (rpm -Uvh --nodeps &lt;shorewall
rpm&gt;).<br>
&nbsp;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Restart the firewall (shorewall restart).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
&nbsp;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall (shorewall restart).</li>
</ul>
<p><a name="Upgrade_Tarball"></a>If you already have Shorewall installed and are upgrading to a new version
using the tarball:</p>
<p>If you are upgrading from a 1.2 version of Shorewall to a 1.3 version and you
@ -99,67 +105,67 @@ have entries in the /etc/shorewall/hosts file then please check your
/etc/shorewall/interfaces file to be sure that it contains an entry for each
interface mentioned in the hosts file.&nbsp; Also, there are certain 1.2 rule
forms that are no longer supported under 1.3 (you must use the new 1.3 syntax).
See <a href="errata.htm">the errata </a>for details. You can check your rules
See <a href="errata.htm#Upgrade">the upgrade issues</a> for details. You can check your rules
and host file for 1.3 compatibility using the &quot;shorewall check&quot; command after
installing the latest version of 1.3.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">unpack the tarball<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-3.0.1&quot;).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are using <a
<ul>
<li>unpack the tarball (tar -zxf shorewall-x.y.z.tgz).</li>
<li>cd to the shorewall directory (the version is encoded in the
directory name as in &quot;shorewall-3.0.1&quot;).</li>
<li>If you are using <a
href="http://www.caldera.com/openstore/openlinux/">Caldera</a>, <a href="http://www.redhat.com">RedHat</a>,
<a href="http://www.linux-mandrake.com">Mandrake</a>, <a href="http://www.corel.com">Corel</a>,
<a href="http://www.slackware.com/">Slackware</a> or
<a href="http://www.debian.org">Debian</a>
then type &quot;./install.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are using<a href="http://www.suse.com"> SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If your distribution has directory
then type &quot;./install.sh&quot;</li>
<li>If you are using<a href="http://www.suse.com"> SuSe</a> then type
&quot;./install.sh /etc/init.d&quot;</li>
<li>If your distribution has directory
/etc/rc.d/init.d or /etc/init.d then type
&quot;./install.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">For other distributions, determine where your
&quot;./install.sh&quot;</li>
<li>For other distributions, determine where your
distribution installs init scripts and type
&quot;./install.sh &lt;init script directory&gt;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Restart the firewall by typing &quot;shorewall restart&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="Config_Files"></a>Configuring Shorewall<!--mstheme--></font></h3>
&quot;./install.sh &lt;init script directory&gt;</li>
<li>See if there are any incompatibilities between your configuration and the
new Shorewall version (type &quot;shorewall check&quot;) and correct as necessary.</li>
<li>Restart the firewall by typing &quot;shorewall restart&quot;</li>
</ul>
<h3><a name="Config_Files"></a>Configuring Shorewall</h3>
<p>You will need to edit some or all of these configuration files to match your
setup. In most cases, the <a href="shorewall_quickstart_guide.htm">Shorewall
QuickStart Guides</a> contain all of the information you need.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/shorewall.conf - used to set several firewall
parameters.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/policy - establishes firewall high-level policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/interfaces - describes the interfaces on the
firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/modules - directs the firewall to load kernel modules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/nat - defines static NAT rules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/proxyarp - defines use of Proxy ARP.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><font size="2">Updated 7/31/2002 - <a href="support.htm">Tom
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) NAT a.k.a. Masquerading.</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<p><font size="2">Updated 8/7/2002 - <a href="support.htm">Tom
Eastep</a> </font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body></html>
</body></html>


@ -5,13 +5,18 @@
<title>Shorewall NAT</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<blockquote>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Static NAT<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Static NAT</font></h1>
</td>
</tr>
</table>
<p><font color="#FF0000"><b>IMPORTANT: If all you want to do is forward
ports to servers behind your firewall, you do NOT want to use static NAT.
Port forwarding can be accomplished with simple entries in the
@ -22,7 +27,8 @@
addresses.</p>
<p>The following figure represents a static NAT
environment.</p>
<p align="center"><strong><img src="images/staticnat.jpg" width="595" height="455"></strong></p>
<p align="center"><strong>
<img src="images/staticnat.png" width="435" height="397"></strong></p>
<blockquote>
</blockquote>
<p align="left">Static NAT can be used to make the systems with the
@ -31,29 +37,29 @@
/etc/shorewall/NAT file would make the lower left-hand system appear to have
IP address 130.252.100.18 and the right-hand one to have IP address
130.252.100.19.</p>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>EXTERNAL</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERNAL</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ALL INTERFACES</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>LOCAL</b><!--mstheme--></font></td>
<td><b>EXTERNAL</b></td>
<td><b>INTERFACE</b></td>
<td><b>INTERNAL</b></td>
<td><b>ALL INTERFACES</b></td>
<td><b>LOCAL</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.252.100.18<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.1.1.2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">yes<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">yes<!--mstheme--></font></td>
<td>130.252.100.18</td>
<td>eth0</td>
<td>10.1.1.2</td>
<td>yes</td>
<td>yes</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.252.100.19<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.1.1.3<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">yes<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">yes<!--mstheme--></font></td>
<td>130.252.100.19</td>
<td>eth0</td>
<td>10.1.1.3</td>
<td>yes</td>
<td>yes</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
<p>Be sure that the internal system(s) (10.1.1.2 and 10.1.1.3 in the above
example) is (are) not included in any specification in /etc/shorewall/masq
or /etc/shorewall/proxyarp.</p>
@ -83,4 +89,4 @@
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>



@ -6,27 +6,32 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall PPTP</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">PPTP<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">PPTP</font></h1>
</td>
</tr>
</table>
<p align="left">Shorewall easily supports PPTP in a number of configurations:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="#ServerFW">PPTP Server running on your Firewall</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>
<a href="#ServerFW">PPTP Server running on your Firewall</a></li>
<li>
<a href="#ServerBehind">PPTP Server running behind your
Firewall.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
Firewall.</a></li>
<li>
<a href="#ClientsBehind">PPTP Clients running behind your
Firewall.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="#ClientFW">PPTP Client running on your Firewall.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall<!--mstheme--></font></h2>
Firewall.</a></li>
<li>
<a href="#ClientFW">PPTP Client running on your Firewall.</a></li>
</ul>
<h2 align="center"><a name="ServerFW"></a>1. PPTP Server Running on your Firewall</h2>
<p>I will try to give you an idea of how to set up a PPTP server
on your firewall system. This isn't a detailed HOWTO but rather an example of
how I have set up a working PPTP server on my own firewall.</p>
@ -39,56 +44,56 @@ how I have set up a working PPTP server on my own firewall.</p>
<li><a href="#ConfigPptpd">Configuring pptpd</a></li>
<li><a href="#ConfigFw">Configuring Shorewall</a></li>
</ol>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="PatchPppd"></a>Patching and Building pppd<!--mstheme--></font></h3>
<h3><a name="PatchPppd"></a>Patching and Building pppd</h3>
<p>To run pppd on a 2.4 kernel, you need the pppd 2.4.1 or later. The primary
site for releases of pppd is <a href="ftp://ftp.samba.org/pub/ppp">ftp://ftp.samba.org/pub/ppp</a>.</p>
<p>You will need the following patches:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>
<a href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-openssl-0.9.6-mppe-patch.gz</a></li>
<li><a href="http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz">http://www.shorewall.net/pub/shorewall/pptp/ppp-2.4.1-MSCHAPv2-fix.patch.gz</a></li>
</ul>
<p>You may also want the following patch if you want to require remote hosts to
use encryption:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li><a href="ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff">ftp://ftp.shorewall.net/pub/shorewall/pptp/require-mppe.diff</a></li>
</ul>
<p>Un-tar the pppd source and uncompress the patches into one directory (the
patches and the ppp-2.4.1 directory are all in a single parent directory):</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd ppp-2.4.1<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">patch -p1 &lt; ../ppp-2.4.0-openssl-0.9.6-mppe.patch<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">patch -p1 &lt; ../ppp-2.4.1-MSCHAPv2-fix.patch<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">(Optional) patch -p1 &lt; ../require-mppe.diff<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">./configure<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">make<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>cd ppp-2.4.1</li>
<li>patch -p1 &lt; ../ppp-2.4.0-openssl-0.9.6-mppe.patch</li>
<li>patch -p1 &lt; ../ppp-2.4.1-MSCHAPv2-fix.patch</li>
<li>(Optional) patch -p1 &lt; ../require-mppe.diff</li>
<li>./configure</li>
<li>make</li>
</ul>
<p>You will need to install the resulting binary on your firewall system. To do
that, I NFS mount my source filesystem and use &quot;make install&quot; from the
ppp-2.4.1 directory.</p>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="PatchKernel"></a>Patching and Building your Kernel<!--mstheme--></font></h3>
<h3><a name="PatchKernel"></a>Patching and Building your Kernel</h3>
<p>You will need one of the following patches depending on your kernel version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>
<a href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz">http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.4-openssl-0.9.6a-mppe-patch.gz</a></li>
<li>
<a href="http://www.shorewall.net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz">http://www.shorewall/net/pub/shorewall/pptp/linux-2.4.16-openssl-0.9.6b-mppe-patch.gz</a></li>
</ul>
<p>Uncompress the patch into the same directory where your top-level kernel
source is located and:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd &lt;your GNU/Linux source top-level directory&gt;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">patch -p1 &lt; ../linux-2.4.16-openssl-0.9.6b-mppe.patch<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>cd &lt;your GNU/Linux source top-level directory&gt;</li>
<li>patch -p1 &lt; ../linux-2.4.16-openssl-0.9.6b-mppe.patch</li>
</ul>
<p>Now configure your kernel. Here is my ppp configuration:</p>
<blockquote>
<p><img border="0" src="images/ppp.jpg" width="592" height="734"></p>
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="Samba"></a>Configuring Samba<!--mstheme--></font></h3>
<h3><a name="Samba"></a>Configuring Samba</h3>
<p>You will need a WINS server (Samba configured to run as a WINS server is
fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) is:</p>
<blockquote>
<!--mstheme--></font><pre>[global]
<pre>[global]
workgroup = TDM-NSTOP
netbios name = WOOKIE
server string = GNU/Linux Box
@ -113,9 +118,9 @@ fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) i
[printers]
comment = All Printers
path = /var/spool/samba
printable = Yes</pre><!--mstheme--><font face="arial, Arial, Helvetica">
printable = Yes</pre>
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ConfigPppd"></a>Configuring pppd<!--mstheme--></font></h3>
<h3><a name="ConfigPppd"></a>Configuring pppd</h3>
<p>Here is a copy of my /etc/ppp/options.poptop file:</p>
<blockquote>
<p><font face="Courier" size="2">ipparam PoPToP<br>
@ -141,14 +146,14 @@ fine). Global section from /etc/samba/smb.conf on my WINS server (192.168.1.3) i
require-mppe-stateless</font></p>
</blockquote>
<p>Notes:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Since the firewall itself is acting as a WINS server, I have included the
firewall's internal IP as the 'ms-wins' value.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">I have pointed the remote clients at my DNS server -- it has external
address 206.124.146.177.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">I am requiring 128-bit stateless compression (my kernel is built with the
'require-mppe.diff' patch mentioned above.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>Since the firewall itself is acting as a WINS server, I have included the
firewall's internal IP as the 'ms-wins' value.</li>
<li>I have pointed the remote clients at my DNS server -- it has external
address 206.124.146.177.</li>
<li>I am requiring 128-bit stateless compression (my kernel is built with the
'require-mppe.diff' patch mentioned above.</li>
</ul>
<p>Here's my /etc/ppp/chap-secrets:</p>
<blockquote>
<p><font face="Courier" size="2"> Secrets for authentication using CHAP<br>
@ -164,11 +169,11 @@ or without a domain being specified. The system I connect from is my laptop so I
give it the same IP address when tunneled in as it has when it is in its docking
station.</p>
<p>You will also want the following in /etc/modules.conf:</p>
<!--mstheme--></font><pre> alias ppp-compress-18 ppp_mppe
<pre> alias ppp-compress-18 ppp_mppe
alias ppp-compress-21 bsd_comp
alias ppp-compress-24 ppp_deflate
alias ppp-compress-26 ppp_deflate</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ConfigPptpd"></a>Configuring pptpd<!--mstheme--></font></h3>
alias ppp-compress-26 ppp_deflate</pre>
<h3><a name="ConfigPptpd"></a>Configuring pptpd</h3>
<p>PoPTop (pptpd) is available from <a href="http://poptop.lineo.com/">http://poptop.lineo.com/</a>.</p>
<p>Here is a copy of my /etc/pptpd.conf file:</p>
<blockquote>
@ -178,14 +183,14 @@ station.</p>
remoteip 192.168.1.33-38</font></p>
</blockquote>
<p>Notes:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">I specify the /etc/ppp/options.poptop file as my ppp options file (I have
several).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The local IP is the same as my internal interface's (192.168.1.254).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">I have assigned a remote IP range that overlaps my local network. This,
<ul>
<li>I specify the /etc/ppp/options.poptop file as my ppp options file (I have
several).</li>
<li>The local IP is the same as my internal interface's (192.168.1.254).</li>
<li>I have assigned a remote IP range that overlaps my local network. This,
together with 'proxyarp' in my /etc/ppp/options.poptop file make the remote
hosts look like they are part of the local subnetwork.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
hosts look like they are part of the local subnetwork.</li>
</ul>
<p>I use this file to start/stop pptpd -- I have this in /etc/init.d/pptpd:</p>
<blockquote>
<p><font face="Courier" size="2">#!/bin/sh<br>
@ -225,249 +230,249 @@ station.</p>
&nbsp;&nbsp;&nbsp; ;;<br>
esac</font></p>
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ConfigFw"></a>Configuring Shorewall<!--mstheme--></font></h3>
<h3><a name="ConfigFw"></a>Configuring Shorewall</h3>
<p>I consider hosts connected to my PPTP server to be just like local systems.
My key Shorewall entries are:</p>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/zones:<!--mstheme--></font></h4>
<h4>/etc/shorewall/zones:</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DISPLAY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>COMMENTS</b><!--mstheme--></font></td>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Internet<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">The Internet<!--mstheme--></font></td>
<td>net</td>
<td>Internet</td>
<td>The Internet</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Local<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">My Local Network including remote PPTP clients<!--mstheme--></font></td>
<td>loc</td>
<td>Local</td>
<td>My Local Network including remote PPTP clients</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces:<!--mstheme--></font></h4>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">206.124.146.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">noping,norfc1918<!--mstheme--></font></td>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>noping,norfc1918</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.1.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>loc</td>
<td>eth2</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp+<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>-</td>
<td>ppp+</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/hosts:<!--mstheme--></font></h4>
<h4>/etc/shorewall/hosts:</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HOST(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">routestopped<!--mstheme--></font></td>
<td>loc</td>
<td>eth2:192.168.1.0/24</td>
<td>routestopped</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp+:192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>loc</td>
<td>ppp+:192.168.1.0/24</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/policy:<!--mstheme--></font></h4>
<h4>/etc/shorewall/policy:</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>POLICY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>LOG LEVEL</b><!--mstheme--></font></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>POLICY</b></td>
<td><b>LOG LEVEL</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>loc</td>
<td>loc</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules:<!--mstheme--></font></h4>
<h4>/etc/shorewall/rules:</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ACTION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>
PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ORIGINAL<br>
DEST</b><!--mstheme--></font></td>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1723<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>1723</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p align="left">Note: I have multiple ppp interfaces on my firewall. If you
have a single ppp interface, you probably want:</p>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces:<!--mstheme--></font></h4>
<h4>/etc/shorewall/interfaces:</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">206.124.146.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">noping,norfc1918<!--mstheme--></font></td>
<td>net</td>
<td>eth0</td>
<td>206.124.146.255</td>
<td>noping,norfc1918</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.1.255<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>loc</td>
<td>eth2</td>
<td>192.168.1.255</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>loc</td>
<td>ppp0</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p align="left">and <u><b>no</b></u> entries in /etc/shorewall/hosts.</p>
<h2 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ServerBehind"></a>2. PPTP Server Running Behind your Firewall<!--mstheme--></font></h2>
<h2 align="center"><a name="ServerBehind"></a>2. PPTP Server Running Behind your Firewall</h2>
<p>If you have a single external IP address, add the following to your
/etc/shorewall/rules file:</p>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ACTION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>
PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ORIGINAL<br>
DEST</b><!--mstheme--></font></td>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;server address&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1723<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>tcp</td>
<td>1723</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;server address&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
<p>If you have multiple external IP address and you want to forward a single <i>&lt;external
address&gt;, </i>add the following to your /etc/shorewall/rules file:<p>&nbsp;<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
address&gt;, </i>add the following to your /etc/shorewall/rules file:<p>&nbsp;<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ACTION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>
PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ORIGINAL<br>
DEST</b><!--mstheme--></font></td>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;server address&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1723<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;external address&gt;</i><!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>tcp</td>
<td>1723</td>
<td>-</td>
<td><i>&lt;external address&gt;</i></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;server address&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;external address&gt;</i><!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server address&gt;</i></td>
<td>47</td>
<td>-</td>
<td>-</td>
<td><i>&lt;external address&gt;</i></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ClientsBehind"></a>3. PPTP Clients Running Behind your Firewall<!--mstheme--></font></h2>
</table>
<h2 align="center"><a name="ClientsBehind"></a>3. PPTP Clients Running Behind your Firewall</h2>
<p>You shouldn't have to take any special action for this case unless you wish
to connect multiple clients to the same external server. In that case, you will
need to follow the instructions at <a href="http://www.impsec.org/linux/masquerade/ip_masq_vpn.html">http://www.impsec.org/linux/masquerade/ip_masq_vpn.html</a>.
@ -477,7 +482,7 @@ file:
<p>loadmodule ip_conntrack_pptp<br>
loadmodule ip_nat_pptp
</blockquote>
<h2 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.<!--mstheme--></font></h2>
<h2 align="center"><a name="ClientFW"></a>4. PPTP Client Running on your Firewall.</h2>
<p align="left">The PPTP GNU/Linux client is available at <a href="http://sourceforge.net/projects/pptpclient/">http://sourceforge.net/projects/pptpclient/</a>.&nbsp;&nbsp;&nbsp;
Rather than use the configuration script that comes with the client, I built my
own. I also build my own kernel <a href="#PatchKernel">as described above</a>
@ -492,90 +497,90 @@ below).</p>
<li>Define rules for traffic two and from the remote zone.</li>
</ol>
<p>Here are examples from my setup:</p>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/zones<!--mstheme--></font></h4>
<h4>/etc/shorewall/zones</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DISPLAY</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>COMMENTS</b><!--mstheme--></font></td>
<td><b>ZONE</b></td>
<td><b>DISPLAY</b></td>
<td><b>COMMENTS</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">cpq<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Compaq<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Compaq Intranet<!--mstheme--></font></td>
<td>cpq</td>
<td>Compaq</td>
<td>Compaq Intranet</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/interfaces<!--mstheme--></font></h4>
<h4>/etc/shorewall/interfaces</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>BROADCAST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
<td><b>ZONE</b></td>
<td><b>INTERFACE</b></td>
<td><b>BROADCAST</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp+<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>-</td>
<td>ppp+</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/hosts<!--mstheme--></font></h4>
<h4>/etc/shorewall/hosts</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ZONE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HOST(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>OPTIONS</b><!--mstheme--></font></td>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ppp+:!192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>-</td>
<td>ppp+:!192.168.1.0/24</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules<!--mstheme--></font></h4>
<h4>/etc/shorewall/rules</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ACTION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>
PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ORIGINAL<br>
DEST</b><!--mstheme--></font></td>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1723<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>1723</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">-<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>47</td>
<td>-</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>I use the combination of interface and hosts file to define the 'cpq' zone
because I also run a PPTP server on my firewall (see above). Using this
@ -706,7 +711,7 @@ traffic through the PPTP tunnel:
&nbsp;&nbsp;&nbsp; ;;<br>
esac</font></blockquote>
<p>Finally, I run the following script every five minutes under crond to
restart the tunnel if it fails:<!--mstheme--></font><pre> #!/bin/sh
restart the tunnel if it fails:<pre> #!/bin/sh
restart_pptp() {
/sbin/service pptp stop
sleep 10
@ -722,10 +727,10 @@ traffic through the PPTP tunnel:
echo &quot;Attempting to restart PPTP&quot;
restart_pptp &gt; /dev/null 2&gt;&amp;1 &amp;
</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</pre>
<p><a href="ftp://ftp.shorewall.net/pub/shorewall/misc/Vonau">Here's a script
and corresponding ip-up.local </a>from <a href="mailto:jvonau@home.com">Jerry
Vonau </a>that controls two PPTP connections.</p>
<p><font size="2">Last modified 7/11/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>


@ -5,46 +5,59 @@
<title>Shorewall Proxy ARP</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<blockquote>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Proxy ARP<!--mstheme--></font></h1>
<p>&nbsp;</p>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Proxy ARP</font></h1>
</td>
</tr>
</table>
<p>Proxy ARP allows you to insert a firewall in front of a set of servers
without changing their IP addresses and without having to re-subnet.</p>
<p>The following figure represents a Proxy ARP
environment.</p>
<p align="center"><strong><img src="images/proxyarp.jpg" width="595" height="455"></strong></p>
<blockquote>
<p align="center"><strong>
<img src="images/proxyarp.png" width="519" height="397"></strong></p>
<blockquote>
</blockquote>
</blockquote>
<p align="left">Proxy ARP can be used to make the systems with addresses
130.252.100.18 and 130.252.100.19 appear to be on the upper (130.252.100.*)
subnet.&nbsp; Assuming that the upper firewall interface is eth0 and the
lower interface is eth1, this is accomplished using the following entries in
/etc/shorewall/proxyarp:</p>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<blockquote>
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ADDRESS</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>INTERFACE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>EXTERNAL</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HAVEROUTE</b><!--mstheme--></font></td>
<td><b>ADDRESS</b></td>
<td><b>INTERFACE</b></td>
<td><b>EXTERNAL</b></td>
<td><b>HAVEROUTE</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.252.100.18<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">no<!--mstheme--></font></td>
<td>130.252.100.18</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">130.252.100.19<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">no<!--mstheme--></font></td>
<td>130.252.100.19</td>
<td>eth1</td>
<td>eth0</td>
<td>no</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>Be sure that the internal systems (130.242.100.18 and 130.252.100.19&nbsp;
in the above example) are not included in any specification in
/etc/shorewall/masq or /etc/shorewall/nat.</p>
@ -53,13 +66,41 @@
<p>The lower systems (130.252.100.18 and 130.252.100.19) should have their
subnet mask and default gateway configured exactly the same way that the
Firewall system's eth0 is configured.</p>
</blockquote>
<div align="left">
<p align="left">A word of warning is in order here. ISPs typically configure
their routers with a long ARP cache timeout. If you move a system from
parallel to your firewall to behind your firewall with Proxy ARP, it will
probably be HOURS before that system can communicate with the internet. You
can call your ISP and ask them to purge the stale ARP cache entry but many
either can't or won't purge individual entries. You can determine if your
ISP's gateway ARP cache is stale using ping and tcpdump. Suppose that we
suspect that the gateway router has a stale ARP cache entry for 130.252.100.19.
On the firewall, run tcpdump as follows:</div>
<div align="left">
<pre> tcpdump -nei eth0 icmp</pre>
</div>
<div align="left">
<p align="left">Now from 130.252.100.19, ping the ISP's gateway (which we will
assume is 130.252.100.254):</div>
<div align="left">
<pre> ping 130.252.100.254</pre>
</div>
<div align="left">
<p align="left">We can now observe the tcpdump output:</div>
<div align="left">
<pre> 13:35:12.159321 <u>0:4:e2:20:20:33</u> 0:0:77:95:dd:19 ip 98: 130.252.100.19 &gt; 130.252.100.254: icmp: echo request (DF)
13:35:12.207615 0:0:77:95:dd:19 <u>0:c0:a8:50:b2:57</u> ip 98: 130.252.100.254 &gt; 130.252.100.177 : icmp: echo reply</pre>
</div>
<div align="left">
<p align="left">Notice that the source MAC address in the echo request is
different from the destination MAC address in the echo reply!! In this case
0:4:e2:20:20:33 was the MAC of the firewall's eth0 NIC while 0:c0:a8:50:b2:57
was the MAC address of the system on the lower left. In other words, the gateway's ARP cache still
associates 130.252.100.19 with the NIC in that system rather than with the firewall's
eth0.</div>
<blockquote>
</blockquote>
<p><font size="2">Last updated 5/16/2002 - </font><font size="2">
<p><font size="2">Last updated 8/17/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>


@ -7,60 +7,97 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Index</title>
<base target="main">
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica"><h3 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">&nbsp;Shorewall<!--mstheme--></font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="seattlefirewall_index.htm">Home</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_features.htm">Features</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_prerequisites.htm">Requirements</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="download.htm">Download</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_quickstart_guide.htm">QuickStart Guides</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Install.htm">Installation/Upgrade<br>
/Configuration</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm">Reference Manual</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="FAQ.htm">FAQs</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="troubleshoot.htm">Troubleshooting</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="errata.htm">Errata</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="support.htm">Support</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="mailing_list.htm">Mailing Lists</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_mirrors.htm">Mirrors</a><!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://germany.shorewall.net">Germany</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="News.htm">News Archive</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="quotes.htm">Quotes from Users</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shoreline.htm">About the Author</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#4B017C" height="90">
<tr>
<td width="100%" height="90">
<h3 align="center"><font color="#FFFFFF">Shorewall</font></h3>
</td>
</tr>
<tr>
<td width="100%" bgcolor="#FFFFFF">
<ul>
<li>
<a href="seattlefirewall_index.htm">Home</a></li>
<li>
<a target="_top" href="/1.2/index.htm">Shorewall 1.2 Home</a></li>
<li>
<a href="shorewall_features.htm">Features</a></li>
<li>
<a href="shorewall_prerequisites.htm">Requirements</a></li>
<li>
<a href="download.htm">Download</a></li>
<li>
<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a></li>
<li>
<a href="Install.htm">Installation/Upgrade/</a><br>
<a href="Install.htm">Configuration</a></li>
<li>
<a href="shorewall_quickstart_guide.htm#Documentation">Documentation</a></li>
<li>
<a href="Documentation.htm">Reference Manual</a></li>
<li>
<a href="FAQ.htm">FAQs</a></li>
<li>
<a href="troubleshoot.htm">Troubleshooting</a></li>
<li>
<a href="errata.htm">Errata/Upgrade Issues</a></li>
<li>
<a href="support.htm">Support</a></li>
<li>
<a href="mailing_list.htm">Mailing Lists</a></li>
<li>
<a href="shorewall_mirrors.htm">Mirrors</a><ul>
<li><a target="_top" href="http://slovakia.shorewall.net">Slovak Republic</a></li>
<li><a target="_top" href="http://shorewall.infohiiway.com">Texas, USA</a></li>
<li><a target="_top" href="http://germany.shorewall.net">Germany</a></li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">Argentina</a></li>
</ul>
</li>
</ul>
<ul>
<li>
<a href="News.htm">News Archive</a></li>
<li>
<a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">CVS Repository</a></li>
<li>
<a href="quotes.htm">Quotes from Users</a></li>
<li>
<a href="shoreline.htm">About the Author</a></li>
<li>
<a href="seattlefirewall_index.htm#Donations">Donations</a></li>
</ul>
</td>
</tr>
</table>
<form method="post" action="http://www.shorewall.net/cgi-bin/htsearch" >
<p>
<strong>Quick Search</strong><br>
<font size="-1">
<input type=text name=words size=15>
<font face="Arial" size="-1">
<input type=text name=words size=15></font><font size="-1"> </font>
<font face="Arial" size="-1">
<input type=hidden name=format value=long>
<input type=hidden name=method value=and>
<input type=hidden name=config value=htdig>
<input type="submit" value="Search"></font>
</p>
<font face="Arial">
<input type="hidden" name="exclude" value="[http://www.shorewall.net/pipermail/*]">
</font>
</form>
<p><strong><a href="htdig/search.html">Extended Search Forms</a></strong></p>
<p><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></p>
<p><a href="http://www.shorewall.net" target="_top">
<img border="1" src="images/shorewall.jpg" width="119" height="38"></a></p>
<img border="1" src="images/shorewall.jpg" width="119" height="38" hspace="0"></a></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,50 +6,55 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Blacklisting Support</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Blacklisting Support<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Blacklisting Support</font></h1>
</td>
</tr>
</table>
<p>Shorewall supports two different forms of blacklisting; static and dynamic.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Static Blacklisting<!--mstheme--></font></h2>
<h2>Static Blacklisting</h2>
<p>Shorewall
static blacklisting support has the following configuration parameters:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You specify whether you want packets from blacklisted hosts dropped or
<ul>
<li>You specify whether you want packets from blacklisted hosts dropped or
rejected using the <a href="Documentation.htm#BLDisposition">BLACKLIST_DISPOSITION</a>
setting in /etc/shorewall/shorewall.conf<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You specify whether you want packets from blacklisted hosts logged and at
setting in /etc/shorewall/shorewall.conf</li>
<li>You specify whether you want packets from blacklisted hosts logged and at
what syslog level using the <a href="Documentation.htm#BLLoglevel">BLACKLIST_LOGLEVEL</a>
setting in /etc/shorewall/shorewall.conf<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You specify the interfaces whose incoming packets you want checked against
setting in /etc/shorewall/shorewall.conf</li>
<li>You list the IP addresses/subnets that you wish to blacklist in <a href="Documentation.htm#Blacklist">/etc/shorewall/blacklist</a></li>
<li>You specify the interfaces whose incoming packets you want checked against
the blacklist using the &quot;<a href="Documentation.htm#BLInterface">blacklist</a>&quot;
option in /etc/shorewall/interfaces.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The black list is refreshed from /etc/shorewall/blacklist by the &quot;<a href="Documentation.htm#Starting">shorewall
refresh</a>&quot; command.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Dynamic Blacklisting<!--mstheme--></font></h2>
option in /etc/shorewall/interfaces.</li>
<li>The black list is refreshed from /etc/shorewall/blacklist by the &quot;<a href="Documentation.htm#Starting">shorewall
refresh</a>&quot; command.</li>
</ul>
<h2>Dynamic Blacklisting</h2>
<p>Dynamic blacklisting support was added in version 1.3.2. Dynamic blacklisting
doesn't use any configuration parameters but is rather controlled using
/sbin/shorewall commands:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">deny <i>&lt;ip address list&gt; </i>- causes packets from the listed IP
addresses to be silently dropped by the firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">reject <i>&lt;ip address list&gt; </i>- causes packets from the listed IP
addresses to be rejected by the firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets from hosts
previously blacklisted by a <i>deny</i> or <i>reject</i> command.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">save - save the dynamic blacklisting configuration so that it will be
automatically restored the next time that the firewall is restarted.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">show dynamic - displays the dynamic blacklisting configuration.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>deny <i>&lt;ip address list&gt; </i>- causes packets from the listed IP
addresses to be silently dropped by the firewall.</li>
<li>reject <i>&lt;ip address list&gt; </i>- causes packets from the listed IP
addresses to be rejected by the firewall.</li>
<li>allow <i>&lt;ip address list&gt; </i>- re-enables receipt of packets from hosts
previously blacklisted by a <i>deny</i> or <i>reject</i> command.</li>
<li>save - save the dynamic blacklisting configuration so that it will be
automatically restored the next time that the firewall is restarted.</li>
<li>show dynamic - displays the dynamic blacklisting configuration.</li>
</ul>
<p>Example 1:</p>
<!--mstheme--></font><pre> shorewall deny 192.0.2.124 192.0.2.125</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> shorewall deny 192.0.2.124 192.0.2.125</pre>
<p>&nbsp;&nbsp;&nbsp; Drops packets from hosts 192.0.2.124 and 192.0.2.125</p>
<p>Example 2:</p>
<!--mstheme--></font><pre> shorewall allow 192.0.2.125</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> shorewall allow 192.0.2.125</pre>
<p>&nbsp;&nbsp;&nbsp; Reenables access from 192.0.2.125.</p>
<p><font size="2">Last updated 6/16/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
@ -57,6 +62,6 @@ Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,55 +6,60 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Configuration File Basics</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Configuration Files<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Configuration Files</font></h1>
</td>
</tr>
</table>
<p><b><font color="#FF0000">Warning: </font>If you copy or edit your
configuration files on a system running Microsoft Windows, you <u>must</u>
run them through <a href="http://www.megaloman.com/~hany/software/hd2u/">
dos2unix</a> before you use them with Shorewall.</b></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Files<!--mstheme--></font></h2>
<h2>Files</h2>
<p>Shorewall's configuration files are in the directory /etc/shorewall.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/shorewall.conf - used to set several firewall
parameters.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/policy - establishes firewall high-level policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/interfaces - describes the interfaces on the
firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/masq - directs the firewall where to use many-to-one
<ul>
<li>/etc/shorewall/shorewall.conf - used to set several firewall
parameters.</li>
<li>/etc/shorewall/params - use this file to set shell variables that you will
expand in other files.</li>
<li>/etc/shorewall/zones - partition the firewall's view of the world
into <i>zones.</i></li>
<li>/etc/shorewall/policy - establishes firewall high-level policy.</li>
<li>/etc/shorewall/interfaces - describes the interfaces on the
firewall system.</li>
<li>/etc/shorewall/hosts - allows defining zones in terms of individual
hosts and subnetworks.</li>
<li>/etc/shorewall/masq - directs the firewall where to use many-to-one
(dynamic) Network Address Translation (a.k.a. Masquerading) and Source
Network Address Translation (SNAT).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/modules - directs the firewall to load kernel modules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/nat - defines static NAT rules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/proxyarp - defines use of Proxy ARP.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping or policy routing.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
the firewall system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Comments<!--mstheme--></font></h2>
Network Address Translation (SNAT).</li>
<li>/etc/shorewall/modules - directs the firewall to load kernel modules.</li>
<li>/etc/shorewall/rules - defines rules that are exceptions to the
overall policies established in /etc/shorewall/policy.</li>
<li>/etc/shorewall/nat - defines static NAT rules.</li>
<li>/etc/shorewall/proxyarp - defines use of Proxy ARP.</li>
<li>/etc/shorewall/routestopped (Shorewall 1.3.4 and later) - defines hosts
accessible when Shorewall is stopped.</li>
<li>/etc/shorewall/tcrules - defines marking of packets for later use by
traffic control/shaping or policy routing.</li>
<li>/etc/shorewall/tos - defines rules for setting the TOS field in packet
headers.</li>
<li>/etc/shorewall/tunnels - defines IPSEC, GRE and IPIP tunnels with end-points on
the firewall system.</li>
<li>/etc/shorewall/blacklist - lists blacklisted IP/subnet/MAC addresses.</li>
</ul>
<h2>Comments</h2>
<p>You may place comments in configuration files by making the first non-whitespace
@ -65,8 +70,8 @@
<p>Examples:</p>
<!--mstheme--></font><pre># This is a comment</pre><!--mstheme--><font face="arial, Arial, Helvetica"><!--mstheme--></font><pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Line Continuation<!--mstheme--></font></h2>
<pre># This is a comment</pre><pre>ACCEPT net fw tcp www #This is an end-of-line comment</pre>
<h2>Line Continuation</h2>
<p>You may continue lines in the configuration files using the usual backslash (&quot;\&quot;) followed
@ -76,41 +81,41 @@
<p>Example:</p>
<!--mstheme--></font><pre>ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Complementing an Address or Subnet<!--mstheme--></font></h2>
<pre>ACCEPT net fw tcp \
smtp,www,pop3,imap #Services running on the firewall</pre>
<h2>Complementing an Address or Subnet</h2>
<p>Where specifying an IP address, a subnet or an interface, you can
precede the item with &quot;!&quot; to specify the complement of the item. For
example, !192.168.1.4 means &quot;any host but 192.168.1.4&quot;.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Comma-separated Lists<!--mstheme--></font></h2>
<h2>Comma-separated Lists</h2>
<p>Comma-separated lists are allowed in a number of contexts within the
configuration files. A comma separated list:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Must not have any embedded white space.<br>
<ul>
<li>Must not have any embedded white space.<br>
Valid: routestopped,dhcp,norfc1918<br>
Invalid: routestopped,&nbsp;&nbsp;&nbsp;&nbsp; dhcp,&nbsp;&nbsp;&nbsp;&nbsp;
norfc1818<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you use line continuation to break a comma-separated list, the
norfc1818</li>
<li>If you use line continuation to break a comma-separated list, the
continuation line(s) must begin in column 1 (or there would be embedded
white space)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Entries in a comma-separated list may appear in any order.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
white space)</li>
<li>Entries in a comma-separated list may appear in any order.</li>
</ul>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Numbers/Service Names<!--mstheme--></font></h2>
<h2>Port Numbers/Service Names</h2>
<p>Unless otherwise specified, when giving a port number you can use
either an integer or a service name from /etc/services. </p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Ranges<!--mstheme--></font></h2>
<h2>Port Ranges</h2>
<p>If you need to specify a range of ports, the proper syntax is &lt;<i>low
port number</i>&gt;:&lt;<i>high port number</i>&gt;.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Using Shell Variables<!--mstheme--></font></h2>
<h2>Using Shell Variables</h2>
<p>You may use the file /etc/shorewall/params
file to set shell variables that you can then use in some of the other
@ -123,9 +128,9 @@ Shorewall programs</p>
<p>Example:</p>
<blockquote>
<p>NET_IF=eth0<br>
NET_BCAST=130.252.100.255<br>
NET_OPTIONS=noping,norfc1918</p>
<pre>NET_IF=eth0
NET_BCAST=130.252.100.255
NET_OPTIONS=noping,norfc1918</pre>
</blockquote>
<p><br>
@ -134,7 +139,7 @@ Shorewall programs</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<p><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></p>
<pre><font face="Courier">net $NET_IF $NET_BCAST $NET_OPTIONS</font></pre>
</blockquote>
</font>
@ -144,7 +149,7 @@ Shorewall programs</p>
<font face="Century Gothic, Arial, Helvetica">
<blockquote>
<p>net eth0 130.252.100.255 noping,norfc1918</p>
<pre>net eth0 130.252.100.255 noping,norfc1918</pre>
</blockquote>
</font>
@ -152,7 +157,7 @@ Shorewall programs</p>
<p>Variables may be used anywhere in the
other configuration files.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Using MAC Addresses<!--mstheme--></font></h2>
<h2>Using MAC Addresses</h2>
<p>Media Access Control (MAC)
addresses can be used to specify packet source in several of the
@ -184,7 +189,7 @@ Shorewall programs</p>
hyphens. In Shorewall, the MAC address in the example above would be
written &quot;~02-00-08-E3-FA-55&quot;.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Configurations<!--mstheme--></font></h2>
<h2>Shorewall Configurations</h2>
<p>
Shorewall allows you to have configuration
directories other than /etc/shorewall. The <a href="#Starting">shorewall start
@ -223,6 +228,6 @@ Eastep</a>
<!--mstheme--></font></body>
</body>
</html>


@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Copyright</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Copyright<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Copyright</font></h1>
</td>
</tr>
</table>
<p align="left">Copyright <font face="Trebuchet MS">©</font>&nbsp; 2000, 2001
Thomas M Eastep<br>
&nbsp;</p>
@ -24,6 +29,6 @@ Thomas M Eastep<br>
&nbsp;</p>
</blockquote>
<!--mstheme--></font></body>
</body>
</html>


@ -6,50 +6,55 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>DHCP</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">DHCP<!--mstheme--></font></h1>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">DHCP Server on your firewall<!--mstheme--></font></h2>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">DHCP</font></h1>
</td>
</tr>
</table>
<h2 align="left">DHCP Server on your firewall</h2>
<ul>
<li>
<p align="left">Specify the &quot;dhcp&quot; option on each interface to be
served by your server in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
file.</li>
<li>
<p align="left">When starting &quot;dhcpd&quot;, you need to list those
interfaces on the run line. On a RedHat system, this is done by modifying
/etc/sysconfig/dhcpd.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">A Firewall Interface gets its IP Address via DHCP<!--mstheme--></font></h2>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
/etc/sysconfig/dhcpd.</li>
</ul>
<h2 align="left">A Firewall Interface gets its IP Address via DHCP</h2>
<ul>
<li>
<p align="left">Specify the &quot;dhcp&quot; option for this interface in
the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
file.</li>
<li>
<p align="left">If you know that the dynamic address is always going to be
in the same subnet, you can specify the subnet address in the interface's
entry in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
file.</li>
<li>
<p align="left">If you don't know the subnet address in advance, you should
specify &quot;detect&quot; for the interface's subnet address in the <a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>
file and start Shorewall after the interface has started.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
file and start Shorewall after the interface has started.</li>
<li>
<p align="left">In the event that the subnet address might change while
Shorewall is started, you need to arrange for a &quot;shorewall
refresh&quot; command to be executed when a new dynamic IP address gets
assigned to the interface. Check your DHCP client's documentation.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
assigned to the interface. Check your DHCP client's documentation.</li>
</ul>
<p align="left"><font size="2">Last updated 1/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Download</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Download<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Download</font></h1>
</td>
</tr>
</table>
<p><b>I strongly urge you to read and print a copy of the
<a href="shorewall_quickstart_guide.htm">Shorewall QuickStart Guide</a>
@ -19,8 +24,8 @@
<p>Once you've done that, download <u> one</u> of the modules:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux PPC</b> or
<ul>
<li>If you run a <b>RedHat</b>, <b>SuSE, Mandrake</b>, <b> Linux PPC</b> or
<b> TurboLinux</b> distribution
with a 2.4 kernel, you can use the RPM version (note: the
RPM should also work with other distributions that store
@ -29,29 +34,29 @@ If you find that it works in other cases, let <a href="mailto:teastep@shorewall.
me</a>
know so that I can mention them here. See the
<a href="Install.htm">Installation Instructions</a> if you have problems
installing the RPM.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you are running LRP, download the .lrp file (you might also want to
download the .tgz so you will have a copy of the documentation).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you run <a href="http://www.debian.org"><b>Debian</b></a> and would
installing the RPM.</li>
<li>If you are running LRP, download the .lrp file (you might also want to
download the .tgz so you will have a copy of the documentation).</li>
<li>If you run <a href="http://www.debian.org"><b>Debian</b></a> and would
like a .deb package, Shorewall is in both the
<a href="http://packages.debian.org/testing/net/shorewall.html">Debian
Testing Branch</a> and the
<a href="http://packages.debian.org/unstable/net/shorewall.html">Debian
Unstable Branch</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Otherwise, download the <i>shorewall</i> module (.tgz)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
Unstable Branch</a>.</li>
<li>Otherwise, download the <i>shorewall</i> module (.tgz)</li>
</ul>
<p>The documentation in HTML format is included in the .tgz and .rpm files and
there is an documentation .deb that also contains the documentation.</p>
<p>Please verify the version that you have
downloaded -- during the release of a new version of Shorewall, the links
below may point to a newer or an older version than is shown below.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">RPM - &quot;rpm -qip LATEST.rpm&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">TARBALL - &quot;tar -ztf LATEST.tgz&quot; (the directory
name will contain the version)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">LRP - &quot;mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version&quot; <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>RPM - &quot;rpm -qip LATEST.rpm&quot;</li>
<li>TARBALL - &quot;tar -ztf LATEST.tgz&quot; (the directory
name will contain the version)</li>
<li>LRP - &quot;mkdir Shorewall.lrp; cd Shorewall.lrp; tar
-zxf &lt;downloaded .lrp&gt;; cat var/lib/lrpkg/shorwall.version&quot; </li>
</ul>
<p><font face="Arial">Once you have verified the
version, check the </font><font color="#ff0000" face="Arial"> <a href="errata.htm"> errata</a></font><font face="Arial">
to see if there are updates that apply to the version that you have
@ -61,145 +66,145 @@ AND ISSUE A &quot;shorewall start&quot; COMMAND. SOME CONFIGURATION IS REQUIRED
FIREWALL WILL START. IF YOU ISSUE A &quot;start&quot; COMMAND AND THE FIREWALL FAILS TO
START, YOUR SYSTEM WILL NO LONGER ACCEPT ANY NETWORK TRAFFIC. IF THIS HAPPENS,
ISSUE A &quot;shorewall clear&quot; COMMAND TO RESTORE NETWORK CONNECTIVITY.</b></font></p>
<p>Download Latest Version (<b>1.3.6</b>): <b>Remember that updates to the mirrors
<p>Download Latest Version (<b>1.3.7</b>): <b>Remember that updates to the mirrors
occur 1-12 hours after an update to the primary site.</b></p>
<blockquote>
<!--mstheme--></font><table border="2" cellspacing="3" cellpadding="3" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellspacing="3" cellpadding="3" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SERVER LOCATION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DOMAIN</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HTTP</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>FTP</b><!--mstheme--></font></td>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Washington State, USA<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://www.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
.lrp</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.rpm" target="_blank">
Download .rpm</a>&nbsp;<br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.tgz" target="_blank">Download
.tgz</a>&nbsp;<br>
<a href="ftp://ftp.shorewall.net/pub/shorewall/LATEST.lrp" target="_blank">Download
.lrp</a><!--mstheme--></font></td>
.lrp</a></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Slovak Republic<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://slovakia.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
.lrp</a></td>
<td>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/LATEST.lrp">Download
.rpm</a><!--mstheme--></font></td>
.rpm</a></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Texas, USA<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Infohiiway.com<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a><br>
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a href="http://shorewall.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
.lrp</a></td>
<td>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/LATEST.lrp">Download
.rpm</a><!--mstheme--></font></td>
.rpm</a></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Hamburg, Germany<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm">
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/LATEST.rpm">
Download .rpm</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a><br>
<a href="http://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
.lrp</a></td>
<td>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.rpm">
Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall/LATEST.lrp">Download
.lrp</a><!--mstheme--></font></td>
.lrp</a></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Martinez (Zona Norte - GBA), Argentina<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Correofuego.com.ar<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
Download .lrp</a></td>
<td>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.rpm">Download .rpm</a>&nbsp;&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.tgz">Download
.tgz</a>&nbsp;<br>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall/LATEST.lrp">
Download .lrp</a><!--mstheme--></font></td>
Download .lrp</a></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>Browse Download Sites:</p>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SERVER LOCATION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DOMAIN</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>HTTP</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>FTP</b><!--mstheme--></font></td>
<td><b>SERVER LOCATION</b></td>
<td><b>DOMAIN</b></td>
<td><b>HTTP</b></td>
<td><b>FTP</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Washington State, USA<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.shorewall.net/pub/shorewall/">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a><!--mstheme--></font></td>
<td>Washington State, USA</td>
<td>Shorewall.net</td>
<td><a href="http://www.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">Browse</a></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Slovak Republic<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a><!--mstheme--></font></td>
<td>Slovak Republic</td>
<td>Shorewall.net</td>
<td><a href="http://slovakia.shorewall.net/pub/shorewall/">Browse</a></td>
<td>
<a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">Browse</a></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Texas, USA<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Infohiiway.com<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a><!--mstheme--></font></td>
<td>Texas, USA</td>
<td>Infohiiway.com</td>
<td><a href="http://shorewall.infohiiway.com/pub/shorewall">Browse</a></td>
<td><a target="_blank" href="ftp://ftp.infohiiway.com/pub/shorewall/">Browse</a></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Hamburg, Germany<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">Browse</a><!--mstheme--></font></td>
<td>Hamburg, Germany</td>
<td>Shorewall.net</td>
<td><a href="http://germany.shorewall.net/pub/shorewall/">Browse</a></td>
<td><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">Browse</a></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Martinez (Zona Norte - GBA), Argentina<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Correofuego.com.ar<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">
<td>Martinez (Zona Norte - GBA), Argentina</td>
<td>Correofuego.com.ar</td>
<td><a href="http://shorewall.correofuego.com.ar/pub/mirrors/shorewall">Browse</a></td>
<td>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">
Browse</a><!--mstheme--></font></td>
Browse</a></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">California, USA (Incomplete)<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">Sourceforge.net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://sourceforge.net/projects/shorewall">Browse</a><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">N/A<!--mstheme--></font></td>
<td>California, USA (Incomplete)</td>
<td>Sourceforge.net</td>
<td><a href="http://sourceforge.net/projects/shorewall">Browse</a></td>
<td>N/A</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p align="left">CVS:</p>
@ -211,12 +216,12 @@ Shorewall component. There's no guarantee that what you find there will work at
all.</p>
</blockquote>
<p align="left"><font size="2">Last Updated 8/05/2002 - <a href="support.htm">Tom
<p align="left"><font size="2">Last Updated 8/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -10,15 +10,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Errata<!--mstheme--></font></h1>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Errata/Upgrade Issues</font></h1>
</td>
</tr>
</table>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<b><u>IMPORTANT</u></b></p>
<ol>
<li>
@ -58,36 +62,111 @@ dos2unix</a></u>
</li>
</ol>
<p align="left">
<b>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </b></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li><b><a href="#Upgrade">Upgrade Issues</a></b></li>
<li>
<b><font color="#660066">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="errata_1.htm">Problems in Version 1.1</a></font></b></li>
<li>
<b><a href="errata_2.htm">Problems in Version 1.2</a></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<b><a href="errata_2.htm">Problems in Version 1.2</a></b></li>
<li>
<b><a href="#V1.3">Problems in Version 1.3</a></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<b><a href="#V1.3">Problems in Version 1.3</a></b></li>
<li>
<b><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3</a></font></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
Problem with iptables version 1.2.3 on RH7.2</a></font></b></li>
<li>
<b><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE SMP</a></b><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--msthemeseparator--><p align="center"><img src="_themes/radial/aradrule.gif" width="614" height="7"></p>
<b><a href="#Debug">Problems with kernels &gt;= 2.4.18 and
RedHat iptables</a></b></li>
<li><b><a href="#SuSE">Problems installing/upgrading RPM on SuSE</a></b></li>
<li><b><a href="#Multiport">Problems with iptables version 1.2.7 and
MULTIPORT=Yes</a></b></li>
</ul>
<hr>
<h2 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="V1.3"></a>Problems in Version 1.3<!--mstheme--></font></h2>
<h2 align="Left"><a name="Upgrade"></a>Upgrade Issues</h2>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Versions &gt;= 1.3.5<!--mstheme--></font></h3>
<h3>Version &gt;= 1.3.7</h3>
<p>Users specifying ALLOWRELATED=No in
/etc/shorewall.conf will need to include the
following rules in their /etc/shorewall/icmpdef
file (creating this file if necessary):</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT</pre>
<p>Users having an /etc/shorewall/icmpdef file may remove the &quot;.
/etc/shorewall/icmp.def&quot; command from that file since the icmp.def file is now
empty.</p>
<h3><b><a name="Bering">Upgrading </a>Bering to
Shorewall &gt;= 1.3.3</b></h3>
<p>To properly upgrade with Shorewall version
1.3.3 and later:</p>
<ol>
<li>Be sure you have a backup -- you will need
to transcribe any Shorewall configuration
changes that you have made to the new
configuration.</li>
<li>Replace the shorwall.lrp package provided on
the Bering floppy with the later one. If you did
not obtain the later version from Jacques's
site, see additional instructions below.</li>
<li>Edit the /var/lib/lrpkg/root.exclude.list
file and remove the /var/lib/shorewall entry if
present. Then do not forget to backup root.lrp !</li>
</ol>
<p>The .lrp that I release isn't set up for a two-interface firewall like
Jacques's. You need to follow the <a href="two-interface.htm">instructions for
setting up a two-interface firewall</a> plus you also need to add the following
two Bering-specific rules to /etc/shorewall/rules:</p>
<blockquote>
<pre># Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
# allow loc to fw tcp/80 for weblet to work
#
ACCEPT loc fw udp 53
ACCEPT loc fw tcp 80</pre>
</blockquote>
<h3 align="Left">Version &gt;= 1.3.6</h3>
<p align="Left">If you have a pair of firewall systems configured for
failover, you will need to modify your firewall setup slightly under
Shorewall versions &gt;= 1.3.6. </p>
<ol>
<li>
<p align="Left">Create the file /etc/shorewall/newnotsyn and in it add
the following rule<br>
<br>
<font face="Courier">run_iptables -A newnotsyn -j RETURN # So that the
connection tracking table can be rebuilt<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
# from non-SYN packets after takeover.<br>
&nbsp;</font></li>
<li>
<p align="Left">Create /etc/shorewall/common (if you don't already
have that file) and include the following:<br>
<br>
<font face="Courier">run_iptables -A common -p tcp --tcp-flags
ACK,FIN,RST ACK -j ACCEPT #Accept Acks to rebuild connection<br>
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
#tracking table. <br>
. /etc/shorewall/common.def</font></li>
</ol>
<h3 align="Left">Versions &gt;= 1.3.5</h3>
<p align="Left">Some forms of pre-1.3.0 rules file syntax are no
longer supported. </p>
@ -95,26 +174,60 @@ dos2unix</a></u>
<p align="Left">Example 1:</p>
<div align="left">
<!--mstheme--></font><pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> ACCEPT net loc:192.168.1.12:22 tcp 11111 - all</pre>
</div>
<p align="Left">Must be replaced with:</p>
<div align="left">
<!--mstheme--></font><pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> DNAT net loc:192.168.1.12:22 tcp 11111</pre>
</div>
<div align="left">
<p align="left">Example 2:</div>
<div align="left">
<!--mstheme--></font><pre> ACCEPT loc fw::3128 tcp 80 - all</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> ACCEPT loc fw::3128 tcp 80 - all</pre>
</div>
<div align="left">
<p align="left">Must be replaced with:</div>
<div align="left">
<!--mstheme--></font><pre> REDIRECT loc 3128 tcp 80</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> REDIRECT loc 3128 tcp 80</pre>
</div>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.5-1.3.5b<!--mstheme--></font></h3>
<h2 align="Left"><a name="V1.3"></a>Problems in Version 1.3</h2>
<h3 align="Left">Version 1.3.6</h3>
<ul>
<li>
<p align="Left">If ADD_SNAT_ALIASES=Yes is specified in
/etc/shorewall/shorewall.conf, an error occurs when the firewall
script attempts to add an SNAT alias.</li>
<li>
<p align="Left">The <b>logunclean </b>and <b>dropunclean</b> options
cause errors during startup when Shorewall is run with iptables 1.2.7.</li>
</ul>
<p align="Left">These problems are fixed in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this correct firewall script</a> which must be installed in
/var/lib/shorewall/ as described above. These problems are also
corrected in version 1.3.7.</p>
<h3 align="Left">Two-interface Samples 1.3.6 (file two-interfaces.tgz)</h3>
<p align="Left">A line was inadvertently deleted from the &quot;interfaces
file&quot; -- this line should be added back in if the version that you
downloaded is missing it:</p>
<p align="Left">net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; detect&nbsp;&nbsp;&nbsp;
routefilter,dhcp,norfc1918</p>
<p align="Left">If you downloaded two-interfaces-a.tgz then the above
line should already be in the file.</p>
<h3 align="Left">Version 1.3.5-1.3.5b</h3>
<p align="Left">The new 'proxyarp' interface option doesn't work :-(
This is fixed in
@ -122,13 +235,13 @@ dos2unix</a></u>
this corrected firewall script</a> which must be installed in
/var/lib/shorewall/ as described above.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Versions 1.3.4-1.3.5a<!--mstheme--></font></h3>
<h3 align="Left">Versions 1.3.4-1.3.5a</h3>
<p align="Left">Prior to version 1.3.4, host file entries such as the
following were allowed:</p>
<div align="left">
<!--mstheme--></font><pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> adm eth0:1.2.4.5,eth0:5.6.7.8</pre>
</div>
<div align="left">
<p align="left">That capability was lost in version 1.3.4 so that it is only
@ -141,14 +254,14 @@ dos2unix</a></u>
<div align="left">
<p align="left">This problem is corrected in version 1.3.5b.</div>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.5<!--mstheme--></font></h3>
<h3 align="Left">Version 1.3.5</h3>
<p align="Left">REDIRECT rules are broken in this version. Install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.5/firewall">
this corrected firewall script</a> in /var/lib/pub/shorewall/firewall
as instructed above. This problem is corrected in version 1.3.5a.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.n, n &lt; 4<!--mstheme--></font></h3>
<h3 align="Left">Version 1.3.n, n &lt; 4</h3>
<p align="Left">The &quot;shorewall start&quot; and &quot;shorewall restart&quot; commands
to not verify that the zones named in the /etc/shorewall/policy file
@ -157,7 +270,7 @@ dos2unix</a></u>
good idea to run that command after you have made configuration
changes.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.n, n &lt; 3<!--mstheme--></font></h3>
<h3 align="Left">Version 1.3.n, n &lt; 3</h3>
<p align="Left">If you have upgraded from Shorewall 1.2 and after
&quot;Activating rules...&quot; you see the message: &quot;iptables: No
@ -167,82 +280,82 @@ dos2unix</a></u>
must add an entry to /etc/shorewall/interfaces. Shorewall 1.3.3 and
later versions produce a clearer error message in this case.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.2<!--mstheme--></font></h3>
<h3 align="Left">Version 1.3.2</h3>
<p align="Left">Until approximately 2130 GMT on 17 June 2002, the
download sites contained an incorrect version of the .lrp file. That
file can be identified by its size (56284 bytes). The correct version
has a size of 38126 bytes.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The code to detect a duplicate interface entry in
<ul>
<li>The code to detect a duplicate interface entry in
/etc/shorewall/interfaces contained a typo that prevented it from
working correctly. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">&quot;NAT_BEFORE_RULES=No&quot; was broken; it behaved just like &quot;NAT_BEFORE_RULES=Yes&quot;.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
working correctly. </li>
<li>&quot;NAT_BEFORE_RULES=No&quot; was broken; it behaved just like &quot;NAT_BEFORE_RULES=Yes&quot;.</li>
</ul>
<p align="Left">Both problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/firewall">
this script</a> which should be installed in <b><u>/var/lib/shorewall</u></b> as described above.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>
<p align="Left">The IANA have just announced the allocation of subnet
221.0.0.0/8. This
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.2/rfc1918">
updated rfc1918</a> file reflects that allocation.</p>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
</li>
</ul>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.1<!--mstheme--></font></h3>
<h3 align="Left">Version 1.3.1</h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">TCP SYN packets may be double counted when
<ul>
<li>TCP SYN packets may be double counted when
LIMIT:BURST is included in a CONTINUE or ACCEPT policy (i.e., each
packet is sent through the limit chain twice).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">When an option is given for more than one interface in
packet is sent through the limit chain twice).</li>
<li>An unnecessary jump to the policy chain is sometimes
generated for a CONTINUE policy.</li>
<li>When an option is given for more than one interface in
/etc/shorewall/interfaces then depending on the option, Shorewall
may ignore all but the first appearence of the option. For example:<br>
<br>
net&nbsp;&nbsp;&nbsp; eth0&nbsp;&nbsp;&nbsp; dhcp<br>
loc&nbsp;&nbsp;&nbsp; eth1&nbsp;&nbsp;&nbsp; dhcp<br>
<br>
Shorewall will ignore the 'dhcp' on eth1.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Update 17 June 2002 - The bug described in the prior bullet
Shorewall will ignore the 'dhcp' on eth1.</li>
<li>Update 17 June 2002 - The bug described in the prior bullet
affects the following options: dhcp, dropunclean, logunclean,
norfc1918, routefilter, multi, filterping and noping. An additional
bug has been found that affects only the 'routestopped' option.<br>
<br>
Users who downloaded the corrected script prior to 1850 GMT today
should download and install the corrected script again to ensure
that this second problem is corrected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
that this second problem is corrected.</li>
</ul>
<p align="Left">These problems are corrected in
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.1/firewall">
this firewall script</a> which should be installed in
/etc/shorewall/firewall as described above.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.3.0<!--mstheme--></font></h3>
<h3 align="Left">Version 1.3.0</h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Folks who downloaded 1.3.0 from the links on the download page
<ul>
<li>Folks who downloaded 1.3.0 from the links on the download page
before 23:40 GMT, 29 May 2002 may have downloaded 1.2.13 rather than
1.3.0. The &quot;shorewall version&quot; command will tell you which version
that you have installed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The documentation NAT.htm file uses non-existent
that you have installed.</li>
<li>The documentation NAT.htm file uses non-existent
wallpaper and bullet graphic files. The
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.0/NAT.htm">
corrected version is here</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--msthemeseparator--><p align="center"><img src="_themes/radial/aradrule.gif" width="614" height="7"></p>
corrected version is here</a>.</li>
</ul>
<hr>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font><!--mstheme--></font></h3>
<h3 align="Left"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font></h3>
<blockquote>
@ -257,9 +370,9 @@ RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p>
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update
<p align="Left"><font color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
released an iptables-1.2.4 RPM of their own which you can download from<font color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
@ -272,20 +385,20 @@ you are currently running RedHat 7.1, you can install either of these RPMs
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="top" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd iptables-1.2.3/extensions<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">patch -p0 &lt; <i>the-patch-file</i><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables<!--mstheme--></font></h3>
<h3><a name="Debug"></a>Problems with kernels &gt;= 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18/19 may
experience the following:</p>
<blockquote>
<!--mstheme--></font><pre># shorewall start
<pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
@ -303,7 +416,7 @@ Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre><!--mstheme--><font face="arial, Arial, Helvetica">
</pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
@ -314,8 +427,8 @@ Aborted (core dumped)
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="SuSE"></a>Problems
installing/upgrading RPM on SuSE SMP<!--mstheme--></font></h3>
<h3><a name="SuSE"></a>Problems
installing/upgrading RPM on SuSE</h3>
<p>If you find that rpm complains about a conflict
with kernel &lt;= 2.2 yet you have a 2.4 kernel
@ -326,13 +439,29 @@ Aborted (core dumped)
<p>Upgrading: rpm -Uvh <i>&lt;shorewall rpm&gt;</i></p>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2">
Last updated 8/4/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</font></p>
<h3><a name="Multiport"></a><b>Problems with
iptables version 1.2.7 and MULTIPORT=Yes</b></h3>
<p>The iptables 1.2.7 release of iptables has made
an incompatible change to the syntax used to
specify multiport match rules; as a consequence,
if you install iptables 1.2.7 you must</p>
<ul>
<li>set MULTIPORT=No in
/etc/shorewall/shorewall.conf; or </li>
<li>if you are running Shorewall 1.3.6 you may
install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.3.6/firewall">
this firewall script</a> in /var/lib/shorewall/firewall
as described above.</li>
</ul>
<p><font size="2">
Last updated 8/22/2002 -
<a href="support.htm">Tom Eastep</a></font> </p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,15 +6,20 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Errata for Version 1</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Errata for Version 1.1<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Errata for Version 1.1</font></h1>
</td>
</tr>
</table>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior
to Sept 20, 2001:</u></font><!--mstheme--></font></h3>
<h3 align="Left"><font color="#660066"><u>To those of you who downloaded the 1.1.13 updated firewall script prior
to Sept 20, 2001:</u></font></h3>
<blockquote>
@ -24,7 +29,7 @@ of the firewall script. This has now been corrected. I apologize for any confusi
this may have caused.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.1.18<!--mstheme--></font></h3>
<h3 align="Left">Version 1.1.18</h3>
<blockquote>
@ -34,8 +39,8 @@ this may have caused.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.17</font><!--mstheme--></font></h3>
<h3 align="Left"><font color="#660066">
Version 1.1.17</font></h3>
<blockquote>
@ -47,8 +52,8 @@ this may have caused.</p>
problem is also corrected in version 1.1.18.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.16</font><!--mstheme--></font></h3>
<h3 align="Left"><font color="#660066">
Version 1.1.16</font></h3>
<blockquote>
<p align="Left">
@ -61,16 +66,16 @@ in the firewall script. To correct this problem, install the <a href="ftp://ft
This problem is also corrected in version 1.1.17.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.14-1.1.15</font><!--mstheme--></font></h3>
<h3 align="Left"><font color="#660066">
Version 1.1.14-1.1.15</font></h3>
<blockquote>
<p align="Left">
There are no corrections for these versions.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.13</font><!--mstheme--></font></h3>
<h3 align="Left"><font color="#660066">
Version 1.1.13</font></h3>
<blockquote>
<p align="Left">
@ -85,8 +90,8 @@ in the firewall script. To correct this problem, install the <a href="ftp://ft
in the location pointed to by the symbolic link /etc/shorewall/firewall. </p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.12</font><!--mstheme--></font></h3>
<h3 align="Left"><font color="#660066">
Version 1.1.12</font></h3>
<blockquote>
<p align="Left">
@ -103,16 +108,16 @@ file. This incorrect file results in many error messages of the form:</p>
. This problem is also corrected in version 1.1.13.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.11</font><!--mstheme--></font></h3>
<h3 align="Left"><font color="#660066">
Version 1.1.11</font></h3>
<blockquote>
<p align="Left">
There are no known problems with this version.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.10</font><!--mstheme--></font></h3>
<h3 align="Left"><font color="#660066">
Version 1.1.10</font></h3>
<blockquote>
<p align="Left">
@ -148,24 +153,24 @@ Install the script into the location pointed to by the symbolic link
This problem has also been corrected in version 1.1.11.</p>
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><font color="#660066">
Version 1.1.9</font><!--mstheme--></font></h3>
<h3 align="Left"><font color="#660066">
Version 1.1.9</font></h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The shorewall "hits" command lists extraneous service names in the final
<ul>
<li>The shorewall "hits" command lists extraneous service names in the final
report. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.9/shorewall">
This version of the shorewall script</a>
corrects this problem.<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
</li>
</ul>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.1.8<!--mstheme--></font></h3>
<h3 align="Left">Version 1.1.8</h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Under some circumstances, the "dhcp" option on an interface triggers
<ul>
<li>Under some circumstances, the "dhcp" option on an interface triggers
a bug in the firewall script that results in a "chain already exists"
error. <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.1.8/firewall">
This version of the firewall script</a>
@ -175,22 +180,22 @@ the symbolic link /etc/shorewall/firewall.<br>
This problem is also corrected in version 1.1.9.<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
</li>
</ul>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 1.1.7<!--mstheme--></font></h3>
<h3 align="Left">Version 1.1.7</h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If the /etc/shorewall/rules template from version 1.1.7 is used, a warning
<ul>
<li>If the /etc/shorewall/rules template from version 1.1.7 is used, a warning
message appears during firewall startup:<br>
<br>
    Warning: Invalid Target - rule "@ icmp-unreachable packet."
ignored<br>
<br>
This warning may be eliminated by replacing the "@" in column 1 of
line 17 with "#"<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
line 17 with "#"</li>
</ul>
<blockquote>
<p align="Left">
@ -205,6 +210,6 @@ ignored<br>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -0,0 +1,439 @@
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall 1.2 Errata</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" height="90" bgcolor="#400169">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall 1.2 Errata</font></h1>
</td>
</tr>
</table>
<p align="center">
<font face="Century Gothic, Arial, Helvetica">
<b><u>IMPORTANT</u></b></font></p>
<p align="center">
<b><u>If you use a Windows system to download a corrected script, be sure to
run the script through <a href="http://www.megaloman.com/%7Ehany/software/hd2u/">
dos2unix</a>
after you have moved it to your Linux system.</u></b></p>
<p align="center">
<u><b>When the instructions say to install a corrected firewall script in
/etc/shorewall/firewall, use the 'cp' (or 'scp') utility to overwrite the
existing file. DO NOT REMOVE OR RENAME THE OLD /etc/shorewall/firewall
before you do that. /etc/shorewall/firewall is a symbolic link that points
to the 'shorewall' file used by your system initialization scripts to
start Shorewall during boot and it is that file that must be overwritten
with the corrected script. </b></u></p>
<ul>
<li>
<h3 align="Left"><font color="#660066">
<a href="errata_1.htm">
Problems in Version 1.1</a></font></h3>
</li>
<li>
<h3 align="Left"><a href="#V1.2">Problems in Version 1.2</a></h3>
</li>
<li>
<h3 align="Left"><font color="#660066"><a href="#iptables">
Problem with iptables version 1.2.3</a></font></h3>
</li>
<li>
<h3 align="Left"><a href="#Debug">Problems with kernel 2.4.18 and
RedHat iptables</a></h3>
</li>
</ul>
<hr>
<h3 align="Left"><a name="V1.2"></a>Problems in Version 1.2</h3>
<h3 align="Left">Version 1.2.13</h3>
<ul>
<li>
<p align="Left">Some users have reported problems installing the RPM
on SuSE 7.3 where rpm reports a conflict with kernel &lt;= 2.2 even
though a 2.4 kernel RPM is installed. To get around this problem, use
the --nodeps option to rpm (e.g., &quot;rpm -ivh --nodeps
shorewall-1.2-13.noarch.rpm&quot;).<br>
<br>
The problem stems from the fact that SuSE does not
include a package named &quot;kernel&quot; but rather has a number of packages
that provide the virtual package &quot;kernel&quot;. Since virtual packages have
no version associated with them, a conflict results. Since the
workaround is simple, I don't intend to change the Shorewall package.</p>
</li>
<li>
<p align="Left">Shorewall accepts invalid rules of the form:<br>
<br>
<font face="Courier">ACCEPT &lt;src&gt; &lt;dest&gt;:&lt;ip addr&gt; all &lt;port number&gt; -
&lt;original ip address&gt;<br>
<br>
</font>The &lt;port number&gt; is ignored with the result that <u>all</u>
connection requests from the &lt;src&gt; zone whose original destination IP
address matches the last column are forwarded to the &lt;dest&gt; zone, IP
address &lt;ip addr&gt;.&nbsp;
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.13/firewall">
This corrected firewall script</a> correctly generates an error when
such a rule is encountered.</p>
</li>
</ul>
<h3 align="Left">Version 1.2.11</h3>
<ul>
<li>
<p align="Left">The 'try' command is broken.</li>
<li>
<p align="Left">The usage text printed by the shorewall utility
doesn't show the optional timeout for the 'try' command.</li>
</ul>
<p align="Left">Both problems are corrected by
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.11/shorewall">
this new version of /sbin/shorewall</a>.</p>
<h3 align="Left">Sample Configurations:</h3>
<ul>
<li>
<p align="Left">There have been several problems with SSH, DNS and
ping in the two- and three-interface examples. Before reporting
problems with these services, please verify that you have the latest
version of the appropriate sample 'rules' file.</li>
</ul>
<h3 align="Left">All Versions through 1.2.10</h3>
<ul>
<li>
<p align="Left">The <a href="PPTP.htm#ServerFW">documentation for
running PoPToP on the firewall system</a> contained an incorrect entry
in the /etc/shorewall/hosts file. The corrected entry (underlined) is
shown here:</li>
</ul>
<blockquote>
<blockquote>
<table border="2">
<tr>
<td><b>ZONE</b></td>
<td><b>HOST(S)</b></td>
<td><b>OPTIONS</b></td>
</tr>
<tr>
<td>loc</td>
<td><u>eth2</u>:192.168.1.0/24</td>
<td>routestopped</td>
</tr>
<tr>
<td>loc</td>
<td>ppp+:192.168.1.0/24</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
</blockquote>
<h3 align="Left">All Versions through 1.2.8</h3>
<ul>
<li>
<p align="Left">The shorewall.conf file and the documentation
incorrectly refer to a parameter in /etc/shorewall/shorewall.conf
called LOCKFILE; the correct name for the parameter is SUBSYSLOCK (<a href="Documentation.htm#Conf">see
the corrected online documentation</a>). Users of the rpm should
change the name (and possibly the value) of this parameter so that
Shorewall interacts properly with the SysV init scripts. The
documentation on this web site has been corrected and
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.8/shorewall.conf">
here's a corrected version of shorewall.conf</a>.</p>
</li>
<li>
<p align="Left">The documentation indicates that a comma-separated
list of IP/subnet addresses may appear in an entry in the hosts file.
This is not the case; if you want to specify multiple addresses for a
zone, you need to have a separate entry for each address.</p>
</li>
</ul>
<h3 align="Left">Version 1.2.7</h3>
<p align="Left">Version 1.2.7 is quite broken -- please install 1.2.8</p>
<p>If you have installed and started version 1.2.7 then before trying
to restart under 1.2.8:</p>
<ol>
<li>Look at your /etc/shorewall/shorewall.conf file and note the directory
named in the STATEDIR variable. If that variable is empty, assume
/var/state/shorewall.</li>
<li>Remove the file 'lock' in the directory determined in step 1.</li>
</ol>
<p>You may now restart using 1.2.8.</p>
<h3 align="Left">Version 1.2.6</h3>
<ul>
<li>
<p align="Left">GRE and IPIP tunnels are broken.</li>
<li>
<p align="Left">The following rule results in a start error:<br>
<br>
&nbsp;&nbsp;&nbsp; ACCEPT&nbsp;&nbsp;&nbsp; z1&nbsp;&nbsp;&nbsp; z2&nbsp;&nbsp;&nbsp;
icmp</li>
</ul>
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.6/firewall">this
corrected firewall script</a> in&nbsp; /etc/shorewall/firewall..<h3 align="Left">Version 1.2.5</h3>
<ul>
<li>
<p align="Left">The new ADDRESS column in /etc/shorewall/masq cannot
contain a $-variable name.</li>
<li>
<p align="Left">Errors result if $FW appears in the
/etc/shorewall/policy file.</li>
<li>
<p align="Left">Using Blacklisting without setting BLACKLIST_LOGLEVEL
results in an error at start time.</li>
</ul>
<p align="Left">To correct the above problems, install
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.<p align="Left">&nbsp;<ul>
<li>
<p align="Left">The /sbin/shorewall script produces error messages
saying that 'mygrep' cannot be found.
<a href="http://www.shorewall.net/pub/shorewall/errata/1.2.5/shorewall">
Here is the correct version of /sbin/shorewall.</a></li>
</ul>
<h3 align="Left">Version 1.2.4</h3>
<ul>
<li><p align="Left">This version will not install &quot;out of the box&quot; without
modification. Before attempting to start the
firewall, please change the STATEDIR in /etc/shorewall/shorewall.conf to
refer to /var/lib/shorewall. This only applies to fresh installations -- if
you are upgrading from a previous version of Shorewall, version 1.2.4 will
work without modification.</li>
</ul>
<h3 align="Left">Version 1.2.3</h3>
<ul>
<li>
<p align="Left">When BLACKLIST_LOGLEVEL is set, packets from blacklisted
hosts aren't logged. Install <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.3/firewall">this
corrected firewall script</a> in /etc/shorewall/firewall.</li>
</ul>
<blockquote>
<p>Alternatively, edit /etc/shorewall/firewall and change line 1564 from:</p>
</blockquote>
<pre> run_iptables -A blacklst -d $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<blockquote>
<p>to</p>
</blockquote>
<pre> run_iptables -A blacklst -s $addr -j LOG $LOGPARAMS --log-prefix \</pre>
<h3 align="Left">Version 1.2.2</h3>
<ul>
<li>The &quot;shorewall status&quot; command hangs after
it displays the chain information. <a href="pub/shorewall/errata/1.2.2/shorewall">Here's
a corrected /sbin/shorewall.</a> if&nbsp; you want to simply modify your copy of
/sbin/shorewall, then at line 445 change this:</li>
</ul>
<div align="left">
<pre align="Left"> status)
clear</pre>
</div>
<blockquote>
<p align="Left">to this:</p>
</blockquote>
<div align="left">
<pre align="Left"> status)
get_config
clear</pre>
</div>
<ul>
<li>The &quot;shorewall monitor&quot; command
doesn't show the icmpdef chain - <a href="pub/shorewall/errata/1.2.2/shorewall">this
corrected /sbin/shorewall</a> fixes that problem as well as the status
problem described above.</li>
</ul>
<ul>
<li>In all 1.2.x versions, the 'CLIENT PORT(S)'
column in /etc/shorewall/tcrules is ignored. This is corrected in <a href="/pub/shorewall/errata/1.2.2/firewall">this
updated firewall script</a>.&nbsp; Place the script in /etc/shorewall/firewall. Thanks to Shingo Takeda for
spotting this bug.</li>
</ul>
<h3 align="Left">Version 1.2.1</h3>
<ul>
<li>The new <i>logunclean </i>interface option is not
described in the help text in /etc/shorewall/interfaces. An <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.1/interfaces">updated
interfaces file</a> is available.</li>
<li>When REJECT is specified in a TCP rule, Shorewall
correctly replies with a TCP RST packet. Previous versions of the
firewall script are broken in the case of a REJECT policy, however; in
REJECT policy chains, all requests are currently replied to with an
ICMP port-unreachable packet. <a href="http://www.shorewall.net/pub/shorewall/errata/1.2.1/firewall">This
corrected firewall script</a> replies to TCP requests with TCP RST in
REJECT policy chains. Place the script in /etc/shorewall/firewall.</li>
</ul>
<h3 align="Left">Version 1.2.0</h3>
<blockquote>
<p align="Left"><b>Note: </b>If you are upgrading from one of the Beta
RPMs to 1.2.0, you must use the &quot;--oldpackage&quot; option to rpm
(e.g., rpm -Uvh --oldpackage shorewall-1.2-0.noarch.rpm).</p>
<p align="Left">The tunnel script released in version 1.2.0 contained
errors -- a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/1.2.0/tunnel">corrected
script</a> is available.</p>
</blockquote>
<hr>
<h3 align="Left"><a name="iptables"></a><font color="#660066">
Problem with iptables version 1.2.3</font></h3>
<blockquote>
<p align="Left">There are a couple of serious bugs in iptables 1.2.3 that
prevent it from working with Shorewall. Regrettably,
RedHat released this buggy iptables in RedHat 7.2.&nbsp;</p>
<p align="Left"> I have built a <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3-3.i386.rpm">
corrected 1.2.3 rpm which you can download here</a>&nbsp; and I have also built
an <a href="ftp://ftp.shorewall.net/pub/shorewall/iptables-1.2.4-1.i386.rpm">
iptables-1.2.4 rpm which you can download here</a>. If
you are currently running RedHat 7.1, you can install either of these RPMs
<b><u>before</u> </b>you upgrade to RedHat 7.2.</p>
<p align="Left"><font face="Century Gothic, Arial, Helvetica" color="#FF6633"><b>Update
11/9/2001: </b></font>RedHat has
released an iptables-1.2.4 RPM of their own which you can download from<font face="Century Gothic, Arial, Helvetica" color="#FF6633">
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">http://www.redhat.com/support/errata/RHSA-2001-144.html</a>.
</font>I have installed this RPM
on my firewall and it works fine.</p>
<p align="Left">If you
would like to patch iptables 1.2.3 yourself, the patches are available
for download. This <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/loglevel.patch">patch</a>
which corrects a problem with parsing of the --log-level specification while
this <a href="ftp://ftp.shorewall.net/pub/shorewall/errata/iptables-1.2.3/tos.patch">patch</a>
corrects a problem in handling the&nbsp; TOS target.</p>
<p align="Left">To install one of the above patches:</p>
<ul>
<li>cd iptables-1.2.3/extensions</li>
<li>patch -p0 &lt; <i>the-patch-file</i></li>
</ul>
</blockquote>
<h3><a name="Debug"></a>Problems with kernel 2.4.18
and RedHat iptables</h3>
<blockquote>
<p>Users who use RedHat iptables RPMs and who upgrade to kernel 2.4.18 may
experience the following:</p>
<blockquote>
<pre># shorewall start
Processing /etc/shorewall/shorewall.conf ...
Processing /etc/shorewall/params ...
Starting Shorewall...
Loading Modules...
Initializing...
Determining Zones...
Zones: net
Validating interfaces file...
Validating hosts file...
Determining Hosts in Zones...
Net Zone: eth0:0.0.0.0/0
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
iptables: libiptc/libip4tc.c:380: do_check: Assertion
`h-&gt;info.valid_hooks == (1 &lt;&lt; 0 | 1 &lt;&lt; 3)' failed.
Aborted (core dumped)
</pre>
</blockquote>
<p>The RedHat iptables RPM is compiled with debugging enabled but the
user-space debugging code was not updated to reflect recent changes in the
Netfilter 'mangle' table. You can correct the problem by installing
<a href="http://www.shorewall.net/pub/shorewall/iptables-1.2.5-1.i386.rpm">
this iptables RPM</a>. If you are already running a 1.2.5 version of
iptables, you will need to specify the --oldpackage option to rpm (e.g.,
&quot;iptables -Uvh --oldpackage iptables-1.2.5-1.i386.rpm&quot;).</p>
</blockquote>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2">
Last updated 5/24/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>


@ -5,40 +5,47 @@
<title>Shorewall Fallback and Uninstall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Fallback and Uninstall<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Fallback and Uninstall</font></h1>
</td>
</tr>
</table>
<p><strong>Shorewall includes
a </strong><a href="#fallback"><strong>fallback script</strong></a><strong>
and an </strong><a href="#uninstall"><strong>uninstall script</strong></a><strong>.</strong></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="fallback"></a>Falling Back to the Previous Version of Shorewall
using the Fallback Script<!--mstheme--></font></h2>
<h2><a name="fallback"></a>Falling Back to the Previous Version of Shorewall
using the Fallback Script</h2>
<p>If you install Shorewall and discover that
it doesn't work for you, you can fall back to your previously
installed version. To do that:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd to the distribution directory for the version
<ul>
<li>cd to the distribution directory for the version
of Seattle Firewall <u>that you are
currently running </u>(NOT the version
that you want to fall back to).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Type &quot;./fallback.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
that you want to fall back to).</li>
<li>Type &quot;./fallback.sh&quot;</li>
</ul>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><strong><u>Warning:</u> The fallback script
<h3><strong><u>Warning:</u> The fallback script
will replace /etc/shorewall/policy, /etc/shorewall/rules, /etc/shorewall/interfaces,
/etc/shorewall/nat, /etc/shorewall/proxyarp and /etc/shorewall/masq with the version of
these files from before the current version was installed. Any
changes to any of these files will be lost.</strong><!--mstheme--></font></h3>
changes to any of these files will be lost.</strong></h3>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using
rpm<!--mstheme--></font></h2>
<h2><a name="rpm"></a>Falling Back to the Previous Version of Shorewall using
rpm</h2>
<p>If your previous version of Shorewall was
installed using RPM, you may fall back to that version by typing
@ -46,16 +53,16 @@ installed using RPM, you may fall back to that version by typing
prompt (Example: &quot;rpm -Uvh --force /downloads/shorewall-3.1=0noarch.rpm&quot; would fall back to the 3.1-0
version of Shorewall).</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="uninstall"></a>Uninstalling Shorewall<!--mstheme--></font></h2>
<h2><a name="uninstall"></a>Uninstalling Shorewall</h2>
<p>If you no longer wish to use Shorewall, you
may remove it by:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">cd to the distribution directory for the version
of Shorewall that you have installed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">type &quot;./uninstall.sh&quot;<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>cd to the distribution directory for the version
of Shorewall that you have installed.</li>
<li>type &quot;./uninstall.sh&quot;</li>
</ul>
<p>If you installed using an rpm, at a root shell prompt
type &quot;rpm -e shorewall&quot;.</p>
@ -64,4 +71,4 @@ type &quot;rpm -e shorewall&quot;.</p>
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>


@ -6,15 +6,22 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>GNU Mailman</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">GNU Mailman/Postfix<br>
the Easy Way<!--mstheme--></font></h1>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.<!--mstheme--></font></h4>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">GNU Mailman/Postfix
the Easy Way</font></h1>
</td>
</tr>
</table>
<h1 align="center">&nbsp;</h1>
<h4>The following was posted on the Postfix mailing list on 5/4/2002 by Michael
Tokarev as a suggested addition to the Postfix FAQ.</h4>
<p>Q: Mailman does not work with Postfix, complaining about GID mismatch<br>
<br>
A: Mailman uses a setgid wrapper that is designed to be used in system-wide
@ -43,13 +50,13 @@ mailinglist: /var/mailman/scripts/post mailinglist<br>
mailinglist-admin: /var/mailman/scripts/mailowner mailinglist<br>
mailinglist-request: /var/mailman/scripts/mailcmd mailinglist<br>
...</p>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">The Shorewall mailing lists are currently running Postfix 1.1.7 together
with the stock RedHat Mailman-2.0.8 RPM configured as shown above.<!--mstheme--></font></h4>
<h4>The Shorewall mailing lists are currently running Postfix 1.1.7 together
with the stock RedHat Mailman-2.0.8 RPM configured as shown above.</h4>
<p align="left"><font size="2">Last updated 5/4/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -5,18 +5,17 @@
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<frameset cols="237,*">
<frameset cols="242,*">
<frame name="contents" target="main" src="Shorewall_index_frame.htm">
<frame name="main" src="seattlefirewall_index.htm" target="_self" scrolling="auto">
<noframes>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<p>This page uses frames, but your browser doesn't support them.</p>
<!--mstheme--></font></body>
</body>
</noframes>
</frameset>


@ -5,11 +5,16 @@
<title>Shorewall Kernel Configuration</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Kernel Configuration<!--mstheme--></font></h1>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Kernel Configuration</font></h1>
</td>
</tr>
</table>
<p>For information regarding configuring and building GNU/Linux kernels, see <a href="http://www.kernelnewbies.org">http://www.kernelnewbies.org</a>.</p>
<p>Here's a screen shot of my Network Options Configuration:</p>
<blockquote>
@ -138,4 +143,4 @@ the options selected above built as modules:</p>
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>


@ -6,35 +6,37 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing Lists</title>
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="boldstri 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" width="110" height="35"></a>Shorewall Mailing Lists<!--mstheme--></font></h1>
<p align="left">&nbsp;<a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="left" width="115" height="45"></a> </p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">&nbsp;<!--mstheme--></font></h2>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><a href="http://www.gnu.org/software/mailman/mailman.html">
<img border="0" src="images/logo-sm.jpg" align="left" hspace="5" width="110" height="35"></a><a href="http://www.postfix.org/"><img src="images/small-picture.gif" align="right" border="0" width="115" height="45"></a><font color="#FFFFFF">Shorewall Mailing Lists</font></h1>
</td>
</tr>
</table>
<p align="left">
<b>Note: </b>The list server limits posts to 120kb.</p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Not getting List Mail? -- <a href="mailing_list_problems.htm">Check
Here</a><!--mstheme--></font></h2>
<h2 align="left">Not getting List Mail? -- <a href="mailing_list_problems.htm">Check
Here</a></h2>
<p align="left">If you experience problems with any of these lists, please
let <a href="mailto:teastep@shorewall.net">me</a> know</p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Not able to Post Mail to shorewall.net?<!--mstheme--></font></h2>
<h2 align="left">Not able to Post Mail to shorewall.net?</h2>
<p align="left">You can report such problems by sending mail to tom dot eastep
at hp dot com.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">A Word about SPAM Filters
<h2>A Word about SPAM Filters
<a href="http://ordb.org">
<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a><a href="http://osirusoft.com/"><img border="0" src="images/ORE.jpg" width="88" height="37"></a><!--mstheme--></font></h2>
<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a><a href="http://osirusoft.com/"><img border="0" src="images/ORE.jpg" width="88" height="37"></a></h2>
<p>Before subscribing please read my <a href="spam_filters.htm">policy
about list traffic that bounces.</a> Also please note that the mail server
@ -42,7 +44,7 @@ at hp dot com.</p>
databases at <a href="http://ordg.org">ordb.org</a> and at
<a href="http://osirusoft.com">osirusoft.com</a>.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Search the Mailing List Archives<!--mstheme--></font></h2>
<h2>Search the Mailing List Archives</h2>
<form method="POST" action="http://www.shorewall.net/cgi-bin/htsearch">
<p>
@ -74,59 +76,62 @@ Search:
<input type="submit" value="Search"> </p>
</form>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Users Mailing List<!--mstheme--></font></h2>
<h2 align="left">Shorewall Users Mailing List</h2>
<p align="left">The Shorewall Users Mailing list provides a way for users to get
answers to questions and to report problems.
Information of general interest to the Shorewall user community is also posted
to this list.</p>
<p align="left"><b>Before posting a problem report to this list, please see the
<a href="support.htm">problem reporting guidelines</a>.</b></p>
<p align="left">To subscribe to the mailing list, go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">https://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
<p align="left">To subscribe to the mailing list, go to
<a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>.</p>
<p align="left">To post to the list, post to <a href="mailto:shorewall-users@shorewall.net">shorewall-users@shorewall.net</a>.</p>
<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<p align="left">Note that prior to 1/1/2002, the mailing list was hosted at <a href="http://sourceforge.net">Sourceforge</a>.
The archives from that list may be found at <a href="http://www.geocrawler.com/lists/3/Sourceforge/9327/0/">www.geocrawler.com/lists/3/Sourceforge/9327/0/</a>.</p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Announce Mailing List<!--mstheme--></font></h2>
<h2 align="left">Shorewall Announce Mailing List</h2>
<p align="left">This list is for announcements of general interest to the
Shorewall community. To subscribe, go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">https://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
Shorewall community. To subscribe, go to
<a href="http://www.shorewall.net/mailman/listinfo/shorewall-announce">http://www.shorewall.net/mailman/listinfo/shorewall-announce</a>.</p>
<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-announce">http://www.shorewall.net/pipermail/shorewall-announce</a>.</p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Development Mailing List<!--mstheme--></font></h2>
<h2 align="left">Shorewall Development Mailing List</h2>
<p align="left">The Shorewall Development Mailing list provides a forum for the
exchange of ideas about the future of Shorewall and for coordinating ongoing
Shorewall Development.</p>
<p align="left">To subscribe to the mailing list, go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">https://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
<p align="left">To subscribe to the mailing list, go to
<a href="http://www.shorewall.net/mailman/listinfo/shorewall-devel">http://www.shorewall.net/mailman/listinfo/shorewall-devel</a>.</p>
<p align="left">To post to the list, post to <a href="mailto:shorewall-devel@shorewall.net">shorewall-devel@shorewall.net</a>.&nbsp;</p>
<p align="left">The list archives are at <a href="http://www.shorewall.net/pipermail/shorewall-devel">http://www.shorewall.net/pipermail/shorewall-devel</a>.</p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="Unsubscribe"></a>How to Unsubscribe from one of the
Mailing Lists<!--mstheme--></font></h2>
<h2 align="left"><a name="Unsubscribe"></a>How to Unsubscribe from one of the
Mailing Lists</h2>
<p align="left">There seems to be near-universal confusion about unsubscribing
from Mailman-managed lists. To unsubscribe:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>
<p align="left">Follow the same link above that you used to subscribe to the
list.</p>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
</li>
<li>
<p align="left">Down at the bottom of that page is the following text: &quot;To
change your subscription (set options like digest and delivery modes, get a
reminder of your password, <b>or unsubscribe</b> from &lt;name of list&gt;), enter
your subscription email address:&quot;. Enter your email address in the box and click
on the &quot;Edit Options&quot; button.</p>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
</li>
<li>
<p align="left">There will now be a box where you can enter your password and
click on &quot;Unsubscribe&quot;; if you have forgotten your password, there is another
button that will cause your password to be emailed to you.</p>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--msthemeseparator--><p align="center"><img src="_themes/radial/aradrule.gif" width="614" height="7"></p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Frustrated by having to Rebuild Mailman to use it with Postfix?<!--mstheme--></font></h2>
</li>
</ul>
<hr>
<h2 align="left">Frustrated by having to Rebuild Mailman to use it with Postfix?</h2>
<p align="left"><a href="gnu_mailman.htm">Check out these instructions</a></p>
<p align="left"><font size="2">Last updated 7/26/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,19 +6,24 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Mailing List Problems</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Mailing List Problems<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Mailing List Problems</font></h1>
</td>
</tr>
</table>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:<!--mstheme--></font></h2>
<h2 align="left">Shorewall.net is currently experiencing mail delivery problems
to at least one address in each of the following domains:</h2>
<blockquote>
<div align="left">
<!--mstheme--></font><pre>2020ca - delivery to this domain has been disabled (cause unknown)
<pre>2020ca - delivery to this domain has been disabled (cause unknown)
excite.com - delivery to this domain has been disabled (cause unknown)
epacificglobal.com - delivery to this domain has been disabled (no MX record for domain)
gmx.net - delivery to this domain has been disabled (cause unknown)
@ -33,7 +38,7 @@ penquindevelopment.com - delivery to this domain has been disabled (connection t
scip-online.de - delivery to this domain has been disabled (cause unknown)
spctnet.com - connection timed out - delivery to this domain has been disabled
telusplanet.net - delivery to this domain has been disabled (cause unknown)
yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre><!--mstheme--><font face="arial, Arial, Helvetica">
yahoo.com - delivery to this domain has been disabled (Mailbox over quota)</pre>
</div>
</blockquote>
@ -47,6 +52,6 @@ Eastep</a></font></p>
<p align="left">&nbsp;</p>
<!--mstheme--></font></body>
</body>
</html>


@ -10,14 +10,20 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">About My Network<!--mstheme--></font></h1>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">About My Network</font></h1>
</td>
</tr>
</table>
<blockquote> </blockquote>
<h1><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">My Current Network <!--mstheme--></font></h1>
<h1>My Current Network </h1>
<blockquote>
<p>
@ -38,7 +44,8 @@ runs Samba and acts as the a WINS server.&nbsp; Wookie is in its own 'whitelist'
called 'me'.</p>
<p>
My laptop (eastept1) is connected to eth3 using a cross-over cable. It runs its own <a href="http://www.sygate.com">
Sygate</a> firewall software and is managed by Proxy ARP.</p>
Sygate</a> firewall software and is managed by Proxy ARP. It connects to the
local network through the PopTop server running on my firewall. </p>
<p>
The single system in the DMZ (address 206.124.146.177) runs postfix, Courier
IMAP (imaps and pop3), DNS, a Web server (Apache) and an FTP server
@ -52,7 +59,7 @@ All administration and publishing is done using ssh/scp.</p>
I run an SNMP server on my firewall to serve <a href="http://www.ee.ethz.ch/%7Eoetiker/webtools/mrtg/">
MRTG</a> running in the DMZ.</p>
<p align="center">
<img border="0" src="images/network.jpg" width="493" height="588"></p>
<img border="0" src="images/network.png" width="764" height="846"></p>
<p>&nbsp;</p>
<p>The ethernet interface in the Server is configured
with IP address 206.124.146.177, netmask
@ -68,9 +75,9 @@ MRTG</a> running in the DMZ.</p>
Note: My files use features not available before
Shorewall version 1.3.4.</font></p>
</blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall.conf<!--mstheme--></font></h3>
<h3>Shorewall.conf</h3>
<!--mstheme--></font><pre> SUBSYSLOCK=/var/lock/subsys/shorewall
<pre> SUBSYSLOCK=/var/lock/subsys/shorewall
STATEDIR=/var/state/shorewall
LOGRATE=
@ -80,16 +87,16 @@ MRTG</a> running in the DMZ.</p>
CLAMPMSS=Yes
MULTIPORT=Yes</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Zones File:<!--mstheme--></font></h3>
<!--mstheme--></font><pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS
MULTIPORT=Yes</pre>
<h3>Zones File:</h3>
<pre><font face="Courier" size="2"> #ZONE DISPLAY COMMENTS
net Internet Internet
me Eastep My Workstation
loc Local Local networks
dmz DMZ Demilitarized zone
tx Texas Peer Network in Dallas Texas
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Interfaces File: <!--mstheme--></font></h3>
#LAST LINE - ADD YOUR ENTRIES ABOVE THIS ONE - DO NOT REMOVE</font></pre>
<h3>Interfaces File: </h3>
<blockquote>
<p>
@ -98,38 +105,35 @@ interfaces. </p>
</blockquote>
<!--mstheme--></font><pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS
<pre><font face="Courier" size="2"> #ZONE INTERFACE BROADCAST OPTIONS
net eth0 206.124.146.255 routefilter,norfc1918,blacklist,filterping
- eth2 192.168.1.255 dhcp
loc eth2 192.168.1.255 dhcp
dmz eth1 206.124.146.255 -
loc eth3 206.124.146.255 -
tx texas -
net eth3 206.124.146.255 norfc1918
- texas -
loc ppp+
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Hosts File: <!--mstheme--></font></h3>
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3>Hosts File: </h3>
<!--mstheme--></font><pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS
<pre><font face="Courier" size="2"> #ZONE HOST(S) OPTIONS
me eth2:192.168.1.3
loc eth2:0.0.0.0/0
loc ppp+:192.168.1.0/24
loc eth3:206.124.146.180
tx texas:192.168.9.0/24
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
#LAST LINE -- ADD YOUR ENTRIES ABOVE -- DO NOT REMOVE</font></pre>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Routestopped File:<!--mstheme--></font></h3>
<h3>Routestopped File:</h3>
<!--mstheme--></font><pre> #INTERFACE HOST(S)
<pre><font face="Courier" size="2"> #INTERFACE HOST(S)
eth1 206.124.146.177
eth2 -
eth3 206.124.146.180</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Common File: <!--mstheme--></font></h3>
<!--mstheme--></font><pre><font size="2" face="Courier"> . /etc/shorewall/common.def
eth3 206.124.146.180</font></pre>
<h3>Common File: </h3>
<pre><font size="2" face="Courier"> . /etc/shorewall/common.def
run_iptables -A common -p udp --sport 53 -mstate --state NEW -j DROP
run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
run_iptables -A common -p tcp --dport 113 -j REJECT</font></pre>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Policy File:<!--mstheme--></font></h3>
<h3>Policy File:</h3>
<!--mstheme--></font><pre><font size="2" face="Courier">
<pre><font size="2" face="Courier">
#SOURCE DEST POLICY LOG LEVEL LIMIT:BURST
me all ACCEPT
tx me ACCEPT #Give Texas access to my personal system
@ -141,10 +145,11 @@ interfaces. </p>
$FW tx ACCEPT
loc tx ACCEPT
loc fw REJECT
net net ACCEPT
net all DROP info 10/sec:40
all all REJECT info
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Masq File: <!--mstheme--></font></h3>
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOTE</font></pre>
<h3>Masq File: </h3>
<blockquote>
<p>
@ -152,25 +157,25 @@ Although most of our internal systems use static NAT, my wife's system
(192.168.1.4) uses IP Masquerading (actually SNAT) as do visitors with laptops.</p>
</blockquote>
<!--mstheme--></font><pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS
<pre><font size="2" face="Courier"> #INTERFACE SUBNET ADDRESS
eth0 192.168.1.0/24 206.124.146.176
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">NAT File: <!--mstheme--></font></h3>
<!--mstheme--></font><pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3>NAT File: </h3>
<pre><font size="2" face="Courier"> #EXTERNAL INTERFACE INTERNAL ALL LOCAL
206.124.146.178 eth0 192.168.1.5 No No
206.124.146.179 eth0 192.168.1.3 No No
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
#LAST LINE -- ADD YOUR ENTRIES ABOVE THIS LINE -- DO NOT REMOVE</font></pre>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Proxy ARP File:<!--mstheme--></font></h3>
<!--mstheme--></font><pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE
<h3>Proxy ARP File:</h3>
<pre><font face="Courier" size="2"> #ADDRESS INTERFACE EXTERNAL HAVEROUTE
206.124.146.177 eth1 eth0 No
206.124.146.180 eth3 eth0 No
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Rules File (The shell variables
are set in /etc/shorewall/params):<!--mstheme--></font></h3>
<h3>Rules File (The shell variables
are set in /etc/shorewall/params):</h3>
<!--mstheme--></font><pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
<pre><font face="Courier" size="2"> #ACTION SOURCE DEST PROTO DEST SOURCE ORIGINAL
# PORT(S) PORT(S) PORT(S) DEST
#
# Local Network to Internet - Reject attempts by Trojans to call home
@ -218,7 +223,6 @@ Although most of our internal systems use static NAT, my wife's system
#
# Net to Local
#
ACCEPT net loc:206.124.146.180 #Runs its own firewall software
ACCEPT net loc tcp auth
REJECT net loc tcp www
#
@ -282,12 +286,12 @@ Although most of our internal systems use static NAT, my wife's system
ACCEPT tx fw icmp echo-request
ACCEPT tx loc icmp echo-request
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre><!--mstheme--><font face="arial, Arial, Helvetica">
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE</font></pre>
<p><font size="2">
Last updated 8/4/2002
Last updated 8/9/2002
- </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>


@ -5,10 +5,16 @@
<title>Shorewall Port Information</title>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica"><h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Ports required for Various Services/Applications<!--mstheme--></font></h1>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Ports required for Various Services/Applications</font></h1>
</td>
</tr>
</table>
<p>In addition to those applications described in <a href="Documentation.htm">the
/etc/shorewall/rules documentation</a>, here are some other
@ -95,6 +101,12 @@ services/applications that you may need to configure your firewall to accommodat
<p>Traceroute</p>
<blockquote>
<p>UDP ports 33434 through 33434+<i>&lt;max number of hops&gt;</i>-1</p>
</blockquote>
<p>NFS</p>
<blockquote>
<p>There's some good information at&nbsp;
<a href="http://nfs.sourceforge.net/nfs-howto/security.html">
http://nfs.sourceforge.net/nfs-howto/security.html</a></p>
</blockquote>
<p>Didn't find what you are looking for -- have you looked in your own
/etc/services file? </p>
@ -103,8 +115,8 @@ services/applications that you may need to configure your firewall to accommodat
<a href="http://www.networkice.com/advice/Exploits/Ports">
http://www.networkice.com/advice/Exploits/Ports</a></p>
<p><font size="2">Last updated 7/30/2002 - </font><font size="2">
<p><font size="2">Last updated 8/21/2002 - </font><font size="2">
<a href="support.htm">Tom
Eastep</a></font> </p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>


@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Quotes from Shorewall Users</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Quotes from Shorewall Users<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Quotes from Shorewall Users</font></h1>
</td>
</tr>
</table>
<p>&quot;I just installed Shorewall after weeks of messing with
@ -86,6 +91,6 @@ Guatamala<br>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,88 +6,93 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Samba</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Samba<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Samba</font></h1>
</td>
</tr>
</table>
<p>If you wish to run Samba on your firewall and access shares between the
firewall and local hosts, you need the following rules:</p>
<h4><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">/etc/shorewall/rules:<!--mstheme--></font></h4>
<h4>/etc/shorewall/rules:</h4>
<blockquote>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ACTION</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>
PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE<br>
PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>ORIGINAL<br>
DEST</b><!--mstheme--></font></td>
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">udp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">137:139<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">137,139<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>tcp</td>
<td>137,139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">udp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1024:<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">137<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>fw</td>
<td>loc</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">udp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">137:139<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>137:139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">137,139<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>137,139</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">udp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1024:<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">137<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>1024:</td>
<td>137</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p><font size="2">Last modified 5/29/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font></body></html>


@ -11,195 +11,151 @@
<base target="_self">
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<table border="0" cellpadding="0" cellspacing="4" style="border-collapse: collapse" width="100%" id="AutoNumber3" bgcolor="#4B017C">
<tr>
<td width="100%">
<h1 align="center"> <font size="4"><i>
<a href="http://www.cityofshoreline.com">
<img border="0" src="images/washington.jpg" align="right" width="100" height="82"><img border="0" src="images/washington.jpg" align="left" width="100" height="82"></a></i></font><font color="#FFFFFF">Shorewall 1.3 - <font size="4">&quot;<i>iptables made easy&quot;</i></font></font></h1>
</td>
</tr>
</table>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall 1.3 - <font size="4">&quot;<i>iptables made easy&quot;</i></font><a href="http://www.cityofshoreline.com"><img border="0" src="images/washington.jpg" width="100" height="82" align="right"></a><!--mstheme--></font></h1>
<div align="center">
<center>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber4">
<tr>
<td width="90%">
<p align="center"><b>Shorewall 1.2 Site is
<a target="_top" href="/1.2/index.htm">Here</a></b></p>
<p align="center">&nbsp;</p>
<h2 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">What is it?<!--mstheme--></font></h2>
<h2 align="Left">What is it?</h2>
<p>The Shoreline Firewall, more commonly known as &quot;Shorewall&quot;,&nbsp; is a
<a href="http://www.netfilter.org">Netfilter</a> (iptables)
based firewall that can be used on a dedicated firewall system, a
multi-function gateway/router/server or on a standalone GNU/Linux system.</p>
<a href="http://www.netfilter.org">Netfilter</a> (iptables) based firewall
that can be used on a dedicated firewall system, a multi-function
gateway/router/server or on a standalone GNU/Linux system.</p>
<p>This program is free software; you can redistribute it and/or modify
it under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version 2 of the GNU General Public License</a>
as published by the Free Software Foundation.<br>
<p>This program is free software; you can redistribute it and/or modify it
under the terms of <a href="http://www.gnu.org/licenses/gpl.html">Version
2 of the GNU General Public License</a> as published by the Free Software
Foundation.<br>
<br>
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
This program is distributed in the hope that it will be useful, but
WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.<br>
<br>
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
along with this program; if not, write to the Free Software Foundation,
Inc., 675 Mass Ave, Cambridge, MA 02139, USA</p>
<p><a href="copyright.htm">Copyright 2001, 2002 Thomas M. Eastep</a></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Want a Copy of this Site?<!--mstheme--></font></h2>
<p>The Shorewall .tgz and .rpm files contain a copy of this site --
<a href="download.htm">download Shorewall</a> and you get a copy of the
Shorewall portion of this site for the same low price (Free!).</p>
<p>&nbsp;<a href="http://leaf.sourceforge.net" target="_top"><img border="0" src="images/leaflogo.gif" width="49" height="36"></a>Jacques
Nilo and Eric Wolzak have a LEAF distribution called <i>Bering</i> that
features Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo">
http://leaf.sourceforge.net/devel/jnilo</a></p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">News<!--mstheme--></font></h2>
<h2>News</h2>
<p><b>8/7/2002 - Shorewall 1.3.6
<img border="0" src="images/new10.gif" width="28" height="12"></b></p>
<p><b>8/22/2002 - Shorewall 1.3.7 Released 8/13/2002
<img border="0" src="images/new10.gif" width="28" height="12"> </b></p>
<p>Features in this release include:</p>
<ul>
<li>The 'icmp.def' file is now empty! The rules in that file were
required in ipchains firewalls but are not required in Shorewall. Users
who have ALLOWRELATED=No in <a href="Documentation.htm#Conf">
shorewall.conf</a> should see the <a href="errata.htm#Upgrade">Upgrade
Issues</a>.</li>
<li>A 'FORWARDPING' option has been added to
<a href="Documentation.htm#Conf">shorewall.conf</a>. The effect of
setting this variable to Yes is the same as the effect of adding an
ACCEPT rule for ICMP echo-request in
<a href="shorewall_extension_scripts.htm">/etc/shorewall/icmpdef</a>.
Users who have such a rule in icmpdef are encouraged to switch to
FORWARDPING=Yes.</li>
<li>The loopback CLASS A Network (127.0.0.0/8) has been added to the
rfc1918 file.</li>
<li>Shorewall now works with iptables 1.2.7.</li>
<li>The documentation and Web site no longer use FrontPage themes.</li>
</ul>
<p>I would like to thank John Distler for his valuable input regarding TCP SYN
and ICMP treatment in Shorewall. That input has led to marked improvement in
Shorewall in the last two releases.</p>
<p><b>8/13/2002 - Documentation in the <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">
CVS Repository</a></b></p>
<p>The Shorewall-docs project now contains just the HTML and image files - the
Frontpage files have been removed.</p>
<p><b>8/7/2002 - <i>STABLE</i></b> <b>branch added to <a target="_top" href="http://www.shorewall.net/cgi-bin/cvs/cvsweb.cgi">
CVS Repository</a></b></p>
<p>This branch will only be updated after I release a new version of Shorewall
so you can always update from this branch to get the latest stable tree.</p>
<p><b>8/7/2002 - <a href="errata.htm#Upgrade">Upgrade Issues</a> section added
to the <a href="errata.htm">Errata Page</a></b></p>
<p>Now there is one place to go to look for issues involved with upgrading to
recent versions of Shorewall.</p>
<p><b>8/7/2002 - Shorewall 1.3.6</b></p>
<p>This is primarily a bug-fix rollup with a couple of new features:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides </a>
including the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall will now DROP TCP packets that are not part of or
related to an existing connection and that are not SYN packets. These &quot;New
not SYN&quot; packets may be optionally logged by setting the LOGNEWNOTSYN option
in <a href="Documentation.htm#Conf">/etc/shorewall/shorewall.conf</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The processing of &quot;New not SYN&quot; packets may be extended by command in the
new <a href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/30/2002 - Shorewall 1.3.5b Released</b></p>
<p>This interim release:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Causes the firewall script to remove the lock file if it is killed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Once again allows lists in the second column of the
<a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Includes the latest <a href="shorewall_quickstart_guide.htm">QuickStart
Guides</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/29/2002 - New Shorewall Setup Guide Available</b></p>
<p>The first draft of this guide is available at
<a href="http://www.shorewall.net/shorewall_setup_guide.htm">
http://www.shorewall.net/shorewall_setup_guide.htm</a>. The guide is intended
for use by people who are setting up Shorewall to manage multiple public IP
addresses and by people who want to learn more about Shorewall than is
described in the single-address guides. Feedback on the new guide is welcome.</p>
<p><b>7/28/2002 - Shorewall 1.3.5 Debian Package Available</b></p>
<p>Lorenzo Martignoni reports that the packages are version 1.3.5a and are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>7/27/2002 - Shorewall 1.3.5a Released</b></p>
<p>This interim release restores correct handling of REDIRECT rules. </p>
<p><b>7/26/2002 - Shorewall 1.3.5 Released</b></p>
<p>This will be the last Shorewall release for a while. I'm going to be
focusing on rewriting a lot of the documentation.</p>
<p><b>&nbsp;</b>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Empty and invalid source and destination qualifiers are now detected in
the rules file. It is a good idea to use the 'shorewall check' command before
you issue a 'shorewall restart' command be be sure that you don't have any
configuration problems that will prevent a successful restart.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Added <b>MERGE_HOSTS</b> variable in <a href="Documentation.htm#Conf">shorewall.conf</a> to provide saner behavior of
the <a href="Documentation.htm#Hosts">/etc/shorewall/hosts</a> file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The time that the counters were last reset is now displayed in the
heading of the 'status' and 'show' commands.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A <b>proxyarp </b>option has been added for entries in
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a>. This
option facilitates Proxy ARP sub-netting as described in the Proxy ARP
subnetting mini-HOWTO (<a href="http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/">http://www.tldp.org/HOWTO/mini/Proxy-ARP-Subnet/</a>).
Specifying the proxyarp option for an interface causes Shorewall to set
/proc/sys/net/ipv4/conf/&lt;interface&gt;/proxy_arp.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The Samples have been updated to reflect the new capabilities in this
release. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/16/2002 - New Mirror in Argentina</b></p>
<p>Thanks to Arturo &quot;Buanzo&quot; Busleiman, there is now a Shorewall
<a href="http://shorewall.correofuego.com.ar">mirror in Argentina</a>. Thanks Buanzo!!!</p>
<p><b>7/16/2002 - Shorewall 1.3.4 Released</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A new <a href="Documentation.htm#Routestopped">
/etc/shorewall/routestopped</a> file has been added. This file is intended to
eventually replace the <b>routestopped</b> option in the
/etc/shorewall/interface and /etc/shorewall/hosts files. This new file makes
remote firewall administration easier by allowing any IP or subnet to be
enabled while Shorewall is stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">An /etc/shorewall/stopped <a href="Documentation.htm#Scripts">extension
script</a> has been added. This script is invoked after Shorewall has
stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A <b>DETECT_DNAT_ADDRS </b>option has been added to
<a href="Documentation.htm#Conf">/etc/shoreall/shorewall.conf</a>. When this
option is selected, DNAT rules only apply when the destination address is the
external interface's primary IP address.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The <a href="shorewall_quickstart_guide.htm">QuickStart Guide</a> has
been broken into three guides and has been almost entirely rewritten.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The <a href="/pub/shorewall/LATEST.samples">Samples</a> have been updated
to reflect the new capabilities in this release.&nbsp; <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<p><b>7/8/2002 - Shorewall 1.3.3 Debian Package Available</b></p>
<p>Lorenzo Martignoni reports that the packages are available at <a href="http://security.dsi.unimi.it/~lorenzo/debian.html">http://security.dsi.unimi.it/~lorenzo/debian.html</a>.</p>
<p><b>7/6/2002 - Shorewall 1.3.3 Released</b></p>
<p>In this version:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Entries in /etc/shorewall/interface that use the wildcard character (&quot;+&quot;)
now have the &quot;multi&quot; option assumed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The 'rfc1918' chain in the mangle table has been renamed 'man1918' to
make log messages generated from that chain distinguishable from those
generated by the 'rfc1918' chain in the filter table.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Interface names appearing in the hosts file are now validated against the
interfaces file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The TARGET column in the rfc1918 file is now checked for correctness.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The chain structure in the nat table has been changed to reduce the
number of rules that a packet must traverse and to correct problems with
NAT_BEFORE_RULES=No.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The 'hits' command has been enhanced.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>The latest <a href="shorewall_quickstart_guide.htm">QuickStart Guides </a>
including the <a href="shorewall_setup_guide.htm">Shorewall Setup Guide.</a></li>
<li>Shorewall will now DROP TCP packets that are not part of or related to an
existing connection and that are not SYN packets. These &quot;New not SYN&quot; packets
may be optionally logged by setting the LOGNEWNOTSYN option in <a href="Documentation.htm#Conf">
/etc/shorewall/shorewall.conf</a>.</li>
<li>The processing of &quot;New not SYN&quot; packets may be extended by commands in
the new <a href="shorewall_extension_scripts.htm">newnotsyn extension script</a>.</li>
</ul>
<p><a href="News.htm">More News</a></p>
<p><a href="http://sourceforge.net" target="_top"><img src="http://sourceforge.net/sflogo.php?group_id=22587" alt="SourceForge Logo"></a>The
Shorewall Project uses facilities provided by SourceForge.</p>
<h2><a name="Donations"></a>Donations</h2>
<p><a href="http://leaf.sourceforge.net" target="_top">
<img border="0" src="images/leaflogo.gif" width="49" height="36"></a>
Jacques Nilo and Eric Wolzak have a LEAF distribution called <i>Bering</i>
that features Shorewall-1.3.3 and Kernel-2.4.18. You can find their work at:
<a href="http://leaf.sourceforge.net/devel/jnilo">http://leaf.sourceforge.net/devel/jnilo</a></p>
</td>
<td width="88" bgcolor="#4B017C" valign="top" align="center"><a href="http://sourceforge.net" target="_top">
<img src="http://sourceforge.net/sflogo.php?group_id=22587" alt="SourceForge Logo" border="0" hspace="14" vspace="5" align="center"></a></td>
</tr>
</table>
</center>
</div>
<table border="0" cellpadding="5" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber2" bgcolor="#4B017C">
<tr>
<td width="100%" style="margin-top: 1">
<p align="center"><a href="http://www.starlight.org">
<img border="4" src="images/newlog.gif" width="57" height="100" align="left" hspace="10"><img border="4" src="images/newlog.gif" width="57" height="100" align="right" hspace="10"></a></p>
<p align="center"><font size="4" color="#FFFFFF">Shorewall is free but if
you try it and find it useful, please consider making a donation to
<a href="http://www.starlight.org"><font color="#FFFFFF">Starlight Children's Foundation.</font></a> Thanks!</font></td>
</tr>
</table>
<p><font face="Century Gothic, Arial, Helvetica"><font size="2">Updated
7/29/2002 - <a href="support.htm">Tom Eastep</a>
<p><font size="2">Updated
8/22/2002 - <a href="support.htm">Tom Eastep</a>
</font>
</font>
</p>
<!--mstheme--></font></body>
</body>
</html>


@ -10,13 +10,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="Center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Tom Eastep<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Tom Eastep</font></h1>
</td>
</tr>
</table>
@ -32,21 +38,21 @@
by Ken Mazawa</font></p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Born 1945 in <a href="http://www.experiencewashington.com">Washington
<ul>
<li>Born 1945 in <a href="http://www.experiencewashington.com">Washington
State</a>
.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">BA Mathematics from <a href="http://www.wsu.edu">Washington State
.</li>
<li>BA Mathematics from <a href="http://www.wsu.edu">Washington State
University</a>
1967<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Married 1969 - no children.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
1967</li>
<li>MA Mathematics from <a href="http://www.washington.edu">University
of Washington</a> 1969</li>
<li>Burroughs Corporation (now <a href="http://www.unisys.com">Unisys</a>
) 1969 - 1980</li>
<li><a href="http://www.tandem.com">Tandem Computers, Incorporated</a>
(now part of the <a href="http://www.hp.com">The New HP</a>) 1980 - present</li>
<li>Married 1969 - no children.</li>
</ul>
<p>I am currently a member of the design team for the next-generation
operating system from the NonStop Enterprise Division of HP. </p>
@ -64,26 +70,25 @@ Washington</a>
<p>Our current home network consists of: </p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs
and LNE100TX (Tulip) NIC - My personal Windows system. This system also has
RH7.3 installed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">PII/266, RH7.3, 320MB RAM, 20GB HD, LNE100TX(Tulip) NIC - My personal
GNU/Linux System which runs Samba configured as a WINS server.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">K6-2/350, RH7.3, 256MB RAM, 8GB IDE HD, EEPRO100 NIC 
<ul>
<li>1.2Gz Athlon, Windows XP Pro, 320MB RAM, 40GB &amp; 8GB IDE HDs and LNE100TX
(Tulip) NIC - My personal Windows system.</li>
<li>Celeron 1.4Gz, RH7.3, 256MB RAM, 60GB HD, LNE100TX(Tulip) NIC - My
personal Linux System which runs Samba configured as a WINS server.</li>
<li>K6-2/350, RH7.3, 384MB RAM, 8GB IDE HD, EEPRO100 NIC 
- Mail (Postfix &amp; Courier-IMAP), HTTP (Apache), FTP (Pure_ftpd), DNS server
(Bind).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">PII/233, RH7.3 with 2.4.19 kernel, 128MB MB RAM, 2GB SCSI HD - 3
LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.4 and a DHCP
server.  Also runs PoPToP for road warrior access.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100
in expansion base - My main work system.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
(Bind).</li>
<li>PII/233, RH7.3 with 2.4.19 kernel, 256MB MB RAM, 2GB SCSI HD - 3
LNE100TX&nbsp; (Tulip) and 1 TLAN NICs&nbsp; - Firewall running Shorewall 1.3.6 and a DHCP
server.  Also runs PoPToP for road warrior access.</li>
<li>Duron 750, Win ME, 192MB RAM, 20GB HD, RTL8139 NIC - My wife's personal system.</li>
<li>PII/400 Laptop, Win2k SP2, 224MB RAM, 12GB HD, onboard EEPRO100 and EEPRO100
in expansion base - My main work system.</li>
</ul>
<p>For more about our network see <a href="myfiles.htm">my Shorewall
Configuration</a>.</p>
<p>The PII/266 is made by <a href="http://www.dell.com">Dell</a>. All of our
<p>All of our
other systems are made by <a href="http://www.compaq.com">Compaq</a> (part
of the new <a href="http://www.hp.com/">HP</a>).. All of our Tulip NICs are <a href="http://www.netgear.com">Netgear</a>
FA310TXs.</p>
@ -93,8 +98,8 @@ in expansion base - My main work system.<!--mstheme--></font><!--msthemelist--><
</font></p>
<p><font size="2">Last updated 8/4/2002 - </font><font size="2">
<p><font size="2">Last updated 8/16/2002 - </font><font size="2">
<a href="support.htm">Tom Eastep</a></font>
</p>
<font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>


@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Extension Scripts</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Extension Scripts<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Extension Scripts</font></h1>
</td>
</tr>
</table>
<p>
Extension scripts are user-provided
@ -19,17 +24,17 @@
stop and clear. The scripts are placed in /etc/shorewall and are processed
using the Bourne shell "source" mechanism. The following scripts can be
supplied:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">init -- invoked early in "shorewall start" and "shorewall restart"<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">start -- invoked after the firewall has been started or restarted.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">stop -- invoked as a first step when the firewall is being stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">stopped -- invoked after the firewall has been stopped.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">clear -- invoked after the firewall has been cleared.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">refresh -- invoked while the firewall is being refreshed but before the
common and/or blacklst chains have been rebuilt.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain
has been created but before any rules have been added to it.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>init -- invoked early in "shorewall start" and "shorewall restart"</li>
<li>start -- invoked after the firewall has been started or restarted.</li>
<li>stop -- invoked as a first step when the firewall is being stopped.</li>
<li>stopped -- invoked after the firewall has been stopped.</li>
<li>clear -- invoked after the firewall has been cleared.</li>
<li>refresh -- invoked while the firewall is being refreshed but before the
common and/or blacklst chains have been rebuilt.</li>
<li>newnotsyn (added in version 1.3.6) -- invoked after the 'newnotsyn' chain
has been created but before any rules have been added to it.</li>
</ul>
@ -41,20 +46,10 @@ been processed.</p>
<p>The following two files receive
special treatment:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/common -- If this file is present, the rules that it
<p>The /etc/shorewall/common file receives special treatment. If this file is present, the rules that it
defines will totally replace the default rules in the common chain. These
default rules are contained in the file /etc/shorewall/common.def which
may be used as a starting point for making your own customized file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/icmpdef -- If this file is present, the rules that it
defines will totally replace the default rules in the icmpdef chain.
These default rules are contained in the file /etc/shorewall/icmp.def
which may be used as a starting point for making your own customized
file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
may be used as a starting point for making your own customized file.</p>
@ -68,9 +63,8 @@ processing of the command.</p>
<p>
If you decide to create /etc/shorewall/common or /etc/shorewall/icmp.def, it
is a good idea to use the following technique (common file shown but the same
technique applies to icmpdef).</p>
If you decide to create /etc/shorewall/common it is a good idea to use the
following technique</p>
@ -80,29 +74,40 @@ processing of the command.</p>
<blockquote>
<!--mstheme--></font><pre>source /etc/shorewall/common.def
&lt;add your rules here&gt;</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre>. /etc/shorewall/common.def
&lt;add your rules here&gt;</pre>
</blockquote>
<p>If you need to supercede a rule in the released common.def file, you can add
the superceding rule before the 'source' command. Using this technique allows
the superceding rule before the '.' command. Using this technique allows
you to add new rules while still getting the benefit of the latest common.def
file.</p>
<p>Remember that /etc/shorewall/common and /etc/shorewall/icmpdef define rules
<p>Remember that /etc/shorewall/common defines rules
that are only applied if the applicable policy is DROP or REJECT. These rules
are NOT applied if the policy is ACCEPT or CONTINUE.<br>
</p>
are NOT applied if the policy is ACCEPT or CONTINUE.</p>
<p align="left"><font size="2">Last updated
8/5/2002 - <a href="support.htm">Tom
<p>If you set ALLOWRELATED=No in shorewall.conf, then most ICMP packets will be
rejected by the firewall. It is recommended with this setting that you create
the file /etc/shorewall/icmpdef and in it place the following commands:</p>
<pre> run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT
</pre>
<p align="left"><font size="2">Last updated
8/22/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,81 +6,86 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Features</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Features<!--mstheme--></font></h1>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Uses Netfilter's connection tracking facilities for stateful packet
filtering.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Completely customizable using configuration files.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">No limit on the number of network interfaces.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Allows you to partitions the network into <i><a href="Documentation.htm#Zones">zones</a></i>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Features</font></h1>
</td>
</tr>
</table>
<ul>
<li>Uses Netfilter's connection tracking facilities for stateful packet
filtering.</li>
<li>Can be used in a <b> wide range of router/firewall/gateway applications</b>.
<ul>
<li>Completely customizable using configuration files.</li>
<li>No limit on the number of network interfaces.</li>
<li>Allows you to partitions the network into <i><a href="Documentation.htm#Zones">zones</a></i>
and gives you complete control over the connections permitted between
each pair of zones.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Multiple interfaces per zone and multiple zones per interface
permitted.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Supports nested and overlapping zones.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to help
get your first firewall up and running quickly<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> </b>
included in the .tgz and .rpm downloads.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><b>Flexible address management/routing support</b> (and you can use all
each pair of zones.</li>
<li>Multiple interfaces per zone and multiple zones per interface
permitted.</li>
<li>Supports nested and overlapping zones.</li>
</ul>
</li>
<li> <a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> to help
get your first firewall up and running quickly</li>
<li>Extensive <b> <a href="Documentation_Index.htm" target="_top">documentation</a> </b>
included in the .tgz and .rpm downloads.</li>
<li><b>Flexible address management/routing support</b> (and you can use all
types in the same firewall):
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Masq">Masquerading/SNAT</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#NAT">
Static NAT</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#ProxyArp">
Proxy ARP</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Simple host/subnet Routing<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Starting"><b>Operational support</b></a>:
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Commands to start, stop and clear the firewall<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Supports status monitoring
with an audible alarm when an "interesting" packet is detected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Wide variety of informational commands.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><b>VPN Support</b>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP
Tunnels</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="PPTP.htm">PPTP </a> clients and Servers.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Wide support for different <b>GNU/Linux Distributions</b>.
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a href="http://security.dsi.unimi.it/~lorenzo/debian.html"><b>Debian</b></a>
packages available.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Includes <a href="Install.htm"><b>automated install, upgrade, fallback
<ul>
<li><a href="Documentation.htm#Masq">Masquerading/SNAT</a></li>
<li><a href="Documentation.htm#PortForward">Port Forwarding (DNAT)</a>.</li>
<li><a href="Documentation.htm#NAT">
Static NAT</a>.</li>
<li><a href="Documentation.htm#ProxyArp">
Proxy ARP</a>.</li>
<li>Simple host/subnet Routing</li>
</ul>
</li>
<li><a href="blacklisting_support.htm"><b>Blacklisting</b></a> of individual
IP addresses and subnetworks is supported.</li>
<li><a href="Documentation.htm#Starting"><b>Operational support</b></a>:
<ul>
<li>Commands to start, stop and clear the firewall</li>
<li>Supports status monitoring
with an audible alarm when an "interesting" packet is detected.</li>
<li>Wide variety of informational commands.</li>
</ul>
</li>
<li><b>VPN Support</b>
<ul>
<li><a href="Documentation.htm#Tunnels">IPSEC, GRE and IPIP
Tunnels</a>.</li>
<li><a href="PPTP.htm">PPTP </a> clients and Servers.</li>
</ul>
</li>
<li>Support for <a href="traffic_shaping.htm"><b>Traffic Control/Shaping</b></a>
integration.</li>
<li>Wide support for different <b>GNU/Linux Distributions</b>.
<ul>
<li><a href="Install.htm#Install_RPM"><b>RPM</b></a> and <a href="http://security.dsi.unimi.it/~lorenzo/debian.html"><b>Debian</b></a>
packages available.</li>
<li>Includes <a href="Install.htm"><b>automated install, upgrade, fallback
and uninstall facilities</b></a> for users who can't use or choose not
to use the RPM or Debian packages.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Compatible with 2.4-kernel based versions of <b> <a href="http://leaf.sourceforge.net">
to use the RPM or Debian packages.</li>
<li>Compatible with 2.4-kernel based versions of <b> <a href="http://leaf.sourceforge.net">
LEAF</a>
</b>
.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
.</li>
</ul>
</li>
</ul>
<p><font size="2">Last updated 7/14/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001,2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,14 +6,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall Firewall Structure</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Firewall Structure<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Firewall Structure</font></h1>
</td>
</tr>
</table>
<p>
Shorewall views the network in which it is running as a set of disjoint
Shorewall views the network in which it is running as a set of
<i> zones. </i>Shorewall itself defines exactly one zone called "fw"
which refers to the firewall system itself . The /etc/shorewall/zones file
is used to define additional zones and the example file provided with Shorewall
@ -36,6 +41,21 @@ from the internet and from the DMZ and in some cases, from each other.</li
with the exception of the firewall zone, Shorewall itself attaches no meaning to
zone names. Zone names are simply labels used to refer to a collection of
network hosts.</p>
<p>While zones are normally disjoint (no two zones have a host in common),
there are cases where nested or overlapping zone definitions are appropriate.</p>
<p>Packets entering the firewall first pass through the <i>mangle </i>table's
PREROUTING chain (you can see the mangle table by typing &quot;shorewall show
mangle&quot;). If the packet entered through an interface that has the <b>norfc1918</b>
option, then the packet is sent down the <b>man1918</b>&nbsp; which will drop
the packet if its destination IP address is reserved (as specified in the
/etc/shorewall/rfc1918 file). Next the packet passes through the<b> pretos</b>
chain to set its TOS field as specified in the /etc/shorewall/tos file.
Finally, if traffic control/shaping is being used, the packet is sent through
the<b> tcpre</b> chain to be marked for later use in policy routing or traffic
control.</p>
<p>Next, if the packet isn't part of an established connection, it passes
through the<i> nat</i> table's PREROUTING chain (you can see the nat table by
typing &quot;shorewall show nat&quot;). </p>
<p>
Traffic entering the
firewall is sent to an<i> input </i>chain. If the traffic is destined for the
@ -133,4 +153,4 @@ server, <font color="#ff6633"><b><u> adding a rule won't help</u></b></font>
(see point 3 above).</p>
<p><font size="2">Last modified 7/26/2002 - <a href="support.htm">Tom
Eastep</a></font><p><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font><!--mstheme--></font></body></html>
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></body></html>


@ -5,7 +5,6 @@
<title>Shoreline Firewall</title>
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011, default">
<meta name="Microsoft Border" content="none, default">
</head>
@ -16,9 +15,9 @@
<frame name="main" src="seattlefirewall_index.htm" target="_self">
</frameset>
<noframes>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<p>This page uses frames, but your browser doesn't support them.<!--mstheme--></font></body>
<p>This page uses frames, but your browser doesn't support them.</body>
</noframes>
</frameset>


@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mailing List Migration</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Mailing List Migration<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Mailing List Migration</font></h1>
</td>
</tr>
</table>
<p align="left">If you are a current subscriber to the Shorewall mailing list at
<a href="http://sourceforge.net">Sourceforge</a>, please do the following:</p>
<ol>
@ -32,6 +37,6 @@ Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Mirrors</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Mirrors<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Mirrors</font></h1>
</td>
</tr>
</table>
<p align="left"><b>Remember that updates to the mirrors are often delayed for
6-12 hours after an update to the primary site.</b></p>
@ -20,38 +25,38 @@
and is located in Washington State, USA.
It is mirrored at:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://slovakia.shorewall.net">
<ul>
<li><a target="_top" href="http://slovakia.shorewall.net">
http://slovakia.shorewall.net</a>
(Slovak Republic).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
(Slovak Republic).</li>
<li>
<a href="http://www.infohiiway.com/shorewall" target="_top">
http://shorewall.infohiiway.com</a>
(Texas, USA).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a> (Hamburg, Germany)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> (Martinez (Zona Norte - GBA), Argentina)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
(Texas, USA).</li>
<li><a target="_top" href="http://germany.shorewall.net">
http://germany.shorewall.net</a> (Hamburg, Germany)</li>
<li><a target="_top" href="http://shorewall.correofuego.com.ar">http://shorewall.correofuego.com.ar</a> (Martinez (Zona Norte - GBA), Argentina)</li>
</ul>
<p align="left">The main Shorewall FTP Site is <a href="ftp://ftp.shorewall.net/pub/shorewall/" target="_blank">ftp://ftp.shorewall.net/pub/shorewall/</a>
and is located in Washington State, USA.&nbsp;
It is mirrored at:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li><a target="_blank" href="ftp://slovakia.shorewall.net/mirror/shorewall/">ftp://slovakia.shorewall.net/mirror/shorewall</a>
(Slovak Republic).</li>
<li>
<a href="ftp://ftp.infohiiway.com/pub/mirrors/shorewall/" target="_blank">ftp://ftp.infohiiway.com/pub/shorewall</a>
(Texas, USA).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">
ftp://germany.shorewall.net/pub/shorewall</a> (Hamburg, Germany)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a> (Martinez (Zona Norte - GBA), Argentina)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
(Texas, USA).</li>
<li><a target="_blank" href="ftp://germany.shorewall.net/pub/shorewall">
ftp://germany.shorewall.net/pub/shorewall</a> (Hamburg, Germany)</li>
<li>
<a target="_blank" href="ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall">ftp://shorewall.correofuego.com.ar/pub/mirrors/shorewall</a> (Martinez (Zona Norte - GBA), Argentina)</li>
</ul>
<p align="left"><font size="2">Last Updated 7/16/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,46 +6,49 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Shorewall Prerequisites</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Requirements<!--mstheme--></font></h1>
<p align="center">&nbsp;</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.19. <a href="kernel.htm">
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Requirements</font></h1>
</td>
</tr>
</table>
<ul>
<li>A kernel that supports netfilter. I've tested with 2.4.2 - 2.4.19. <a href="kernel.htm">
Check here for kernel configuration information.</a>
If you are looking for a firewall for use with 2.2 kernels, <a href="http://www.shorewall.net/seawall">
see the Seattle Firewall site</a>
.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">iptables 1.2 or later but beware version 1.2.3 -- see the <a href="errata.htm">Errata</a>.
.</li>
<li>iptables 1.2 or later but beware version 1.2.3 -- see the <a href="errata.htm">Errata</a>.
<font color="#FF0000"><b>WARNING: </b></font>The buggy iptables version 1.2.3
is included in RedHat 7.2 and you should upgrade to iptables 1.2.4 prior to
installing Shorewall. Version 1.2.4 is available
<a href="http://www.redhat.com/support/errata/RHSA-2001-144.html">from RedHat</a>
and in the <a href="errata.htm">Shorewall Errata</a>. If you are going to be
running kernel 2.4.18 or later, NO currently-available RedHat iptables RPM
will work -- again, see the <a href="errata.htm">Shorewall Errata</a>. <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Some features require iproute ("ip" utility). The iproute package is
will work -- again, see the <a href="errata.htm">Shorewall Errata</a>. </li>
<li>Some features require iproute ("ip" utility). The iproute package is
included with most distributions but may not be installed by default. The
official download site is <font face="Century Gothic, Arial, Helvetica"><a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
ftp://ftp.inr.ac.ru/ip-routing</a>.
</font>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A Bourne shell or derivative such as bash or ash. Must have correct
official download site is <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
<font face="Century Gothic, Arial, Helvetica">f</font>tp://ftp.inr.ac.ru/ip-routing</a>.
</li>
<li>A Bourne shell or derivative such as bash or ash. Must have correct
support for variable expansion formats ${<i>variable</i>%<i>pattern</i>
}, ${<i>variable</i>%%<i>pattern</i>}, ${<i>variable</i>#<i>pattern</i>
} and ${<i>variable</i>##<i>pattern</i>}.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The firewall monitoring display is greatly improved if you have awk
(gawk) installed.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
} and ${<i>variable</i>##<i>pattern</i>}.</li>
<li>The firewall monitoring display is greatly improved if you have awk
(gawk) installed.</li>
</ul>
<p align="left"><font size="2">Last updated 8/4/2002 - <a href="support.htm">Tom
Eastep</a></font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,138 +6,145 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Shorewall QuickStart Guide</title>
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall QuickStart Guides<br>
Version 3.0<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall QuickStart Guides<br>
Version 3.0</font></h1>
</td>
</tr>
</table>
<p align="center">With thanks to Richard who reminded me once again that we must
all first walk before we can run.</p>
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">The Guides<!--mstheme--></font></h2>
<h2>The Guides</h2>
<p>These guides provide step-by-step instructions for configuring Shorewall in
common firewall setups.</p>
<p>The following guides are for firewalls with a single external IP address:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="standalone.htm">Standalone</a> Linux System<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="two-interface.htm">Two-interface</a> Linux System acting as a
firewall/router for a small local network<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="three-interface.htm">Three-interface</a> Linux System acting as a
firewall/router for a small local network and a DMZ.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li><a href="standalone.htm">Standalone</a> Linux System</li>
<li><a href="two-interface.htm">Two-interface</a> Linux System acting as a
firewall/router for a small local network</li>
<li><a href="three-interface.htm">Three-interface</a> Linux System acting as a
firewall/router for a small local network and a DMZ.</li>
</ul>
<p>The above guides are designed to get your first firewall up and running
quickly in the three most common Shorewall configurations.</p>
<p>The <a href="shorewall_setup_guide.htm">Shorewall Setup Guide</a> outlines
the steps necessary to set up a firewall where there are multiple public IP
addresses involved or if you want to learn more about Shorewall than is
explained in the single-address guides above.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets and Routing</a><!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a><!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a><!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul3.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul3.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul3.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul3.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="Documentation"></a>Additional Documentation<!--mstheme--></font></h2>
<ul>
<li><a href="shorewall_setup_guide.htm#Introduction">1.0 Introduction</a></li>
<li><a href="shorewall_setup_guide.htm#Concepts">2.0 Shorewall Concepts</a></li>
<li><a href="shorewall_setup_guide.htm#Interfaces">3.0 Network Interfaces</a></li>
<li><a href="shorewall_setup_guide.htm#Addressing">4.0 Addressing, Subnets and Routing</a><ul>
<li><a href="shorewall_setup_guide.htm#Addresses">4.1 IP Addresses</a></li>
<li><a href="shorewall_setup_guide.htm#Subnets">4.2 Subnets</a></li>
<li><a href="shorewall_setup_guide.htm#Routing">4.3 Routing</a></li>
<li><a href="shorewall_setup_guide.htm#ARP">4.4 Address Resolution Protocol</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#RFC1918">4.5 RFC 1918</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Options">5.0 Setting up your Network</a><ul>
<li><a href="shorewall_setup_guide.htm#Routed">5.1 Routed</a></li>
</ul>
<ul>
<li><a href="shorewall_setup_guide.htm#NonRouted">5.2 Non-routed</a><ul>
<li><a href="shorewall_setup_guide.htm#SNAT">5.2.1 SNAT</a></li>
<li><a href="shorewall_setup_guide.htm#DNAT">5.2.2 DNAT</a></li>
<li><a href="shorewall_setup_guide.htm#ProxyARP">5.2.3 Proxy ARP</a></li>
<li><a href="shorewall_setup_guide.htm#NAT">5.2.4 Static NAT</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#Rules">5.3 Rules</a></li>
<li><a href="shorewall_setup_guide.htm#OddsAndEnds">5.4 Odds and Ends</a></li>
</ul>
</li>
<li><a href="shorewall_setup_guide.htm#DNS">6.0 DNS</a></li>
<li><a href="shorewall_setup_guide.htm#StartingAndStopping">7.0 Starting and
Stopping the Firewall</a></li>
</ul>
<h2><a name="Documentation"></a>Additional Documentation</h2>
<p>The following documentation covers a variety of topics and supplements the
QuickStart Guides described above.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="blacklisting_support.htm">Blacklisting</a><!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Static Blacklisting using /etc/shorewall/blacklist<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Dynamic Blacklisting using /sbin/shorewall<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="configuration_file_basics.htm">Common configuration file features</a><!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Comments in configuration files<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Line Continuation<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Port Numbers/Service Names<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Port Ranges<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Using Shell Variables<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Complementing an IP address or Subnet<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Shorewall Configurations (making a test configuration)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Using MAC Addresses in Shorewall<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm">Configuration File Reference Manual</a><!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="Documentation.htm#Variables">params</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Common">common</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="traffic_shaping.htm#tcrules">tcrules</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#modules">modules</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#TOS">tos</a> <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Blacklist">blacklist</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#rfc1918">rfc1918</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="Documentation.htm#Routestopped">routestopped</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="dhcp.htm">DHCP</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="fallback.htm">Fallback/Uninstall</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="shorewall_firewall_structure.htm">Firewall Structure</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="myfiles.htm">My
Configuration Files</a> (How I personally use Shorewall)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="ports.htm">Port Information</a><!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Which applications use which ports<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Ports used by Trojans<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="ProxyARP.htm">Proxy ARP</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="samba.htm">Samba</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><font color="#000099"><a href="NAT.htm">Static NAT</a></font><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Tunnels<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="IPSEC.htm">IPSEC</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="IPIP.htm">GRE and IPIP</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul2.gif" width="12" height="12" hspace="15" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="PPTP.htm">PPTP</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="whitelisting_under_shorewall.htm">White List Creation</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<a href="shorewall_quickstart_guide.htm">QuickStart Guides</a> described above.</p>
<ul>
<li><a href="blacklisting_support.htm">Blacklisting</a><ul>
<li>Static Blacklisting using /etc/shorewall/blacklist</li>
<li>Dynamic Blacklisting using /sbin/shorewall</li>
</ul>
</li>
<li><a href="configuration_file_basics.htm">Common configuration file features</a><ul>
<li>Comments in configuration files</li>
<li>Line Continuation</li>
<li>Port Numbers/Service Names</li>
<li>Port Ranges</li>
<li>Using Shell Variables</li>
<li>Complementing an IP address or Subnet</li>
<li>Shorewall Configurations (making a test configuration)</li>
<li>Using MAC Addresses in Shorewall</li>
</ul>
</li>
<li><a href="Documentation.htm">Configuration File Reference Manual</a><ul>
<li>
<a href="Documentation.htm#Variables">params</a></li>
<li><font color="#000099"><a href="Documentation.htm#Zones">zones</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Interfaces">interfaces</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Hosts">hosts</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Policy">policy</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Rules">rules</a></font></li>
<li><a href="Documentation.htm#Common">common</a></li>
<li><font color="#000099"><a href="Documentation.htm#Masq">masq</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#ProxyArp">proxyarp</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#NAT">nat</a></font></li>
<li><font color="#000099"><a href="Documentation.htm#Tunnels">tunnels</a></font></li>
<li><a href="traffic_shaping.htm#tcrules">tcrules</a></li>
<li><font color="#000099"><a href="Documentation.htm#Conf">shorewall.conf</a></font></li>
<li><a href="Documentation.htm#modules">modules</a></li>
<li><a href="Documentation.htm#TOS">tos</a> </li>
<li><a href="Documentation.htm#Blacklist">blacklist</a></li>
<li><a href="Documentation.htm#rfc1918">rfc1918</a></li>
<li><a href="Documentation.htm#Routestopped">routestopped</a></li>
</ul>
</li>
<li><a href="dhcp.htm">DHCP</a></li>
<li><font color="#000099"><a href="shorewall_extension_scripts.htm">Extension Scripts</a></font>
(How to extend Shorewall without modifying Shorewall code)</li>
<li><a href="fallback.htm">Fallback/Uninstall</a></li>
<li><a href="shorewall_firewall_structure.htm">Firewall Structure</a></li>
<li><font color="#000099"><a href="kernel.htm">Kernel Configuration</a></font></li>
<li><a href="myfiles.htm">My
Configuration Files</a> (How I personally use Shorewall)</li>
<li><a href="ports.htm">Port Information</a><ul>
<li>Which applications use which ports</li>
<li>Ports used by Trojans</li>
</ul>
</li>
<li><a href="ProxyARP.htm">Proxy ARP</a></li>
<li><a href="samba.htm">Samba</a></li>
<li><font color="#000099"><a href="starting_and_stopping_shorewall.htm">Starting/stopping the Firewall</a></font></li>
<li><font color="#000099"><a href="NAT.htm">Static NAT</a></font></li>
<li><a href="traffic_shaping.htm">Traffic Shaping/Control</a></li>
<li>Tunnels<ul>
<li><a href="IPSEC.htm">IPSEC</a></li>
<li><a href="IPIP.htm">GRE and IPIP</a></li>
<li><a href="PPTP.htm">PPTP</a></li>
</ul>
</li>
<li><a href="whitelisting_under_shorewall.htm">White List Creation</a></li>
</ul>
<p>If you use one of these guides and have a suggestion for improvement
<a href="mailto:webmaster@shorewall.net">please let me know</a>.</p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<!--mstheme--></font></body>
</body>
</html>



@ -6,14 +6,21 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>SPAM Filters</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">SPAM Filters<br>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">SPAM Filters</font></h1>
</td>
</tr>
</table>
<h1 align="center"><br>
<a href="http://ordb.org">
<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a><!--mstheme--></font></h1>
<img border="0" src="images/but3.png" hspace="3" width="88" height="31"></a></h1>
<p>Like all of you, I'm concerned about the increasing volume of Unsolicited
Commercial Email (UCE or SPAM). I am therefore sympathetic with those of you who
are installing SPAM filters on your mail servers. A couple of recent incidents
@ -32,6 +39,6 @@ delivery (or you can reenable delivery yourself).</p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,32 +6,39 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Standalone Firewall</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Standalone Firewall<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber6" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h2 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Version 2.0.1<!--mstheme--></font></h2>
<h1 align="center"><font color="#FFFFFF">Standalone Firewall</font></h1>
</td>
</tr>
</table>
<h2 align="center">Version 2.0.1</h2>
<p align="left">Setting up Shorewall on a standalone Linux system is very easy if you understand the basics and follow the
documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall in one
of its
most common configurations:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Linux system<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Single external IP address<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>Linux system</li>
<li>Single external IP address</li>
<li>Connection through Cable Modem, DSL, ISDN, Frame Relay, dial-up...</li>
</ul>
<p>This guide assumes that you have the iproute/iproute2 package installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this
package is installed by the presence of an <b>ip</b> program on your firewall
system. As root, you can use the 'which' command to check for this program:</p>
<!--mstheme--></font><pre> [root@gateway root]# which ip
<pre> [root@gateway root]# which ip
/sbin/ip
[root@gateway root]#</pre><!--mstheme--><font face="arial, Arial, Helvetica"><p>I recommend that you read through the guide
[root@gateway root]#</pre><p>I recommend that you read through the guide
first to familiarize yourself with what's involved then go back through it again
making your configuration changes.&nbsp; Points at which configuration changes
are recommended are flagged with <img border="0" src="images/BD21298_.gif" width="13" height="13">.</p>
@ -41,13 +48,13 @@ Unix files if your editor supports that option or you must run them through
dos2unix before trying to use them. Similarly, if you copy a configuration file
from your Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
dos2unix</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Concepts<!--mstheme--></font></h2>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a href="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you only need to deal with a few of
these as described in this guide. After you have <a href="Install.htm">installed Shorewall</a>,
@ -61,28 +68,28 @@ configuration instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a set of
<i>zones.</i> In the one-interface sample configuration, only one zone is
defined:</p>
<!--mstheme--></font><table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber2">
<table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber2">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Name</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Description</b></u><!--mstheme--></font></td>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>net</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>The Internet</b><!--mstheme--></font></td>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
<p>Shorewall zones are defined in <a href="Documentation.htm#Zones">
/etc/shorewall/zones</a>.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw</b>.</p>
<p>Rules about what traffic to allow and what traffic to deny are expressed in
terms of zones.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first checked against the
/etc/shorewall/rules file. If no rule in that file matches the connection
request then the first policy in /etc/shorewall/policy that matches the
@ -93,40 +100,40 @@ file for you).</p>
<p>The /etc/shorewall/policy file included with the one-interface sample has the
following policies:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber3" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE ZONE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION ZONE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>POLICY</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>LOG LEVEL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>LIMIT:BURST</b></u><!--mstheme--></font></td>
<td><u><b>SOURCE ZONE</b></u></td>
<td><u><b>DESTINATION ZONE</b></u></td>
<td><u><b>POLICY</b></u></td>
<td><u><b>LOG LEVEL</b></u></td>
<td><u><b>LIMIT:BURST</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DROP<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">info<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>net</td>
<td>net</td>
<td>DROP</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">all<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">all<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">REJECT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">info<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<!--mstheme--></font><pre> fw net ACCEPT
<pre> fw net ACCEPT
net all DROP info
all all REJECT info</pre><!--mstheme--><font face="arial, Arial, Helvetica">
all all REJECT info</pre>
<p>The above policy will:</p>
<ol>
<li>allow all connection requests from the firewall to the internet</li>
@ -136,7 +143,7 @@ following policies:</p>
</ol>
<p>At this point, edit your /etc/shorewall/policy and make any changes that you
wish.</p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">External Interface<!--mstheme--></font></h2>
<h2 align="left">External Interface</h2>
<p align="left">The firewall has a single network interface. Where Internet
connectivity is through a cable or DSL &quot;Modem&quot;, the <i>External Interface</i>
will be the ethernet adapter (<b>eth0</b>) that is connected to that &quot;Modem&quot;&nbsp;
@ -150,24 +157,24 @@ the external interface is <b>eth0</b>.
If your configuration is different, you will have to modify the sample
/etc/shorewall/interfaces file accordingly. While you are there, you may wish to
review the list of options that are specified for the interface. Some hints:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, you can replace the
&quot;detect&quot; in the second column with &quot;-&quot;.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
&quot;detect&quot; in the second column with &quot;-&quot;.</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> or if you have a static IP
address, you can remove &quot;dhcp&quot; from the option list.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
address, you can remove &quot;dhcp&quot; from the option list.</li>
</ul>
<div align="left">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">IP Addresses<!--mstheme--></font></h2>
<h2 align="left">IP Addresses</h2>
</div>
<div align="left">
<p align="left">RFC 1918 reserves several <i>Private </i>IP address ranges for
use in private networks:</p>
<div align="left">
<!--mstheme--></font><pre> 10.0.0.0 - 10.255.255.255
<pre> 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</pre><!--mstheme--><font face="arial, Arial, Helvetica">
192.168.0.0 - 192.168.255.255</pre>
</div>
<p align="left">These addresses are sometimes referred to as <i>non-routable</i>
because the Internet backbone routers will not forward a packet whose
@ -179,32 +186,32 @@ use in private networks:</p>
interface and if it is one of the above ranges, you should remove the
'norfc1918' option from the entry in /etc/shorewall/interfaces.</div>
<div align="left">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Enabling other Connections<!--mstheme--></font></h2>
<h2 align="left">Enabling other Connections</h2>
</div>
<div align="left">
<p align="left">If you wish to enable connections from the internet to your firewall, the general format is:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;protocol&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;port&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
@ -212,35 +219,35 @@ use in private networks:</p>
system:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber5" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber5">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">80<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">110<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>110</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
@ -252,36 +259,36 @@ use in private networks:</p>
access to your firewall from the internet, use SSH:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">22<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
<!--mstheme--></font><pre> ACCEPT net fw tcp 22</pre><!--mstheme--><font face="arial, Arial, Helvetica">
<pre> ACCEPT net fw tcp 22</pre>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_3.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; At this point, edit
/etc/shorewall/rules to add other connections as desired.</div>
<div align="left">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting and Stopping Your Firewall<!--mstheme--></font></h2>
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<p align="left">The <a href="Install.htm">installation procedure </a>
@ -308,6 +315,6 @@ Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,14 +6,19 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Starting and Stopping Shorewall</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting/Stopping and Monitoring the Firewall<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Starting/Stopping and Monitoring the Firewall</font></h1>
</td>
</tr>
</table>
@ -46,71 +51,76 @@ from this default, you can use the "--level" option in chkconfig
You can manually start and stop Shoreline Firewall using the "shorewall"
shell program: </p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall start - starts the firewall<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall stop - stops the firewall<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall restart - stops the firewall (if it's running) and
then starts it again<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall reset - reset the packet and byte counters in the
firewall<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall clear - remove all rules and chains installed by
Shoreline Firewall<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall refresh - refresh the rules involving the broadcast addresses
of firewall interfaces and the black and white lists.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>shorewall start - starts the firewall</li>
<li>shorewall stop - stops the firewall</li>
<li>shorewall restart - stops the firewall (if it's running) and
then starts it again</li>
<li>shorewall reset - reset the packet and byte counters in the
firewall</li>
<li>shorewall clear - remove all rules and chains installed by
Shoreline Firewall</li>
<li>shorewall refresh - refresh the rules involving the broadcast addresses
of firewall interfaces and the black and white lists.</li>
</ul>
<p>
The "shorewall" program may also be used to monitor the firewall.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall show <i>chain</i> - produce a verbose report about <i>chain
</i>(iptables -L <i>chain</i> -n -v)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall show tos - produce a verbose report about the mangle table
(iptables -t mangle -L -n -v)<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall show log - display the last 20 packet log entries.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall show connections - displays the IP connections currently being
tracked by the firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall
<ul>
<li>shorewall status - produce a verbose report about the firewall
(iptables -L -n -v)</li>
<li>shorewall show <i>chain</i> - produce a verbose report about <i>chain
</i>(iptables -L <i>chain</i> -n -v)</li>
<li>shorewall show nat - produce a verbose report about the nat table
(iptables -t nat -L -n -v)</li>
<li>shorewall show tos - produce a verbose report about the mangle table
(iptables -t mangle -L -n -v)</li>
<li>shorewall show log - display the last 20 packet log entries.</li>
<li>shorewall show connections - displays the IP connections currently being
tracked by the firewall.</li>
<li>shorewall
show
tc
- displays information about the traffic control/shaping configuration.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall monitor [ delay ] - Continuously display the firewall
- displays information about the traffic control/shaping configuration.</li>
<li>shorewall monitor [ delay ] - Continuously display the firewall
status, last 20 log entries and nat. When the log entry display
changes, an audible alarm is sounded.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall hits - Produces several reports about the Shorewall packet log
messages in the current /var/log/messages file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall version - Displays the installed
version number.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall check - Performs a <u>cursory</u> validation
of the zones, interfaces, hosts, rules and policy files.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall try<i> configuration-directory</i> [<i> timeout</i> ] - Restart shorewall using the
changes, an audible alarm is sounded.</li>
<li>shorewall hits - Produces several reports about the Shorewall packet log
messages in the current /var/log/messages file.</li>
<li>shorewall version - Displays the installed
version number.</li>
<li>shorewall check - Performs a <u>cursory</u> validation
of the zones, interfaces, hosts, rules and policy files.
<font size="4" color="#FF6666"><b>The &quot;check&quot; command does not parse and
validate the generated iptables commands so even though the &quot;check&quot; command
completes successfully, the configuration may fail to start. See the
recommended way to make configuration changes described below. </b></font>
</li>
<li>shorewall try<i> configuration-directory</i> [<i> timeout</i> ] - Restart shorewall using the
specified configuration and if an error occurs or if the<i> timeout </i>
option is given and the new configuration has been up for that many seconds
then shorewall is restarted using the standard configuration.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall deny, shorewall reject, shorewall accept and shorewall save
implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall logwatch (added in version 1.3.2) - Monitors the
then shorewall is restarted using the standard configuration.</li>
<li>shorewall deny, shorewall reject, shorewall accept and shorewall save
implement <a href="blacklisting_support.htm">dynamic blacklisting</a>.</li>
<li>shorewall logwatch (added in version 1.3.2) - Monitors the
<a href="#Conf">LOGFILE </a>and produces an audible alarm when new Shorewall
messages are logged.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
messages are logged.</li>
</ul>
<p>
The <b>shorewall start </b>and
<b>
shorewall restart</b> commands allow you to specify which <a href="#Configs">
The <b>shorewall start</b>, <b>shorewall restart, shorewall check </b>&nbsp;and
<b>shorewall try </b>commands allow you to specify which <a href="#Configs">
Shorewall configuration</a>
to use:</p>
<blockquote>
<p>
shorewall [ -c <i>configuration-directory</i> ] {start|restart}</p>
shorewall [ -c <i>configuration-directory</i> ] {start|restart|check}<br>
shorewall try <i>configuration-directory</i></p>
</blockquote>
<p>
@ -121,8 +131,43 @@ Shoreline Firewall<!--mstheme--></font><!--msthemelist--></td></tr>
<p>
When changing the configuration of a production firewall, I recommend the
following:</p>
<ul>
<li>mkdir /etc/test</li>
<li>cd /etc/test</li>
<li>&lt;copy any files that you need to change from /etc/shorewall to . and change them here&gt;</li>
<li>shorewall -c . check</li>
<li>&lt;correct any errors found by check and check again&gt;</li>
<li>/sbin/shorewall try .</li>
</ul>
<p>
If the configuration starts but doesn't work, just &quot;shorewall restart&quot; to
restore the old configuration. If the new configuration fails to start, the
&quot;try&quot; command will automatically start the old one for you.</p>
<p>
When the new configuration works then just </p>
<ul>
<li>cp * /etc/shorewall</li>
<li>cd</li>
<li>rm -rf /etc/test</li>
</ul>
<p><font size="2">
Updated 7/26/2002 - <a href="support.htm">Tom
Updated 8/8/2002 - <a href="support.htm">Tom
Eastep</a>
</font></p>
@ -133,6 +178,6 @@ Eastep</a>
<!--mstheme--></font></body>
</body>
</html>
</html>


@ -6,12 +6,17 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Subnet Masks</title>
<meta name="Microsoft Theme" content="radial 011, default">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Subnet Masks/VLSM Notation<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Subnet Masks/VLSM Notation</font></h1>
</td>
</tr>
</table>
<p align="left">IP addresses and subnet masks are 32-bit numbers. The notation
w.x.y.z refers to an address where the high-order byte has value &quot;w&quot;, the next
byte has value &quot;x&quot;, etc. If we take 255.255.255.0 and express it in
@ -68,6 +73,6 @@ thing of the past.</p>
Eastep</a></font></p>
<p><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,34 +6,40 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Support</title>
<meta name="Microsoft Theme" content="radial 011">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Support<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Support</font></h1>
</td>
</tr>
</table>
<h3 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Before Reporting a Problem<!--mstheme--></font></h3>
<h3 align="left">Before Reporting a Problem</h3>
<blockquote>
<h3 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"> <span style="font-weight: 400"><i>
<h3 align="left"> <span style="font-weight: 400"><i>
&quot;It is easier to post a problem than to use your own brain&quot; -- </i>
<font size="2">Weitse Venema (creator of Postfix)</font></span><!--mstheme--></font></h3>
<font size="2">Weitse Venema (creator of Postfix)</font></span></h3>
</blockquote>
<p>There are a number of sources for problem solution information.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The <a href="troubleshoot.htm">Troubleshooting</a> Information contains a
number of tips to help you solve common problems.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The <a href="errata.htm"> Errata</a> has links to download updated
components.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The <a href="FAQ.htm">FAQ</a> has solutions to common problems.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The Mailing List Archives are a useful source of problem solving
information.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>The <a href="troubleshoot.htm">Troubleshooting</a> Information contains a
number of tips to help you solve common problems.</li>
<li>The <a href="errata.htm"> Errata</a> has links to download updated
components.</li>
<li>The <a href="FAQ.htm">FAQ</a> has solutions to common problems.</li>
<li>The Mailing List Archives are a useful source of problem solving
information.</li>
</ul>
<blockquote>
<p>The archives from the mailing List are at <a href="http://www.shorewall.net/pipermail/shorewall-users">http://www.shorewall.net/pipermail/shorewall-users</a>.</p>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Search the Mailing List Archives at Shorewall.net<!--mstheme--></font></h3>
<h3>Search the Mailing List Archives at Shorewall.net</h3>
<form method="POST" action="http://www.shorewall.net/cgi-bin/htsearch">
<p>
@ -67,52 +73,55 @@ Search:
</blockquote>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Problem Reporting Guidelines<!--mstheme--></font></h3>
<h3 align="Left">Problem Reporting Guidelines</h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">When reporting a problem, give as much information as you can. Reports
that say "I tried XYZ and it didn't work&quot; are not at all helpful.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Please don't describe your environment and then ask us to send you
<ul>
<li>When reporting a problem, give as much information as you can. Reports
that say "I tried XYZ and it didn't work&quot; are not at all helpful.</li>
<li>Please don't describe your environment and then ask us to send you
custom configuration files. We're here to answer your questions but we
can't do your job for you.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Do you see any "Shorewall" messages in /var/log/messages when you exercise
the function that is giving you problems?<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Have you looked at the packet flow with a tool like tcpdump to try to
understand what is going on?<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Have you tried using the diagnostic capabilities of the application that
can't do your job for you.</li>
<li>Do you see any "Shorewall" messages in /var/log/messages when you exercise
the function that is giving you problems?</li>
<li>Have you looked at the packet flow with a tool like tcpdump to try to
understand what is going on?</li>
<li>Have you tried using the diagnostic capabilities of the application that
isn't working? For example, if "ssh" isn't able to connect, using the
"-v" option gives you a lot of valuable diagnostic information.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Please include any of the Shorewall configuration files (especially the
"-v" option gives you a lot of valuable diagnostic information.</li>
<li>Please include any of the Shorewall configuration files (especially the
/etc/shorewall/hosts file if you have modified that file) that you think are
relevant. If an error occurs when you try to &quot;shorewall start&quot;, include a
trace (See the <a href="troubleshoot.htm">Troubleshooting</a> section for
instructions).<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The list server limits posts to 120kb so don't post GIFs of your
network layout, etc to the Mailing List -- your post will be rejected.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Where to Send your Problem
Report or to Ask for Help<!--mstheme--></font></h3>
<p>Please post your question or problem to the
instructions).</li>
<li>The list server limits posts to 120kb so don't post GIFs of your
network layout, etc to the Mailing List -- your post will be rejected.</li>
</ul>
<h3>Where to Send your Problem
Report or to Ask for Help</h3>
<h4>If you run Shorewall under Bering -- <span style="font-weight: 400">please
post your question or problem to the
<a href="mailto:leaf-user@lists.sourceforge.net">LEAF Users mailing list</a>.</span></h4>
<p>Otherwise, please post your question or problem to the
<a href="mailto:shorewall-users@shorewall.net">Shorewall users mailing list</a>;
there are lots of folks there who are willing to help you. Your question/problem
description and their responses will be placed in the mailing list archives to
help people who have a similar question or problem in the future.</p>
<blockquote>
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><span style="font-weight: 400"><i>&quot;It irks me when people believe that free software
<h3><span style="font-weight: 400"><i>&quot;It irks me when people believe that free software
comes at no cost. The cost is incredibly high.&quot;</i> - <font size="2">
Weitse Venema</font></span><!--mstheme--></font></h3>
Weitse Venema</font></span></h3>
</blockquote>
<p>I do not answer questions or work on problems sent to me personally but I try
to respond promptly to mailing list posts.&nbsp;&nbsp; <a href="mailto:teastep@shorewall.net">-Tom</a></p>
<p>To Subscribe to the mailing list go to <a href="http://www.shorewall.net/mailman/listinfo/shorewall-users">http://www.shorewall.net/mailman/listinfo/shorewall-users</a>
.</p>
<p align="left"><font size="2">Last Updated 8/5/2002 - Tom
<p align="left"><font size="2">Last Updated 8/17/2002 - Tom
Eastep</font></p>
<p align="left"><font face="Trebuchet MS"><a href="copyright.htm">
<font size="2">Copyright</font> © <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>



@ -6,12 +6,17 @@
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Traffic Shaping</title>
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Traffic Shaping/Control<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Traffic Shaping/Control</font></h1>
</td>
</tr>
</table>
<p align="left">Beginning with version 1.2.0, Shorewall has limited support for traffic
shaping/control. In order to use traffic shaping under Shorewall, it is
essential that you get a copy of the <a href="http://ds9a.nl/lartc">Linux Advanced Routing
@ -21,15 +26,15 @@ utilities.</p>
<p align="left">Shorewall traffic shaping support consists of the following:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
<ul>
<li>A new TC_ENABLED parameter in /etc/shorewall.conf. Traffic
Shaping also requires that you enable packet mangling.<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tcrules - A file where you can specify
</li>
<li>/etc/shorewall/tcrules - A file where you can specify
firewall marking of packets. The firewall mark value may be used to classify
packets for traffic shaping/control.<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tcstart - A user-supplied file that is
</li>
<li>/etc/shorewall/tcstart - A user-supplied file that is
sourced by Shorewall during &quot;shorewall start&quot; and which you can
use to define your traffic shaping disciplines and classes. I have provided
a <a href="ftp://ftp.shorewall.net/pub/shorewall/cbq">sample</a> that does
@ -44,24 +49,24 @@ utilities.</p>
<br>
In tcstart, when you want to run the 'tc' utility, use the run_tc function
supplied by shorewall. <br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">/etc/shorewall/tcclear - A user-supplied file that is
</li>
<li>/etc/shorewall/tcclear - A user-supplied file that is
sourced by Shorewall when it is clearing traffic shaping. This file is
normally not required as Shorewall's method of clearing qdisc and filter
definitions is pretty general.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666"><a name="tcrules"></a>/etc/shorewall/tcrules<!--mstheme--></font></h3>
definitions is pretty general.</li>
</ul>
<h3 align="left"><a name="tcrules"></a>/etc/shorewall/tcrules</h3>
<p align="left">The fwmark classifier provides a convenient way to classify
packets for traffic shaping. The /etc/shorewall/tcrules file provides a means
for specifying these marks in a tabular fashion.</p>
<p align="left">Columns in the file are as follows:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">MARK - Specifies the mark value is to be assigned in case of
<ul>
<li>MARK - Specifies the mark value is to be assigned in case of
a match. This is an integer in the range 1-255.<br>
<br>
Example - 5<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">SOURCE - The source of the packet. If the packet originates
</li>
<li>SOURCE - The source of the packet. If the packet originates
on the firewall, place &quot;fw&quot; in this column. Otherwise, this is a
comma-separated list of interface names, IP addresses, MAC addresses in
<a href="Documentation.htm#MAC">Shorewall Format</a> and/or Subnets.<br>
@ -69,110 +74,110 @@ for specifying these marks in a tabular fashion.</p>
Examples<br>
&nbsp;&nbsp;&nbsp; eth0<br>
&nbsp;&nbsp;&nbsp; 192.168.2.4,192.168.1.0/24<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">DEST -- Destination of the packet. Comma-separated list of
</li>
<li>DEST -- Destination of the packet. Comma-separated list of
IP addresses and/or subnets.<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">PROTO - Protocol - Must be the name of a protocol from
</li>
<li>PROTO - Protocol - Must be the name of a protocol from
/etc/protocol, a number or &quot;all&quot;<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">PORT(S) - Destination Ports. A comma-separated list of Port
</li>
<li>PORT(S) - Destination Ports. A comma-separated list of Port
names (from /etc/services), port numbers or port ranges (e.g., 21:22); if
the protocol is &quot;icmp&quot;, this column is interpreted as the
destination icmp type(s).<br>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">CLIENT PORT(S) - (Optional) Port(s) used by the client. If
</li>
<li>CLIENT PORT(S) - (Optional) Port(s) used by the client. If
omitted, any source port is acceptable. Specified as a comma-separate list
of port names, port numbers or port ranges.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
of port names, port numbers or port ranges.</li>
</ul>
<p align="left">Example 1 - All packets arriving on eth1 should be marked with
1. All packets arriving on eth2 should be marked with 2. All packets originating
on the firewall itself should be marked with 3.</p>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>MARK</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>CLIENT PORT(S)</b><!--mstheme--></font></td>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth1<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">0.0.0.0/0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">all<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>1</td>
<td>eth1</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">eth2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">0.0.0.0/0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">all<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>2</td>
<td>eth2</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">3<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">0.0.0.0/0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">all<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>3</td>
<td>fw</td>
<td>0.0.0.0/0</td>
<td>all</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
<p align="left">Example 2 - All GRE (protocol 47) packets not originating on the
firewall and destined for 155.186.235.151 should be marked with 12.</p>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>MARK</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>CLIENT PORT(S)</b><!--mstheme--></font></td>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">12<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">0.0.0.0/0<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">155.186.235.151<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">47<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>12</td>
<td>0.0.0.0/0</td>
<td>155.186.235.151</td>
<td>47</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
<p align="left">Example 3 - All SSH packets originating in 192.168.1.0/24 and
destined for 155.186.235.151 should be marked with 22.</p>
<!--mstheme--></font><table border="2" cellpadding="2" style="border-collapse: collapse" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="2" cellpadding="2" style="border-collapse: collapse">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>MARK</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>SOURCE</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>DEST</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>PROTO</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>PORT(S)</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>CLIENT PORT(S)</b><!--mstheme--></font></td>
<td><b>MARK</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>PROTO</b></td>
<td><b>PORT(S)</b></td>
<td><b>CLIENT PORT(S)</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">22<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">192.168.1.0/24<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">155.186.235.151<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">22<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>22</td>
<td>192.168.1.0/24</td>
<td>155.186.235.151</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Hierarchical Token Bucket<!--mstheme--></font></h3>
</table>
<h3>Hierarchical Token Bucket</h3>
<p>I personally use HTB. I have found a couple of things that may be of
use to others.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The gzipped tc binary at the <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB
<ul>
<li>The gzipped tc binary at the <a href="http://luxik.cdi.cz/~devik/qos/htb/">HTB
website</a> didn't work for me -- I had to download the lastest version of
the <a href="ftp://ftp.inr.ac.ru/ip-routing">iproute2 sources</a> and patch
them for HTB.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">The HTB example in the HOWTO seems to be full of errors. I'm currently
running with this set of shaping rules in my tcstart file so I know that it works.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
them for HTB.</li>
<li>The HTB example in the HOWTO seems to be full of errors. I'm currently
running with this set of shaping rules in my tcstart file so I know that it works.</li>
</ul>
<blockquote>
<p><font face="Courier" size="2">run_tc qdisc add dev eth0 root handle 1: htb default 30<br>
<br>
@ -201,6 +206,6 @@ Eastep</a></font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -10,57 +10,62 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta name="Microsoft Theme" content="radial 011">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
</head>
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Troubleshooting<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Shorewall Troubleshooting</font></h1>
</td>
</tr>
</table>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Check the Errata<!--mstheme--></font></h3>
<h3 align="Left">Check the Errata</h3>
<p align="Left">Check the <a href="errata.htm">Shorewall Errata</a>
to be sure that there isn't an update that you are missing for your version
of the firewall.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Check the FAQs<!--mstheme--></font></h3>
<h3 align="Left">Check the FAQs</h3>
<p align="Left">Check the <a href="FAQ.htm">FAQs</a> for solutions to common problems.</p>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">If the firewall fails to start<!--mstheme--></font></h3>
<h3 align="Left">If the firewall fails to start</h3>
If you
receive an error message when starting or restarting the firewall and you
can't determine the cause, then do the following:
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">shorewall debug start 2&gt; /tmp/trace<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Look at the /tmp/trace file and see if that helps you determine what
the problem is.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Your test environment<!--mstheme--></font></h3>
<ul>
<li>shorewall debug start 2&gt; /tmp/trace</li>
<li>Look at the /tmp/trace file and see if that helps you determine what
the problem is.</li>
<li>If you still can't determine what's wrong then see the
<a href="support.htm">support page</a>.</li>
</ul>
<h3>Your test environment</h3>
<p>Many times when people have problems with Shorewall, the problem is
actually an ill-conceived test setup. Here are several popular snafus: </p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Port
<ul>
<li>Port
Forwarding where client and server are in the same subnet. See <a href="FAQ.htm">FAQ
2.</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Changing the IP address of a local system to be in the external subnet,
2.</a></li>
<li>Changing the IP address of a local system to be in the external subnet,
thinking that Shorewall will suddenly believe that the system is in the
'net' zone.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Multiple interfaces connected to the same HUB or Switch. Given the way
'net' zone.</li>
<li>Multiple interfaces connected to the same HUB or Switch. Given the way
that the Linux kernel respond to ARP &quot;who-has&quot; requests, this type of setup
does NOT work the way that you expect it to.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
does NOT work the way that you expect it to.</li>
</ul>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">If you are having
connection problems:<!--mstheme--></font></h3>
<h3 align="Left">If you are having
connection problems:</h3>
<p align="Left">If the appropriate policy for the connection that you
are trying to make is ACCEPT, please DO NOT ADD ADDITIONAL ACCEPT RULES TRYING
@ -100,16 +105,16 @@ ID=5805 DF PROTO=UDP SPT=1803 DPT=53 LEN=47</font></p>
<p align="Left">Let's look at the important parts of this message:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">all2all:REJECT - the packet was rejected under the "all"-&gt;"all" REJECT
policy<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">IN=eth2 - the packet entered the firewall via eth2<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">OUT=eth1 - if accepted, the packet would be sent on eth1<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">SRC=192.168.2.2 - the packet was sent by 192.168.2.2<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">DST=192.168.1.3 - the packet is destined for 192.168.1.3<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">PROTO=UDP - UDP Protocol<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">DPT=53 - DNS<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>all2all:REJECT - the packet was rejected under the "all"-&gt;"all" REJECT
policy</li>
<li>IN=eth2 - the packet entered the firewall via eth2</li>
<li>OUT=eth1 - if accepted, the packet would be sent on eth1</li>
<li>SRC=192.168.2.2 - the packet was sent by 192.168.2.2</li>
<li>DST=192.168.1.3 - the packet is destined for 192.168.1.3</li>
<li>PROTO=UDP - UDP Protocol</li>
<li>DPT=53 - DNS</li>
</ul>
<p align="Left">In this case, 192.168.2.2 was in the "dmz" zone and
192.168.1.3 is in the "loc" zone. I was missing the rule:</p>
@ -118,10 +123,10 @@ policy<!--mstheme--></font><!--msthemelist--></td></tr>
<h3 align="Left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Other Gotchas<!--mstheme--></font></h3>
<h3 align="Left">Other Gotchas</h3>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping")
<ul>
<li>Remember that Shorewall doesn't automatically allow ICMP type 8 ("ping")
requests to be sent between zones. If you want pings to be allowed between
zones, you need a rule of the form:<br>
<br>
@ -136,40 +141,40 @@ icmp
and you ping 130.252.100.18, unless you have allowed icmp type 8 between
the zone containing the system you are pinging from and the zone containing
10.1.1.2, the ping requests will be dropped. This is true even if you
have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you specify "routefilter" for an interface, that interface must be
up prior to starting the firewall.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Is your routing correct? For example, internal systems usually need to
have NOT specified 'noping' for eth0 in /etc/shorewall/interfaces.</li>
<li>If you specify "routefilter" for an interface, that interface must be
up prior to starting the firewall.</li>
<li>Is your routing correct? For example, internal systems usually need to
be configured with their default gateway set to the IP address of their
nearest firewall interface. One often overlooked aspect of routing is that
in order for two hosts to communicate, the routing between them must be set
up <u>in both directions.</u> So when setting up routing between <b>A</b>
and<b> B</b>, be sure to verify that the route from <b>B</b> back to <b>A</b>
is defined.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Some versions of LRP (EigerStein2Beta for example) have a shell with
is defined.</li>
<li>Some versions of LRP (EigerStein2Beta for example) have a shell with
broken variable expansion. <a href="ftp://ftp.shorewall.net/pub/shorewall/ash.gz">
You can get a corrected shell from the Shorewall Errata download site.</a>
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Do you have your kernel properly configured? <a href="kernel.htm">Click
here to see my kernel configuration.</a> <!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Some features require the "ip" program. That program is generally included
</li>
<li>Do you have your kernel properly configured? <a href="kernel.htm">Click
here to see my kernel configuration.</a> </li>
<li>Some features require the "ip" program. That program is generally included
in the "iproute" package which should be included with your distribution
(though many distributions don't install iproute by default). You
may also download the latest source tarball from <a href="ftp://ftp.inr.ac.ru/ip-routing" target="_blank">
ftp://ftp.inr.ac.ru/ip-routing</a>
.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">If you have <u>any</u> entry for a zone in /etc/shorewall/hosts then the
.</li>
<li>If you have <u>any</u> entry for a zone in /etc/shorewall/hosts then the
zone must be entirely defined in /etc/shorewall/hosts unless you have
specified MERGE_HOSTS=Yes (Shorewall version 1.3.5 and later). For example, if
a zone has two interfaces but only one interface has an entry in /etc/shorewall/hosts
then hosts attached to the other interface will <u>not</u> be considered
part of the zone.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Problems with NAT? Be sure that you let Shorewall add all external addresses
part of the zone.</li>
<li>Problems with NAT? Be sure that you let Shorewall add all external addresses
to be use with NAT unless you have set <a href="Documentation.htm#Aliases">
ADD_IP_ALIASES</a>
=No in /etc/shorewall/shorewall.conf.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h3><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Still Having Problems?<!--mstheme--></font></h3>
=No in /etc/shorewall/shorewall.conf.</li>
</ul>
<h3>Still Having Problems?</h3>
<p>See the<a href="support.htm"> support page.</a></p>
<font face="Century Gothic, Arial, Helvetica">
@ -185,5 +190,5 @@ Tom Eastep</font>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2001, 2002 Thomas M. Eastep.</font></a></font></p>
<!--mstheme--></font></body>
</body>
</html>


@ -6,33 +6,40 @@
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Two-Interface Firewall</title>
<meta name="Microsoft Theme" content="radial 011, default">
<meta name="Microsoft Theme" content="none">
</head>
<body background="_themes/radial/radbkgnd.gif" bgcolor="#FFFFFF" text="#000000" link="#6666FF" vlink="#993333" alink="#66CCCC"><!--mstheme--><font face="arial, Arial, Helvetica">
<body>
<h1 align="center"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Basic Two-Interface Firewall<!--mstheme--></font></h1>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" width="100%" id="AutoNumber5" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Basic Two-Interface Firewall</font></h1>
</td>
</tr>
</table>
<p align="left">Setting up a Linux system as a firewall for a small network is a
fairly straight-forward task if you understand the basics and follow the
documentation.</p>
<p>This guide doesn't attempt to acquaint you with all of the features of
Shorewall. It rather focuses on what is required to configure Shorewall in its
most common configuration:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Linux system used as a firewall/router for a small local network.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Single external IP address.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Internet connection through cable modem, DSL, ISDN, Frame Relay, dial-up
...<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>Linux system used as a firewall/router for a small local network.</li>
<li>Single external IP address.</li>
<li>Internet connection through cable modem, DSL, ISDN, Frame Relay, dial-up
...</li>
</ul>
<p align="left">Here is a schematic of a typical installation.</p>
<p align="center"><img border="0" src="images/basics.jpg" width="592" height="394"></p>
<p align="center">
<img border="0" src="images/basics.png" width="444" height="635"></p>
<p>This guide assumes that you have the iproute/iproute2 package installed (on
RedHat, the package is called <i>iproute</i>)<i>. </i>You can tell if this
package is installed by the presence of an <b>ip</b> program on your firewall
system. As root, you can use the 'which' command to check for this program:</p>
<!--mstheme--></font><pre> [root@gateway root]# which ip
<pre> [root@gateway root]# which ip
/sbin/ip
[root@gateway root]#</pre><!--mstheme--><font face="arial, Arial, Helvetica"><p>I recommend that you first read through the
[root@gateway root]#</pre><p>I recommend that you first read through the
guide to familiarize yourself with what's involved then go back through it again
making your configuration changes. Points at which configuration changes are
recommended are flagged with <img border="0" src="images/BD21298_.gif" width="13" height="13">.</p>
@ -42,50 +49,49 @@ Unix files if your editor supports that option or you must run them through
dos2unix before trying to use them. Similarly, if you copy a configuration file
from your Windows hard drive to a floppy disk, you must run dos2unix against the
copy before using it with Shorewall.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica"><a href="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
dos2unix</a><!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Shorewall Concepts<!--mstheme--></font></h2>
<ul>
<li><a href="http://www.simtel.net/pub/pd/51438.html">Windows Version of
dos2unix</a></li>
<li><a href="http://www.megaloman.com/~hany/software/hd2u/">Linux Version of
dos2unix</a></li>
</ul>
<h2 align="left">Shorewall Concepts</h2>
<p>The configuration files for Shorewall are contained in the directory
/etc/shorewall -- for simple setups, you will only need to deal with a few of
these as described in this guide. After you have <a href="Install.htm">installed Shorewall</a>,
download the <a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">
two-interface sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
download the <a href="/pub/shorewall/LATEST.samples/two-interfaces.tgz">two-interface sample</a>, un-tar it (tar -zxvf two-interfaces.tgz) and and copy the files to /etc/shorewall
(these files will replace files with the same name).</p>
<p>As each file is introduced, I suggest that you
look through the actual file on your system -- each file contains detailed
configuration instructions and default entries.</p>
<p>Shorewall views the network where it is running as being composed of a set of
<i>zones.</i> In the two-interface sample configuration, the following zone names are used:</p>
<!--mstheme--></font><table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber2">
<table border="0" style="border-collapse: collapse" cellpadding="3" cellspacing="0" id="AutoNumber2">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Name</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Description</b></u><!--mstheme--></font></td>
<td><u><b>Name</b></u></td>
<td><u><b>Description</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>net</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>The Internet</b><!--mstheme--></font></td>
<td><b>net</b></td>
<td><b>The Internet</b></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>loc</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Your Local Network</b><!--mstheme--></font></td>
<td><b>loc</b></td>
<td><b>Your Local Network</b></td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
<p>Zones are defined in the <a href="Documentation.htm#Zones">
/etc/shorewall/zones</a> file.</p>
<p>Shorewall also recognizes the firewall system as its own zone - by default,
the firewall itself is known as <b>fw.</b></p>
<p>Rules about what traffic to allow and what traffic to deny are expressed in
terms of zones.</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>You express your default policy for connections from one zone to another
zone in the<a href="Documentation.htm#Policy"> /etc/shorewall/policy </a>file.</li>
<li>You define exceptions to those default policies in the
<a href="Documentation.htm#Rules">/etc/shorewall/rules </a>file.</li>
</ul>
<p>For each connection request entering the firewall, the request is first checked against the
/etc/shorewall/rules file. If no rule in that file matches the connection
request then the first policy in /etc/shorewall/policy that matches the
@ -96,57 +102,57 @@ file for you).</p>
<p>The /etc/shorewall/policy file included with the two-interface sample has the
following policies:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Source Zone</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Destination Zone</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Policy</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Log Level</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Limit:Burst</b></u><!--mstheme--></font></td>
<td><u><b>Source Zone</b></u></td>
<td><u><b>Destination Zone</b></u></td>
<td><u><b>Policy</b></u></td>
<td><u><b>Log Level</b></u></td>
<td><u><b>Limit:Burst</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>loc</td>
<td>net</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">all<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DROP<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">info<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>net</td>
<td>all</td>
<td>DROP</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">all<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">all<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">REJECT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">info<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<blockquote>
<p>In the two-interface sample, the line below is included but commented out. If
you want your firewall system to have full access to servers on the internet,
uncomment that line.</p>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber3">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Source Zone</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Destination Zone</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Policy</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Log Level</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>Limit:Burst</b></u><!--mstheme--></font></td>
<td><u><b>Source Zone</b></u></td>
<td><u><b>Destination Zone</b></u></td>
<td><u><b>Policy</b></u></td>
<td><u><b>Log Level</b></u></td>
<td><u><b>Limit:Burst</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>fw</td>
<td>net</td>
<td>ACCEPT</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>The above policy will:</p>
<ol>
@ -159,8 +165,9 @@ uncomment that line.</p>
</ol>
<p><img border="0" src="images/BD21298_.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; At this point, edit your /etc/shorewall/policy and make any changes that you
wish.</p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Network Interfaces<!--mstheme--></font></h2>
<p align="center"><img border="0" src="images/basics.jpg" width="592" height="394"></p>
<h2 align="left">Network Interfaces</h2>
<p align="center">
<img border="0" src="images/basics.png" width="444" height="635"></p>
<p align="left">The firewall has two network interfaces. Where Internet
connectivity is through a cable or DSL &quot;Modem&quot;, the <i>External Interface</i>
will be the ethernet adapter that is connected to that &quot;Modem&quot; (e.g., <b>eth0</b>)&nbsp;
@ -188,15 +195,15 @@ the external interface is <b>eth0</b> and the internal interface is <b>eth1</b>.
If your configuration is different, you will have to modify the sample
<a href="Documentation.htm#Interfaces">/etc/shorewall/interfaces</a> file accordingly. While you are there, you may wish to
review the list of options that are specified for the interfaces. Some hints:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b>, you can replace the
&quot;detect&quot; in the second column with &quot;-&quot;.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
&quot;detect&quot; in the second column with &quot;-&quot;.</li>
<li>
<p align="left">If your external interface is <b>ppp0</b> or <b>ippp0</b> or if you have a static IP
address, you can remove &quot;dhcp&quot; from the option list.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">IP Addresses<!--mstheme--></font></h2>
address, you can remove &quot;dhcp&quot; from the option list.</li>
</ul>
<h2 align="left">IP Addresses</h2>
<p align="left">Before going further, we should say a few words about Internet
Protocol (IP) <i>addresses</i>. Normally, your ISP will assign you a single <i>
Public</i> IP address. This address may be assigned via the<i> Dynamic Host
@ -210,9 +217,9 @@ internal network (the Internal Interface on your firewall plus your other
computers). RFC 1918 reserves several <i>Private </i>IP address ranges for this
purpose:</p>
<div align="left">
<!--mstheme--></font><pre> 10.0.0.0 - 10.255.255.255
<pre> 10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255</pre><!--mstheme--><font face="arial, Arial, Helvetica">
192.168.0.0 - 192.168.255.255</pre>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" height="13">&nbsp;&nbsp;&nbsp;
@ -236,24 +243,24 @@ purpose:</p>
<p align="left">Example sub-network:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" style="border-collapse: collapse" id="AutoNumber1" cellpadding="2" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" style="border-collapse: collapse" id="AutoNumber1" cellpadding="2">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Range:</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.10.10.0 - 10.10.10.255<!--mstheme--></font></td>
<td><b>Range:</b></td>
<td>10.10.10.0 - 10.10.10.255</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Subnet Address:</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.10.10.0<!--mstheme--></font></td>
<td><b>Subnet Address:</b></td>
<td>10.10.10.0</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>Broadcast Address:</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.10.10.255<!--mstheme--></font></td>
<td><b>Broadcast Address:</b></td>
<td>10.10.10.255</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><b>VLSM Notation:</b><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">10.10.10.0/24<!--mstheme--></font></td>
<td><b>VLSM Notation:</b></td>
<td>10.10.10.0/24</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
@ -278,9 +285,10 @@ Needs to Know about Addressing &amp; Routing&quot;,</i> Thomas A. Maufer, Prenti
1999, ISBN 0-13-975483-0.</p>
<p align="left">The remainder of this quide will assume that you have configured
your network as shown here:</p>
<p align="center"><img border="0" src="images/basics1.jpg" width="592" height="394"></p>
<p align="center">
<img border="0" src="images/basics1.png" width="444" height="635"></p>
<p align="left">The default gateway for computer's 1 &amp; 2 would be 10.10.10.254.</p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">IP Masquerading (SNAT)<!--mstheme--></font></h2>
<h2 align="left">IP Masquerading (SNAT)</h2>
<p align="left">The addresses reserved by RFC 1918 are sometimes referred to as
<i>non-routable</i> because the Internet backbone routers don't forward packets
which have an RFC-1918 destination address. When one of your local systems
@ -299,15 +307,15 @@ forwards the packet on to computer 1. </p>
IP Masquerading</i> but you will also see the term <i>Source Network Address
Translation </i>(SNAT) used. Shorewall follows the convention used with
Netfilter:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>
<p align="left"><i>Masquerade</i> describes the case where you let your
firewall system automatically detect the external interface address.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
firewall system automatically detect the external interface address.</li>
<li>
<p align="left"><i>SNAT</i> refers to the case when you explicitly specify the
source address that you want outbound packets from your local network to use.
<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
</li>
</ul>
<p align="left">In Shorewall, both Masquerading and SNAT are configured with
entries in the /etc/shorewall/masq file. You will normally use Masquerading if
your external IP is dynamic and SNAT if the IP is static.</p>
@ -320,7 +328,7 @@ static, you can enter it in the third column in the /etc/shorewall/masq entry if
you like although your firewall will work fine if you leave that column empty.
Entering your static IP in column 3 makes processing outgoing packets a little
more efficient. </p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Port Forwarding (DNAT)<!--mstheme--></font></h2>
<h2 align="left">Port Forwarding (DNAT)</h2>
<p align="left">One of your goals may be to run one or more servers on your
local computers. Because these computers have RFC-1918 addresses, it is not
possible for clients on the internet to connect directly to them. It is rather
@ -334,89 +342,89 @@ forwarding using DNAT rules in the /etc/shorewall/rules file.</p>
<p>The general form of a simple port forwarding rule in
/etc/shorewall/rules is:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;protocol&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;port&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:<i>&lt;server local ip address&gt; </i>[:<i>&lt;server port&gt;</i>]</td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>Example - you run a Web Server on computer 2 and you want to forward incoming
TCP port 80 to that system:</p>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:10.10.10.2<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">80<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:10.10.10.2</td>
<td>tcp</td>
<td>80</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>A couple of important points
to keep in mind:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">You must test the above rule from a client outside of your local network
<ul>
<li>You must test the above rule from a client outside of your local network
(i.e., don't test from a browser running on computers 1 or 2 or on the
firewall). If you want to be able to access your web server using the IP
address of your external interface, see <a href="FAQ.htm#faq2">Shorewall FAQ
#2</a>.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">Many ISPs block incoming connection requests to port 80. If you have
#2</a>.</li>
<li>Many ISPs block incoming connection requests to port 80. If you have
problems connecting to your web server, try the following rule and try
connecting to port 5000.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
connecting to port 5000.</li>
</ul>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">DNAT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc:10.10.10.2:80<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">5000<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>DNAT</td>
<td>net</td>
<td>loc:10.10.10.2:80</td>
<td>tcp</td>
<td>5000</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<p>
<img border="0" src="images/BD21298_.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; At this point, modify
/etc/shorewall/rules to add any DNAT rules that you require.</p>
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Domain Name Server (DNS)<!--mstheme--></font></h2>
<h2 align="left">Domain Name Server (DNS)</h2>
<p align="left">Normally, when you connect to your ISP, as part of getting an IP
address your firewall's <i>Domain Name Service </i>(DNS) resolver will be
automatically configured (e.g., the /etc/resolv.conf file will be written).
@ -424,15 +432,15 @@ Alternatively, your ISP may have given you the IP address of a pair of DNS <i>
name servers</i> for you to manually configure as your primary and secondary
name servers. Regardless of how DNS gets configured on your firewall, it is <u>your</u> responsibility to configure the resolver in your
internal systems. You can take one of two approaches:</p>
<!--mstheme--></font><!--msthemelist--><table border="0" cellpadding="0" cellspacing="0" width="100%">
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
<ul>
<li>
<p align="left">You can configure your internal systems to use your ISP's name
servers. If you ISP gave you the addresses of their servers or if those
addresses are available on their web site, you can configure your internal
systems to use those addresses. If that information isn't available, look in
/etc/resolv.conf on your firewall system -- the name servers are given in
&quot;nameserver&quot; records in that file.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--><tr><td valign="baseline" width="42"><img src="_themes/radial/aradbul1.gif" width="15" height="15" hspace="13" alt="bullet"></td><td valign="top" width="100%"><!--mstheme--><font face="arial, Arial, Helvetica">
&quot;nameserver&quot; records in that file.</li>
<li>
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; You can configure a<i> Caching Name Server </i>on your
firewall.<i> </i>Red Hat has an RPM for a caching name server (the RPM also
requires the 'bind' RPM) and for Bering users, there is dnscache.lrp. If you
@ -441,75 +449,75 @@ internal systems. You can take one of two approaches:</p>
address of the firewall (10.10.10.254 in the example above) for the name
server address. To allow your local systems to talk to your caching name
server, you must open port 53 (both UDP and TCP) from the local network to the
firewall; you do that by adding the following rules in /etc/shorewall/rules.<!--mstheme--></font><!--msthemelist--></td></tr>
<!--msthemelist--></table><!--mstheme--><font face="arial, Arial, Helvetica">
firewall; you do that by adding the following rules in /etc/shorewall/rules.</li>
</ul>
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">53<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>53</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">udp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">53<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>udp</td>
<td>53</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
<div align="left">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Other Connections<!--mstheme--></font></h2>
<h2 align="left">Other Connections</h2>
</div>
<div align="left">
<p align="left">The two-interface sample includes the following rules:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">53<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>tcp</td>
<td>53</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">udp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">53<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>fw</td>
<td>net</td>
<td>udp</td>
<td>53</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
@ -520,26 +528,26 @@ internal systems. You can take one of two approaches:</p>
<p align="left">The sample also includes:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">22<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
@ -550,26 +558,26 @@ internal systems. You can take one of two approaches:</p>
and other systems, the general format is:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;source zone&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;destination zone&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;protocol&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><i>&lt;port&gt;</i><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td><i>&lt;source zone&gt;</i></td>
<td><i>&lt;destination zone&gt;</i></td>
<td><i>&lt;protocol&gt;</i></td>
<td><i>&lt;port&gt;</i></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
@ -577,35 +585,35 @@ internal systems. You can take one of two approaches:</p>
system:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">80<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">#Allow web access<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">from the internet<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td>#Allow web access</td>
<td>from the internet</td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">loc<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">80<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">#Allow web access<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">from the local network<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>loc</td>
<td>fw</td>
<td>tcp</td>
<td>80</td>
<td>#Allow web access</td>
<td>from the local network</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
@ -620,33 +628,33 @@ internal systems. You can take one of two approaches:</p>
access to your firewall from the internet, use SSH:</div>
<div align="left">
<blockquote>
<!--mstheme--></font><table border="1" cellpadding="2" style="border-collapse: collapse" bordercolor="#111111" id="AutoNumber4" bordercolordark="#666666" bordercolorlight="#CCCCCC">
<table border="1" cellpadding="2" style="border-collapse: collapse" id="AutoNumber4">
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ACTION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>DESTINATION</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PROTOCOL</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>SOURCE PORT</b></u><!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica"><u><b>ORIGINAL ADDRESS</b></u><!--mstheme--></font></td>
<td><u><b>ACTION</b></u></td>
<td><u><b>SOURCE</b></u></td>
<td><u><b>DESTINATION</b></u></td>
<td><u><b>PROTOCOL</b></u></td>
<td><u><b>PORT</b></u></td>
<td><u><b>SOURCE PORT</b></u></td>
<td><u><b>ORIGINAL ADDRESS</b></u></td>
</tr>
<tr>
<td><!--mstheme--><font face="arial, Arial, Helvetica">ACCEPT<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">net<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">fw<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">tcp<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">22<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td><!--mstheme--><font face="arial, Arial, Helvetica">&nbsp;<!--mstheme--></font></td>
<td>ACCEPT</td>
<td>net</td>
<td>fw</td>
<td>tcp</td>
<td>22</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table><!--mstheme--><font face="arial, Arial, Helvetica">
</table>
</blockquote>
</div>
<div align="left">
<p align="left"><img border="0" src="images/BD21298_.gif" width="13" height="13">&nbsp;&nbsp;&nbsp; Now edit your
/etc/shorewall/rules file to add or delete other connections as required.</div>
<div align="left">
<h2 align="left"><!--mstheme--><font face="times new roman, Times New Roman, Times" color="#666666">Starting and Stopping Your Firewall<!--mstheme--></font></h2>
<h2 align="left">Starting and Stopping Your Firewall</h2>
</div>
<div align="left">
<p align="left">The <a href="Install.htm">installation procedure </a>
@ -678,6 +686,6 @@ Eastep</a></font></p>
<p align="left"><a href="copyright.htm"><font size="2">Copyright 2002 Thomas M. Eastep</font></a></p>
<!--mstheme--></font></body>
</body>
</html>


@ -0,0 +1,281 @@
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Whitelisting under Shorewall</title>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1" bgcolor="#400169" height="90">
<tr>
<td width="100%">
<h1 align="center"><font color="#FFFFFF">Whitelisting under Shorewall</font></h1>
</td>
</tr>
</table>
<p align="left">For a brief time, the 1.2 version of Shorewall supported an
/etc/shorewall/whitelist file. This file was intended to contain a list of IP
addresses of hosts whose POLICY to all zones was ACCEPT. The whitelist file was
implemented as a stop-gap measure until the facilities necessary for
implementing white lists using zones was in place. As of Version 1.3 RC1, those
facilities were available.</p>
<p align="left">White lists are most often used to give special privileges to a
set&nbsp; of hosts within an organization. Let us suppose that we have the
following environment:</p>
<ul>
<li>A firewall with three interfaces -- one to the internet, one
to a local network and one to a DMZ.</li>
<li>The local network uses SNAT to the internet and is comprised
of the class B network 10.10.0.0/16 (Note: While this example uses an RFC 1918
local network, the technique described here in no way depends on that or on
SNAT. It may be used with Proxy ARP, Subnet Routing, Static NAT, etc.).</li>
<li>The network operations staff have workstations with IP
addresses in the class C network 10.10.10.0/24</li>
<li>We want the network operations staff to have full access to
all other hosts.</li>
<li>We want the network operations staff to bypass the transparent
HTTP proxy running on our firewall.</li>
</ul>
<p align="left">The basic approach will be that we will place the operations
staff's class C in its own zone called <b>ops</b>. Here are the appropriate
configuration files:</p>
<h2 align="left">Zone File</h2>
<blockquote>
<table border="2">
<tr>
<td><b>
ZONE</b></td>
<td><b>
DISPLAY</b></td>
<td><b>
COMMENTS</b></td>
</tr>
<tr>
<td>net</td>
<td>Net</td>
<td>Internet</td>
</tr>
<tr>
<td>ops</td>
<td>Operations</td>
<td>Operations Staff's Class C</td>
</tr>
<tr>
<td>loc</td>
<td>Local</td>
<td>Local Class B</td>
</tr>
<tr>
<td>dmz</td>
<td>DMZ</td>
<td>Demilitarized zone</td>
</tr>
</table>
</blockquote>
<p>The <b>ops </b>zone has been added to the standard 3-zone zones file -- since
<b>ops</b> is a sub-zone of <b>loc</b>, we list it <u>BEFORE</u> <b>loc</b>.</p>
<h2>Interfaces File</h2>
<blockquote>
<table border="2">
<tr>
<td><b>
ZONE</b></td>
<td><b>
INTERFACE</b></td>
<td><b>
BROADCAST</b></td>
<td><b>
OPTIONS</b></td>
</tr>
<tr>
<td>net</td>
<td>eth0</td>
<td>&lt;whatever&gt;</td>
<td>&lt;options&gt;</td>
</tr>
<tr>
<td>dmz</td>
<td>eth1</td>
<td>&lt;whatever&gt;</td>
<td>routestopped</td>
</tr>
<tr>
<td>-</td>
<td>eth2</td>
<td>10.10.255.255</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>Because <b>eth2</b> interfaces to two zones (<b>ops</b> and <b>loc)</b>, we
don't specify a zone for it here.</p>
<h2>Hosts File</h2>
<blockquote>
<table border="2">
<tr>
<td><b>
ZONE</b></td>
<td><b>
HOST(S)</b></td>
<td><b>
OPTIONS</b></td>
</tr>
<tr>
<td>ops</td>
<td>eth2:10.10.10.0/24</td>
<font face="Century Gothic, Arial, Helvetica">
<td>routestopped</td>
</font>
</tr>
<tr>
<td>loc</td>
<td>eth2:0.0.0.0/0</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>Here we define the <b>ops</b> and <b>loc</b> zones. When Shorewall is
stopped, only the hosts in the <b>ops</b> zone will be allowed to access the
firewall and the DMZ. I use 0.0.0.0/0 to define the <b>loc</b> zone rather than
10.10.0.0/16 so that the limited broadcast address (255.255.255.255) falls into
that zone. If I used 10.10.0.0/16 then I would have to have a separate entry for
that special address.</p>
<h2>Policy File</h2>
<blockquote>
<table border="2">
<tr>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
POLICY</b></td>
<td><b>
LOG LEVEL</b></td>
<td><b>LIMIT:BURST</b></td>
</tr>
<tr>
<td><font color="#0000FF">ops</font></td>
<td><font color="#0000FF">all</font></td>
<td><font color="#0000FF">ACCEPT</font></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td><font color="#0000FF">all</font></td>
<td><font color="#0000FF">ops</font></td>
<td><font color="#0000FF">CONTINUE</font></td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>loc</td>
<td>net</td>
<td>ACCEPT</td>
<font face="Century Gothic, Arial, Helvetica">
<td>&nbsp;</td>
<td>&nbsp;</td>
</font>
</tr>
<tr>
<td>net</td>
<td>all</td>
<td>DROP</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>all</td>
<td>all</td>
<td>REJECT</td>
<td>info</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>Two entries for <b>ops</b> have been added to the standard 3-zone policy file.
<font color="#FF0000"><b>WARNING: You must be running Shorewall 1.3.1 or later
for the above to work properly.</b></font></p>
<h2>Rules File</h2>
<blockquote>
<table border="2">
<tr>
<font face="Century Gothic, Arial, Helvetica">
<td><b>ACTION</b></td>
<td><b>SOURCE</b></td>
<td><b>DEST</b></td>
<td><b>
PROTO</b></td>
<td><b>DEST<br>
PORT(S)</b></td>
<td><b>SOURCE<br>
PORT(S)</b></td>
<td><b>ORIGINAL<br>
DEST</b></td>
</font>
</tr>
<tr>
<td>REDIRECT</td>
<td>loc!ops</td>
<td>3128</td>
<td>tcp</td>
<td>http</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>...</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
</table>
</blockquote>
<p>This is the rule that transparently redirects web traffic to the transparent
proxy running on the firewall. The SOURCE column explicitly excludes the <b>ops</b>
zone from the rule.</p>
<p><font size="2">
Updated 5/31/2002 - <a href="support.htm">Tom
Eastep</a>
</font></p>
<p><font face="Trebuchet MS"><a href="copyright.htm"><font size="2">Copyright</font>
© <font size="2">2002 Thomas M. Eastep.</font></a></font></p>
</body>
</html>


@ -28,7 +28,7 @@
# shown below. Simply run this script to revert to your prior version of
# Shoreline Firewall.
VERSION=1.3.6
VERSION=1.3.7
usage() # $1 = exit status
{


@ -1565,7 +1565,13 @@ add_nat_rule() {
# Replace destination port by the new destination port
[ -n "$servport" ] && dports="--dport ${servport#*:}"
if [ -n "$servport" ]; then
if [ -z "$multiport" ]; then
dports="--dport ${servport#*:}"
else
dports="--dports ${servport#*:}"
fi
fi
# Handle SNAT
@ -1650,18 +1656,21 @@ add_a_rule()
case $proto in
tcp|udp|TCP|UDP|6|17)
if [ -n "$port" -a "x${port}" != "x-" ]; then
[ -n "$multioption" ] && \
[ "$port" != "${port%,*}" ] && \
dports="--dport"
if [ -n "$multioption" -a "$port" != "${port%,*}" ]; then
multiport="$multioption"
dports="--dport $port"
dports="--dports"
fi
dports="$dports $ports"
fi
if [ -n "$cport" -a "x${cport}" != "x-" ]; then
[ -n "$multioption" ] && \
[ -z "$multiport" ] && \
[ "$cport" != "${cport%,*}" ] && \
sports="--sport"
if [ -n "$multioption" -a "$cport" != "${cport%,*}" ]; then
multiport="$multioption"
sports="--sport $cport"
sports="--sports"
fi
sports="$sports $cport"
fi
;;
icmp|ICMP|1)
@ -2428,7 +2437,7 @@ setup_masq()
if [ -n "$address" -a -n "$ADD_SNAT_ALIASES" ]; then
list_search $address $aliases_to_add || \
aliases_to_add="$aliases_to_add $external $address"
aliases_to_add="$aliases_to_add $address $interface"
fi
destination=$destnet
@ -2778,7 +2787,8 @@ add_common_rules() {
logoptions="$LOGPARAMS --log-prefix Shorewall:badpkt:DROP:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A badpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A badpkt -p !tcp -j LOG $logoptions
run_iptables -A badpkt -p tcp -j DROP # Workaround for iptables 1.2.7
run_iptables -A badpkt -j LOG $logoptions
fi
run_iptables -A badpkt -j DROP
@ -2803,7 +2813,8 @@ add_common_rules() {
logoptions="$LOGPARAMS --log-prefix Shorewall:logpkt:LOG:"
logoptions="$logoptions --log-level $LOGUNCLEAN --log-ip-options"
run_iptables -A logpkt -p tcp -j LOG $logoptions --log-tcp-options
run_iptables -A logpkt -p !tcp -j LOG $logoptions
run_iptables -A logpkt -p tcp -j RETURN # Workaround for iptables 1.2.7
run_iptables -A logpkt -j LOG $logoptions
echo "Mangled/Invalid Packet Logging enabled on:"
@ -2814,16 +2825,15 @@ add_common_rules() {
echo " $interface"
done
fi
###########################################################################
# PING
#
[ -n "$FORWARDPING" ] && \
run_iptables -A common -p icmp --icmp-type echo-request -j ACCEPT
############################################################################
# Common ICMP rules
#
icmpdef=`find_file icmpdef`
if [ -f $icmpdef ]; then
. $icmpdef
else
. `find_file icmp.def`
fi
run_user_exit icmpdef
############################################################################
# Common rules in each chain
#
@ -2838,7 +2848,6 @@ add_common_rules() {
# BROADCASTS
#
drop_broadcasts `find_broadcasts`
###########################################################################
# RFC 1918
#
@ -3400,6 +3409,7 @@ do_initialize() {
MERGE_HOSTS=
MUTEX_TIMEOUT=
LOGNEWNOTSYN=
FORWARDPING=
stopping=
have_mutex=
masq_seq=1
@ -3476,6 +3486,7 @@ do_initialize() {
MULTIPORT=`added_param_value_no MULTIPORT $MULTIPORT`
DETECT_DNAT_IPADDRS=`added_param_value_no DETECT_DNAT_IPADDRS $DETECT_DNAT_IPADDRS`
MERGE_HOSTS=`added_param_value_no MERGE_HOSTS $MERGE_HOSTS`
FORWARDPING=`added_param_value_no FORWARDPING $FORWARDPING`
}
################################################################################
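Review bot: In the add_a_rule hunk the new line `dports="$dports $ports"` appends `$ports`, while the line it replaces (`dports="--dport $port"`), the comma test just above it and the parallel source-port branch (`sports="$sports $cport"`) all use `$port`; unless `ports` is a variable assigned earlier in add_a_rule (outside the hunk), this expands to a bare `--dport`/`--dports` with no port list, so iptables rejects the rule, or a stale value of `ports` silently selects the wrong destination port. I would change it to `dports="$dports $port"`. Separately, the new PING block enables the echo-request ACCEPT with `[ -n "$FORWARDPING" ]`, which treats any non-empty value, including `No`, as enabled unless FORWARDPING is normalized to empty elsewhere (not visible in these hunks) — worth confirming, since the shipped default is `Yes` and the rule is added to the `common` chain with no interface or zone qualifier. add_a_rule, setup_masq, add_common_rules and do_initialize all start and end outside the hunks.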


@ -1,22 +1,6 @@
##############################################################################
# Shorewall 1.3 /etc/shorewall/icmp.def
#
# This file defines the default rules for accepting ICMP packets.
# This file is obsolete and is included for compatibility with existing
# icmpdef extension scripts that source it.
#
# Do not modify this file -- if you wish to change these rules, create
# /etc/shorewall/icmpdef to replace it. It is suggested that you include
# the command "source /etc/shorewall/icmp.def" in your
# /etc/shorewall/icmpdef file so that you will continue to get the
# advantage of new releases of this file.
#
# For example, if you want to accept 'ping' everywhere then create
# /etc/shorewall/icmpdef with the following two lines:
#
# source /etc/shorewall/icmp.def
# run_iptables -A icmpdef -p ICMP --icmp-type echo-request -j ACCEPT
#
run_iptables -A icmpdef -p ICMP --icmp-type echo-reply -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type source-quench -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type destination-unreachable -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type time-exceeded -j ACCEPT
run_iptables -A icmpdef -p ICMP --icmp-type parameter-problem -j ACCEPT


@ -54,7 +54,7 @@
# /etc/rc.d/rc.local file is modified to start the firewall.
#
VERSION=1.3.6
VERSION=1.3.7
usage() # $1 = exit status
{
@ -479,11 +479,17 @@ if [ -z "$PREFIX" -a -n "$first_install" ]; then
fi
elif [ -x /sbin/chkconfig -o -x /usr/sbin/chkconfig ]; then
if chkconfig --add $FIREWALL ; then
echo -e "\nFirewall will automatically start in run levels as follows:"
echo -e "\nFirewall will start automatically in run levels as follows:"
chkconfig --list $FIREWALL
else
cant_autostart
fi
elif [ -x /sbin/rc-update ]; then
if rc-update add shorewall default; then
echo -e "\nFirewall will start automatically at boot"
else
cant_autostart
fi
else
modify_rclocal
fi
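Review bot: The new rc-update branch hardcodes the service name, `rc-update add shorewall default`, while the chkconfig branch directly above it registers `$FIREWALL`; if `$FIREWALL` is the name of the installed init script (it is set outside the hunk), the two branches can diverge and rc-update would register a service that was not installed under that name. I would write `if rc-update add $FIREWALL default; then` so every autostart path uses the same variable. The enclosing if/elif chain starts outside the hunk.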


@ -12,20 +12,24 @@
# of a zone defined in /etc/shorewall/zones.
#
# If the interface serves multiple zones that will be
# defined in the /etc/shorewall/hosts file, you may
# defined in the /etc/shorewall/hosts file, you should
# place "-" in this column.
#
# INTERFACE Name of interface
# INTERFACE Name of interface. Each interface may be listed only
# once in this file.
#
# BROADCAST The broadcast address for the subnetwork to which the
# interface belongs. For P-T-P interfaces, this
# column is left black.
# column is left black.If the interface has multiple
# addresses on multiple subnets then list the broadcast
# addresses as a comma-separated list.
#
# If you use the special value "detect", the firewall
# will detect the broadcast address for you. If you
# select this option, the interface must be up before
# the firewall is started and you must have iproute
# installed.
# the firewall is started, you must have iproute
# installed and the interface must only be associated
# with a single subnet.
#
# If you don't want to give a value for this column but
# you want to enter a value in the OPTIONS column, enter
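Review bot: The amended BROADCAST comment keeps the typo and missing space in `column is left black.If the interface has multiple`; it should read `column is left blank. If the interface has multiple`. The new caveat that `detect` requires the interface to be on a single subnet is useful, but the comment should also say what happens when that is not the case — whether startup fails or detection silently picks one broadcast address — because a broadcast address that is never learned is presumably never matched by the broadcast-drop rules the firewall script builds from this column; I cannot tell from this hunk which behaviour applies, so please state it here.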


@ -18,7 +18,7 @@
# in /etc/shorewall/zones, $FW or "all"
#
# POLICY Policy if no match from the rules file is found. Must
# be "ACCEPT", "DENY", "REJECT" or "CONTINUE"
# be "ACCEPT", "DROP", "REJECT" or "CONTINUE"
#
# LOG LEVEL If supplied, each connection handled under the default
# POLICY is logged at that level. If not supplied, no


@ -3,13 +3,22 @@ fixes.
New features include:
1) The new "Shorewall Setup Guide" is included in this release. This
guide is intended for users who have multiple static external IP
addresses and for users who what to learn a bit more abound
Shorewall than is described in the single-address guides.
1) The 'icmp.def' file is now empty! The rules in that file were
required in ipchains firewalls but are not required in Shorewall.
Users who have ALLOWRELATED=No in shorewall.conf should see the
Upgrade Issues.
2) A 'FORWARDPING' option has been added to shorewall.conf. The effect
of setting this variable to Yes is the same as the effect of adding
an ACCEPT rule for ICMP echo-request in
/etc/shorewall/icmpdef. Users who have such a rule in icmpdef are
encouraged to switch to FORWARDPING=Yes.
3) The loopback CLASS A Network (127.0.0.0/8) has been added to the
rfc1918 file.
4) Shorewall now works with iptables 1.2.7.
5) The documentation and Web site no longer use FrontPage themes.
2) Shorewall now drops non-SYN tcp packets that are not part of an
established connection. These packets can be optionally logged by
setting the new LOGNEWNOTSYN variable in shorewall.conf.
I would like to thank John Distler for his valuable input regarding TCP
SYN and ICMP treatment in Shorewall. That input has led to marked
improvement in Shorewall in the last two releases.


@ -45,13 +45,13 @@
42.0.0.0/8 logdrop # Reserved
58.0.0.0/7 logdrop # Reserved
60.0.0.0/8 logdrop # Reserved
69.0.0.0/8 logdrop # Reserved
70.0.0.0/7 logdrop # Reserved
72.0.0.0/5 logdrop # Reserved
82.0.0.0/7 logdrop # Reserved
84.0.0.0/6 logdrop # Reserved
88.0.0.0/5 logdrop # Reserved
96.0.0.0/3 logdrop # Reserved
127.0.0.0/8 logdrop # Loopback
197.0.0.0/8 logdrop # Reserved
222.0.0.0/7 logdrop # Reserved
240.0.0.0/4 logdrop # Reserved
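Review bot: The `logdrop # Reserved` entries in this file are a point-in-time snapshot of IANA allocations and go stale: once a listed block is assigned, legitimate traffic from it is dropped with only a log line to show for it, and the only clue an operator gets is the `Shorewall` log prefix. The `127.0.0.0/8 logdrop # Loopback` addition is a sound, permanent entry, but the reserved ranges deserve a header comment recording the registry date they were taken from, e.g. `# "Reserved" entries below reflect the IANA IPv4 address space registry as of August 2002 -- re-check them on every upgrade`, so that operators know to revisit them. Which of the 69/8 to 96/3 lines are added and which are removed is not recoverable from this rendering.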


@ -349,4 +349,12 @@ MUTEX_TIMEOUT=60
LOGNEWNOTSYN=
#
# Forward "Ping"
#
# If FORWARDPING is set to "Yes" then Echo Request ("Ping") packets are
# forwarded by the firewall.
FORWARDPING=Yes
#LAST LINE -- DO NOT REMOVE
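Review bot: The new FORWARDPING comment understates what the option does and the shipped default enables it: the rule the firewall script adds for it is `-A common -p icmp --icmp-type echo-request -j ACCEPT`, with no interface or zone qualifier, so echo-requests are accepted wherever the `common` chain is reached (its callers are outside these hunks, but nothing in the rule limits it to forwarded traffic or excludes the net zone or the firewall itself), whereas the emptied icmp.def previously accepted no echo-request at all. I would extend the comment to `# If FORWARDPING is set to "Yes", ICMP echo-request ("ping") packets are accepted by the common chain from every zone, including the internet, for forwarded traffic and for the firewall itself. Leave it empty to keep the previous behaviour (ping governed only by rules/icmpdef).` and consider shipping it unset rather than `Yes`. The enabling check in the firewall script is `[ -n "$FORWARDPING" ]`, so unless the value is normalized elsewhere a literal `No` would not disable it; that also belongs in the comment.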


@ -1,5 +1,5 @@
%define name shorewall
%define version 1.3.6
%define version 1.3.7
%define release 1
%define prefix /usr
@ -76,6 +76,8 @@ if [ $1 = 0 ]; then if [ -x /sbin/insserv ]; then /sbin/insserv -r /etc/init.d/s
%doc COPYING INSTALL changelog.txt releasenotes.txt tunnel
%changelog
* Thu Aug 22 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.7
* Sun Aug 04 2002 Tom Eastep <tom@shorewall.net>
- Changed version to 1.3.6
* Mon Jul 29 2002 Tom Eastep <tom@shorewall.net>


@ -26,7 +26,7 @@
# You may only use this script to uninstall the version
# shown below. Simply run this script to remove Seattle Firewall
VERSION=1.3.6
VERSION=1.3.7
usage() # $1 = exit status
{